Follow me on Twitter @AntonioMaio2

Thursday, October 20, 2016

Synchronizing Custom AD Attributes to Office 365 - Part 1

Synchronization of identities has come a long way since the early days of DirSync.  We've now seen 2 major releases of the latest generation sync tool, Azure AD Connect, and it has introduced a long list of new features.  End of support for DirSync and Azure AD Sync is scheduled for April 13, 2017 (announcement).

If you're looking for a list of the benefits of upgrading to the latest version of AD Connect, please see my blog on that topic here: Why upgrade DirSync to Azure AD Connect.  One of those great new features is the ability to synchronize directory extension attributes or even custom attributes from an on premise Active Directory environment to Azure AD within Office 365.  This post is about some of the limitations still in place around custom attributes, and some suggestions on how to deal with them once they've been synchronized.

We run across cases where clients have customized the on premise AD schema to introduce new custom attributes.  This is often due to some specialized business process or line of business application that needs to populate data for each individual user.  Perhaps you have an HR app that needs to populate an employee ID, or some level of manager needs to be stored for each user so that other apps can make use of it.  Personally, I prefer to use the built-in AD extension attributes (extensionAttribute1, extensionAttribute2, ...extensionAttribute15) for this purpose because that's what they're there for, but some environments choose to create custom attributes.  In many cases, when a client chooses to migrate to Office 365, these custom attributes and business processes have been in place for years, and changing those internal processes to use different, built-in attributes simply isn't practical.  In addition, they often want a workflow in SharePoint Online or another Office 365 workload to make use of them.

There are 3 high-level steps we can use to accomplish this:
  1. Configure AD Connect to Synchronize Custom Attributes
  2. Retrieve Attributes in Office 365 Using PowerShell
  3. Customize AD Connect Synchronization Rules
This blog is the first in a 3 part series that will discuss each of these steps in detail.

Step 1 - Configure AD Connect to Synchronize Custom Attributes

First, we need to upgrade to AD Connect and properly configure it to synchronize our custom attributes to Office 365.

1. You start by launching the AD Connect configuration wizard on your synchronization server.  There should be an icon on the desktop of the server where AD Connect was installed.
2. If you installed AD Connect before you customized your AD schema, you'll need to refresh the AD Connect cache.  AD Connect always uses a cache of the AD schema, which it created when it was first installed.  You can refresh this cache by selecting the 'Refresh directory schema' option when you run the AD Connect configuration wizard.  Select this option and then click Next.

3. Enter your Azure AD credentials.  This is your Office 365 global administrator username and password.

4. Select the on premise domain for which you want to refresh the schema, and click Next.

5. Click Configure to update the connector and cached schema that is responsible for synchronizing the selected on premise AD domain to Azure AD.  If you wish to start a fresh sync once this process is done, leave the 'Start the synchronization process when the configuration completes' checkbox checked.  This may not be needed at this point, since we're just refreshing the schema cache in our local AD Connect, so you can un-check the checkbox if you wish.

So far, all we've done is refresh the internal schema for AD Connect.  The custom attributes are not yet synchronizing.  

Next we need to configure AD Connect with the custom attributes we actually want to synchronize.

1. Now we re-launch the AD Connect wizard and select 'Customize Synchronization Options'.

2. Enter your Azure AD credentials.  This is your Office 365 global administrator username and password.

3. Enter your on premise AD credentials.  This is the Domain Enterprise Administrator for the domains you wish to synchronize.

4. Select the domain(s) you wish to synchronize or any OU filtering you wish to implement.  If you're happy with your existing configuration just click Next.

5. In the Optional Features window, ensure that 'Directory extension attribute sync' is selected.

6. If the Azure AD Apps page appears, ensure that any previous settings you might have configured on this page are correct and click Next.

7. If the Azure AD Attributes page appears, ensure that any previous settings you might have configured on this page are correct and click Next.

8. When the Attribute Extensions page appears, find your custom attribute(s) in the Available Attribute list and click the right arrow to add them to the Selected Attribute list.  The selected attributes list represents the custom attributes that will be synchronized to Azure AD within Office 365.

In my example here, we can see that I've extended my AD schema to include a custom attribute called MyCustomAttribute2 and I've selected that attribute to sync to Azure AD.

9. Click Configure to update the synchronization rules used by AD Connect for synchronizing the on premise AD attributes to Azure AD so that they now include the custom attributes you just selected.  If you wish to start a fresh sync once this process is done then leave the 'Start the synchronization process when the configuration completes' checkbox checked.  In this case I recommend you leave this checkbox selected and start a fresh sync.

Our custom attributes are now synchronizing to Office 365!
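Before running the wizard, and again after step 9, it is worth confirming that the attribute is really in a state AD Connect can pick up.  The following PowerShell check is an added example, not part of the original post or of Azure AD Connect itself: it verifies that the custom attribute (MyCustomAttribute2 from the example above) exists in the on-premises schema, is attached to the user class, has values to move, and appears in the directory-extension sync rules.  The rule-name pattern '*DirectoryExtension*' and the flow-mapping property names are assumptions to confirm against your own Get-ADSyncRule output.

```powershell
# Added example: pre-flight checks for a custom attribute before/after enabling
# directory extension sync in Azure AD Connect. Run on the AD Connect server,
# which has the ADSync module; the ActiveDirectory module comes from RSAT.
Import-Module ActiveDirectory
Import-Module ADSync

$attrName = 'MyCustomAttribute2'          # attribute name used in the post
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Does the attribute exist in the on-premises schema, and what shape is it?
$attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued
if (-not $attr) { throw "Attribute '$attrName' is not defined in the schema at $schemaNC" }
"Attribute: {0}  syntax: {1}  singleValued: {2}" -f `
    $attr.lDAPDisplayName, $attr.attributeSyntax, $attr.isSingleValued

# 2. Is it a member of the user class? The wizard only lists attributes that the
#    object classes it syncs may actually carry, so check mayContain/systemMayContain.
$userClass = Get-ADObject -SearchBase $schemaNC `
             -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
             -Properties mayContain, systemMayContain
$inUserClass = (@($userClass.mayContain) + @($userClass.systemMayContain)) -contains $attrName
"Attached to user class: $inUserClass"

# 3. Is anything populated? Sync only moves values that exist on premises.
$populated = (Get-ADUser -Filter "$attrName -like '*'" -Properties $attrName | Measure-Object).Count
"Users with $attrName set: $populated"

# 4. After step 9 the wizard adds directory-extension rules; confirm our attribute flows.
#    Assumption: rule names contain 'DirectoryExtension' and mappings expose Source/Destination.
$rules = Get-ADSyncRule | Where-Object { $_.Name -like '*DirectoryExtension*' }
$found = $false
foreach ($r in $rules) {
    foreach ($f in $r.AttributeFlowMappings) {
        if (($f.Source -contains $attrName) -or ($f.Destination -like "*$attrName*")) {
            $found = $true
            "{0}: {1} -> {2}" -f $r.Name, ($f.Source -join ','), $f.Destination
        }
    }
}
if (-not $found) {
    Write-Warning "No directory-extension rule flows $attrName yet; re-run 'Refresh directory schema' and the wizard."
}
```

If step 2 reports the attribute is not attached to the user class, or step 4 finds no flow even after the schema refresh, the wizard's Attribute Extensions page will not offer it, which is the symptom most often reported.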

Part 2 in this series can be found here: Step 2 - Retrieve Attributes in Office 365 Using PowerShell.

1 comment:

  1. Thanks for the article, however it doesn't seem to work for me! I created my custom attribute, have added it to the User class, I can see it in AD Users & Computers, can edit it.

    Refreshed the directory schema through Azure AD Connect. Went to select my new attribute to sync, but it's not listed???

    Can you help with where I've gone wrong?