
FIM: Troubleshooting Codeless Provisioning

Published on Sunday, November 28, 2010

One of the coolest features in FIM 2010 is declarative provisioning. It allows you to do a lot of things by simply clicking together the desired items from within the Portal. The alternative is the “classical rules extension”, which requires writing .NET code to extend the possibilities of an MA. I prefer declarative provisioning. I’m not saying you should abandon classical all the way though. I’m using the following logic to decide between them:

  1. Can it be done from within the Portal (using normal Synchronization Rules)?
  2. If not: can it be done by writing a rules extension to be used in the MA?
  3. If not: can it be done by writing a workflow to be used in the Portal?

I’ve never done 3 to be honest. Most attribute flows and transformations I can manage by defining flows in the Portal. Creating a unique account name I do with a rules extension. I tend to take the best of both worlds. Some people, often seasoned MIIS/ILM folks, still prefer to use classical rules extensions because of the debugging options. I can’t blame them; with the declarative rules you’re sometimes left alone in the dark. So here are some checks to do when your MA of choice is just refusing to show those “provisioning adds” you desire.

This is how it looks when it’s not working: you run your import and synchronization profiles and no “provisioning adds” are shown. All you see is some EAFs back to FIM flowing “Not applied” for the “SynchronizationRuleStatus” attribute. And then you say: What, Not applied? Why? How? It sure as hell isn’t my fault, I did it all by the book!

image

So here is my list of things to check when it’s just not working. It’s not rocket science, but you might have that “Aaah” moment with one of these.

1. Did you check “Create resource in external system”?

image

2. Do you have at least one “Initial Flow Only” flow configured? Even if you want to have all attributes flowed all the time, you should have at least one “Initial Flow Only” flow. If you want the attribute to be flowed always, just add the same flow twice and check “Initial Flow Only” on one of them.

image

3. Is the Outbound Synchronization Rule being added to the object? If it’s not, it’s very likely something is wrong with the definition of the MPR. Or your object isn’t part of the correct set. Or it was already part of the set before you created the MPR; “Run on policy update” might help you here. Verify the provisioning tab of the object:

No SR present:

image

SR pending:

image

4. Is the ERE present in the ExpectedRulesList attribute for the object in the Connector Space (CS) of the FIM MA? If it’s not, something is wrong with the import or the selected attributes of the FIM MA.

image

5. Is the ERE present in the ExpectedRulesList attribute for the object in the Metaverse? If it’s not, something is wrong with the synchronization or IAFs of the FIM MA.

image

6. Did you enable “Synchronization Rules Provisioning” in the Options for the Synchronization Manager? If it’s not checked, declarative provisioning will be disabled.

image

If you have all of these covered, you should see the desired result:

image

And the update of the SynchronizationRuleStatus attribute:

image

This post was written after providing all of the above as possible solutions for the following thread: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/1aa13147-e16c-4e99-a7da-76e3c9e8c10d
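Check 3 can also be read straight from the FIM Service instead of the Portal's provisioning tab. The script below is an added example, not part of the original post; it assumes the FIMAutomation snap-in is installed, the Person is looked up by AccountName, the service runs on the default local endpoint, and the ERE attribute names listed in the output exist in your schema.

```powershell
# Added example (not from the original post): portal-side view of check 3.
# Assumptions: FIMAutomation snap-in is installed, the Person is looked up by
# AccountName, and the FIM Service listens on the default local endpoint.
param(
    [Parameter(Mandatory = $true)][string]$AccountName,
    [string]$Uri = 'http://localhost:5725/ResourceManagementService'
)

# Keep the value safe to embed in the XPath filters below.
if ($AccountName -match "['""]") { throw 'AccountName must not contain quotes.' }

Add-PSSnapin FIMAutomation -ErrorAction Stop

# Flatten an exported resource into a name -> value(s) hashtable.
function ConvertTo-AttributeTable($Exported) {
    $table = @{}
    foreach ($a in $Exported.ResourceManagementObject.ResourceManagementAttributes) {
        if ($a.IsMultiValue) { $table[$a.AttributeName] = @($a.Values) }
        else                 { $table[$a.AttributeName] = $a.Value }
    }
    $table
}

$filter = "/Person[AccountName='$AccountName']"
$person = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $filter)
if ($person.Count -eq 0) { throw "No Person with AccountName '$AccountName'." }

# FIM XPath dereferences the reference attribute and returns the EREs themselves.
$eres = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "$filter/ExpectedRulesList")
if ($eres.Count -eq 0) {
    Write-Warning 'ExpectedRulesList is empty: no Synchronization Rule is attached. Review the MPR and set membership.'
    return
}

# One row per ERE; an attribute missing from the ERE simply prints empty.
foreach ($ere in $eres) {
    $t = ConvertTo-AttributeTable $ere
    New-Object PSObject -Property @{
        SynchronizationRule = $t['SynchronizationRuleName']
        Action              = $t['ExpectedRuleEntryAction']
        Status              = $t['SynchronizationRuleStatus']
        StatusError         = $t['StatusError']
    }
}
```

An empty result points at checks 1 to 3 (MPR, set, Synchronization Rule); an ERE that exists here but whose status stays “Not applied” points at checks 4 to 6 in the Synchronization Service.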

6 Responses to FIM: Troubleshooting Codeless Provisioning

Anonymous
17 January, 2011 01:09

You're amazing

21 March, 2011 13:35

Hi Thomas,
very good article indeed!
I just discovered another possible cause of trouble, i.e. an MPR not being triggered because the requestor is not in All People.
Details here: http://cern.ch/idm/Lists/Posts/Post.aspx?ID=33

Cheers,
Paolo

21 March, 2011 22:02

Hey Paolo,

Thanks for the thumbs up and the interesting blogpost. Definitely something to look closer at in my FIM environment.

Here's another great source for troubleshooting declarative provisioning: TechNet Wiki: Troubleshooting Generic FIM Synchronization Errors

Greetz,
Thomas

Anonymous
30 August, 2011 02:35

Thank you for the article. It turns out the cause of my "Not Applied" message was one not covered here: the Join rules were incorrect in the Management Agent. Took me a while to figure that out, so thought I'd post in case it helps someone else.

11 September, 2011 17:02

Thanks for the feedback!

Anonymous
03 April, 2014 14:49

Excellent article. Another thing to add, which was my problem: expectedRulesList was missing from the FIM MA attribute flow. Adding an import flow for person worked.