Forum Discussion
MichalZiemba
Aug 16, 2021MCT
Can we sync private phone or private mail to AzureAD
HI, I'm working on a project where the goal is to give access for candidates (before they are hired) to the internal application published as Enterprise App in Azure AD. Employees use SSO to access...
MichalZiemba
Aug 19, 2021MCT
Although we found Azure AD Access Packages interesting, after further investigation, we still need to sync private phone numbers and/or e-mails to AzureAD for SSPR/MFA. We need it for employed users, as we have this data in our HR system integrated with our AD on-prem.
And we cannot use standard fields like a mobile phone number, to protect user's privacy, as this field is visible for other users in the company.
So my question still stays open. Is there a field in Active Directory which directly refers to AlternativeAuthenticationPhone or strongAuthenticationEmailAddress fields in AzureAD? Or should we use custom attributes in AD for that?
Josh Villagomez
Microsoft
Aug 19, 2021
The following article describes the attributes that we sync by default:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized
To answer your question: no, there is no such attribute in AD. It is best that you set that authentication data directly via PowerShell. See here for details:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata#set-and-read-the-authentication-data-through-powershell
I don't think you want to be in the business of synchronizing that type of data, because AD is not the Source of Authority (SOA). So, even if you can attempt to export it once, the moment a user updates their mobile number you are no longer in "sync", despite attempting to update it again from AD. Hope this helps.
- MichalZiemba, Aug 25, 2021, MCT
But how can I set the strongAuthenticationEmailAddress using PowerShell? Can you provide an example?
- Josh Villagomez, Aug 25, 2021, Microsoft
MichalZiemba Did you refer to the article I provided earlier?
- MichalZiemba, Aug 26, 2021, MCT
Yes. And I didn't find the parameter strongAuthenticationEmailAddress working on the Set-AzureADUser command.
- MichalZiemba, Aug 20, 2021, MCT
I was thinking about it and you are totally right. It wouldn't be a good idea to keep it continuously in sync. As you suggested, it should be a one-time sync, so that later the users are able to control it themselves.
Thank you for your answer and suggestion.
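The following is an added example, not code from the thread participants or from the linked article, showing how to do the one-time seeding Josh describes and answering the follow-up question about strongAuthenticationEmailAddress. In the Microsoft Graph authentication methods API the SSPR e-mail is the user's emailMethod and the authentication phone is a phoneMethod, so the example uses the Microsoft Graph PowerShell SDK cmdlets for those rather than Set-AzureADUser or Set-MsolUser. The UPNs, private addresses and phone numbers are constructed, the HR export is assumed to arrive as rows with those three columns, and the account running it is assumed to be granted UserAuthenticationMethod.ReadWrite.All.

```powershell
# Added example (not from the original thread or the linked article).
# Seeds SSPR/MFA e-mail and mobile phone methods from an HR export using the
# Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns).
# Assumes the UserAuthenticationMethod.ReadWrite.All permission is granted.
# A method is created only when the user has none of that type, so this is a
# one-time seed: values users later change in "My Security Info" are left alone.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Constructed sample rows standing in for the HR export (use Import-Csv on the real file).
# Graph expects phone numbers in the form "+<country code> <number>".
$hrExport = @(
    [pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.com';   PrivateEmail = 'jane.doe@example.com';  PrivateMobile = '+48 600123456' }
    [pscustomobject]@{ UserPrincipalName = 'bsmith@contoso.com'; PrivateEmail = 'bob.smith@example.com'; PrivateMobile = '' }
)

function Initialize-AuthMethods {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $PrivateEmail,
        [string] $PrivateMobile
    )

    # SSPR e-mail: a user has at most one emailMethod, so create it only when absent.
    $existingEmail = Get-MgUserAuthenticationEmailMethod -UserId $UserPrincipalName -ErrorAction Stop
    if ($PrivateEmail -and -not $existingEmail) {
        New-MgUserAuthenticationEmailMethod -UserId $UserPrincipalName -EmailAddress $PrivateEmail -ErrorAction Stop | Out-Null
        Write-Host "$UserPrincipalName : e-mail method set"
    } elseif ($existingEmail) {
        Write-Host "$UserPrincipalName : e-mail method already present, skipped"
    }

    # Authentication phone: phoneType 'mobile' is the number used for SMS/voice MFA and SSPR.
    $phones    = Get-MgUserAuthenticationPhoneMethod -UserId $UserPrincipalName -ErrorAction Stop
    $hasMobile = $phones | Where-Object { $_.PhoneType -eq 'mobile' }
    if ($PrivateMobile -and -not $hasMobile) {
        New-MgUserAuthenticationPhoneMethod -UserId $UserPrincipalName -PhoneNumber $PrivateMobile -PhoneType 'mobile' -ErrorAction Stop | Out-Null
        Write-Host "$UserPrincipalName : mobile phone method set"
    } elseif ($hasMobile) {
        Write-Host "$UserPrincipalName : mobile phone method already present, skipped"
    }
}

foreach ($row in $hrExport) {
    try {
        Initialize-AuthMethods -UserPrincipalName $row.UserPrincipalName -PrivateEmail $row.PrivateEmail -PrivateMobile $row.PrivateMobile
    } catch {
        Write-Warning "$($row.UserPrincipalName): $($_.Exception.Message)"
    }
}

# Read back what was written for one user.
Get-MgUserAuthenticationEmailMethod -UserId 'jdoe@contoso.com' | Select-Object EmailAddress
Get-MgUserAuthenticationPhoneMethod -UserId 'jdoe@contoso.com' | Select-Object PhoneType, PhoneNumber
```

The "create only if absent" check is what keeps this a seed rather than a sync: once a user replaces the number or address themselves, a re-run skips them instead of clobbering the change. It also addresses the privacy concern raised earlier, because these values are stored as authentication methods, separate from the profile attributes (mobile, telephoneNumber) that the directory exposes to other users. Run it against a couple of test accounts first, since there is no dry-run switch here.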