Script to Create Synchronization Rule
Is it possible to script the creation of a synchronization rule via PowerShell? I've tried this but it is failing:
#----------------------------------------------------------------------------------------------------------
# Replace the value of a single-valued attribute (Operation 1 = Replace)
Function SetAttribute
{
Param($object, $attributeName, $attributeValue)
End
{
$importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$importChange.Operation = 1
$importChange.AttributeName = $attributeName
$importChange.AttributeValue = $attributeValue
$importChange.FullyResolved = 1
$importChange.Locale = "Invariant"
If ($object.Changes -eq $null) {$object.Changes = (,$importChange)}
Else {$object.Changes += $importChange}
}
}
#----------------------------------------------------------------------------------------------------------
# Build a new ImportObject with a fresh client-side identifier
Function CreateObject
{
Param($objectType)
End
{
$newObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$newObject.ObjectType = $objectType
$newObject.SourceObjectIdentifier = [System.Guid]::NewGuid().ToString()
$newObject
}
}
#----------------------------------------------------------------------------------------------------------
# Add a value to a multi-valued attribute (Operation 0 = Add)
Function AddMultiValue
{
Param($object, $attributeName, $attributeValue)
End
{
$importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$importChange.Operation = 0
$importChange.AttributeName = $attributeName
$importChange.AttributeValue = $attributeValue
$importChange.FullyResolved = 1
$importChange.Locale = "Invariant"
If ($object.Changes -eq $null) {$object.Changes = (,$importChange)}
Else {$object.Changes += $importChange}
}
}
#----------------------------------------------------------------------------------------------------------
$URI = "http://localhost:5725/resourcemanagementservice"
#Variables
$DisplayName = "Test Sync Rule"
$ConnectedSystem = "{FE78747F-34D3-41D2-ADD6-F823870A1FE4}"
$CreateConnectedSystemObject = $false
$CreateILMObject = $false
$Dependency = "urn:uuid:9bd6345c-9f76-4efa-bc82-1276f07152a"
$FlowType = 2
$ILMObjectType = "person"
$ObjectType = "SynchronizationRule"
$RelationshipCriteria = "<conditions><condition><ilmAttribute>accountName</ilmAttribute><csAttribute>sAMAccountName</csAttribute></condition></conditions>"
$ManagementAgentID = "urn:uuid:cd02a559-18e4-42bf-9be3-1550f5a57974"
$PersistentFlow = "<export-flow allows-null=`"false`"><src><attr>accountName</attr></src><dest>dn</dest><scoping></scoping><fn id=`"+`" isCustomExpression=`"false`"><arg>`"CN=`"</arg><arg>accountName</arg><arg>`",OU=Department,OU=People,DC=my,DC=domain,DC=com`"</arg></fn></export-flow>"
If(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {Add-PSSnapin FIMAutomation}
$NewSR = CreateObject -objectType $ObjectType
SetAttribute -object $NewSR -attributeName "DisplayName" -attributeValue $DisplayName
SetAttribute -object $NewSR -attributeName "ConnectedSystem" -attributeValue $ConnectedSystem
SetAttribute -object $NewSR -attributeName "CreateConnectedSystemObject" -attributeValue $CreateConnectedSystemObject
SetAttribute -object $NewSR -attributeName "CreateILMObject" -attributeValue $CreateILMObject
SetAttribute -object $NewSR -attributeName "Dependency" -attributeValue $Dependency
SetAttribute -object $NewSR -attributeName "FlowType" -attributeValue $FlowType
SetAttribute -object $NewSR -attributeName "ILMObjectType" -attributeValue $ILMObjectType
SetAttribute -object $NewSR -attributeName "RelationshipCriteria" -attributeValue $RelationshipCriteria
SetAttribute -object $NewSR -attributeName "ManagementAgentID" -attributeValue $ManagementAgentID
AddMultiValue -object $NewSR -attributeName "PersistentFlow" -attributeValue $PersistentFlow
$NewSR | Import-FIMConfig -uri $URI
The error in the FIM application log is:
Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: SystemConstraint ---> System.InvalidOperationException: The string attribute ILMObjectType does not exist.
--- End of inner exception stack trace ---
at Microsoft.ResourceManagement.ActionProcessor.SyncRuleActionProcessor.PreProcessCreateRequest(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.SyncRuleActionProcessor.PreProcessRequestFromObjectType(RequestType request)
at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.PreProcessRequestFromObjectType(RequestType request)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, Boolean maintenanceMode, String synchronizationSequenceIdentifier)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, String synchronizationSequenceIdentifier)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)
July 21st, 2011 10:39pm
Is it possible? Yes. SharePoint does it. They have their own WCF client but they certainly create MAs and SRs via the WS.
Are there any documented examples? No. Has anyone done it via PowerShell? Not yet (that I've heard of).
July 22nd, 2011 3:05am
I just took your code into my lab and here are some tips:
First try configuring your SR by hand: note down every choice/value you have to provide.
The advanced view of an existing rule can give you the attributes which are required (those with an asterisk).
The schema (attributes) can show you what system names those attributes have.
This way you will detect that:
$FlowType = 2 means Inbound and Outbound. You can't have a dependency specified for anything other than an Outbound rule.
The errors shown in the PowerShell prompt are often very unclear. However, if you take a peek in the FIM Event Log:
Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: SystemConstraint ---> System.InvalidOperationException: Cannot modify the data flow direction because this Synchronization Rule has a dependency. The data flow direction is defined by the Synchronization Rule’s dependency.
Another issue:
You specify both ConnectedSystem and ManagementAgentID. For an outbound (type 1) rule you may only specify one:
Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: SystemConstraint ---> System.InvalidOperationException: A value must be provided for exactly one of the following attributes: ConnectedSystem , ManagementAgentID.
Also for an outbound (type 1) rule you need to specify a value ($true or $false) for DisconnectConnectedSystemObject
Request '2cd25efb-1334-42d9-b3b8-08e84de73ce6' failed while trying to commit the changes to the database. Exception: 'AttributeFailureCode: 'RequiredValueIsMissing', AttributeName: 'DisconnectConnectedSystemObject', '.
Here's your modified code to create an Outbound SR (just a sample):
#----------------------------------------------------------------------------------------------------------
# Replace the value of a single-valued attribute (Operation 1 = Replace)
Function SetAttribute
{
Param($object, $attributeName, $attributeValue)
End
{
$importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$importChange.Operation = 1
$importChange.AttributeName = $attributeName
$importChange.AttributeValue = $attributeValue
$importChange.FullyResolved = 1
$importChange.Locale = "Invariant"
If ($object.Changes -eq $null) {$object.Changes = (,$importChange)}
Else {$object.Changes += $importChange}
}
}
#----------------------------------------------------------------------------------------------------------
# Build a new ImportObject with a fresh client-side identifier
Function CreateObject
{
Param($objectType)
End
{
$newObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$newObject.ObjectType = $objectType
$newObject.SourceObjectIdentifier = [System.Guid]::NewGuid().ToString()
$newObject
}
}
#----------------------------------------------------------------------------------------------------------
# Add a value to a multi-valued attribute (Operation 0 = Add)
Function AddMultiValue
{
Param($object, $attributeName, $attributeValue)
End
{
$importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$importChange.Operation = 0
$importChange.AttributeName = $attributeName
$importChange.AttributeValue = $attributeValue
$importChange.FullyResolved = 1
$importChange.Locale = "Invariant"
If ($object.Changes -eq $null) {$object.Changes = (,$importChange)}
Else {$object.Changes += $importChange}
}
}
#----------------------------------------------------------------------------------------------------------
$URI = "http://localhost:5725/resourcemanagementservice"
#Variables
$DisplayName = "Test Sync Rule"
$ConnectedSystem = "{09A22997-1E65-4745-9259-DE047EF3E524}"
$CreateConnectedSystemObject = $false
$CreateILMObject = $false
$Dependency = "urn:uuid:a91ecb11-d692-4bb1-ae9b-a2cd56956ce1"
$FlowType = 1
$ILMObjectType = "person"
$ConnectedObjectType = "user"
$ObjectType = "SynchronizationRule"
$RelationshipCriteria = "<conditions><condition><ilmAttribute>accountName</ilmAttribute><csAttribute>sAMAccountName</csAttribute></condition></conditions>"
$ManagementAgentID = "urn:uuid:657745e6-8d15-4cfb-889e-1cca82d7d69d"
$PersistentFlow = "<export-flow><src><attr>accountName</attr></src><dest>sAMAccountName</dest><scoping></scoping></export-flow>"
$DisconnectConnectedSystemObject = $false
If(@(Get-PSSnapin | Where-Object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {Add-PSSnapin FIMAutomation}
$NewSR = CreateObject -objectType $ObjectType
SetAttribute -object $NewSR -attributeName "DisplayName" -attributeValue $DisplayName
#SetAttribute -object $NewSR -attributeName "ConnectedSystem" -attributeValue $ConnectedSystem
SetAttribute -object $NewSR -attributeName "CreateConnectedSystemObject" -attributeValue $CreateConnectedSystemObject
SetAttribute -object $NewSR -attributeName "ConnectedObjectType" -attributeValue $ConnectedObjectType
SetAttribute -object $NewSR -attributeName "CreateILMObject" -attributeValue $CreateILMObject
SetAttribute -object $NewSR -attributeName "DisconnectConnectedSystemObject" -attributeValue $DisconnectConnectedSystemObject
SetAttribute -object $NewSR -attributeName "Dependency" -attributeValue $Dependency
SetAttribute -object $NewSR -attributeName "FlowType" -attributeValue $FlowType
SetAttribute -object $NewSR -attributeName "ILMObjectType" -attributeValue $ILMObjectType
SetAttribute -object $NewSR -attributeName "RelationshipCriteria" -attributeValue $RelationshipCriteria
SetAttribute -object $NewSR -attributeName "ManagementAgentID" -attributeValue $ManagementAgentID
AddMultiValue -object $NewSR -attributeName "PersistentFlow" -attributeValue $PersistentFlow
$NewSR | Import-FIMConfig -uri $URI
http://setspn.blogspot.com
July 22nd, 2011 9:02am
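As an added example that is not part of the thread (neither the asker's nor the answerer's code, nor anything shipped with FIM), the constraints the answer extracted from the event log can be checked client side before the object is piped to Import-FIMConfig, so a bad definition is reported at the prompt instead of as a PermissionDeniedException in the log. The function names, the PSObject stand-in used for the offline run, the placeholder identifiers, and the "Forefront Identity Manager" event log name are my assumptions; the thread itself only states that FlowType 1 is Outbound and FlowType 2 is Inbound and Outbound.

```powershell
# Added example, not code from the thread or from FIM. Pre-flight checks for a
# SynchronizationRule ImportObject, encoding the SystemConstraint messages quoted above.

Function Get-ImportAttributeMap
{
    Param($object)
    # Flatten the pending ImportChange list into name -> value so the rules are easy to express.
    # A multi-valued attribute (PersistentFlow) keeps only its last value here, which is enough for these checks.
    $map = @{}
    ForEach ($change In @($object.Changes)) {
        If ($change -ne $null) { $map[$change.AttributeName] = $change.AttributeValue }
    }
    $map
}

Function Test-FimSyncRuleImport
{
    Param($object)
    # Returns an array of problem strings; an empty result means every check passed.
    $problems = @()
    If ($object.ObjectType -ne "SynchronizationRule") {
        Return "ObjectType is '$($object.ObjectType)', expected 'SynchronizationRule'"
    }
    $attrs = Get-ImportAttributeMap -object $object

    # Attributes the working outbound sample in the answer always sets.
    ForEach ($name In @("DisplayName", "FlowType", "ILMObjectType", "ConnectedObjectType",
                        "CreateILMObject", "CreateConnectedSystemObject", "RelationshipCriteria")) {
        If (-not $attrs.ContainsKey($name)) { $problems += "Required attribute '$name' is missing" }
    }

    If ($attrs.ContainsKey("FlowType")) {
        $isOutbound = ([int]$attrs["FlowType"] -eq 1)   # 1 = Outbound per the answer above

        # "A value must be provided for exactly one of the following attributes: ConnectedSystem, ManagementAgentID"
        $hasCS = $attrs.ContainsKey("ConnectedSystem")
        $hasMA = $attrs.ContainsKey("ManagementAgentID")
        If ($isOutbound -and ($hasCS -eq $hasMA)) {
            $problems += "Outbound rule: specify exactly one of ConnectedSystem or ManagementAgentID"
        }
        # "Cannot modify the data flow direction because this Synchronization Rule has a dependency"
        If ($attrs.ContainsKey("Dependency") -and -not $isOutbound) {
            $problems += "Dependency is only valid on an Outbound (FlowType 1) rule; FlowType is $($attrs['FlowType'])"
        }
        # "AttributeFailureCode: 'RequiredValueIsMissing', AttributeName: 'DisconnectConnectedSystemObject'"
        If ($isOutbound -and -not $attrs.ContainsKey("DisconnectConnectedSystemObject")) {
            $problems += "Outbound rule requires DisconnectConnectedSystemObject (`$true or `$false)"
        }
    }

    # XML-valued attributes must at least parse; the service rejects an unclosed tag with an unhelpful error.
    ForEach ($name In @("RelationshipCriteria", "PersistentFlow")) {
        If ($attrs.ContainsKey($name)) {
            Try   { $null = [xml]$attrs[$name] }
            Catch { $problems += "$name is not well-formed XML: $($_.Exception.Message)" }
        }
    }
    $problems
}

Function Get-FimRecentConstraintErrors
{
    # Log name is an assumption; adjust it if your FIM service logs elsewhere.
    Param($logName = "Forefront Identity Manager", $maxEvents = 50)
    # Surfaces the SystemConstraint messages quoted in the thread, which are far clearer than the prompt's output.
    Get-WinEvent -LogName $logName -MaxEvents $maxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "SystemConstraint|RequiredValueIsMissing" } |
        Select-Object TimeCreated, Message
}

# Constructed stand-in with the same ObjectType/Changes shape as the ImportObject, so the checks
# run without the FIMAutomation snap-in. With the snap-in loaded, pass the real $NewSR instead.
# The identifiers are placeholders, not values from any real environment.
$demo = New-Object PSObject -Property @{ ObjectType = "SynchronizationRule"; Changes = @() }
ForEach ($pair In @(@("DisplayName", "Test Sync Rule"), @("FlowType", 2), @("ILMObjectType", "person"),
                    @("ConnectedObjectType", "user"), @("CreateILMObject", $false),
                    @("CreateConnectedSystemObject", $false), @("Dependency", "urn:uuid:PLACEHOLDER-DEPENDENCY"),
                    @("ManagementAgentID", "urn:uuid:PLACEHOLDER-MA"), @("ConnectedSystem", "{PLACEHOLDER-CS}"),
                    @("RelationshipCriteria", "<conditions><condition><ilmAttribute>accountName</ilmAttribute><csAttribute>sAMAccountName</csAttribute</condition></conditions>"))) {
    $demo.Changes += New-Object PSObject -Property @{ AttributeName = $pair[0]; AttributeValue = $pair[1] }
}

$issues = @(Test-FimSyncRuleImport -object $demo)
If ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ } }
Else { Write-Host "Sync rule definition passed pre-flight checks; safe to pipe to Import-FIMConfig" }
```

Run against the constructed object above, the checks flag two problems: Dependency is set on a FlowType 2 rule, and RelationshipCriteria carries the unclosed csAttribute tag from the original post. Setting both ConnectedSystem and ManagementAgentID is only reported once FlowType is changed to 1, matching the answer's statement that the exactly-one rule applies to outbound rules. In a real run, wrap the call in the script so that Import-FIMConfig only executes when the returned array is empty, and use Get-FimRecentConstraintErrors after a failed import instead of reading the event log by hand.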