SharePoint 2016: Import profile pictures with MIM 2016 - walkthrough

In this post, I'll walk through importing user profile pictures into SharePoint 2016 with Microsoft Identity Manager (MIM) 2016, using a ton of screenshots. The idea is to show how the process works so you know how to configure it and where to look when something goes wrong.

After completing the basic SharePoint 2016 / Microsoft Identity Manager (MIM) 2016 setup, as described here:
https://thesharepointfarm.com/2016/03/basic-mim-configuration-support-sharepoint-2016/
I found that the proper attribute mappings are already there when the Management Agents are configured.


 

AD Management Agent:

 

SharePoint Management Agent:

 

-- From there this appears to work exactly the same way it did in 2010 / 2013 with FIM Sync.

-- Add some pictures to my AD accounts:

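Import-Module ActiveDirectory
# Read the JPEG as raw bytes (Windows PowerShell syntax)
$photo=[byte[]](Get-Content C:\pics\karl.jpg -Encoding byte)
# Write the bytes to the user's thumbnailPhoto attribute in AD
Set-ADUser "karl" -Replace @{thumbnailPhoto=$photo}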

-- I did this for the following 5 users:
Karl
Vern
EVedder
MJagger
JLennon

 

-- I can see that worked in AD because thumbnailPhoto is now populated:

 

-- Run a MIM Sync.

-- The AD Import step shows I have a thumbnailPhoto in the AD Connector space:

 

And SharePoint Export shows it as well:

IMPORTANT: Just because MIM doesn't throw an error on export does not mean that the picture was successfully saved in SharePoint during the Export step. You'd have to look at the SharePoint ULS logs from the Central Admin server (or whichever server MIM is pointed to) that cover the duration of the SharePoint EXPORT step. It helps to have a specific user in mind so you can find the applicable entries in the logs.
For an example of a problem you may run into on this step, see my other blog post here: https://blogs.technet.microsoft.com/spjr/2017/06/20/sharepoint-2016-some-profile-pictures-are-not-imported-from-mim-2016/

 

-- Now the User Photos library at the root of the MySite Host site collection shows I have 5 GUID-named pictures:

 

The number after the underscore is the RecordID for the profile that the picture belongs to.
For example:
0c37852b-34d0-418e-91c6-2ac25af4be5b_22.jpg

So I have pictures for RecordIDs 22, 36, 37, 38, and 39 in the UserProfile_Full table in the Profile database:

However, I still have zero profiles that are showing pictures:

 

-- Now I need to run the following PowerShell to change the GUID-named pictures into the three thumbnails and link them to their profiles:

Update-SPProfilePhotoStore -CreateThumbnailsForImportedPhotos $true -MySiteHostLocation https://j16mysite

Note: If you aren't running PowerShell as a user that has Full Control permission to the UPA (like the farm admin), it will fail with Access Denied:

 Update-SPProfilePhotoStore : UserProfileDBCache_WCFLogging :: 
ProfileDBCacheServiceClient.GetUserData threw exception: Access is denied.
At line:1 char:1
+ Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos $true

All you need to do is give the user running the PowerShell permission to the User Profile Service Application (UPA) in Central Admin.

 

-- Now that I ran Update-SPProfilePhotoStore, I have 3 thumbnails for each user instead of the GUID-named pictures:

-- And they are linked to their respective profiles:

 

-- I can see the picture when I edit the user's profile in Central Admin as well:

Closing Thoughts:

  • Just like in 2010 and 2013, you need to run the "Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos" command after every Sync (full and incremental).  It's the only way to create the thumbnails and set the new picture for the user.  I recommend creating a scheduled task or custom timer job to automate this.
  • SharePoint logging (ULS) is only useful for troubleshooting the Sync steps for the SharePoint Management Agent (SPMA).  Typically only the logs from the server that MIM is pointed to are needed.
  • If you see errors during any Sync step in the MIM client (miisclient.exe), check the Application event log on the MIM server for details.
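
One way to script the post-Sync step recommended above so it can run from a scheduled task (an added example, not code from the original post). It assumes the MySite host URL used in this walkthrough, a hypothetical log path C:\Logs\PhotoStore.log, and that any file still named <GUID>_<RecordID>.jpg in the User Photos library after the run is a picture that was not converted:

```powershell
# Added example, not from the original post. Run on a SharePoint 2016 server
# as an account that has Full Control on the User Profile Service Application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$mySiteHost = 'https://j16mysite'          # MySite host URL from this walkthrough
$logFile    = 'C:\Logs\PhotoStore.log'     # assumed path; the folder must already exist

# Imported but unprocessed pictures are named <GUID>_<RecordID>.jpg
$pending = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}_(?<RecordId>\d+)\.jpg$'

function Get-PendingPhotoRecordId {
    param([string]$SiteUrl)
    $web = Get-SPWeb $SiteUrl
    try {
        $query = New-Object Microsoft.SharePoint.SPQuery
        $query.ViewAttributes = "Scope='Recursive'"    # include files in subfolders
        foreach ($item in $web.Lists['User Photos'].GetItems($query)) {
            if ($item.File.Name -match $pending) { [int]$Matches['RecordId'] }
        }
    }
    finally { $web.Dispose() }
}

$before = @(Get-PendingPhotoRecordId -SiteUrl $mySiteHost)
try {
    # -ErrorAction Stop turns errors such as "Access is denied" into a catchable failure
    Update-SPProfilePhotoStore -CreateThumbnailsForImportedPhotos $true `
        -MySiteHostLocation $mySiteHost -ErrorAction Stop
    $status = 'OK'
}
catch {
    $status = "FAILED: $($_.Exception.Message)"
}
$after = @(Get-PendingPhotoRecordId -SiteUrl $mySiteHost)

# One line per run: timestamp, result, RecordIDs pending before and after
"{0:s} {1} pendingBefore=[{2}] pendingAfter=[{3}]" -f (Get-Date), $status,
    ($before -join ','), ($after -join ',') | Add-Content -Path $logFile

# A non-zero exit code lets Task Scheduler show the run as failed
if ($status -ne 'OK' -or $after.Count -gt 0) { exit 1 }
```

The RecordIDs written to the log can be matched against the UserProfile_Full table to identify which users to look for in the ULS logs.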