Syncing custom security attributes with Azure AD Provisioning Service

David Jones 20 Reputation points
2023-03-14T15:31:20.8733333+00:00

I've assigned some custom security attributes to users and now I'd like to sync those users (along with their custom security attributes) with an enterprise application. Is it possible to sync custom security attributes with Azure AD Provisioning Service?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,410 questions
0 comments No comments
{count} votes

Accepted answer
  1. James Hamil 21,546 Reputation points Microsoft Employee
    2023-03-14T21:43:08.31+00:00

    Hi @David Jones yes, it is possible to sync custom security attributes with Azure AD Provisioning Service. You can use the directory extension feature to add source attributes that aren't synchronized by default. You will need to perform the following tasks before configuring provisioning to your application:

    1. Check with the on-premises Active Directory domain admins whether the required attributes are part of the AD DS schema, and if they are not, extend the AD DS schema in the domains where those users have accounts.
    2. Open the Azure AD Connect wizard, choose Tasks, and then choose Customize synchronization options.
    3. Sign in as an Azure AD Global Administrator.On the Optional Features page, select Directory extension attribute sync.
    4. Select the attribute(s) you want to extend to Azure AD.
      1. Finish the Azure AD Connect wizard and allow a full synchronization cycle to run.When the cycle is complete, the schema is extended and the new values are synchronized between your on-premises AD and Azure AD.
    5. In the Azure portal, while you’re editing user attribute mappings, the Source attribute list will now contain the added attribute in the format <attributename> (extension_<appID>_<attributename>), where appID is the identifier of a placeholder application in your tenant. Select the attribute and map it to the target application for provisioning.

    For more information, you can refer to the following link: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md <sup>[2]</sup>

    Please let me know if you have any questions and I can help you further.

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,

    James


0 additional answers

Sort by: Most helpful