Synchronizing AD attributes with security bit set (search flag 128/129) to Azure using AADC

I've got some custom attributes that are marked as confidential in Active Directory; however, I need to move these attributes to Azure Active Directory with AADC. However, these attributes always come back as null.

The service account in AADC has permissions to view these attributes; however, it appears that AADC ignores them out of the box based on the search flag.

Has anyone had to deal with this, and if so, what was the solution?

 

Thanks,

Chris

@Chris_Smith_Bouncer83 

Hi, Chris.

Perhaps double-check that the AAD Connect service account has both of the following two rights specified within the ACE, rather than perhaps just the first one:

  • Read attribute (at a minimum; obviously you could use something higher-privileged);
  • Control access.

Here's an example when viewed using the Microsoft ldp.exe tool:

[Screenshot: the ACE for the AAD Connect service account as displayed in ldp.exe, showing both the Read attribute and Control access rights]

If you have the first in place but not the second, you will get null as the return value.

Cheers,

Lain
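The check Lain describes can be scripted rather than eyeballed in ldp.exe. The following is an added example, not code from the thread: it lists every schema attribute with the confidential bit (searchFlags 128) set, then reports whether the connector account's ACEs on a given OU carry both Read property and Control access for each one. The account name and OU are placeholders, and for brevity the script ignores the inherited-object-type scoping of ACEs (it assumes the ACEs are scoped to the object classes being synced).

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module on a domain-joined host and these placeholder values:
$ServiceAccount = 'CONTOSO\svc-aadc'            # placeholder: AAD Connect connector account
$SearchBase     = 'OU=Users,DC=contoso,DC=com'  # placeholder: OU whose objects are synced

Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Attributes flagged confidential: searchFlags bit 128 (0x80) is set.
#    The LDAP bit-AND matching rule (1.2.840.113556.1.4.803) tests that bit.
$confidential = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' `
    -Properties lDAPDisplayName, searchFlags, schemaIDGUID

# 2. ACL on the OU, reduced to Allow ACEs granted to the service account.
#    Get-Acl on the AD: drive returns inherited ACEs as well as explicit ones.
$acl  = Get-Acl -Path "AD:\$SearchBase"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
}

$RP = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty   # "Read attribute"
$CA = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight  # "Control access"

# 3. For each confidential attribute, require BOTH rights. An ACE applies to the
#    attribute when its ObjectType is the attribute's schemaIDGUID, or the empty
#    GUID (meaning all properties / all extended rights). GenericAll is a superset
#    of both flags, so HasFlag also treats it as sufficient.
foreach ($attr in $confidential) {
    $guid     = [guid]$attr.schemaIDGUID
    $matching = $aces | Where-Object { $_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty }
    $hasRP    = [bool]($matching | Where-Object { $_.ActiveDirectoryRights.HasFlag($RP) })
    $hasCA    = [bool]($matching | Where-Object { $_.ActiveDirectoryRights.HasFlag($CA) })
    [pscustomobject]@{
        Attribute     = $attr.lDAPDisplayName
        ReadProperty  = $hasRP
        ControlAccess = $hasCA
        # Missing either right is the "attribute comes back null" symptom.
        WillSyncValue = ($hasRP -and $hasCA)
    }
}
```

Any row with ReadProperty true but ControlAccess false is the exact case the reply describes: the read succeeds but the confidential value is returned as null.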