Forum Discussion
Creating Custom Entra Connect Rules for Attribute Sync from Entra ID to Active Directory
Enable Entra ID Writeback
By default, Entra Connect does not write back user attributes from Entra ID to AD unless explicitly configured.
1️⃣ Open Entra Connect Synchronization Rules Editor
- Run Synchronization Rules Editor on the Entra Connect server.
- Click Inbound Rules (these define how data comes from Entra ID to AD).
2️⃣ Create a New Custom Rule
- Click Add New Rule (do NOT modify existing rules).
- Name it something meaningful like:
"Custom_EntraID_To_AD_AttributeWriteback" - Set Precedence (lower numbers execute first; use a number lower than default rules if you want priority).
- Connected System → Select Entra ID (Azure AD).
- Connected System Object Type → Choose User.
- Metaverse Object Type → Select Person.
- Scope: Define which users are affected (e.g., users belonging to a specific security group).
- Join Rules: Typically userPrincipalName or ObjectGUID.
3️⃣ Define Attribute Flow
- Click Transformations → New Attribute Flow.
- Example: To sync jobTitle from Entra ID to AD:
- Flow Direction → Entra ID → AD (Authoritative source = Entra ID).
- Source Attribute → jobTitle (from Entra ID).
- Target Attribute → title (in Active Directory).
- Mapping Type → Direct (or Expression if transformations are needed).
4️⃣ Save & Confirm the Rule
- Click Save and confirm the rule is enabled.
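As an added example (not code from the post above), the same rule built with the ADSync PowerShell module on the Entra Connect server, plus the outbound rule toward the AD connector: an inbound rule only populates the metaverse, so without an outbound rule nothing reaches Active Directory. The rule names, precedence values and the '@contoso.example' UPN scope are assumptions, and a single AD forest is assumed.

```powershell
# Added example, not from the post: inbound rule (Entra ID -> metaverse) and the
# outbound rule (metaverse -> AD) it needs. Names, precedences and the
# '@contoso.example' scope are placeholders; a single AD forest is assumed.
Import-Module ADSync

# Resolve connector identifiers instead of pasting GUIDs into the script.
$aad = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' }
$ad  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }

# --- Inbound: Entra ID connector space (user.jobTitle) -> metaverse (person.title)
New-ADSyncRule -Name 'Custom_EntraID_To_AD_AttributeWriteback' `
    -Identifier (New-Guid) -Description 'jobTitle writeback, pilot users only' `
    -Direction 'Inbound' -Precedence 50 `
    -SourceObjectType 'user' -TargetObjectType 'person' `
    -Connector $aad.Identifier -LinkType 'Join' -OutVariable rule

# Scope tightly: only UPNs in the pilot suffix are touched. Group-based scoping
# uses the ISMEMBEROF operator with the group's DN in the same connector space.
$scope = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition `
    -ArgumentList 'userPrincipalName', '@contoso.example', 'ENDSWITH'
Add-ADSyncScopeConditionGroup -SynchronizationRule $rule[0] `
    -ScopeConditions @($scope) -OutVariable rule

# Join on UPN: (connector-space attribute, metaverse attribute, case-sensitive)
$join = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition `
    -ArgumentList 'userPrincipalName', 'userPrincipalName', $false
Add-ADSyncJoinConditionGroup -SynchronizationRule $rule[0] `
    -JoinConditions @($join) -OutVariable rule

# Direct flow. The source attribute must be present on the Entra ID connector
# space object; check it in Synchronization Service Manager before trusting the rule.
Add-ADSyncAttributeFlowMapping -SynchronizationRule $rule[0] `
    -Source @('jobTitle') -Destination 'title' `
    -FlowType 'Direct' -ValueMergeType 'Update' -OutVariable rule
Add-ADSyncRule -SynchronizationRule $rule[0]

# --- Outbound: metaverse (person.title) -> AD connector space (user.title)
# Without this half nothing is exported to AD. The AD DS connector account also
# needs write permission on 'title' for the in-scope users.
New-ADSyncRule -Name 'Custom_MV_To_AD_Title' `
    -Identifier (New-Guid) -Description 'export title to on-premises AD' `
    -Direction 'Outbound' -Precedence 51 `
    -SourceObjectType 'person' -TargetObjectType 'user' `
    -Connector $ad.Identifier -LinkType 'Join' -OutVariable rule
Add-ADSyncAttributeFlowMapping -SynchronizationRule $rule[0] `
    -Source @('title') -Destination 'title' `
    -FlowType 'Direct' -ValueMergeType 'Update' -OutVariable rule
Add-ADSyncRule -SynchronizationRule $rule[0]
# Apply with a full cycle, then review the AD connector's pending exports.
Start-ADSyncSyncCycle -PolicyType Initial
```

Keeping the scope narrow matters here because the rule turns a cloud-side attribute change into an on-premises directory write; widen it only after the pending exports look right for the pilot set.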
- BehnazH, Feb 02, 2025, Copper Contributor
Thank you so much for your guide. However, we have some misunderstandings regarding certain parts:
- You mentioned defining user scope individually or within a security group. Could you please clarify the exact attributes, operators, and values I need to use for all users or specific groups? Additionally, should this configuration be set up for Entra ID or Active Directory? Is it necessary to configure this part?
- Regarding the join rules, I have configured the UPN as the source attribute on the Entra side and set the target for Active Directory to OnPremisesUPN, as shown in the attached screenshots.
- For the transformation configuration, I used the department attribute because I could not find the JobTitle attribute in Entra ID. The configuration is as follows:
- Flow Type: Direct
- Target Attribute: department
- Source Attribute: department
- If the rule works properly, will I be able to modify the attribute directly from Entra ID?
However, the rule is not working as expected. Could you please provide a clearer explanation for each part?
Thank you again for your assistance.
- Pouria_Joudaki, Feb 02, 2025, Copper Contributor
Thank you so much for your guide. We have a misunderstanding about some parts:
1- You mentioned defining user scope individually or in a security group. Can you let me know the exact attribute that I need to use for all users or specific groups, as well as the operator and value? Please tell me if this part must be configured on the Entra ID or Active Directory side, and whether this part is necessary to configure.
2- For join rules, I have configured the UPN as the source attribute for the Entra side and set the target to OnpremiseUPN, according to the attached screenshots.
3- For the transformation configuration, I used the department attribute because I did not find the JobTitle attribute in Entra ID, as below:
Flow Type: Direct, Target attribute: department, Source attribute: department
4- If the rule works properly, can I then modify the attribute from Entra ID?
But the rule does not work. Could you please clarify each part a little more clearly?
Thank you so much.