Dynamic Security Groups based on the onpremisesDistinguishedName attribute


Hi to the community

Got an interesting question. I see that you can create dynamic security groups based on a large number of attributes, including onpremisessecurityidentifier; I can see some use cases for that one :)

However, it doesn't appear to be possible to create a dynamic group based on the onpremisesdistinguishedname :( Is this possible?


I did some reading about being able to consume custom attributes based on applicationID. Would this be a possible approach to investigate? If so, does the AADConnect system even register an AppID, and how would I go about locating it?

Thanks for any advice or pointers


The attribute itself is synced/exposed as "onPremisesDistinguishedName", however leveraging that for Dynamic group rules is not possible afaik.

Hi Vasil
I had this confirmed by another source... It's annoying, because that ability would have eased a particular issue where the accuracy of data in AD is questionable but the org has a dept/division-based OU structure.
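The thread confirms that onPremisesDistinguishedName is synced into the directory but cannot be used in a dynamic membership rule. The practical need behind the question is still to recover a department or division from the OU path of that DN. The following is an added example, not code from the thread or from Microsoft: a small Python parser that splits an LDAP DN into its RDNs (honouring backslash-escaped commas, as in "CN=Smith\, John"), returns the OU chain from the domain root down, and picks out the OU directly beneath an assumed container named "Departments". How the extracted value is then fed into a supported attribute or group is left to the reader; the sample DNs below are constructed for illustration and do not come from the thread.

```python
from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP distinguished name into (type, value) RDN pairs.

    A backslash escapes the following character, so a comma inside a
    value (e.g. "CN=Smith\\, John") does not start a new RDN.
    Attribute types are upper-cased so callers can compare them simply.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def ou_path(dn: str) -> List[str]:
    """OU names ordered from the domain root down to the object's container.

    A DN lists the leaf first, so the OU components are reversed.
    """
    ous = [value for attr_type, value in parse_dn(dn) if attr_type == "OU"]
    return list(reversed(ous))


def department_from_dn(dn: str, container: str = "Departments") -> Optional[str]:
    """Return the OU directly beneath `container`, or None if absent.

    `container` is an assumed name for the OU that groups department OUs;
    adjust it to the structure of the directory being examined.
    """
    path = ou_path(dn)
    for idx, name in enumerate(path):
        if name.lower() == container.lower() and idx + 1 < len(path):
            return path[idx + 1]
    return None


if __name__ == "__main__":
    # Constructed sample DNs in the shape onPremisesDistinguishedName typically takes.
    samples = [
        "CN=Smith\\, John,OU=Sales,OU=Departments,DC=contoso,DC=com",
        "CN=Svc Account,OU=Service Accounts,DC=contoso,DC=com",
    ]
    for sample in samples:
        print(sample, "->", ou_path(sample), department_from_dn(sample))
```

The escape handling matters in practice: display names containing commas are common in the CN, and a naive `split(",")` would silently produce a wrong OU chain for exactly those accounts. Objects outside the assumed container (service accounts in the second sample) yield None rather than a guessed department, so they can be reviewed separately instead of being misclassified.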