Forum Discussion
MichalZiemba
Aug 16, 2021 (MCT)
Can we sync private phone or private mail to AzureAD
Hi, I'm working on a project where the goal is to give access for candidates (before they are hired) to the internal application published as an Enterprise App in Azure AD. Employees use SSO to access...
BilalelHadd
Aug 16, 2021 (Iron Contributor)
Hi Michal,
Why wouldn't you use Azure AD Access Packages? I have written a blog about this great feature: https://www.bilalelhaddouchi.nl/index.php/2021/07/31/get-started-with-azure-ad-access-packges/
Regarding the attributes, you can also create a dynamic group with the hires as members of this particular group. An expression could be the Department attribute with the value "hire" or you could use the CloudExtensionAttributes with a custom value set.
Let me know if you still need some help or advice regarding this functionality.
MichalZiemba
Aug 19, 2021 (MCT)
Although we found Azure AD Access Packages interesting, after further investigation, we still need to sync private phone numbers and/or e-mails to AzureAD for SSPR/MFA. We need it for employed users, as we have this data in our HR system integrated with our AD on-prem.
And we cannot use standard fields like the mobile phone number, to protect users' privacy, as this field is visible to other users in the company.
So my question still stays open. Is there a field in Active Directory which directly refers to AlternativeAuthenticationPhone or strongAuthenticationEmailAddress fields in AzureAD? Or should we use custom attributes in AD for that?
- Josh Villagomez, Aug 19, 2021 (Microsoft)
The following article describes the attributes that we sync by default:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized
To answer your question, no there is no attribute in AD. It is best that you set that authentication data directly via PowerShell. See here for details:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata#set-and-read-the-authentication-data-through-powershell
I don't think you want to be in the business of synchronizing that type of data because AD is not the Source of Authority (SOA). So, even if you can attempt to export it once, the moment a user updates their mobile number, you are no longer in "sync", despite attempting to update it again from AD. Hope this helps.
- MichalZiemba, Aug 25, 2021 (MCT)
But how can I set the strongAuthenticationEmailAddress using PowerShell? Can you provide an example?
- Josh Villagomez, Aug 25, 2021 (Microsoft)
MichalZiemba Did you refer to the article I provided earlier?
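Since the reply above points to the article rather than showing a command, here is an added example of the one-time bootstrap Josh describes: push the private e-mail and phone from an HR export into each user's authentication contact info once, and never overwrite a method the user has since registered themselves. This is example code written for this thread, not code from the thread, from Microsoft or from the linked article (which shows the older MSOnline cmdlets); it uses the Microsoft Graph PowerShell SDK instead. Assumptions: the account running it holds the UserAuthenticationMethod.ReadWrite.All permission, the tenant allows e-mail and phone authentication methods, the CSV columns match what your HR system exports (the rows below are constructed), and the Graph "mobile" authentication phone method is stored separately from the directory mobile attribute that colleagues can see.

```powershell
# Added example (not from the thread or from Microsoft): one-time seeding of
# SSPR/MFA contact info from an HR export via the Microsoft Graph PowerShell SDK.
# Requires the Microsoft.Graph.Identity.SignIns module.

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.Read.All'

# Constructed sample export. In practice: $hrExport = Import-Csv .\hr-contact-export.csv
$hrExport = @'
UserPrincipalName,PrivateEmail,PrivateMobile
alice@contoso.example,alice.private@mail.example,+48 600000001
bob@contoso.example,,+48 600000002
'@ | ConvertFrom-Csv

function Set-InitialAuthContact {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [string] $Email,
        [string] $Mobile
    )
    $result = [ordered]@{ User = $Upn; Email = 'skipped'; Phone = 'skipped' }

    # Authentication e-mail: add only when none is registered yet, so a value the
    # user later changes in "My Security Info" is never overwritten from HR data.
    if ($Email) {
        $existing = Get-MgUserAuthenticationEmailMethod -UserId $Upn -ErrorAction Stop
        if ($existing) {
            $result.Email = 'already registered'
        } else {
            New-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAddress $Email -ErrorAction Stop | Out-Null
            $result.Email = 'added'
        }
    }

    # Authentication phone ("mobile" method): assumed to be separate from the
    # directory mobile attribute, so the private number stays out of the GAL.
    # Graph expects "+<country code> <number>".
    if ($Mobile) {
        $existing = Get-MgUserAuthenticationPhoneMethod -UserId $Upn -ErrorAction Stop |
            Where-Object PhoneType -eq 'mobile'
        if ($existing) {
            $result.Phone = 'already registered'
        } else {
            New-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneNumber $Mobile -PhoneType 'mobile' -ErrorAction Stop | Out-Null
            $result.Phone = 'added'
        }
    }
    [pscustomobject]$result
}

# Process every row, keep going on per-user failures, and report what happened.
$report = foreach ($row in $hrExport) {
    try {
        Set-InitialAuthContact -Upn $row.UserPrincipalName -Email $row.PrivateEmail -Mobile $row.PrivateMobile
    } catch {
        [pscustomobject]@{ User = $row.UserPrincipalName; Email = 'error'; Phone = "error: $($_.Exception.Message)" }
    }
}
$report | Format-Table -AutoSize
```

Running this once, rather than on a schedule, is what keeps Azure AD (not the HR system or on-prem AD) as the source of authority for these values: after the seed, users maintain the data themselves and a rerun only reports "already registered". The report output is also the audit trail you want to retain, since it records which accounts had authentication contact info written by an administrator.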
- MichalZiemba, Aug 20, 2021 (MCT)
I was thinking about it and you are totally right. This wouldn't be a good idea to get it continuously in sync. As you suggested, it should be a one-time sync so later users are able to control it.
Thank you for your answer and suggestion.