Upgrading the Forefront Identity Manager Connector for Windows Azure Active Directory

On 19th February 2014 Microsoft released version 1.0.6635.0069 of the Forefront Identity Manager Connector for Windows Azure Active Directory (WAAD), a.k.a. the Azure Active Directory (AAD) Connector for FIM 2010 R2.  The new connector introduces four new attributes to support the new SMIME feature in Exchange Online:

  • contact.userCertificate
  • contact.userSMIMECertificate
  • user.userCertificate
  • user.userSMIMECertificate

Peter caught the new build being published.  But the version number wasn’t increased by mistake.  The listed version is the RTW build (1.0.6567.0002).  The actual published version is 1.0.6635.0069.  The new version will be documented in kb2935541 but that KB is not yet live.

As with the RTW build the MSI prohibits upgrade, therefore you have to uninstall the current version and install the new version and refresh the interfaces, as described in this post.

After refreshing the interfaces (Open the AAD connector properties | OK | OK | OK) the new attributes must be configured for use.  We’ll walk through this configuration in this post.

Metaverse configuration

We need to add the new attributes to the metaverse before we can configure the import attribute flow (IAF) on your Active Directory Management Agent (ADMA) and export attribute flow (EAF) on your AAD connector.

Create the attributes and assign them to their classes

Open the FIM Synchronization Manager, click Metaverse Designer and add the following new attributes to your contact and user classes.

  • contact
    • userCertificate – Binary (non-indexable); multi-valued
    • userSMIMECertificate – Binary (non-indexable); multi-valued
  • user
    • re-add the userCertificate and userSMIMECertificate attributes

I added the attributes to my user class and then added the existing attributes to my contact class.  Here’s some instructions and screenshots.

  • Select user/person and click Add Attribute; New attribute…
  • Specify the attribute name, select the attribute type of Binary (non-indexable) and check Multi-valued:





Add the attributes to the contact object

  • Select contact and click Add Attribute
  • Scroll to the bottom and select userCertificate and userSMIMECertificate.
  • Click OK.


Now that the schema is updated we can update the AAD connector and ADMAs.

Configure the AD MA

The configuration on the ADMA is pretty simple – direct IAF for userCertificate and userSMIMECertificate.

To configure this, open the properties of the ADMA and click Select Attributes.  Click Show All, scroll to the bottom of the list and select (check) userCertificate and userSMIMECertificate.


Next click Configure Attribute Flow and create an IAF for each attribute for contact and user objects.


Repeat the flows for the user object too.  Once done all that’s left to do is configure the AAD EAFs.

Configure the AAD connector

The AAD connector requires attribute select and EAF, which is very similar to the ADMA configuration, and some simple code changes.  We’ll step through this here.

Configure the attributes and flows

Open the properties of the connector and click Select Attributes.  At the bottom of the list the two new attributes are present and unselected.


Select/check the userCertificate and userSMIMECertificate attributes and click Configure Attribute Flow.

Click the contact object type flows and create new advanced EAF for userCertificate and userSMIMECertificate.  Repeat for the user object type.

In my case I copied the exact names used by DirSync:



The DirSync solution uses a rules extension based EAF to control the number of certificates that get exported to AAD.  The DirSync code only exports the first 15 values of the multivalued BLOB.  We’ll write our own code to do this too (and I’ve taken inspiration from the name of the DirSync rule to write this code so feel free to do something different).  The following is example code, intended for the IMASynchronization::MapAttributesForExport method of your AAD rules extension.

Write the code

if (flowRuleName.StartsWith("valueLimit::"))
    String pattern = "valueLimit::((?<limit>[0-9]+))::cd:((?<aADAttr>[a-zA-Z-]+))<-mv:((?<mVAttr>[a-zA-Z-]+))";
    Match m = new Regex(pattern).Match(flowRuleName);

    String aADAttributeName = m.Groups["aADAttr"].Value;
    String mVAttributeName = m.Groups["mVAttr"].Value;
    Int32 limit = Int32.Parse(m.Groups["limit"].Value);

    Int32 i = 0;

    if (mventry[mVAttributeName].IsPresent)
        foreach (Value v in mventry[mVAttributeName].Values)
            if (i < limit)

Wrap up

The new build will be documented in Microsoft knowledgebase article KB2935541, which isn’t published yet.  Even if you’re not planning on utilising SMIME it is still worth keeping on top of updates and “upgrading” your connector.


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
This entry was posted in Azure, Azure Active Directory, FIM, FIM 2010 R2, Office 365 and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s