AzureAD Provisioning Services Object matching

Question

I'm wondering how object matching by attribute is technically implemented in Azure AD outbound synchronization (Azure AD to SaaS App)
a) Are source objects technically joined when attribute matches?
Azure AD objects references immutable Id of object in SaaS App after object has been joined by a attribute matching
That would be the same implementation as in Microsoft Identity manager synchronization engine
-> With this (preferred) implementation matching attribute can be mutable / support renames

b) Are attribute-matching evaluated with every cycle?
-> With this implementation matching attribute must be immutable

Thanks for any feedback

Answer 1

@Felber Pirmin Thanks for reaching out on this and apologies for delay.

This article describes how the matching is done. The article describes the matching process in detail with respect to these main points.

Matching attributes should be unique
The value in the source and the target do not have to match exactly
Matching based on a combination of attributes is not supported
All users must have a value for at least one matching attribute
The target application must support filtering on the matching attribute

We query the target system to identify matching users based on the matching attribute.
1) If a user is matched, the target system responds back with the ID of the user that is immutable and used in all subsequent requests.
2) If the matching attribute value changes, we are able to update the existing user by using the immutable ID in future patch requests.

-----------------------------------------------------------------------------------------------------------------

If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.