MIM 2016 SP3 - Sync rules issues

Question

I have upgraded Microsoft Identity Manager 2016 to the newly released SP3 (4.7.6.0). I've managed to upgrade both Synchronization Service and Portal (now using SharePoint Subscription Edition).

I have a management agent using the built in SQL Server. Full Import works fine, but when executing the full sync for this MA I get a lot of errors referring to custom expressions I've built using sync rules in the MIM Portal.

I've noticed that if I create a view in the DB where NULL values are replaced with '' and redirect the MA towards the view. At the same time I unchecked 'Convert empty string to NULL on import' for attributes used in the custom expressions in the sync rule. See image.

This behaviour after the SP3 upgrade has been verified on two separate environments. It feels like the handling of null attributes has changes within the sync rules. Does anyone have a good idea? Who may I contact within the Microsoft MIM Development team?

Answer 1

Hello Andreas Lindholm,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having MIM 2016 SP3 - Sync rules issues.

The issue is caused by SQL NULL values reaching MIM synchronization-rule custom expressions after the MIM 2016 SP3 upgrade. Full Import succeeds because the SQL MA can read the data, but Full Sync fails when the sync-rule expression engine evaluates attributes that are null, missing, or converted back to null during import. The production fix is to normalize every SQL column used in a custom expression to a deterministic value, preserve that value during import, and explicitly handle empty values in the expression using supported MIM logic such as Null() where no value should be contributed. Microsoft documents Null() as the supported no-contribution function, and Microsoft’s sync-rule guidance confirms that synchronization can fail when expected attributes are unavailable. - https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/mim2016-functions-reference, https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/introducing-synchronization-rules---part-2/973298

The below are required steps in order:

1. Confirm the SQL connector is supported. If using SQL Server later than 2017 or Azure SQL, move to the Generic SQL Connector. - https://learn.microsoft.com/en-us/microsoft-identity-manager/supported-management-agents, https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericsql
2. Create a SQL view that replaces NULL with '' for every attribute used in custom expressions.
3. Disable Convert empty string to NULL on import for those same attributes.
4. Update the custom expressions so blank values are handled intentionally and Null() is returned only when no attribute contribution is required. - https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/mim2016-functions-reference
5. Run Delta Import / Delta Sync on the MIM/FIM MA, then Full Import / Full Sync on the SQL MA. - https://learn.microsoft.com/en-us/microsoft-identity-manager/install-mim-sync-ad-service, https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/introducing-synchronization-rules---part-2/973298
6. If the issue still reproduces, open a Microsoft support case under Microsoft Entra ID > User Provisioning and Synchronization > Microsoft Identity Manager (MIM) > Synchronization engine or Connectors. - https://learn.microsoft.com/en-us/microsoft-identity-manager/support-update-for-azure-active-directory-premium-customers

I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.