In today's world, synchronising various systems is important for seamless operations. It lets systems share information, making work easier and faster. Without it, there can be mistakes, delays, and problems accessing the latest data, which slows down the business and causes issues. On-premises Active Directory (AD) serves as the main hub for user management in many organizations, while Azure Active Directory (Azure AD) extends user management to the cloud. When organizations customize attributes to meet specific business needs, they often find it necessary to sync those attributes between their on-premises AD and Azure AD.
In a hybrid setup (one with both an on-premises AD and cloud services), Azure AD Connect synchronises attribute values from on-premises AD to Azure AD. The default set of attributes is synced automatically, but organizations often also need to synchronise custom on-premises AD attributes to Azure AD. This need is addressed by the Azure AD Connect feature known as "Directory extension attribute sync". In this blog, we'll go through the process of synchronising on-premises AD attributes to Azure AD using Azure AD Connect.
Prerequisites
- Azure AD Connect installed and configured to synchronise between on-premises AD and Azure AD.
- Custom attribute created in AD (e.g., “nINumber” attribute added to the user class).
To achieve this synchronization, there are two primary methods available, each with its own advantages and considerations.
Synchronizing attributes with PowerShell:
To extend the schema of Microsoft Entra users, and to keep attributes consistent for cloud-only users as well, the following PowerShell commands (AzureAD module) can be used:

```powershell
# Sign in to the tenant, then register the application that will own the extension property
Connect-AzureAD
$App = New-AzureADApplication -DisplayName "test app name" -IdentifierUris https://testapp
New-AzureADServicePrincipal -AppId $App.AppId
# Define the extension; it is exposed as extension_<appID>_TestAttributeName, where <appID> is the application ID without hyphens
New-AzureADApplicationExtensionProperty -ObjectId $App.ObjectId -Name "TestAttributeName" -DataType "String" -TargetObjects "User"
# Write a value for one user (the cmdlet requires -ExtensionValue) and read it back
Set-AzureADUserExtension -ObjectId <UserID> -ExtensionName "extension_<appID>_TestAttributeName" -ExtensionValue "<value>"
Get-AzureADUser -ObjectId <UserID> | Select -ExpandProperty ExtensionProperty
```
Synchronizing attributes with Azure AD Connect:
- Start by accessing the Azure AD Connect server.
- Launch the Azure AD Connect console.
- Select "Customize synchronisation options" from the list of options.
- Select “Synchronize all directories and devices” to synchronize user and device information.
- Click on Synchronisation options.
- Locate and enable the “Directory extension attribute sync” feature.
- Click Next to complete the process.
- Select the on-premises attribute for synchronisation.
- Once the steps are complete, verify that the attribute values from AD are successfully synced to Azure AD.
- To verify the synced attribute values, use Microsoft Graph Explorer. With Graph Explorer, you can make requests to the Microsoft Graph APIs to retrieve, add, delete and update data. Construct a query that selects the user account and the desired attributes.
- Inspect the returned values to confirm that the custom attribute values are correctly synced from AD to Azure AD.
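To check the synced values the way the last two steps describe, the following Python is an added example (not from the original post): it derives the Graph name of the extension attribute from the application ID, builds the `$select` query for Graph Explorer, and compares a Graph response against the on-premises values, flagging users where the attribute is missing or differs. The application ID, user principal names and attribute values are constructed samples.

```python
import json

# Constructed sample values, not from the original post.
APP_ID = "12345678-1234-1234-1234-123456789abc"   # application (client) ID that owns the extension
ATTRIBUTE = "nINumber"                             # custom on-premises AD attribute being synced

def extension_attribute_name(app_id: str, attribute: str) -> str:
    # Graph exposes directory extensions as extension_<appId without hyphens>_<attributeName>
    return f"extension_{app_id.replace('-', '')}_{attribute}"

def build_graph_query(attribute_names: list) -> str:
    # $select limits the response to the UPN plus the attributes under test
    select = ",".join(["userPrincipalName", *attribute_names])
    return f"https://graph.microsoft.com/v1.0/users?$select={select}"

def compare_with_on_prem(graph_json: str, attribute_name: str, expected: dict) -> dict:
    """Compare Graph values with the on-prem AD values (upn -> value).
    Graph omits an extension property that was never set on a user, so an
    absent key counts as 'missing' (not yet synced), like an explicit null."""
    returned = {u["userPrincipalName"]: u for u in json.loads(graph_json).get("value", [])}
    results = {}
    for upn, on_prem_value in expected.items():
        user = returned.get(upn)
        cloud_value = None if user is None else user.get(attribute_name)
        if cloud_value is None:
            results[upn] = "missing"
        elif cloud_value != on_prem_value:
            results[upn] = f"mismatch: {cloud_value}"
        else:
            results[upn] = "ok"
    return results

# Constructed Graph response standing in for what Graph Explorer returns.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"userPrincipalName": "alice@contoso.example", "extension_12345678123412341234123456789abc_nINumber": "AB123456C"},
    {"userPrincipalName": "bob@contoso.example", "extension_12345678123412341234123456789abc_nINumber": "QQ000000A"},
    {"userPrincipalName": "carol@contoso.example"},
]})

# Constructed values as exported from on-premises AD.
ON_PREM_VALUES = {"alice@contoso.example": "AB123456C",
                  "bob@contoso.example": "QQ111111A",
                  "carol@contoso.example": "ZZ222222B"}

if __name__ == "__main__":
    name = extension_attribute_name(APP_ID, ATTRIBUTE)
    print(build_graph_query([name]))
    for upn, status in compare_with_on_prem(SAMPLE_RESPONSE, name, ON_PREM_VALUES).items():
        print(f"{upn}: {status}")
```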
Synchronizing on-premises Active Directory (AD) attributes to Azure AD offers users numerous benefits by extending management capabilities into cloud environments. It enables integration with the many applications and services that rely on Azure AD for authentication and identity management, so users get consistent access across platforms regardless of the service or application they interact with. Synchronization not only simplifies user management but also strengthens security by keeping user identities and access controls consistent across both on-premises and cloud environments. Ultimately, users benefit from a unified experience in which their credentials and attributes stay in sync, improving productivity and security alike.