List of attributes synchronized by the Windows Azure Active Directory Sync tool
Hi friends!
Today's post is divided into the following sections for easier reading:
Table 1: Attributes synchronized from the on-premises AD DS (Active Directory Domain Services) environment to Windows Azure Active Directory (Windows Azure AD)
Table 2: Attributes written back to the on-premises AD DS environment from Windows Azure Active Directory in an Exchange hybrid scenario.
Finally, we will see how directory synchronization determines under which circumstances attributes are not synchronized from our on-premises environment to Windows Azure AD.
Table 1: Attributes synchronized from the on-premises AD DS (Active Directory Domain Services) environment to Windows Azure Active Directory (Windows Azure AD)
The following table lists the attributes that are synchronized from on-premises AD DS to Windows Azure AD.
Note that objects must have values in the following attributes to be considered by the synchronization process:
- cn
- member (groups only)
- samAccountName (users only)
- alias (groups and contacts only)
- displayName (for groups that already have the mail or proxyAddresses attribute populated)
Synced Object Attribute | User | Group | Contact (Src) | Description |
--- | --- | --- | --- | --- |
assistant | Read | - | Read | The name of the assistant for an account. |
authOrig | Read | Read | Read | Relationship that indicates that the mailbox for the target object is authorized to send mail to the source object. |
C | - | - | Read | Two-letter ISO 3166 [ISO3166] country code. |
cn | Read | Read | Read | The common name of the object. |
co | Read | - | Read | The country/region in which the person (user or contact) or company is located. |
company | Read | - | Read | The person's (user or contact) company name. |
countryCode | Read | - | Read | The country code for person's (user or contact) language of choice. |
department | Read | - | Read | The name of the person's (user or contact) department. |
description | Read | Read | Read | Human-readable descriptive phrases about the object. |
displayName | Read | Read | Read | The display name for an object, usually the combination of the person's first name, middle initial, and last name. |
dLMemRejectPerms | Read | Read | Read | Relationship that indicates that members of the target object are not authorized to send mail to the source object. |
dLMemSubmitPerms | Read | Read | Read | Relationship that indicates that members of the target object are authorized to send mail to the source object. |
ExtensionAttribute1 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute10 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute11 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute12 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute13 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute14 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute15 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute2 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute3 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute4 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute5 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute6 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute7 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute8 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
ExtensionAttribute9 | Read | Read | Read | Custom attribute that is defined in the customer on-premises directory. |
facsimiletelephonenumber | Read | - | Read | Telephone numbers (and, optionally, the parameters) for facsimile terminals. |
givenName | Read | - | Read | Name strings that are the part of a person's (user or contact) name that is not their surname. |
GroupType | - | Read | - | Flag attribute indicating the type of group (security, global, etc.) |
hideDLMembership | - | Read | - | Hide the membership list on a distribution list from senders. |
homephone | Read | - | Read | The person's (user or contact) main home telephone number. |
info | Read | Read | Read | "Notes" field on "Telephone" tab of ADUC. |
Initials | Read | - | Read | Strings of initials of some or all of an individual's names, except the surname(s). |
ipPhone | Read | - | Read | The TCP/IP address for the telephone. |
l | Read | - | Read | Names of a locality or place, such as a city, county, or other geographic region. |
legacyExchangeDN | Read | Read | Read | |
mail | Read | Read | Read | The list of email addresses for a person (user or contact). |
mailnickname | Read | Read | Read | |
managedBy | - | Read | - | Resource/owner relationship, where the source object (a group) is the resource, and the target object is the owner. |
manager | Read | - | Read | Manager/direct report relationship between two individuals, where the source object is the direct report, and the target object is the manager. |
member | - | Read | - | Membership of the target object (of class User, Contact, or Group) in the group that is identified as the source object. |
middleName | Read | - | Read | Additional names for a person (user or contact), for example, middle name, patronymic, matronymic, or other names. |
mobile | Read | - | Read | The primary mobile phone number for a person (user or contact). |
msDS-HABSeniorityIndex | Read | Read | Read | |
msDS-PhoneticDisplayName | Read | Read | Read | |
MsExchArchiveGUID | Read | - | - | |
MsExchArchiveName | Read | - | - | |
msExchArchiveStatus | Read/Write | - | - | Created in the Exchange cloud for "write back" to on-premises when the customer has a cloud archive. |
msExchAssistantName | Read | - | Read | The name of the assistant for an account. |
msExchAuditAdmin | Read | - | - | |
msExchAuditDelegate | Read | - | - | |
msExchAuditDelegateAdmin | Read | - | - | |
msExchAuditOwner | Read | - | - | |
MsExchBlockedSendersHash | Read/Write | - | Read | Populated through an upgrade from Business Productivity Online Standard Suite. Not synced from on-premises. |
msExchBypassAudit | Read | - | - | |
MsExchBypassModerationFromDLMembersLink | Read | Read | Read | |
MsExchBypassModerationLink | Read | Read | Read | |
msExchCoManagedByLink | - | Read | - | |
msExchDelegateListLink | Read | - | - | |
msExchELCExpirySuspensionEnd | Read | - | - | |
msExchELCExpirySuspensionStart | Read | - | - | |
msExchELCMailboxFlags | Read | - | - | |
MsExchEnableModeration | Read | Read | - | |
msExchExtensionCustomAttribute1 | Read | Read | Read | |
msExchExtensionCustomAttribute2 | Read | Read | Read | |
msExchExtensionCustomAttribute3 | Read | Read | Read | |
msExchExtensionCustomAttribute4 | Read | Read | Read | |
msExchExtensionCustomAttribute5 | Read | Read | Read | |
MsExchGroupDepartRestriction | - | Read | - | |
MsExchGroupJoinRestriction | - | Read | - | |
msExchHideFromAddressLists | Read | Read | Read | Indicator to control the visibility of a mail recipient for name resolution. |
MsExchImmutableID | Read | - | - | |
msExchLitigationHoldDate | Read | Read | Read | |
msExchLitigationHoldOwner | Read | Read | Read | |
MsExchMailboxGuid | Read | - | - | The GUID of the user’s mailbox. |
msExchMailboxAuditEnable | Read | - | - | |
msExchMailboxAuditLogAgeLimit | Read | - | - | |
MsExchModeratedByLink | Read | Read | Read | |
MsExchModerationFlags | Read | Read | Read | |
MsExchRecipientDisplayType | Read | Read | Read | |
msExchRecipientTypeDetails | Read | Read | Read | |
MsExchRemoteRecipientType | Read | - | - | |
msExchRequireAuthToSendTo | Read | Read | Read | When enabled for a distribution list (DL), unauthenticated users are rejected. |
MsExchResourceCapacity | Read | - | - | |
MsExchResourceDisplay | Read | - | - | |
MsExchResourceMetaData | Read | - | - | |
MsExchResourceSearchProperties | Read | - | - | |
msExchRetentionComment | Read | Read | Read | |
msExchRetentionURL | Read | Read | Read | |
MsExchSafeRecipientsHash | Read/Write | - | Read | Populated through an upgrade from Business Productivity Online Standard Suite. Not synced from on-premises. |
MsExchSafeSendersHash | Read/Write | - | Read | Populated through an upgrade from Business Productivity Online Standard Suite. Not synced from on-premises. |
MsExchSenderHintTranslations | Read | Read | Read | |
msExchTeamMailboxExpiration | Read | - | - | |
msExchTeamMailboxOwners | Read | - | - | |
msExchTeamMailboxSharePointLinkedBy | Read | - | - | |
msExchTeamMailboxSharePointUrl | Read | - | - | |
msExchUCVoiceMailSettings | Read/Write | - | - | |
msExchUsageLocation | Read | - | - | |
msExchUserHoldPolicies | Read/Write | - | - | Litigation Hold allows cloud services to determine which users are under Litigation Hold |
msOrg-IsOrganizational | - | Read | - | |
msRTCSIP-ApplicationOptions | Read | - | - | |
msRTCSIP-DeploymentLocator | Read | - | Read | Fully qualified DNS name of the Microsoft Lync Server 2010 deployment, as specified in the authoritative (customer, on-premises) directory. |
msRTCSIP-Line | Read | - | Read | The device ID (either the Session Initiation Protocol (SIP) uniform resource identifier (URI) or the TEL URI) of the telephone that the user controls. |
msRTCSIP-OwnerUrn | Read | - | - | |
msRTCSIP-PrimaryUserAddress | Read | - | Read | SIP URI for instant messaging, as specified in the authoritative (customer, on-premises) directory. |
msRTCSIP-UserEnabled | Read | - | Read | Indicates whether the user is currently enabled for SIP instant messaging, as specified in the authoritative (customer, on-premises) directory. |
msRTCSIP-OptionFlags | Read | - | Read | |
objectGUID | Read | Read | Read | Key for the object: this key is immutable, even if the object moves from one context to another, for example, as a result of a company merge or split. |
oOFReplyToOriginator | - | Read | - | Governs whether out-of-office notifications should be sent to a sender of a message to this distribution list (DL). |
otherFacsimileTelephone | Read | - | Read | A list of alternative facsimile numbers. |
otherHomePhone | Read | - | Read | A list of alternative home telephone numbers. |
otherIpPhone | Read | - | Read | A list of alternative TCP/IP addresses for the telephone. |
otherMobile | Read | - | Read | A list of alternative mobile phone numbers. |
otherPager | Read | - | Read | A list of alternative pager numbers. |
otherTelephone | Read | - | Read | A list of alternative office telephone numbers. |
pager | Read | - | Read | The primary pager number. |
photo | Read | - | - | |
physicalDeliveryOfficeName | Read | - | Read | Names that a postal service uses to identify a post office. |
postalCode | Read | - | Read | Codes that a postal service uses to identify postal service zones. |
postOfficeBox | Read | - | Read | Postal box identifiers that a postal service uses when a customer arranges to receive mail at a box on the premises of the postal service. |
PreferredLanguage | Read | - | - | The preferred written or spoken language for a user. |
proxyAddresses | Read/Write | Read/Write | Read/Write | The address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. |
PublicDelegates | Read/Write | Read | Read | Cross-premises public delegation: allows users to specify delegates for their mailbox. |
reportToOriginator | - | Read | - | Governs whether to send delivery reports to the message originator when a message that is sent to a group is not delivered. The delivery report lets the group owner know that the message was not delivered. |
ReportToOwner | - | Read | - | |
samAccountName | Read | - | - | |
sn | Read | - | Read | Name strings for the family names of a person (user or contact). |
st | Read | - | Read | The full names of states or provinces. |
streetAddress | Read | - | Read | The person's (user or contact) address. |
targetAddress | Read | - | Read | The destination address for the person (user or contact). |
TelephoneAssistant | Read | - | Read | |
telephoneNumber | Read | - | Read | Telephone numbers that comply with the ITU Recommendation E.123. |
thumbnailphoto | Read | - | Read | Person's photo; 10kb maximum size limit. |
title | Read | - | Read | The title of a person (user or contact) in the person's organizational context. |
unauthOrig | Read | Read | Read | Relationship that indicates that the mailbox for the target object is not authorized to send mail to the source object. |
url | Read | - | Read | The list of alternative web pages. |
userAccountControl | Read | - | - | Flag attribute to indicate settings. |
userCertificate | Read | Read | - | Contains certificates used as part of the Exchange SMIME feature set. |
UserPrincipalName | Read | Read | - | The user principal name (UPN) that is an Internet-style logon name for a user, as specified in RFC 822. |
userSMIMECertificate | Read | Read | - | Contains certificates used as part of the Exchange SMIME feature set. |
wWWHomePage | Read | - | Read | The primary web page. |
Table 2: Attributes written back to the on-premises AD DS environment from Windows Azure Active Directory in an Exchange hybrid scenario.
The following table lists the synchronized attributes that are written back to the AD DS environment from Office 365 in an Exchange hybrid deployment.
These attributes are only written back when federation is enabled in our Exchange organization:
Write-Back attribute | Exchange "full fidelity" feature |
--- | --- |
msExchArchiveStatus | Online Archive: Enables customers to archive mail. |
msExchUCVoiceMailSettings | Enable Unified Messaging (UM) - Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services. |
msExchUserHoldPolicies | Litigation Hold: Enables cloud services to determine which users are under Litigation Hold. |
ProxyAddresses (LegacyExchangeDN <online LegacyDn> as X500) | Enable Mailbox: Offboards an online mailbox back to on-premises Exchange. |
PublicDelegates | Cross-premises Public Delegation: Enables users to specify delegates for their mailbox. |
SafeSendersHash, BlockedSendersHash, SafeRecipientHash | Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients. |
Last but not least, we will now see how directory synchronization determines under which circumstances attributes are not synchronized from our on-premises environment to Windows Azure AD:
Any object is filtered if:
- Object is a conflict object (DN contains \0ACNF: )
Contact objects are filtered if:
- DisplayName contains "MSOL" AND msExchHideFromAddressLists = TRUE
- mailNickName starts with "CAS_" AND mailNickName contains "{"
SecurityEnabledGroup objects are filtered if:
- isCriticalSystemObject = TRUE
- mail is present AND DisplayName isn't present
- Group has more than 15,000 immediate members
MailEnabledGroup objects are filtered if:
- DisplayName is empty
- (ProxyAddress doesn't have a primary SMTP address) AND (mail attribute isn't present/invalid - i.e. indexof ('@') <= 0)
- Group has more than 15,000 immediate members
User objects are filtered if:
- mailNickName starts with "SystemMailbox{"
- mailNickName starts with "CAS_" AND mailNickName contains "{"
- sAMAccountName starts with "CAS_" AND sAMAccountName has "}"
- sAMAccountName equals "SUPPORT_388945a0"
- sAMAccountName equals "MSOL_AD_Sync"
- sAMAccountName isn't present
- isCriticalSystemObject is present
- msExchRecipientTypeDetails == (0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000)
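As an added example (not code from the post), the filtering rules above expressed as a Python predicate over constructed sample objects. The `kind` key is an assumption of the example standing in for the object class DirSync derives from the AD object; `filter_reason` returns None for an object that would sync, which makes it usable for auditing a directory export before running the sync tool.

```python
# Added example (not from the post): the DirSync filter rules encoded as a predicate
# over plain dicts. Sample objects are constructed; "kind" is an assumed classification.
SKIPPED_RECIPIENT_TYPES = {0x1000, 0x2000, 0x4000, 0x400000,
                           0x800000, 0x1000000, 0x20000000}
MAX_IMMEDIATE_MEMBERS = 15000


def _present(obj, attr):
    return obj.get(attr) not in (None, "", [])


def _cas_name(value, brace):
    # CAS_ system objects: "CAS_" prefix plus the given brace somewhere in the name
    return value.startswith("CAS_") and brace in value


def filter_reason(obj):
    """Return why DirSync would skip the object, or None if it would sync."""
    if "\\0ACNF:" in obj.get("distinguishedName", ""):
        return "conflict object"
    kind, nick = obj["kind"], obj.get("mailNickname", "")
    sam, members = obj.get("sAMAccountName", ""), obj.get("member", [])
    if kind == "contact":
        if "MSOL" in obj.get("displayName", "") and obj.get("msExchHideFromAddressLists") is True:
            return "hidden MSOL contact"
        if _cas_name(nick, "{"):
            return "CAS_ contact"
    elif kind == "security_group":
        if obj.get("isCriticalSystemObject") is True:
            return "critical system object"
        if _present(obj, "mail") and not _present(obj, "displayName"):
            return "mail without displayName"
        if len(members) > MAX_IMMEDIATE_MEMBERS:
            return "more than 15,000 members"
    elif kind == "mail_group":
        if not _present(obj, "displayName"):
            return "empty displayName"
        # the primary SMTP address carries the upper-case "SMTP:" prefix
        no_primary = not any(p.startswith("SMTP:") for p in obj.get("proxyAddresses", []))
        if no_primary and obj.get("mail", "").find("@") <= 0:
            return "no primary SMTP address"
        if len(members) > MAX_IMMEDIATE_MEMBERS:
            return "more than 15,000 members"
    elif kind == "user":
        if nick.startswith("SystemMailbox{") or _cas_name(nick, "{") or _cas_name(sam, "}"):
            return "Exchange system mailbox"
        if not sam or sam in ("SUPPORT_388945a0", "MSOL_AD_Sync"):
            return "missing sAMAccountName or built-in account"
        if "isCriticalSystemObject" in obj:
            return "critical system object"
        if obj.get("msExchRecipientTypeDetails") in SKIPPED_RECIPIENT_TYPES:
            return "excluded recipient type"
    return None
```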
As always, we hope this post is useful to you.
Have a good weekend!
Pedro Moreno