Forum Discussion

Charles Ferreira's avatar
Charles Ferreira
Copper Contributor
Nov 28, 2018
Solved

ImmutableID to Extensionattribute

Hi smart people! We are considering using Azure AD ImmutableID as our global ImmutableID for other projects. Is it possible to use ADConnect to write the Azure ImmutableID back to an extensionattrib...
Azure Active Directory (AAD)
Identity Management
  • Rishabh Srivastava's avatar
    Rishabh Srivastava
    Nov 28, 2018

    Hello Charles, 

     

    There are two different queries in your request. 

    First - How to writeback Immutable ID to an Extension Attribute. 

    Second - ObjectID of cloud Accounts. 

     

    In Order to complete the first task,

    Create and Outbound rule for AD connector that must map source anchor to extension attribute, below mentioned is an example,

    Add-ADSyncAttributeFlowMapping  `

    -SynchronizationRule $syncRule[0] `

    -Source @('sourceAnchor') `

    -Destination 'msDS-cloudExtensionAttribute10' `

    -FlowType 'Direct' `

    -ValueMergeType 'Update' `

    -OutVariable syncRule

     

    Once the rule is created run a sync and you will find the extension attribute populated with source anchor.

     

    For the second query, ObjectID is an attribute that belongs to Object Class and is a mandate attribute that will be populated for all the objects. (Synced or Cloud)

    To check about the Object class you can run the below mentioned command on AzureAD powershell.

     

    Get-AzureADUser | Get-Member

     

    Let me know if you have any query.

     

    Regards,

    Rishabh

     

     

ThinkSync's avatar
ThinkSync
Brass Contributor
Dec 03, 2018

Hello,

 

Great question and some interesting responses. Please let me share some friendly advice from my own experiences working with customers.

 

Yes, AAD C is a cutdown version of the MIM/FIM sync engine, BUT, please try and avoid adding custom rules. Custom rules adds complexity which can come back and haunt you when the time comes to upgrade.

 

In this scenario using mS-DS-ConsistencyGuid as the source anchor for both your on-prem applications and Azure AD might be the best option.

 

The big advantage of using mS-DS-ConsistencyGuid rather than GUID, is it’s writable. So, if you do need to cater for users moving between forests, it’s a simple process of copying the value between objects.

 

With regards to cloud accounts, it’s a little tricky as you need the object written back to create an on-prem “shadow” account.

 

Another option might be updating the application authentication end-points to support Azure AD or using Azure application proxies.

 

Further reading:

sourceAncor and mS-DS-ConsistencyGuid

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts

 

Hope this helps,

Matt C

Charles Ferreira's avatar
Charles Ferreira
Copper Contributor
Dec 06, 2018

Thanks for the replies. This is a great dialogue. As I understand it, since we started this (years ago before me) without mS-DS-ConsistencyGuid it's too late to change it. It would certainly fit the bill

ThinkSync  Your assessment is correct, we are working toward a better lifecycle and looking to link the user between apps and not have to visit this again for a long time! ObjectID sounds like a plan

Resources