cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can we sync private phone or private mail to AzureAD

Michal_Z
Brass Contributor

‎Aug 16 2021 02:01 PM - last edited on ‎Jan 14 2022 03:25 PM by

‎Aug 16 2021 02:01 PM - last edited on ‎Jan 14 2022 03:25 PM by

Can we sync private phone or private mail to AzureAD

HI, 

I'm working on a project where the goal is to give access for candidates (before they are hired) to the internal application published as Enterprise App in Azure AD. Employees use SSO to access the application.

The solution we think of is to create an AD account for the candidate with private mobile and/or mail, sync it to AzureAD and let the candidate reset the password using that security information. 

Related to the above, is there an attribute in local AD equivalent to AlternativeAuthenticationPhone or strongAuthenticationEmailAddress in AzureAD, which can be synced by Azure AD Connect and use in the SSPR process?

 

3,497 Views
1 Like
9 Replies
Reply
9 Replies
BilalelHadd

‎Aug 16 2021 02:09 PM

‎Aug 16 2021 02:09 PM

Re: Can we sync private phone or private mail to AzureAD

Hi Michal,

Why wouldn't you use Azure AD Access Packages? I have written a blog about this great feature: https://www.bilalelhaddouchi.nl/index.php/2021/07/31/get-started-with-azure-ad-access-packges/

Regarding the attributes, you can also create a dynamic group with the hires as members of this particular group. An expression could be the Department attribute with the value "hire" or you could use the CloudExtenstionAttributes with a custom value set.

Let me know if you still need some help or advice regarding this functionality.
0 Likes
Reply
Michal_Z

‎Aug 16 2021 11:45 PM

‎Aug 16 2021 11:45 PM

Re: Can we sync private phone or private mail to AzureAD

Hi BilalelHadd,
Thank you for pointing me in this direction. I was not aware of this functionality and it puts a new light on the project. I am now exploring this area further. I'll let you know if I have more questions.

1 Like
Reply
Michal_Z

‎Aug 18 2021 11:51 PM

‎Aug 18 2021 11:51 PM

Re: Can we sync private phone or private mail to AzureAD

Although we found Azure AD Access Packages interesting, after further investigation, we still need to sync private phone numbers and/or e-mails to AzureAD for SSPR/MFA. We need it for employed users, as we have this data in our HR system integrated with our AD on-prem.
And we cannot use standard fields like a mobile phone number, to protect user's privacy, as this field is visible for other users in the company.
So my question still stays open. Is there a field in Active Directory which directly refers to AlternativeAuthenticationPhone or strongAuthenticationEmailAddress fields in AzureAD? Or should we use custom attributes in AD for that?
0 Likes
Reply
Josh Villagomez

‎Aug 19 2021 04:23 PM

‎Aug 19 2021 04:23 PM

Re: Can we sync private phone or private mail to AzureAD

The following article describes the attributes that we sync by default:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-syn...

To answer your question, no there is no attribute in AD. It is best that you set that authentication data directly via PowerShell. See here for details:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-authenticationdata...

I don't think you want to be in the business of synchronizing that type of data because AD is not Source of Authority (SOA). So, even if you can attempt to export it once, the moment a user updates their mobile number, you are not longer in "sync", despite attempting to update it again from AD. Hope this helps.
0 Likes
Reply
Michal_Z

‎Aug 19 2021 11:35 PM

‎Aug 19 2021 11:35 PM

Re: Can we sync private phone or private mail to AzureAD

I was thinking about it and you are totally right. This wouldn't be a good idea to get it continuously in sync. As you suggested, it should be one-time sync so later users are able to control it.
Thank you for your answer and suggestion.
0 Likes
Reply
Michal_Z

‎Aug 25 2021 10:15 AM

‎Aug 25 2021 10:15 AM

Re: Can we sync private phone or private mail to AzureAD

@Josh Villagomez 

But how can I set the strongAuthenticationEmailAddress using PowerShell? Can you provide an example?

 

0 Likes
Reply
Josh Villagomez

‎Aug 25 2021 04:09 PM

‎Aug 25 2021 04:09 PM

Re: Can we sync private phone or private mail to AzureAD

@Michal_Z Did you refer to article I provided earlier? 

0 Likes
Reply
Michal_Z

‎Aug 26 2021 03:17 AM

‎Aug 26 2021 03:17 AM

Re: Can we sync private phone or private mail to AzureAD

Yes. And I didn't find the parameter strongAuthenticationEmailAddress working on the Set-AzureADUser command.
0 Likes
Reply
Josh Villagomez

‎Aug 26 2021 04:07 PM

‎Aug 26 2021 04:07 PM

Re: Can we sync private phone or private mail to AzureAD

I see. That specific attribute is not meant to be read or modified directly. Its values come through a claim type and there is no exposed PowerShell or Graph API to modify it directly. From what I understand, it can only be modified through custom user flow policies. I would check this documentation:

https://github.com/azure-ad-b2c/samples
https://github.com/azure-ad-b2c/samples/tree/master/policies/username-signup-or-signin

I've never tried this, but this is the best I provide for you. Hope this helps.
0 Likes
Reply