AADConnect cn attribute and group member count


Hello

Related to AADConnect, I have some doubts I need help with.

1. When I check a group which is being synced, the member count on-premise is different and the member count online is different?

2. I have checked that the CN attribute is pulled into the metaverse, and as far as I have understood it is synced to the commonName attribute in Azure AD, but it never shows when you dump user attributes from Azure AD? (CN is not available in Azure AD?)

5 Replies

1) Are all users synced? Nested groups?

2) There are multiple attributes that are synced to Azure AD, but not exposed in any of the admin portals. Some of these can be accessed via the Graph, others such as the CN cannot. But you can use something like the onPremisesDistinguishedName?

Hello Vasil,

I have read a lot of your articles / blogs on Office 365 groups, must say great job.

However, in this case I can see this attribute is being synced from on-premises to online, from cn to commonName. It is mentioned in the Microsoft documentation also, however only for AzureRMS, not why?

But the issue is it is not visible either, so neither CN nor commonName or Alias for that attribute are visible when AzureAD is queried.

It's simply not exposed anywhere. But as CN is practically a part of the DistinguishedName attribute, you can get it from the value of the onPremisesDistinguishedName, which is available via the Graph or Azure AD (Get-AzureADUserExtension).

That's exactly my question here: why is this attribute not exposed on AzureAD, what's the rationale behind it? Not only the CN attribute, commonName, alias, and in fact when you expand the extensionproperty attribute you can see user identities, that one is also empty, and with the full DN value being returned it will require tweaking to extract only the CN value. However, I am curious why this behavior in the first place.

That can only be answered by the relevant folks at Microsoft... which you will not find here on these boards :)
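
The thread's suggestion is to recover the CN from the onPremisesDistinguishedName value, which means trimming the full DN. The PowerShell below is an added example, not code from any poster or from Microsoft; the function name `Get-CnFromDistinguishedName` and the sample DNs are constructed, and it assumes backslash-escaped (RFC 4514 style) DN strings, where a plain split on `,` would return the wrong name.

```powershell
# Added example, not from the thread. Function name and sample DNs are constructed.
function Get-CnFromDistinguishedName {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$DistinguishedName
    )
    process {
        # Leading RDN = everything up to the first ',' or '+' that is not
        # backslash-escaped. A plain -split ',' would cut "Doe\, Jane" in half.
        $rdn = [regex]::Match($DistinguishedName, '(?s)^(?:\\.|[^\\,+])*').Value

        # Only return a value when the leading RDN really is a CN.
        $m = [regex]::Match($rdn, '(?is)^\s*CN\s*=(.*)$')
        if (-not $m.Success) { return }

        # Undo the escaping: "\2C" style hex pairs are UTF-8 bytes,
        # "\," style pairs stand for the character itself.
        [regex]::Replace($m.Groups[1].Value, '(?s)(?:\\[0-9A-Fa-f]{2})+|\\(.)', {
            param($hit)
            if ($hit.Groups[1].Success) { return $hit.Groups[1].Value }
            $hex = $hit.Value.Replace('\', '')
            $bytes = for ($i = 0; $i -lt $hex.Length; $i += 2) {
                [Convert]::ToByte($hex.Substring($i, 2), 16)
            }
            [Text.Encoding]::UTF8.GetString([byte[]]$bytes)
        })
    }
}

# Constructed sample values shaped like onPremisesDistinguishedName
# (the real value comes from the Graph or Get-AzureADUserExtension).
$samples = @(
    'CN=Jane Doe,OU=Staff,DC=contoso,DC=example',
    'CN=Doe\, Jane,OU=Staff,DC=contoso,DC=example',
    'CN=R\26D\2C Lab,OU=Groups,DC=contoso,DC=example'
)
$samples | ForEach-Object {
    [pscustomobject]@{ DN = $_; CN = Get-CnFromDistinguishedName $_ }
}
```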
