Certificate user IDs
Users in Microsoft Entra ID can have a multivalued attribute named certificateUserIds. The attribute allows up to four values, and each value can be of 120-character length. It can store any value and doesn't require email ID format. It can store non-routable User Principal Names (UPNs) like bob@woodgrove or bob@local.
Supported patterns for certificate user IDs
The values stored in certificateUserIds should be in the format described in the following table.
Certificate mapping Field | Examples of values in CertificateUserIds |
---|---|
PrincipalName | “X509:<PN>bob@woodgrove.com” |
PrincipalName | “X509:<PN>bob@woodgrove” |
RFC822Name | “X509:<RFC822>user@woodgrove.com” |
X509SKI | “X509:<SKI>123456789abcdef” |
X509SHA1PublicKey | “X509:<SHA1-PUKEY>123456789abcdef” |
Roles to update certificateUserIds
For cloud-only users, only users with roles Global Administrators, Privileged Authentication Administrator can write into certificateUserIds. Cloud-only users can use both UX and MSGraph to write into certificateUserIds. For synched users, AD users with role Hybrid Identity Administrator can write into the attribute. Only Azure ADConnect can be used to update CertificateUserIds by syncing the value from on-prem for synched users.
Note
Active Directory Administrators (including accounts with delegated administrative privilege over synched user accounts as well as administrative rights over the Azure >AD Connect Servers) can make changes that impact the certificateUserIds value in Microsoft Entra ID for any synched accounts.
Update certificate user IDs
Tenant admins can use the following steps to update certificate user IDs for a user account:
Sign in to the Microsoft Entra admin center as at least a User Administrator. Search for and select All users.
Click a user, and click Edit Properties.
Next to Authorization info, click View.
Click Edit certificate user IDs.
Click Add.
Enter the value and click Save. You can add up to four values, each of 120 characters.
Update certificateUserIds using Microsoft Graph queries
Look up certificateUserIds
Authorized callers can run Microsoft Graph queries to find all the users with a given certificateUserId value. On the Microsoft Graph user object, the collection of certificateUserIds is stored in the authorizationInfo property.
To retrieve all user objects that have the value 'bob@contoso.com' in certificateUserIds:
GET https://graph.microsoft.com/v1.0/users?$filter=authorizationInfo/certificateUserIds/any(x:x eq 'bob@contoso.com')&$count=true
ConsistencyLevel: eventual
You can also use the not
and startsWith
operators to match the filter condition. To filter against the certificateUserIds object, the request must include the $count=true
query string and the ConsistencyLevel header set to eventual
.
Update certificateUserIds
Run a PATCH request to update the certificateUserIds for a given user.
Request body:
PATCH https://graph.microsoft.com/v1.0/users/{id}
Content-Type: application/json
{
"authorizationInfo": {
"certificateUserIds": [
"X509:<PN>123456789098765@mil"
]
}
}
Update certificateUserIds using PowerShell commands
For the configuration, you can use the Azure Active Directory PowerShell Version 2:
Start PowerShell with administrator privileges.
Install and Import the Microsoft Graph PowerShell SDK
Install-Module Microsoft.Graph -Scope AllUsers Import-Module Microsoft.Graph.Authentication Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Connect to the tenant and accept all
Connect-MGGraph -Scopes "Directory.ReadWrite.All", "User.ReadWrite.All" -TenantId <tenantId>
List CertificateUserIds attribute of a given user
$results = Invoke-MGGraphRequest -Method get -Uri 'https://graph.microsoft.com/v1.0/users/<userId>?$select=authorizationinfo' -OutputType PSObject -Headers @{'ConsistencyLevel' = 'eventual' } #list certificateUserIds $results.authorizationInfo
Create a variable with CertificateUserIds values
#Create a new variable to prepare the change. Ensure that you list any existing values you want to keep as this operation will overwrite the existing value $params = @{ authorizationInfo = @{ certificateUserIds = @( "X509:<SKI>eec6b88788d2770a01e01775ce71f1125cd6ad0f", "X509:<PN>user@contoso.com" ) } }
Update CertificateUserIds attribute
$results = Invoke-MGGraphRequest -Method patch -Uri 'https://graph.microsoft.com/v1.0/users/<UserId>/?$select=authorizationinfo' -OutputType PSObject -Headers @{'ConsistencyLevel' = 'eventual' } -Body $params
Update CertificateUserIds using user object
Get the user object
$userObjectId = "6b2d3bd3-b078-4f46-ac53-f862f35e10b6" $user = get-mguser -UserId $userObjectId -Property AuthorizationInfo
Update the CertificateUserIds attribute of the user object
$user.AuthorizationInfo.certificateUserIds = @("X509:<SKI>eec6b88788d2770a01e01775ce71f1125cd6ad0f", "X509:<PN>user1@contoso.com") Update-MgUser -UserId $userObjectId -AuthorizationInfo $user.AuthorizationInfo
Update certificate user IDs using Microsoft Entra Connect
To update certificate user IDs for federated users, configure Microsoft Entra Connect to sync userPrincipalName to certificateUserIds.
On the Microsoft Entra Connect server, find and start the Synchronization Rules Editor.
Click Direction, and click Outbound.
Find the rule Out to Microsoft Entra ID – User Identity, click Edit, and click Yes to confirm.
Enter a high number in the Precedence field, and then click Next.
Click Transformations > Add transformation. You may need to scroll down the list of transformations before you can create a new one.
Synchronize X509:<PN>PrincipalNameValue
To synchronize X509:<PN>PrincipalNameValue, create an outbound synchronization rule, and choose Expression in the flow type. Choose the target attribute as certificateUserIds, and in the source field, add the following expression. If your source attribute isn't userPrincipalName, you can change the expression accordingly.
"X509:\<PN>"&[userPrincipalName]
Synchronize X509:<RFC822>RFC822Name
To synchronize X509:<RFC822>RFC822Name, create an outbound synchronization rule and choose Expression in the flow type. Choose the target attribute as certificateUserIds, and in the source field, add the following expression. If your source attribute isn't userPrincipalName, you can change the expression accordingly.
"X509:\<RFC822>"&[userPrincipalName]
Click Target Attribute, select CertificateUserIds, click Source, select UserPrincipalName, and then click Save.
Click OK to confirm.
Note
Make sure you use the latest version of Microsoft Entra Connect.
For more information about declarative provisioning expressions, see Microsoft Entra Connect: Declarative Provisioning Expressions.
Synchronize alternativeSecurityId attribute from AD to Microsoft Entra CBA CertificateUserIds
AlternativeSecurityId isn't part of the default attributes. An administrator needs to add the attribute to the person object, and then create the appropriate synchronization rules.
Open Metaverse Designer, and select alternativeSecurityId to add it to the person object.
Create an inbound synchronization rule to transform from altSecurityIdentities to alternateSecurityId attribute.
In the inbound rule, use the following options.
Option Value Name Descriptive name of the rule, such as: In from AD - altSecurityIdentities Connected System Your on-premises AD domain Connected System Object Type user Metaverse Object Type person Precedence Choose a random high number not currently used Then proceed to the Transformations tab and do a direct mapping of the target attribute of alternativeSecurityId to altSecurityIdentities as shown below.
Create an outbound synchronization rule to transform from alternateSecurityId attribute to certificateUserIds alt-security-identity-add.
Option Value Name Descriptive name of the rule, such as: Out to Microsoft Entra ID - certificateUserIds Connected System Your Microsoft Entra domain Connected System Object Type user Metaverse Object Type person Precedence Choose a random high number not currently used Then proceed to the Transformations tab and change your FlowType option to Expression, the target attribute to certificateUserIds and then input the below expression in to the Source field.
To map the pattern supported by certificateUserIds, administrators must use expressions to set the correct value.
You can use the following expression for mapping to SKI and SHA1-PUKEY:
IIF(IsPresent([alternativeSecurityId]),
Where($item,[alternativeSecurityId],BitOr(InStr($item, "x509:<SKI>"),InStr($item, "x509:<SHA1-PUKEY>"))>0),[alternativeSecurityId]
)
Next steps
Feedback
Submit and view feedback for