Forum Discussion
Michal_Z
Aug 16, 2021, Brass Contributor
Can we sync private phone or private mail to AzureAD
Hi,
I'm working on a project where the goal is to give candidates (before they are hired) access to an internal application published as an Enterprise App in Azure AD. Employees use SSO to access the application.
The solution we are thinking of is to create an AD account for the candidate with their private mobile and/or mail, sync it to Azure AD, and let the candidate reset the password using that security information.
Related to the above, is there an attribute in local AD equivalent to AlternativeAuthenticationPhone or strongAuthenticationEmailAddress in Azure AD, which can be synced by Azure AD Connect and used in the SSPR process?
- BilalelHadd (Iron Contributor)
Hi Michal,
Why wouldn't you use Azure AD Access Packages? I have written a blog about this great feature: https://www.bilalelhaddouchi.nl/index.php/2021/07/31/get-started-with-azure-ad-access-packges/
Regarding the attributes, you can also create a dynamic group with the hires as members of this particular group. An expression could be the Department attribute with the value "hire", or you could use the CloudExtensionAttributes with a custom value set.
Let me know if you still need some help or advice regarding this functionality.

- Michal_Z (Brass Contributor)
Hi BilalelHadd,
Thank you for pointing me in this direction. I was not aware of this functionality and it puts a new light on the project. I am now exploring this area further. I'll let you know if I have more questions.

- Michal_Z (Brass Contributor)
Although we found Azure AD Access Packages interesting, after further investigation we still need to sync private phone numbers and/or e-mails to Azure AD for SSPR/MFA. We need it for employed users, as we have this data in our HR system, which is integrated with our on-prem AD.
And we cannot use standard fields like the mobile phone number, to protect users' privacy, as this field is visible to other users in the company.
So my question still stands. Is there a field in Active Directory which directly maps to the AlternativeAuthenticationPhone or strongAuthenticationEmailAddress fields in Azure AD? Or should we use custom attributes in AD for that?

- Josh Villagomez (Microsoft)
The following article describes the attributes that we sync by default:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized
To answer your question: no, there is no such attribute in AD. It is best that you set that authentication data directly via PowerShell. See here for details:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata#set-and-read-the-authentication-data-through-powershell
I don't think you want to be in the business of synchronizing that type of data, because AD is not the Source of Authority (SOA). So, even if you can attempt to export it once, the moment a user updates their mobile number you are no longer in "sync", despite attempting to update it again from AD. Hope this helps.
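The following is an added example, not code from this thread or from the linked Microsoft article. It shows what "set the authentication data directly via PowerShell" looks like when the HR export, rather than on-prem AD, is treated as the source of authority: the script reads a constructed CSV of private contact details and writes them as SSPR/MFA authentication methods through Microsoft Graph, updating an existing method instead of creating a duplicate on re-runs. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin holds the UserAuthenticationMethod.ReadWrite.All permission; the user principal names, addresses and phone numbers are hypothetical.

```powershell
# Added example (not from the thread): push SSPR/MFA contact methods from an HR
# export, the source of authority, straight into Azure AD via Microsoft Graph.
# Assumes the Microsoft.Graph SDK is installed and the signed-in admin has the
# UserAuthenticationMethod.ReadWrite.All delegated permission.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Constructed sample of an HR export (hypothetical UPNs, addresses and numbers).
# Graph expects phone numbers as "+<country code> <number>".
$hrExport = @"
UserPrincipalName,PrivateEmail,PrivateMobile
alice@contoso.example,alice.private@example.net,+1 2065550100
bob@contoso.example,,+44 7700900123
"@ | ConvertFrom-Csv

foreach ($row in $hrExport) {
    $upn = $row.UserPrincipalName

    # Private e-mail: a user has at most one e-mail authentication method,
    # so update the existing one rather than creating a second.
    if ($row.PrivateEmail) {
        $existing = Get-MgUserAuthenticationEmailMethod -UserId $upn -ErrorAction SilentlyContinue
        if ($existing) {
            if ($existing.EmailAddress -ne $row.PrivateEmail) {
                Update-MgUserAuthenticationEmailMethod -UserId $upn `
                    -EmailAuthenticationMethodId $existing.Id -EmailAddress $row.PrivateEmail
            }
        } else {
            New-MgUserAuthenticationEmailMethod -UserId $upn -EmailAddress $row.PrivateEmail | Out-Null
        }
    }

    # Private mobile: select the 'mobile' phone method so office/alternate
    # phone methods are left untouched.
    if ($row.PrivateMobile) {
        $mobile = Get-MgUserAuthenticationPhoneMethod -UserId $upn -ErrorAction SilentlyContinue |
            Where-Object { $_.PhoneType -eq 'mobile' }
        if ($mobile) {
            if ($mobile.PhoneNumber -ne $row.PrivateMobile) {
                Update-MgUserAuthenticationPhoneMethod -UserId $upn `
                    -PhoneAuthenticationMethodId $mobile.Id `
                    -PhoneNumber $row.PrivateMobile -PhoneType mobile
            }
        } else {
            New-MgUserAuthenticationPhoneMethod -UserId $upn `
                -PhoneNumber $row.PrivateMobile -PhoneType mobile | Out-Null
        }
    }
}

# Read back what was set. These authentication methods are distinct from the
# directory 'mobile' / 'mail' attributes, so they do not appear in the address book.
foreach ($row in $hrExport) {
    $upn = $row.UserPrincipalName
    [pscustomobject]@{
        User   = $upn
        Email  = (Get-MgUserAuthenticationEmailMethod -UserId $upn).EmailAddress
        Phones = (Get-MgUserAuthenticationPhoneMethod -UserId $upn |
                  ForEach-Object { "$($_.PhoneType)=$($_.PhoneNumber)" }) -join ';'
    }
}
```

Run it from the HR side on a schedule (or on each HR change event) instead of syncing through AD, which keeps the methods current when an employee updates their number in the HR system. Because the values land in the user's authentication methods rather than in the synced `mobile` attribute, the private number is usable for SSPR and MFA without being visible to other users, which is the privacy concern raised earlier in the thread.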