Share via


SharePoint 2016 – MIM 2016: Full Sync does not export profile pictures to Active Directory

Consider the following scenario:

You have SharePoint 2016 configured to import user profiles using Microsoft Identity Manager (MIM) 2016 as the External Identity Manager.

You have configured MIM to import profile pictures from Active Directory (AD).

After the pictures have been created in SharePoint, you decide to reverse the flow to export profile pictures from SharePoint back to the thumbnailPhoto attribute in Active Directory.

You make the required attribute flow changes in MIM and update some profile pictures in SharePoint by uploading new photos.

You then notice the following behaviors:

  • For users that already have a photo imported from AD:
    • If a new photo is uploaded in SharePoint, only DeltaImport (aka: incremental sync) for the SharePoint Management Agent (SP MA) will pick up the change and result in an update in Active Directory.

    • FullImport will not pick up the change, even though a completely different profile photo was uploaded.

       

  • For users that never had a profile photo:
    • When one is uploaded, both Full and Delta imports will pick up the change and export it to AD.

 

Why doesn't Full Import pick up the change for users that previously had profile pictures imported from Active Directory?

This happens due to a unique situation created by first importing user profile pictures from Active Directory and then reversing the flow to export profile pictures to Active Directory.

Profile picture import / export for SharePoint has always been a "unique" scenario, meaning it doesn't really follow the same set of rules as importing / exporting other profile properties.  One part that makes profile pictures different from other attributes is that in SharePoint, no matter what you change your profile picture to, the value for the "Picture" property never changes.  It always points to the URL for the medium thumbnail. Example: https://mysite:80/User Photos/Profile Pictures/User1_MThumb.jpg.

There is logic within the SharePoint extension DLL (SharePointSynchronization.dll) to take this URL and do an HTTP GET for the picture to obtain the actual bytes.  That part works during the FullImport, but since the users profile picture already exists in the SharePoint Connector Space, and the value for the "Picture" (PictureURL) property never changes, the FullImport does not recognize the profile picture update as a change.

Note: I tested this behavior with a different attribute (WorkPhone / telephoneNumber) and could not get it to reproduce. The difference there is that when you update WorkPhone in SharePoint, the property value actually changes.

 

How can we fix it?

After reversing the flow for the Picture attribute, you must clear out the SharePoint Connector Space in order to trigger it for update. Once the SharePoint Connector Space is cleared out, you run a Full Import, which will treat all data from SharePoint as new. Once that's been done, subsequent profile picture changes will be picked up by both FullImport and DeltaImport.

1. Clear out the SharePoint Connector Space.

a. In the MIM client (miisclient.exe), go to Management Agents.

b. Right-click on the SharePoint MA and chose Delete.

c. Choose "Delete connector space only"

 

 

2. Run through a Full Synchronization.

a. By this, I mean a Full Import, Full Sync, and Export for both the Active Directory and SharePoint Management Agents.

 

 

That's it.  Step 2 should update all profile pictures in Active Directory, which should update any "stale" ones to reflect the current picture users have within their SharePoint profile.

This should be a one-time thing.  After this is done, any new photo uploads in SharePoint should be exported to AD by either a Full or Delta.