In the previous article, we showed you how to create custom attributes in on-premises Active Directory. When using a hybrid configuration of on-premises AD and Azure AD, you may need to synchronize your custom user attribute into your Azure tenant. In this article, we will look at how to synchronize custom user attributes to Azure Active Directory using Azure AD Connect.
Azure AD Connect is used to synchronize existing local (on-premises) directory services based on Active Directory Domain Services (AD DS) to Azure AD. Azure AD Connect is installed on one of the on-prem servers (Windows Server 2012+ is required).
Log in to the server with Azure AD Connect installed and launch the Azure AD Connect Console. Select Customize synchronization options from the Additional Tasks list and click Next.
Skip all the steps of the synchronization wizard and go to the Optional Features tab. Enable the Directory extension attribute sync option. Click Next.
In the next window, you will see a complete list of attributes in on-premises Active Directory. In the list, find the custom attribute that you want to synchronize (in our example it is vehRegCode) and move it to the right list.
Hint. You can synchronize a maximum of 100 on-prem Active Directory attributes to Azure AD (including default attributes such as Display name, first name, surname, UPN, etc.). Empty or Null attribute values are not synchronized.
Click Next > Finish to complete the Azure AD Connect setup wizard and apply your new settings.
Wait for synchronization to start automatically (default is every 30 minutes), or you can synchronize manually:
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
Hint. The following command is used to start a full synchronization to Azure AD:
Start-ADSyncSyncCycle -PolicyType Initial
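The manual sync above returns as soon as the cycle is queued, so you cannot tell from its output whether the scheduler is actually enabled or when the cycle has finished. The following is an added example, not code from the original article: it checks the scheduler state with Get-ADSyncScheduler, starts a Delta cycle (or waits for one already running), and polls until the cycle completes. It assumes it is run in an elevated PowerShell session on the Azure AD Connect server, where the ADSync module is installed; the function name Start-DeltaSyncAndWait and the timeout value are my own choices.

```powershell
# Added example (not from the original article). Run on the Azure AD Connect
# server in an elevated PowerShell session; the ADSync module ships with
# Azure AD Connect. Function name and timeout are assumptions for illustration.
Import-Module ADSync

function Start-DeltaSyncAndWait {
    param([int]$TimeoutSeconds = 600)

    $sched = Get-ADSyncScheduler
    Write-Host "Effective sync interval: $($sched.CurrentlyEffectiveSyncCycleInterval)"

    if (-not $sched.SyncCycleEnabled) {
        throw "The sync scheduler is disabled; nothing will be exported to Azure AD until it is re-enabled."
    }

    if ($sched.SyncCycleInProgress) {
        Write-Host "A sync cycle is already running; waiting for it to finish."
    } else {
        # Delta cycle: only objects changed since the last run are processed.
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        Write-Host "Delta sync cycle started."
    }

    # Poll the scheduler until the cycle completes or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($inProgress -and (Get-Date) -lt $deadline)

    if ($inProgress) {
        throw "Sync cycle did not finish within $TimeoutSeconds seconds; check the Synchronization Service Manager for a stuck run."
    }

    $next = (Get-ADSyncScheduler).NextSyncCycleStartTimeInUTC
    Write-Host "Sync cycle finished. Next scheduled cycle starts at $next UTC."
}

Start-DeltaSyncAndWait
```

Checking SyncCycleEnabled first matters because the scheduler is commonly disabled during maintenance and forgotten; a Delta cycle queued while it is disabled never exports the new attribute, which looks exactly like a configuration problem on the Azure side.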
To synchronize custom attributes from on-premises AD to Azure, a special Enterprise Application is used to handle Azure AD schema extensions. You can find this Enterprise application in the Azure portal. The name of the synchronized attribute will contain the Application ID (GUID) of that application.
You can check the presence and value of the attribute on an Azure AD user using PowerShell. Connect to your Azure AD tenant using the AzureAD PowerShell module and run the command:
Get-AzureADUser -SearchString b.jackson@theitbros.com | Select-Object -ExpandProperty ExtensionProperty
The synchronized custom attribute has the following name format: extension_{AppClientId}_vehRegCode.
To get the value of the extension attribute directly:
(Get-AzureADUserExtension -ObjectId b.jackson@theitbros.com).extension_{AppClientId}_vehRegCode
Hint. Note that Azure AD extension attribute names are case sensitive (unlike attribute names in on-premises Active Directory).
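The commands above require you to know the application GUID in advance and check one user at a time. The following is an added example, not code from the original article: it discovers the full extension_{AppClientId}_vehRegCode name from the ExtensionProperty dictionary of a synchronized user, then compares the on-prem value with the Azure AD value for a list of users so that stale or missing values after a sync stand out. It assumes the AzureAD and ActiveDirectory modules are installed, that Connect-AzureAD has already been run, and that the on-prem attribute is named vehRegCode as in this article; the user principal names and the function name Get-ExtensionAttributeName are constructed for the example.

```powershell
# Added example (not from the original article). Assumes the AzureAD and
# ActiveDirectory PowerShell modules are installed, Connect-AzureAD has been
# run, and the on-prem attribute is named vehRegCode. The UPNs below are
# constructed sample values; replace them with real users in your tenant.

$attrName = 'vehRegCode'
$userUpns = @('b.jackson@theitbros.com', 'j.smith@theitbros.com')

# Resolve the full Azure AD name (extension_{AppClientId}_vehRegCode) from the
# first user that carries it, instead of hard-coding the application GUID.
# Note the -like pattern is case-insensitive in PowerShell, but the returned
# key keeps the exact case that Azure AD stores, which is what later lookups need.
function Get-ExtensionAttributeName {
    param([string[]]$Upns, [string]$ShortName)
    foreach ($upn in $Upns) {
        $u = Get-AzureADUser -ObjectId $upn
        $match = $u.ExtensionProperty.Keys | Where-Object { $_ -like "extension_*_$ShortName" }
        if ($match) { return ($match | Select-Object -First 1) }
    }
    throw "No sampled user has an extension property ending in _$ShortName; check the Directory extension attribute sync option in Azure AD Connect."
}

$extName = Get-ExtensionAttributeName -Upns $userUpns -ShortName $attrName
Write-Host "Azure AD extension attribute name: $extName"

# Compare the on-prem value with the synchronized value for each user.
# An empty on-prem value is never exported, so both sides are $null in that case.
$report = foreach ($upn in $userUpns) {
    $onPrem = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties $attrName
    $cloud  = Get-AzureADUser -ObjectId $upn

    $cloudValue = $null
    if ($cloud.ExtensionProperty.ContainsKey($extName)) {
        $cloudValue = $cloud.ExtensionProperty[$extName]
    }

    [pscustomobject]@{
        UserPrincipalName = $upn
        OnPremValue       = $onPrem.$attrName
        AzureADValue      = $cloudValue
        InSync            = ($onPrem.$attrName -eq $cloudValue)
    }
}

$report | Format-Table -AutoSize
```

A row with InSync = False right after the wizard completes usually means the Delta cycle has not exported the object yet or the attribute was left empty on-prem; running the report again after the next scheduled cycle separates those two cases.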
GOOD JOB. THANKS
I have one question: what should I do when I do not see custom attributes in AADC and in PowerShell with the Get-AzureADUser command? I see them only in PowerShell with administrator privileges.