FIM Management Agents from Partners

Update 11 October 2010: This blog post has been converted into a Wiki page instead so that we can provide a more living document. Please go to:

Forefront Identity Manager includes a number of different management agents to connect to a variety of data sources. To enable you to connect to other data sources, FIM includes the Extensible Connectivity Management Agent (ECMA). To interact with a data source, the ECMA uses a connected data source extension. A connected data source extension is a Microsoft .NET Framework assembly that is implemented in the form of a dynamic link library (.dll) file.

You can create this extension by using any programming language and compiler that creates a .NET Framework assembly. For more information, see Creating Connected Data Source Extensions.

There are a number of partners that have created Management Agents using the ECMA to connect to a number of different systems or just to enhance connectivity options that are available out of the box.

This is the first blog post on MA and I will follow up with a similar post with MA’s that Microsoft Consulting Services have developed as part of their engagements.

MA’s from some of our great Identity and Access partners:


Identity Forge

ACF2, Top Secret, RACF, i5 Management Agent for FIM

The IdF Management Agent for FIM has been tightly integrated with Microsoft’s Forefront Identity Manager as well as ILM and MIIS.  The Management Agent works with IdF’s Adapter Suite providing Microsoft customers with an “out of the box” solution for ACF2, Top Secret, RACF, i5 and legacy applications

Mainframe MA’s – See current MA Datasheet for specs
IBM – RACF        Currently Available
CA – ACF2          Currently Available
CA-Top Secret    Currently Available
CICS                   Target Release Date:  February 2011
Midrange MA’s – See current MA Datasheet for specs
IBM-i5 (AS400)  Currently available
HP Non – Stop    Target Release Date:  November 2010
Open VMS          Target Release Date:  February 2011

Unix MA

Generic Unix MA Target Release Date: February 2011

Supported Unix Systems: Oracle-Solaris, HP-UX, IBM-AIX, LINUX


    • Create  and  manage  UNIX  accounts  using  UNIX-­specific  account  templates
    • Change  account  passwords  and  account  activations  in  one  place
    • Synchronize  global  users  with  their  roles  or  synchronize  global  users’   accounts  with their  account  templates
    • Assign  a  UNIX  policy  to  each  of  your  UNIX  endpoints
    • Use  the  default  Endpoint  Type  policy  to  create  accounts  with  the  minimum
    • Create  and  manage  UNIX  groups
    • Generate  and  print  reports  about  UNIX  accounts  and  groups


SAP r3 4.5 and higher – Available November 2010

    • ERP
    • HR
    • Web Services

SAP ECC 6.0   – Available October 2010
SAP HR 6.0
Web Services


    • Retrieve  existing  users  from  the  SAP  repository
    • Display,  create,  modify,  or  delete  a  user
    • Retrieve  the  existing  authorization  profiles  from  the  SAP  repository
    • Display  authorization  profiles
    • Assign  or  unassign  an  authorization  profile  to  a  user
    • Retrieve  the  existing  SAP  roles  from  the  SAP  repository
    • Display  SAP  roles
    • Assign  or  unassign  a  SAP  role  to  a  user
    • Register  endpoints,  explore  them  for  objects  to  manage,  and  correlate  their   accounts with  global  users
    • Create  and  manage  SAP  accounts  using  SAP-­specific  account  templates
    • Change  account  passwords  and  account  activations  in  one  place
    • Assign  a  SAP  account  template  to  each  of  your  SAP  endpoints
    • Use  the  default  endpoint  type  account  template  to  create  accounts  with  the   minimum level  of  security  needed  to  access  a  SAP  endpoint
    • Harvest  SAP  accounts,  SAP  profiles,  and  SAP  roles
    • Manage  SAP  CUA  environments information real time for reporting services.’
Directory Service MA’s
    • Active Directory   –  Currently Available
    • LDAPv3  JNDI       –  Currently Available
    • IBM Directory Integrator   – Target Release Date November 2010


Visit for more information or contact Omada on email

Omada Connectivity Framework for FIM2010

Omada provides a range of Management Agents (MA’s) supporting advanced deployments of FIM2010. The MA’s covers integration to SAP, SAP GRC, Exchange, File shares, SharePoint, SCCM, Exchange, Powershell and more.


Omada’s SAP MA is based on FIM’s extensible connectivity management agent framework. The agent supports both full and delta imports as well as exports. The integration to SAP is performed  via web services, and supports interaction directly with the SAP backend such as SAP ERP, SAP HR, SAP BI etc. or via SAP PI. Omada provides web services for various objects in SAP such as Org. Units (organizational structure in SAP HR), Employees, Cost Centers (including the hierarchy), Company Codes, Users (includes Password reset), Roles (With Transaction Codes, Auth. Objects).

Omada also provides advanced integration to SAP GRC.

System Center Configuration Manager MA

Omada’s SCCM Management Agent is based on FIM’s extensible connectivity management agent framework.  The agent supports full import of systems, collections, collection assignments, and installs from a SCCM system.  On export, the agent supports the addition of systems to collections, as well as removal of a system from a collection.

Exchange Objects MA

Omada’s Exchange Object Management Agent is based on FIM’s extensible connectivity management agent framework.  The agent supports full import, and can move mailboxes within an Exchange 2003/2007 organization.  The agent has two modes of export operation:  1) synchronous moves of mailboxes 2) asynchronous moves of mailboxes (i.e., multiple threads moving mailboxes).

File share MA

Omada’s  File Share Management Agent is based on FIM’s extensible connectivity management agent framework.  The agent supports import and export operations, and can create, move/rename, and delete file shares.  Additionally, the agent can optionally set permissions on file shares, and move file shares between different file system volumes.

Home Folder MA

Omada’s  Home Folder Management Agent is based on FIM’s extensible connectivity management agent framework.  The agent supports import and export operations, and can create, move/rename, and delete home folders.  Additionally, the agent can optionally set permissions on folders, and move home folders between different file system volumes.

PowerShell MA

Omada’s PowerShell Management Agent is based on FIM’s extensible connectivity management agent framework.  The agent supports export (add) of a script with parameters to execute.  The agent is based on the “post processing” approach to creating extensible management agents that execute external (to FIM) commands.

Initial Load MA’s

Omada provides a number of Management Agents which are used to populate the FIM Portal with the customer’s existing Accounts and group memberships in the target systems such as Active Directory, ADLDS, SAP etc.

SharePoint MA

The SharePoint Management API is based on SharePoint’s standard API. The agent supports full import of users, sites, lists, permissions and permission levels. On export, the agent supports adding user permissions and revokes violating permissions.


“Centrify’s core capability is to extend Active Directory’s authentication, authorization and group policy capabilities to non-Microsoft platforms such as UNIX, Linux and Mac.  In doing this “identity consolidation” into Active Directory, UNIX attributes such as UNIX UIDs, home directories, etc. are stored within Active Directory, including the ability to map multiple UNIX UIDs to a single AD account (this technology is called Centrify Zones).

In order to simplify provisioning of UNIX user profiles within Active Directory, Centrify provides a Provisioning Agent that leverages Active Directory Groups to automate the management of Centrify Zone profiles. Adding a user to the Active Directory control group for a specific Zone will cause the Zone Provisioning Agent to add a UNIX profile for that user to the Zone, similarly if you remove the user from the group it will delete the UNIX profile, and in this way Forefront Identity Manager only needs to manage an Active Directory Group’s membership in order to manage the provisioning of Centrify UNIX profiles.

Also, because Centrify makes the AD username/password the global username/password, FIM’s self-service password reset capabilities reach beyond Windows and into hundreds of non-Microsoft systems.  For a free version of Centrify’s software for Linux/AD integration, check out .”

Oxford Computer Group

For more information:

SharePoint MAclip_image001

Oxford Computer Group’s SharePoint MA makes the creation, deletion and maintenance of up-to-date SharePoint profiles significantly easier. The solution allows an organization’s SharePoint user profiles to be kept up-to-date by FIM. FIM populates the SharePoint user profiles with data from any of its connected data sources, such as Active Directory, HR systems, company white pages, email Global Address Lists etc. By utilizing FIM’s provisioning and deprovisioning power, an organization’s SharePoint user profiles can be created and deleted in line with its business rules. That means a new starter can have access to all the required and approved systems from the minute they join the company. It also means their access privileges can be changed as and when required and removed when they leave. This significantly reduces the possibility of data theft.


Oxford Computer Group provides a solution specifically designed for organizations running SAP HR, R/3 and Netweaver. The MA integrates SAP with FIM, uses standard BAPI calls to manager employees, user and roles By combining the power and flexibility of Microsoft Forefront Identity Manager (FIM) with a bespoke connector for SAP OCG have created a cost-effective and easily deployable solution to address issues of identity and access management.

Delta Generator MA

Oxford Computer Group’s Delta Generator is a Replacement for the Microsoft SQL and Oracle MA. It specifically adds delta imports for those systems that do not support deltas. Significantly reduces sync time, orders of magnitude faster than the MS MA even for full imports in some cases

Blackberry (BES)

MA – Oxford Computer Group (OCG) provide solutions that use Microsoft Forefront Identity Manager (FIM) to manage Blackberry® identity and security by integrating with Blackberry® Enterprise Server (BES), the management solution for Blackberry®. This allows secure access for Blackberrys to be managed through an integrated solution in the same way as other enterprise systems. To complement FIM, OCG has developed a .NET-based Management Agent for BES (BES XMA). This provides added functionality and tighter integration between FIM and BES. The integration of BES XMA helps increase IT productivity and reduce administrative overheads by enabling centralized control and management of user accounts and mobile devices.


For more information:

Identity Broker™ for FIM Connected Directories

The UNIFY Identity Broker, is a service that solves the following issues:

    • Connectivity to specific systems for which no MA exists – Identity Broker allows UNIFY to easily develop MAs to any system using its own API.
    • Providing a framework of common patterns involved in connecting to sources of identity data, including security models, WCF, SOA, interconnectivity with other platforms, data modeling allowing targeted systems to appear as directories to the identity management platform;
    • Complete implementation of all FIM’s extensible management agent interfaces, regardless of the capabilities of the target system;
    • Password synchronisation ability where target system maintains its own identity store for authentication/authorisation; and
    • Real-time capabilities when matched with UNIFY Real-time Broker.
    • Audit capture and reporting within Identity Broker
    • Single Interface for managing all connected Brokers within the ILM/FIM solution
    • GUI management interface for configuration and management, including application schema discovery and mapping
    • Installation and configuration wizard including automated generation of ILM/FIM MA

UNIFY’s list of Identity Broker MAs includes (but is not limited to) the following:

    • Identity Broker for Microsoft SharePoint;
    • Identity Broker for Aurion HRMS (Prevalent Australian Tier 2 HR application);
    • Identity Broker for Frontier chris21 (Prevelant Tier 2 HR and Payroll. Clients in APAC and EMEA)
    • Identity Broker for HP TRIM;
    • IBM Tivoli Access Manager (allows ILM/FIM to manage TAM repository
    • Identity Broker for BigHand Digital Dictation;
    • Identity Broker for Aderant Expert
    • Identity Broker for LexisNexis InterAction.
    • SAP HR (platform and version independent)


Home Directory Management Agent

With the Home Directory Management Agent (HDMA) for FIM, user home directories can be managed with the same ease and familiar environment as other aspects of the identity lifecycle.


Management Agents available on blogs as well as on sites like and

Microsoft Dynamics AX MA

Blog post series describing creating a MA for Dynamics AX:

MIIS/ILM/FIM Code Experiment: Dynamics AX Management Agent (part 1)

MIIS/ILM/FIM Code Experiment: Dynamics AX Management Agent (part 2)

MIIS/ILM/FIM Code Experiment: Dynamics AX Management Agent (part 3)

SharePoint List Management Agent (from Steven Kean at Version3)

The SharePoint List Management Agent is an attempt to provide an easy-to-use, familiar interface between ILM 2007 and a WSS 3.0 or MOSS 2007 list. It is deployed as a “PackagedMA” to help alleviate some of the more tedious tasks involved with the development of extensible management agents (ex. run profile configuration, object type configuration, data manipulation, etc.). For more information and to download the code please click here.

OpenLDAP MA (from SourceForge)

The OpenLDAP Extensible Management Agent (XMA) for Microsoft Identity Lifecycle Manager(ILM)  enables efficient two-way synchronization of identity information with the OpenLDAP directory. For more information and to download the code please click here.

For other LDAP v3 directories such as Oracle Internet Directory you can use the OpenLDAP MA as starting point for integration with FIM.


I will keep updating this post going forward and  I hope this helps in finding the MA’s that you need for your projects.

// Brjann Brekkan

Follow me on Twitter as well

Post updated 29 July with info on Omada’s SharePoint MA