Notice Version 2.0

Version 2.0 is not backwards compatible with 1.0; export your workflows before upgrading! The following exports the scripts from all workflow definitions that use the PowerShellActivity:
Get-FIMResource '/WorkflowDefinition' |% { 
  $wf = $_; ([XML]$_.XOML).DocumentElement.ChildNodes.GetEnumerator() |? { $_.LocalName -eq 'PowerShellActivity' } |% { $_.Script } | select @{L='Workflow';E={$wf.DisplayName}},@{L='Script';E={$_}} 
} | fl *
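
The same extraction also gives you a review baseline for scripts that, by default, run as the FIMService account. The following is an added example, not part of the project's code: it records a SHA-256 digest per script so later changes can be detected, and it goes beyond the one-liner above by also matching activities nested below the top level. The function name Get-PowerShellActivityScript, the sample XOML and the CSV file name are constructed for illustration.

```powershell
# Added example: digest every PowerShellActivity script found in a workflow's XOML.
function Get-PowerShellActivityScript {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $WorkflowName,
        [Parameter(Mandatory = $true)] [string] $Xoml
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # local-name() ignores the namespace prefix and also matches nested activities.
        $nodes = ([xml]$Xoml).SelectNodes("//*[local-name()='PowerShellActivity']")
        foreach ($node in $nodes) {
            $body   = [string]$node.Script
            $bytes  = [System.Text.Encoding]::UTF8.GetBytes($body)
            $digest = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
            New-Object PSObject -Property @{
                Workflow = $WorkflowName
                Sha256   = $digest
                Script   = $body
            }
        }
    }
    finally { $sha.Clear() }
}

# Constructed sample XOML (namespaces are placeholders) so the function runs offline.
$sampleXoml = @'
<ns0:SequentialWorkflow xmlns:ns0="urn:example:workflow" xmlns:ns1="urn:example:activities">
  <ns1:PowerShellActivity Script="param($RequestId) 'constructed sample'" />
</ns0:SequentialWorkflow>
'@
Get-PowerShellActivityScript -WorkflowName 'Sample workflow' -Xoml $sampleXoml | fl Workflow, Sha256

# Against a live service, using the page's own Get-FIMResource call:
# Get-FIMResource '/WorkflowDefinition' |
#   % { Get-PowerShellActivityScript -WorkflowName $_.DisplayName -Xoml $_.XOML } |
#   Export-Csv .\PowerShellActivity-baseline.csv -NoTypeInformation
```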

Installation

Copy the assembly to the FIMService and FIM Portal server(s) and then drag-drop it into the GAC (C:\Windows\assembly).

In the FIM Portal go to Administration -> All Resources and select Activity Information Configuration. Click New and enter the following information:

Attribute: Value
Display Name: PowerShell Activity
Description: Activity to execute PowerShell scripts as part of a workflow.
Activity Name: FIM.PowerShell.Workflow.Activities.PowerShellActivity
Assembly Name: FIM.PowerShell.Workflow.Activities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f681f8b177020005
Is Action Activity: X
Is Authentication Activity: X
Is Authorization Activity: X
Type Name: FIM.PowerShell.Workflow.Activities.PowerShellActivitySettingsPart



For more information, see the "Configuring the Activity in FIM" section of http://msdn.microsoft.com/en-us/library/ff859524.aspx

If you have installed the FIM PowerShell Module, you can use the following PowerShell script to add the ActivityInformationConfiguration:
Import-Module FIM

New-FIMResource -ObjectType 'ActivityInformationConfiguration' -Attributes @{
  DisplayName = 'PowerShell Activity';
  Description = 'Activity to execute PowerShell scripts as part of a workflow.';
  ActivityName = 'FIM.PowerShell.Workflow.Activities.PowerShellActivity';
  AssemblyName = 'FIM.PowerShell.Workflow.Activities, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f681f8b177020005';
  IsActionActivity = 'True';
  IsAuthenticationActivity = 'True';
  IsAuthorizationActivity = 'True';
  IsConfigurationType = 'False';
  TypeName = 'FIM.PowerShell.Workflow.Activities.PowerShellActivitySettingsPart'
} | Set-FIMResource -ComputerName 'FIMServiceHost'

Usage

The activity has two primary settings, the Run As and the actual script.


Run As

This setting controls which identity the script runs as. The default is the FIMService account. The only other option at this time is to run as the Requestor.

This is useful if you want to delegate permissions to just the FIMService account, or if you want to perform some action as the requestor that initiated the workflow.

Script

The PowerShell script is just that: a script that will be executed. For security reasons, the script is actually run in an isolated AppDomain.

By default, the parameters from the SequentialWorkflow object are passed to the script as parameters. These include ActorId, TargetId, RequestId, WorkflowDefinitionId, and WorkflowData, which is the WorkflowDictionary property. So that you can use these parameters, the activity injects the default param list when you add the activity to the designer:
param($WorkflowDefinitionId, $RequestId, $TargetId, $ActorId, $WorkflowData)

WorkflowData
Each item in the workflow data is also passed to the script as a parameter. For instance, if you use a function evaluator above the script to set [//WorkflowData/RequestorAccountName] to the Requestor/AccountName value, you can add $RequestorAccountName to the end of the param statement to use that value:
param($WorkflowDefinitionId, $RequestId, $TargetId, $ActorId, $WorkflowData, $RequestorAccountName)

You can also change workflow data values through this parameter, as it is a reference to the actual WorkflowDictionary property of the workflow that contains the activity. This means you can modify or add outbound workflow data:
$WorkflowData['CurrentDateTime'] = [DateTime]::Now
You can then use this workflow data in subsequent activities, such as the notification or function evaluator, by using the workflow data reference [//WorkflowData/CurrentDateTime].
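
A script body that checks an injected workflow data value before anything uses it, and writes the result back as outbound workflow data. This is an added example, not the project's own code; the allow-list pattern and the AccountNameValid key are assumptions, while the param list and the CurrentDateTime key follow the text above.

```powershell
param($WorkflowDefinitionId, $RequestId, $TargetId, $ActorId, $WorkflowData, $RequestorAccountName)

# Run from a console for testing, no dictionary is passed in; fall back to an empty one.
if ($null -eq $WorkflowData) { $WorkflowData = @{} }

# Assumed allow-list for account names; adjust to your directory's naming rules.
# \A and \z anchor the whole string, so a trailing newline cannot slip past the check.
$accountNamePattern = '\A[A-Za-z0-9._-]{1,20}\z'

# The value originates from the request, so validate it before any command sees it.
$name    = [string]$RequestorAccountName
$isValid = $name -cmatch $accountNamePattern

# Outbound workflow data that later activities can reference,
# e.g. [//WorkflowData/AccountNameValid] (hypothetical key).
$WorkflowData['AccountNameValid'] = $isValid
$WorkflowData['CurrentDateTime']  = [DateTime]::Now

if (-not $isValid) {
    # Stop the script without echoing the rejected value into the error text.
    throw "Request ${RequestId}: RequestorAccountName failed validation."
}

# From here on, pass $name only as a bound argument to cmdlets;
# never build command text from it (no Invoke-Expression, no string-built command lines).
```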

Examples

Using the PowerShell workflow activity to disable an Active Directory account immediately

Last edited May 2, 2014 at 12:23 AM by adweigert, version 8

Comments

AgentPineapple May 14, 2013 at 10:35 PM 
Hi,
I've installed the PowerShell workflow activity and have added an activity to an AD sync rule, this should execute a simple script to dump some data to a text file, but it fails to run.

The errors in the Forefront Identity Manager event log are difficult to diagnose, how can I go about troubleshooting?

Thanks

arbhushan Feb 12, 2013 at 12:50 PM 
I need to run a powershell command with the user's email address as an argument. How can I read the email attribute from the Metaverse or FIM Portal DB in the Powershell Activity?

drmiru Sep 7, 2012 at 11:43 AM 
Hi adweigert

The Activity Information Configuration has been successfully created. I copied the dll into C:\Windows\assembly\GAC, but the activity type is not listed when I create a new workflow. Guess I missed something little stupid?

Thanks
Michael

richardgil Jun 11, 2012 at 7:29 AM 
Hi adweigert,

Thanks for this excellent powershell activity! We've been trying it out and really like it. There's just one thing we can't seem to get working though -

We can get information from the workflow into the activity, but can't seem to get it back out although we've followed the examples in your "disable an ad account".

If I set $WorkflowData['test'] = "hello world" and then try and do anything with [//WorkflowData/test] in the next part of the workflow, I get an empty value. I've sent the variables to a text file using "Out-File" and this confirms the variable is set correctly in the first part of the workflow, but is blank in the next step.

Do you have any ideas?

Thanks a million
Richard