---
title: PowerShell
description: The PowerShell application template allows you to provision users to a PowerShell instance.
component: pingoneaic
page_id: pingoneaic:app-management:applications/powershell
canonical_url: https://docs.pingidentity.com/pingoneaic/app-management/applications/powershell.html
section_ids:
  register_the_application: Register the application
  configure_provisioning: Configure provisioning
  provision_side_tabs: Provision side tabs
  next_steps: Next steps
---

# PowerShell

The PowerShell application template allows you to provision users to a PowerShell instance.

## Register the application

1. In the Advanced Identity Cloud admin console, go to Applications, and click Browse App Catalog.

2. In the Browse App Catalog modal, select an application, and click Next.

3. Review the Application Integration information, and click Next.

4. In the Application Details window, specify the name, description, application owners, and logo for the application.

5. To make the application an [Authoritative](../applications.html#target_and_authoritative_applications) source of identity data, select the Authoritative check box. This option is not available for every application.

6. Click Create Application.

## Configure provisioning

You can use the PowerShell Connector Toolkit to create connectors that can provision any Microsoft system, including but not limited to Active Directory, Microsoft SQL, MS Exchange, SharePoint, Office365, and Azure. Any task performed with PowerShell can be executed through connectors based on this toolkit.

The PowerShell Connector Toolkit lets you develop connectors in PowerShell that address the requirements of your Microsoft Windows ecosystem. The framework is included with the .NET RCS server. Note that the framework itself is not a connector.

The PowerShell Connector Toolkit is built into the .NET RCS server.

Connectors created with the PowerShell Connector Toolkit run on the .NET platform and require the installation of a .NET connector server on the Windows system. To install the .NET connector server, refer to [Sync identities](../../identities/sync-identities.html).

Note: The PowerShell connector combines a command-line shell and scripting language, built on the .NET Framework. For more information, refer to [PowerShell Documentation](https://learn.microsoft.com/en-us/powershell/).

1. In the Advanced Identity Cloud admin console, on the Provisioning tab:

   * If setting up provisioning for the first time:

     1. If you have not done so already, [create an application](#register_the_application).

     2. On the Provisioning tab, click Set up Provisioning.

     3. [Choose a server or server cluster](../register-an-application.html).

   * When editing existing settings in the Connection area, click Settings.

2. Configure the following fields:

   | Field                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
   | --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Active Directory Host                   | The host name or IP address of the Active Directory server.                                                                                                                                                                                                                                                                                                                                                                                                                 |
   | Active Directory Port                   | The port number on which the remote resource listens for connections.                                                                                                                                                                                                                                                                                                                                                                                                       |
   | Login                                   | The user account in the remote resource that is used for the connection.                                                                                                                                                                                                                                                                                                                                                                                                    |
   | Password | The password of the user account that is used for the connection. |
   | Authenticate Script | The name of a script file that uses a custom PowerShell script to implement the [ICF authenticate operation](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-authenticate.html). The ICF authenticate operation lets an application authenticate an object on the target system, usually with a unique identifier (username) and a password. To reference a script, use the format `C:\path\to\script\script.ps1`. |
   | Create Script | The name of a script file that uses a custom PowerShell script to implement the [ICF create operation](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-create.html). The ICF create operation lets an application create objects on the target system. To reference a script, use the format `C:\path\to\script\script.ps1`. |
   | Delete Script | The name of a script file that uses a custom PowerShell script to implement the [ICF delete operation](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-delete.html). The ICF delete operation lets an application delete objects on the target system. To reference a script, use the format `C:\path\to\script\script.ps1`. |
   | Schema Script | The name of a script file that uses a custom PowerShell script to implement the [ICF schema operation](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-schema.html). The ICF schema operation lets an application describe the types of objects that it can handle on the target system and the operations and options that the connector supports for each object type. To reference a script, use the format `C:\path\to\script\script.ps1`. |
   | Search Script | The name of a script file that uses a custom PowerShell script to implement the [ICF search operation](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-search.html). The ICF search operation lets an application search for objects on the target system. To reference a script, use the format `C:\path\to\script\script.ps1`. |
   | Sync Script | The name of a script file that uses a custom PowerShell script to implement the [ICF sync operation](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-sync.html). The ICF sync operation lets an application poll the target system for synchronization events created by changes to target objects. To reference a script, use the format `C:\path\to\script\script.ps1`. |
   | Test Script | The name of a script file that uses a custom PowerShell script to implement the [ICF test operation](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-test.html). The ICF test operation lets an application test the connector configuration against the target system. To reference a script, use the format `C:\path\to\script\script.ps1`. |
   | Update Script | The name of a script file that uses a custom PowerShell script to implement the [ICF update operation](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-update.html). The ICF update operation lets an application update (modify or replace) objects on the target system. To reference a script, use the format `C:\path\to\script\script.ps1`. |
   | UID attribute name                      | The attribute on the resource that contains the object `UID`.                                                                                                                                                                                                                                                                                                                                                                                                               |
   | NAME attribute name                     | The attribute on the resource that contains the object `NAME`.                                                                                                                                                                                                                                                                                                                                                                                                              |
   | Substitute UID and NAME in query filter | Enable if the `UID` and `NAME` should be replaced by the value defined in the `NameAttributeName` and `UidAttributeName` in the query filter.                                                                                                                                                                                                                                                                                                                               |

3. Optionally, click Show advanced settings to set any of the following options:

   **Application specific settings**

   | Field                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                      |
   | -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Variables Prefix | To avoid variable namespace conflicts, define a prefix for script variables. All variables are injected into the script under that prefix and can be used with the dotted notation. The default value is `Connector`. |
   | Query Filter Type | To define the format used when injecting the query into the connector, set a query filter type by clicking one of the following: Map (the query filter is a map); Ldap (the query filter is in LDAP search format, for example, `(cn=Joe)`); Native (the query filter is a native OpenICF query filter); AdPsModule (the query filter is compatible with the Active Directory PowerShell module, `Get-ADUser Filter`). |
   | Reload script on execution | To reload the script from disk every time the connector executes the script, enable this setting. This can be useful for debugging. In production, disable this setting. |
   | Use Interpreter's Pool     | To leverage the PowerShell RunSpace Pool, enable this setting.                                                                                                                                                                                                                                                                                                                                                                   |
   | Min interpreter pool size  | The minimum size of the interpreter pool. The default value is `1`.                                                                                                                                                                                                                                                                                                                                                              |
   | Max interpreter pool size  | The maximum size of the interpreter pool. The default value is `5`.                                                                                                                                                                                                                                                                                                                                                              |
   | Pool cleanup interval | The interval (in minutes) at which unused interpreter instances are discarded. To avoid cleaning up unused interpreter instances, set this property to `0`. The default value is `60`. |
   | PS Modules to Import | An array of additional PowerShell modules that must be imported. |
   | Custom Properties          | An array of Strings that define custom configuration properties. Each property uses the format `name=value`.                                                                                                                                                                                                                                                                                                                     |
   | Exclude Unmodified         | Select this option to synchronize only the modified properties on a target resource.                                                                                                                                                                                                                                                                                                                                             |

   **Pool configuration**

   | Field                                   | Description                                                                                                                                                                           |
   | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Max idle and active container instances | The maximum number of idle and active container instances. The default value is `10`.                                                                                                 |
   | Max Idle Connector Instances            | The maximum number of idle connector instances. The default value is `10`.                                                                                                            |
   | Set Timeout Period | Select to enable a timeout period for the connection. After enabling, configure the following: Timeout period (ms), the timeout period in milliseconds. |
   | Set Minimum Idle Time | Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, configure the following: Min idle time (ms), the minimum idle time in milliseconds. |
   | Min Idle Instances                      | The minimum number of idle connector instances.                                                                                                                                       |

   **Result Handler configuration**

   | Field                                                                   | Description                                                                       |
   | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
   | Enable for connectors with the attribute normalizer interface           | Enables the attribute normalizer interface for supported connectors.              |
   | Enable local filtering/search features                                  | Enables local filtering and search capabilities.                                  |
   | Enable case insensitive filter                                          | Configures filters to ignore case sensitivity.                                    |
   | Enable configuration of search attributes; disable for local connectors | Enables search attribute configuration. Disable this option for local connectors. |

   1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds.

      Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search.

   2. In the Operation Rate Limits area, select the operations to enforce rate limits on.

      You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search.

      For each selected operation, configure the following fields:

      | Field           | Description                        |
      | --------------- | ---------------------------------- |
      | Request Limit   | Requests allowed over time.        |
      | Request Period  | Limit resets after this time (ms). |
      | Request Timeout | Time before exception thrown (ms). |

4. Click Connect.

5. Verify the information in the Details tab.
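The script fields in step 2 reference files on the Windows host that runs the .NET connector server, and Reload script on execution re-reads them from disk on every execution, so it is worth checking who can modify those files. The following is an added example, not part of the product documentation: it audits each configured script for existence, write access by broad principals, a SHA-256 hash to keep as a change baseline, and Authenticode status. The path in `$ScriptPaths` is the page's placeholder and the list of broad principals is an assumed policy; adjust both.

```powershell
# Added example: audit the connector script files referenced in the provisioning form.
# Run on the Windows host where the .NET RCS server is installed.

# Placeholder path (assumption): replace with the values entered in the
# Authenticate/Create/Delete/Schema/Search/Sync/Test/Update Script fields.
$ScriptPaths = @(
    'C:\path\to\script\script.ps1'
)

# Well-known SIDs of broad principals that should not be able to change a script
# (assumed policy for this example).
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that allow changing the file content, deleting it, or changing its ACL/owner.
# Composite rights such as Modify and FullControl contain these bits, so they match too.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-ConnectorScript {
    param([Parameter(Mandatory)][string]$Path)

    # A missing file is reported rather than thrown, so one bad path does not stop the audit.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; Sha256 = $null
            BroadWriteAccess = @(); Signature = $null
        }
    }

    # Ask for access rules keyed by SID so the check does not depend on localized names.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $risky = foreach ($rule in $rules) {
        $isAllow = $rule.AccessControlType -eq 'Allow'
        $isBroad = $BroadSids -contains $rule.IdentityReference.Value
        $canEdit = (([int]$rule.FileSystemRights) -band $WriteMask) -ne 0
        if ($isAllow -and $isBroad -and $canEdit) {
            '{0}: {1}' -f $rule.IdentityReference.Value, $rule.FileSystemRights
        }
    }

    [pscustomobject]@{
        Path             = $Path
        Exists           = $true
        # Keep this hash as a baseline and compare it on later runs to detect edits.
        Sha256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        BroadWriteAccess = @($risky)
        # 'Valid' means signed and trusted; 'NotSigned' is common for in-house scripts.
        Signature        = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

$report = $ScriptPaths | ForEach-Object { Test-ConnectorScript -Path $_ }
$report | Format-List

# Summarize findings that need follow-up.
$report | Where-Object { -not $_.Exists -or $_.BroadWriteAccess.Count -gt 0 } |
    ForEach-Object { Write-Warning ("Review {0}" -f $_.Path) }
```

Inherited rules are included in the check, so a permissive ACL on the parent folder shows up against each script file.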

## Provision side tabs

The object type determines the side tabs that display on the Provisioning tab. Use the object type list to select an object type, such as `Group`. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

![Sub-tabs under the Provisioning tab](../_images/ui-workforce-provisioning.png)

| Provisioning tab  | Description                                                                                                                                                                                                                                                                                                | Related sections                                                                                                                                      |
| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| Details           | View and manage an application, including name, ID, and native type.                                                                                                                                                                                                                                       | Select the specific application from [Provision settings for an application](../provision-an-application.html#provision_settings_for_an_application). |
| Properties        | View and manage properties for the selected object type.                                                                                                                                                                                                                                                   | [Manage application attributes](../provision-an-application.html#manage_application_attributes)                                                       |
| Data              | View data about the selected object type.                                                                                                                                                                                                                                                                  | [View user access data](../provision-an-application.html#view_user_access_data)                                                                       |
| Mapping           | View and manage mappings from the Advanced Identity Cloud admin console properties to external system properties and from external system properties to the Advanced Identity Cloud admin console properties.                                                                                              | [Manage mappings](../provision-an-application.html#manage_mappings)                                                                                   |
| Reconciliation | Preview mappings on target applications between external systems and the Advanced Identity Cloud admin console, and reconcile the data between the two systems. View and manage rules for the users and groups that use your application. View and manage schedules for Full and Incremental reconciliation. | [Reconcile and synchronize end-user accounts](../provision-an-application.html#recon-sync-end-users) |
| Privacy & Consent | Manage end-user data sharing and synchronization.                                                                                                                                                                                                                                                          | [Configure end-user data sharing](../provision-an-application.html#config-end-user-data-sharing)                                                      |
| Rules             | View and manage provisioning rules for mappings between Advanced Identity Cloud and a target application.                                                                                                                                                                                                  | [Manage provisioning rules](../provision-an-application.html#manage-provisioning-rules)                                                               |
| Advanced Sync     | Create and manage mappings between a managed object type and an application or between applications.                                                                                                                                                                                                       | [Manage advanced sync](../provision-an-application.html#manage-advanced-sync)                                                                         |

## Next steps

* [Application management](../applications.html)

* [App catalog](../app-catalog.html)

* [Register an application](../register-an-application.html) or [Register a custom or SSO application](../register-a-custom-application.html)

* [Provision an application](../provision-an-application.html)

* *[Manage end users and roles](../manage-users-and-roles.html)*

* [Manage application registrations](../manage-app-status.html)
