Forum Discussion

Michal_Z
Brass Contributor
Aug 16, 2021

Can we sync private phone or private mail to AzureAD

Hi,

I'm working on a project where the goal is to give access for candidates (before they are hired) to the internal application published as Enterprise App in Azure AD. Employees use SSO to access the application.

The solution we think of is to create an AD account for the candidate with private mobile and/or mail, sync it to AzureAD and let the candidate reset the password using that security information. 

Related to the above, is there an attribute in local AD equivalent to AlternativeAuthenticationPhone or strongAuthenticationEmailAddress in AzureAD, which can be synced by Azure AD Connect and used in the SSPR process?

  • BilalelHadd
    Iron Contributor
    Hi Michal,

    Why wouldn't you use Azure AD Access Packages? I have written a blog about this great feature: https://www.bilalelhaddouchi.nl/index.php/2021/07/31/get-started-with-azure-ad-access-packges/

    Regarding the attributes, you can also create a dynamic group with the hires as members of this particular group. An expression could be the Department attribute with the value "hire" or you could use the CloudExtensionAttributes with a custom value set.

    Let me know if you still need some help or advice regarding this functionality.
    • Michal_Z
      Brass Contributor
      Hi BilalelHadd,
      Thank you for pointing me in this direction. I was not aware of this functionality and it puts a new light on the project. I am now exploring this area further. I'll let you know if I have more questions.

    • Michal_Z
      Brass Contributor
      Although we found Azure AD Access Packages interesting, after further investigation, we still need to sync private phone numbers and/or e-mails to AzureAD for SSPR/MFA. We need it for employed users, as we have this data in our HR system integrated with our AD on-prem.
      And we cannot use standard fields like a mobile phone number, to protect users' privacy, as this field is visible to other users in the company.
      So my question still stays open. Is there a field in Active Directory which directly refers to AlternativeAuthenticationPhone or strongAuthenticationEmailAddress fields in AzureAD? Or should we use custom attributes in AD for that?
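As an added example (editor's code, not from either poster, and not an Azure AD Connect feature), one way to get private phone numbers and e-mail addresses into Azure AD for SSPR/MFA without writing them into the directory-visible mobile attribute is to register them as authentication methods through the Microsoft Graph authentication methods API (`/users/{id}/authentication/phoneMethods` and `/users/{id}/authentication/emailMethods`). The script below assumes a Python 3 environment, a constructed HR export (the rows and addresses are made up), and that the caller already holds a Graph access token granted the `UserAuthenticationMethod.ReadWrite.All` permission; `build_requests` only prepares and validates the requests, so it can be run offline as a dry run, while `send` performs the live calls.

```python
"""Register private phone / e-mail as Azure AD authentication methods via Microsoft Graph.

Added example for the thread above; the HR rows are constructed sample data and the
Graph token must be obtained by the caller (e.g. via MSAL) before calling send().
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph expects "+<country code> <national number>", e.g. "+1 2065551234".
PHONE_RE = re.compile(r"^\+\d{1,3} \d{4,14}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed HR export: one row per user, private contact data from the HR system.
HR_EXPORT = [
    {"upn": "alice@contoso.example", "private_mobile": "+48 501234567",
     "private_email": "alice.home@example.net"},
    {"upn": "bob@contoso.example", "private_mobile": "48 601234567",   # missing '+'
     "private_email": "bob@example.net"},
    {"upn": "carol@contoso.example", "private_mobile": "",
     "private_email": "carol@example.org"},
]


def mask(value: str) -> str:
    """Redact contact data for logs: keep only the last two characters."""
    if not value:
        return ""
    return "*" * max(len(value) - 2, 0) + value[-2:]


def build_requests(rows: List[Dict[str, str]], phone_type: str = "alternateMobile"
                   ) -> Tuple[List[Dict], List[Tuple[str, str, str]]]:
    """Turn HR rows into Graph POST requests; returns (requests, skipped).

    phone_type is one of Graph's phoneType values: mobile, alternateMobile, office.
    Invalid values are skipped (with a masked reason) rather than sent, so a bad
    HR row never produces a half-registered user.
    """
    reqs, skipped = [], []
    for row in rows:
        upn = row["upn"]
        user_base = f"{GRAPH}/users/{urllib.parse.quote(upn, safe='@')}/authentication"
        phone = (row.get("private_mobile") or "").strip()
        email = (row.get("private_email") or "").strip()
        if phone:
            if PHONE_RE.match(phone):
                reqs.append({"method": "POST", "url": f"{user_base}/phoneMethods",
                             "body": {"phoneNumber": phone, "phoneType": phone_type}})
            else:
                skipped.append((upn, "private_mobile", f"bad format: {mask(phone)}"))
        if email:
            if EMAIL_RE.match(email):
                reqs.append({"method": "POST", "url": f"{user_base}/emailMethods",
                             "body": {"emailAddress": email}})
            else:
                skipped.append((upn, "private_email", f"bad format: {mask(email)}"))
    return reqs, skipped


def send(reqs: List[Dict], token: str, opener=urllib.request.urlopen) -> List[Tuple[str, int]]:
    """Live call: POST each prepared request with the bearer token; returns (url, status)."""
    results = []
    for r in reqs:
        http_req = urllib.request.Request(
            r["url"], data=json.dumps(r["body"]).encode(), method=r["method"],
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with opener(http_req) as resp:
            results.append((r["url"], resp.status))
    return results


if __name__ == "__main__":
    # Dry run: show what would be sent, with the private values masked.
    prepared, rejected = build_requests(HR_EXPORT)
    for r in prepared:
        body = {k: mask(v) if k in ("phoneNumber", "emailAddress") else v
                for k, v in r["body"].items()}
        print(r["method"], r["url"].replace(GRAPH, ""), body)
    for upn, field, reason in rejected:
        print("SKIPPED", upn, field, reason)
```

Because the values land in the user's authentication methods rather than in a profile attribute, they are not exposed through the address book the way the synced mobile attribute is; the masking in the dry run keeps the numbers out of the script's own logs as well. The hypothetical `private_mobile` / `private_email` column names stand in for whatever the HR export actually provides.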
