Microsoft Forefront Identity Manager 2010 (FIM) administrators create workflows using one or more activities; these activities can be out-of-box activities that are included in the Microsoft.ResourceManagement.dll assembly, or they can be custom activities. Administrators can then specify when those workflows will be run by associating those workflows with events using Management Policy Rules. (For more information, see Management Policy in FIM.)

Developers can create custom activities and workflows in Microsoft Visual Studio 2008 that can be used in the FIM Service. Custom workflows can include a combination of out-of-box FIM activities, custom activities, or Windows Workflow Foundation (WF) activities. Using Windows Workflow Foundation, you can develop a custom authentication, authorization, or action workflow activity to use in FIM.

To develop custom workflows and activities for FIM, you must know about the FIM request processing model and how to develop workflows and activities for WF. To get started, see the guidance that is provided in the FIM Request Processing overview and Windows Workflow Foundation Programming Guide. For guidelines for creating custom activities and workflows, see Developing Custom Activities and Workflows. For an example of creating a custom activity and using that activity in FIM, see How to: Create a Custom Logging Activity.

Custom Authentication Activities

With FIM, you can modify a Credential plug-in (also known as the gate framework) so that you can create your own authentication gate. For example, you could create a custom authentication gate that requires that a user insert a smart card or provide an RSA key. You would also have to create a custom authentication activity for FIM that would interact with the Credential plug-in. Developer guidance for using the gate framework with FIM is currently not available.

Custom Authorization Activities

The following are some example activities that you can implement using a custom authorization activity.

  • Custom approval activity that has a different time interval for the original set of approvers and escalation approvers.

  • Custom approval activity that has more than two levels of escalation.

  • Custom approval activity that calculates escalation approvers based on information in the FIM Service database at the time that the escalation occurs.

  • Custom activity to validate user input. For example, you could require the user to enter an ExpirationTime for a group that is after today, and no more than a year from now.

  • Custom activity to verify that a potential employeeID value does not already exist in the FIM Service database or another connected system, such as Active Directory Domain Services (AD DS).

  • Custom activity to run any PowerShell script.

  • Activity to log the information about the Request object and the WorkflowDictionary that is associated with the workflow into a file. For more information, see SequentialWorkflow.

We do not recommend updating resources in the FIM Service database in the authorization phase of Request Processing.

Custom Action Activities

The following are some examples of activities that you can implement using a custom action activity:

  • Activity that runs FIM Synchronization Service run profiles from a FIM workflow.

  • Activity to send information to a remote system that is not connected through a FIM management agent.

  • Custom activity to run any PowerShell script. For example, the activity could run a script to connect to the file server that is specified for a new user, create a home-share for the user, and set share and NTFS permissions on the share that is created.

  • Custom activity to generate an ExpirationTime for a Group resource.


To create a FIM custom workflow, you must have the Microsoft .NET Framework 3.5 and Visual Studio 2008 installed.

For custom activities to load correctly and appear in the Workflow Designer in the FIM Portal, they must be signed. For more information, see How to: Sign an Assembly with a Strong Name.

See Also