Back to the Future with SharePoint 2016 User Profile Synchronization

Posted by Eric Shupps on Mar 8, 2016 4:09:03 PM

With every iteration of the SharePoint Server platform, there are new features and functionality that administrators must learn about. But every now and then, instead of introducing something entirely new, Microsoft goes in the opposite direction and revisits existing capabilities to better reflect customer needs. Such is the case with User Profile Synchronization in SharePoint Server 2016.

Every administrator who has worked with SharePoint outside of a lab environment has struggled with the process of synchronizing user data between an identity-management system and the SharePoint User Profile service application. It is one of the least understood and most challenging feature sets in the entire platform. There are many reasons for this, but foremost among them is the reliance of the primary synchronization mechanism in the 2010 and 2013 product versions on a bundled implementation of the Forefront Identity Manager (FIM) Sync service, and a general lack of knowledge by SharePoint practitioners as to how it should be properly set up and configured. Anyone who has ever struggled to get past the “stuck on starting” phase is more than familiar with how frustrating this process can be.

With SharePoint 2013, Microsoft introduced a lightweight in-process Active Directory Import (ADI) option similar to what was used prior to SharePoint 2010. This sat alongside User Profile Synchronization (UPS) and External Identity Manager as customer options for profile sync; however, the majority of SharePoint 2013 customers continued to use UPS. In an effort to simplify and streamline user profile synchronization, Microsoft chose to eliminate the FIM dependency entirely in SharePoint 2016. The result is a much less complex synchronization mechanism under the hood (ADI) that should, in theory, make it easier for administrators to get up and running quickly.

But such ease of use comes with a cost, as the ADI is much less flexible than FIM, making it less than desirable in complex environments and scenarios that require two-way read/write synchronization. Even adding “simple” requirements such as profile picture import cannot be achieved using ADI.

On the surface, not much has changed. The User Profile Service Application is created in the same manner it always has been, with nearly identical screens and PowerShell commands for creating synchronization connections, selecting objects, and initiating full or incremental synchronizations.

This is sufficient for a large majority of use cases, but as soon as the situation calls for advanced functionality, it quickly becomes apparent that all is not as it used to be. For example, the ADI mechanism can only facilitate one-way, read-only connections. It can’t be used to write property values back to the identity store. As its name implies, it can only be used with Active Directory. In addition, there is no way to achieve fine-grained control over property mappings beyond what is offered out-of-the-box. It’s a simple solution to a complex problem and that may leave many customers wanting more.
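The PowerShell side of the "nearly identical" connection setup mentioned above, as an added example that is not code from the article: it creates a read-only ADI connection with the built-in SharePoint 2016 cmdlet, scoped to one OU over LDAPS with a dedicated low-privilege account. Every name (proxy, forest, domain, OU, account) is a placeholder, and nothing here maps properties back to AD, because ADI cannot do that.

```powershell
# Added example, not from the original article. All names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$proxyName   = 'User Profile Service Application Proxy'   # placeholder: display name of your UPA proxy
$forest      = 'corp.example.com'                         # placeholder: forest FQDN
$domain      = 'CORP'                                     # placeholder: NetBIOS domain name
$syncAccount = 'svc-spsync'                               # placeholder: dedicated sync account
$syncOU      = 'OU=Staff,DC=corp,DC=example,DC=com'       # placeholder: import only the OU you need

# Least privilege: the sync account needs only "Replicate Directory Changes" on the
# domain, not domain admin or any write rights, since ADI never writes back to AD.
# Prompt for the password rather than storing it in the script.
$password = Read-Host -Prompt "Password for $domain\$syncAccount" -AsSecureString

# One-way, read-only import from Active Directory only (the ADI limitation described above).
# -ConnectionUseSSL / -ConnectionPort 636 keep credentials and profile data off clear-text LDAP.
# -ConnectionUseDisabledFilter keeps disabled accounts out of profiles and people search.
Add-SPProfileSyncConnection `
    -ProfileServiceApplicationProxy $proxyName `
    -ConnectionForestName $forest `
    -ConnectionDomain $domain `
    -ConnectionUserName $syncAccount `
    -ConnectionPassword $password `
    -ConnectionSynchronizationOU $syncOU `
    -ConnectionUseSSL `
    -ConnectionPort 636 `
    -ConnectionUseDisabledFilter
```

Write-back, non-AD sources and custom property mapping logic do not appear in this command because ADI has no parameters for them; those requirements are what push a deployment toward MIM.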

Fortunately, there is an answer in the combination of the new Microsoft Identity Manager (MIM) and the SharePoint Connector for MIM (or, if you prefer, a third-party tool of your choosing). MIM is the new name for FIM, and the MIM Sync engine will be available at no extra software licensing cost for SharePoint 2016 customers.

MIM fills the gaps left by the ADI mechanism, providing a robust set of features for synchronizing with many different types of identity providers. This approach allows SharePoint deployments to take advantage of the latest and greatest version of MIM rather than continue to be handcuffed to the out-of-date and unsustainable bundled version of FIM previously included. There is no question that this approach is architecturally superior.

It is important to note, however, that there is no built-in MIM configuration for SharePoint 2016; it is a standalone server product that is implemented completely outside of SharePoint. To use it effectively, administrators must expand their skill set and learn how to properly implement and maintain it. Doing so can provide a wealth of benefits, including a more robust, scalable architecture and a range of features beyond what was available in the previous bundled FIM sync service. Microsoft plans to offer, alongside the RTM of SharePoint 2016, a toolkit of sample configurations, deployment guidance and Windows PowerShell to assist with migration from UPS to MIM. However, every MIM deployment requires a significant "skill up" outside the natural domain of the SharePoint practitioner.

When contemplating a new 2016 implementation, or an upgrade from previous versions of SharePoint, it is important to give careful consideration to how user profiles will be used, what information is critical to the feature sets being deployed, where that information will come from, and how it will be managed. It may very well be that the built-in AD Import mechanism will be sufficient to meet the overall requirements, but if it is not, then the implementation or upgrade plan must include a separate synchronization solution such as MIM, along with the necessary skills to properly implement it.

The best way to avoid user profile synchronization frustration in SharePoint 2016 is to be prepared for what the built-in capabilities can achieve and have a plan to address any shortcomings well in advance. As always, with any identity management initiative, planning is paramount. It is far cheaper and easier to plan ahead than try to retrofit requirements after the fact. As the vast majority of SharePoint 2013 deployments currently make use of UPS, it is imperative to plan your upgrade/migration strategy with respect to profiles early.

Spencer Harbar contributed to this article.

Eric Shupps is a SharePoint Server MVP, and the founder and president of BinaryWave, a global provider of SharePoint managed services. He has worked with SharePoint products and technologies since 2001 as a consultant, administrator, architect, developer and trainer.

Spencer Harbar represents Microsoft at events worldwide and was a speaker most recently at the SharePoint Conference 2012, 2011 and 2009 and Microsoft Tech Ed New Zealand, 2011.

Topics: identity management
