Forum Discussion
ImmutableID to Extensionattribute
- Nov 29, 2018
Hello Charles,
There are two different queries in your request.
First - How to writeback Immutable ID to an Extension Attribute.
Second - ObjectID of cloud Accounts.
In order to complete the first task, create an Outbound rule for the AD connector that maps the source anchor to the extension attribute. Below is an example:
# $syncRule must already hold the outbound rule object (for example from Get-ADSyncRule)
Add-ADSyncAttributeFlowMapping `
-SynchronizationRule $syncRule[0] `
-Source @('sourceAnchor') `
-Destination 'msDS-cloudExtensionAttribute10' `
-FlowType 'Direct' `
-ValueMergeType 'Update' `
-OutVariable syncRule
Once the rule is created, run a sync and you will find the extension attribute populated with the source anchor.
For the second query, ObjectID is an attribute that belongs to the Object Class and is a mandatory attribute that will be populated for all objects (synced or cloud).
To check the Object class, you can run the below-mentioned command in Azure AD PowerShell.
Get-AzureADUser | Get-Member
Let me know if you have any queries.
Regards,
Rishabh
Thanks for the replies. This is a great dialogue. As I understand it, since we started this (years ago, before me) without mS-DS-ConsistencyGuid, it's too late to change it. It would certainly fit the bill.
ThinkSync, your assessment is correct; we are working toward a better lifecycle and looking to link the user between apps and not have to visit this again for a long time! ObjectID sounds like a plan.
OK, so if I should start a new thread let me know, but this is starting to take shape here. Thanks very much!
Prompting another question along the same line: are Azure ObjectIDs truly globally unique, meaning across any Azure AD? Or is there some chance that there is, like life on another planet, a possibility for duplication?
- ThinkSync, Dec 12, 2018, Brass Contributor
Hi Charles,
Apologies for the late response, work has been hectic.
ObjectID is only guaranteed unique within a specific tenant. If you need to compare objects across multiple tenants, I’d recommend cross referencing with another attribute.
ProxyAddresses is probably the best attribute to use, as the UPN will usually be updated to reflect name changes.
PowerShell example:
$UserOID = "84214-20sb-42e-a2c7-a24520a77228"
$UserSMTP = "ThinkSync@company.com"
Get-MsolUser -All | Where {$_.ObjectId -match $UserOID -AND $_.ProxyAddresses -match $UserSMTP}
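As an added illustration (not code from the thread or from Microsoft), here are the checks a practitioner would run after the extension-attribute writeback described earlier and when handling ObjectIds from more than one tenant: it derives the ImmutableId from objectGUID (Base64 of the GUID in .NET Guid.ToByteArray() byte order, the value Azure AD Connect uses when objectGUID is the source anchor, as in this thread), compares it with what was written to msDS-cloudExtensionAttribute10, and keys cloud objects on (tenant, ObjectId) rather than ObjectId alone. The exports, tenant names, GUIDs and user names are constructed sample data.

```python
import base64
import uuid
from collections import defaultdict

def guid_to_immutable_id(object_guid: str) -> str:
    """Base64 of the GUID bytes in .NET Guid.ToByteArray() order, which is the
    sourceAnchor/ImmutableId value when objectGUID is the anchor attribute."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

def immutable_id_to_guid(immutable_id: str) -> str:
    """Inverse: recover objectGUID from an ImmutableId read back from AD."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))

def reconcile(onprem, cloud):
    """Check the written-back extension attribute against the anchor the GUID
    implies, that each anchor has a cloud object, and that ObjectIds are not
    reused across tenants (they are only guaranteed unique per tenant)."""
    findings = []
    cloud_anchors = {u["ImmutableId"] for u in cloud if u["ImmutableId"]}
    for u in onprem:
        expected = guid_to_immutable_id(u["objectGUID"])
        written = u["msDS-cloudExtensionAttribute10"]
        if written != expected:
            findings.append(("attr_mismatch", u["sam"], written, expected))
        if expected not in cloud_anchors:
            findings.append(("no_cloud_match", u["sam"], expected))
    tenants = defaultdict(set)
    for u in cloud:
        tenants[u["ObjectId"]].add(u["TenantId"])
    for oid, owners in sorted(tenants.items()):
        if len(owners) > 1:
            findings.append(("objectid_reused_across_tenants", oid, sorted(owners)))
    return findings

# Constructed sample exports (not real directory data).
ONPREM = [
    {"sam": "alice", "objectGUID": "3f2504e0-4f89-41d3-9a0c-0305e82c3301",
     "msDS-cloudExtensionAttribute10": "4AQlP4lP00GaDAMF6CwzAQ=="},
    {"sam": "bob", "objectGUID": "7d444840-9dc0-11d1-b245-5ffdce74fad2",
     "msDS-cloudExtensionAttribute10": ""},  # outbound rule not yet synced
]
CLOUD = [
    {"TenantId": "contoso", "ObjectId": "0a1b2c3d-0000-4000-8000-000000000001",
     "ImmutableId": "4AQlP4lP00GaDAMF6CwzAQ=="},
    {"TenantId": "contoso", "ObjectId": "0a1b2c3d-0000-4000-8000-000000000002",
     "ImmutableId": None},  # cloud-only account, no anchor
    {"TenantId": "fabrikam", "ObjectId": "0a1b2c3d-0000-4000-8000-000000000001",
     "ImmutableId": None},  # same ObjectId string seen in another tenant
]
```

Running reconcile(ONPREM, CLOUD) reports bob's unwritten attribute and missing cloud object, and the ObjectId that appears under two tenants; alice reconciles cleanly.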
- Charles Ferreira, Dec 12, 2018, Copper Contributor
No problem. I did get a response from a program manager at Microsoft that I had met at Ignite. He indicated to read this article: https://en.wikipedia.org/wiki/Universally_unique_identifier
Apparently the possibility for collision is so low it's likely not an issue?
It's not specifically that we are looking to compare, but to have a good way to generate an immutable ID for claims, reporting, etc., as you indicated. It would be a standard here for the lifecycle of a user across many apps, and we are concerned if there is someday an acquisition or a need to use the ObjectID from another Azure AD in the same capacity. We didn't want to stand up another app to generate them if there is already something.
- ThinkSync, Dec 14, 2018, Brass Contributor
Great stuff, good luck and please reach out to the community if there's anything we can help with :)