Working with the User Profile Service Application

This is a live blogging post from the International SharePoint Conference London 2012. So don’t expect well-written proza here.

Session by Spencer Harbar & Kimmo Forss

Identity Management

  • SharePoint people are in the identity mgmt business, whether you like it or not
  • A lot of political issues concerning identity mgmt in the enterprise
  • 10% technology 90% organizational stuff
  • Considerations: ownership of data, data quality, system quality, access control
  • Make friends with your directory services admins!

Lessons from the field

  • Inadequate understanding of the UPA architecture
  • Features and design constraints drive deployment options (e.g. federate or replicate, central or regional)
  • Inadequate planning for user profiles

ForeFront Identity Manager

  • SyncDB is in fact a FIM db
  • Primarily a metadirectory solution
  • SharePoint includes a bundled version of FIM
  • Does not provide full synchronization!
  • provisioning the service instance is effectively installing and configuring FIM
  • Was FIM the right source? Yes it is! You cannot do IdM without a metadirectory


  • via central administration
  • via PowerShell, but beware the default schema issue
  • do not try to script the creation of import connections, it’s not supported
  • you shouldn’t ever see “welcome, system account” in your life : )

Augmenting Profiles with BCS

  • Import only
  • Runs only at full import
  • Does not create new user profiles, only complements
  • Single & multi value properties
  • Create an external content type in SharePoint Designer
  • Set permissions on the content type in the BCS to farm account (execute & set permissions)
  • Create a new BCS import connection
  • Change property to import from the BCS in stead of AD

Export to AD

  • grant the farm account write permission in AD
  • change the property to export its value to AD