Help with AADConnect Expressions

In our hybrid Dev environment, we have followed these instructions to add a custom attribute to on-prem AD signifying Guest/Member, and have that syncing into AADConnect and out to Azure as UserType. This works for provisioning on-prem users as Guests in Azure, but it gives them <On-Prem UPN Prefix>@<tenant name> UPNs. We would like the Guest UPNs to be provisioned like "invited" Guests are: with the Guest user's email address in the prefix (with @ replaced with _), followed by #EXT#@<tenant name>. Does anyone know how to do this? I assume we need to write some very long IIF statement. I'd also like to convert the custom AADConnect output rule from "Direct" to "Expression", where it will write the value from the custom attribute if it is populated, otherwise write "Member". Can anyone help with the needed custom expression language? Thanks. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration#enable-synchronization-of-usertype

I was told that creating Guest users via AADConnect synchronization would not result in usable Guest accounts, because Azure would not know where the auth authority for the Guest account would reside. I have moved on to implementing a method for exclusion of individual objects from AADConnect sync, via a custom attribute and a custom AADConnect sync rule to set cloudFiltered to True.
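The two expressions asked for above, and an outbound rule that carries them, as an added example that is not part of the original post or of the linked Microsoft article. Everything named in it is an assumption: the metaverse attribute `UserType` (the attribute the linked article has you create and flow from your custom AD attribute), the Azure AD connector name pattern `* - AAD`, the tenant's initial domain, and the rule name and precedence. It is meant to be run on the AADConnect server in an elevated PowerShell session with the scheduler paused.

```powershell
# Added example, not code from the original post. Assumptions: the metaverse
# attribute 'UserType' exists (per the linked Microsoft article), the Azure AD
# connector is named '<something> - AAD', and the tenant suffix below is yours.

Import-Module ADSync
Set-ADSyncScheduler -SyncCycleEnabled $false          # pause sync while editing rules

$tenantSuffix = 'contoso.onmicrosoft.com'             # assumption: your tenant's initial domain
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }

# 1. userType as an Expression flow instead of Direct: write the metaverse value
#    when it is populated, otherwise default to "Member".
#    IIF(condition, whenTrue, whenFalse) and IsPresent([attr]) are AADConnect
#    expression-language functions.
$userTypeExpr = 'IIF(IsPresent([UserType]), [UserType], "Member")'

# 2. userPrincipalName: for Guests that have a mail address, build
#    <mail with @ replaced by _>#EXT#@<tenant>; every other object keeps the UPN
#    it already has. '&' concatenates strings, '&&' is logical AND, '=' compares.
$upnExpr = 'IIF(IsPresent([mail]) && [UserType] = "Guest", ' +
           'Replace([mail], "@", "_") & "#EXT#@' + $tenantSuffix + '", ' +
           '[userPrincipalName])'

# Outbound rule with a precedence number lower than the built-in
# "Out to AAD - User Join" rule, so these flows win for the two attributes.
New-ADSyncRule `
    -Name 'Out to AAD - User guest-style UPN and UserType (custom)' `
    -Identifier ([guid]::NewGuid().ToString()) `
    -Description 'Added example: Expression flows for userType and userPrincipalName' `
    -Direction 'Outbound' `
    -Precedence 50 `
    -SourceObjectType 'person' `
    -TargetObjectType 'user' `
    -Connector $aadConnector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiry 0 `
    -OutVariable syncRule

Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Destination 'userType' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression $userTypeExpr `
    -OutVariable syncRule

Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Destination 'userPrincipalName' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression $upnExpr `
    -OutVariable syncRule

Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Preview the flows on one test object in the Synchronization Rules Editor
# (or with Get-ADSyncRule) before running a full sync, then resume the scheduler.
Set-ADSyncScheduler -SyncCycleEnabled $true
```

Two caveats a practitioner would check before relying on this. First, the UPN expression falls back to the object's existing `userPrincipalName` when `mail` is empty, so a Guest without a mail address does not end up with a malformed `_#EXT#@` value; filter on `mail` being populated if you want such objects skipped entirely. Second, as the follow-up note on this page says, a Guest provisioned by sync only looks like an invited Guest: the `#EXT#` naming does not by itself tell the tenant where the external user authenticates, so test sign-in for such an account in the Dev tenant before treating the approach as equivalent to B2B invitation.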