Support-Tip: (AADCONNECT) How to create a custom sychronization rule for attribute flow (transformation flow)

In support we see many cases come through looking to create a customized synchronization rule to adhere to different business rules utilizing the Azure AD Connect (Azure AD Sync Services (AADSync)) Tool.  Here, I am creating this blog to provide some guidance on how to create a custom synchronization rule inside of the Azure AD Sync Services (AADSync) tool.  This blog is a sample illustration of how to take givenName and sn and flow those values into the displayName attribute.

STEPS TO CREATE CUSTOM SYNCHRONIZATION RULE

1. Open the Synchronization Rules Editor
2. Select InboundInbound Synchronization Rule: Takes data from Source Connector Space to Metaverse
   Outbound Synchronization Rule: Takes data from the Metaverse to the Target Connector Space
3. Click the Add New Rule button in the upper right
4. Edit Inbound Synchronization Rule
   1. Description Page

      1. Name: In from AD - Update displayName attribute *NOTE: I like to try and stay in sync with the naming format used in the Synchronization Rules Editor.  You can provide any name that you desire here.  The key is to remember that you want to understand the purpose of this synchronization rule.

      2. Description: Updates the displayName attribute with the values of givenName and sn

      3. Connected System: <On Premise Active Directory>

      4. Connected System Object: user

      5. Metaverse Object Type: person

      6. Link Type: Join

      7. Precedence: 93 *NOTE: I chose a lower number so that it would have the higher precedence.

         Synchronization Rule

         A Synchronization Rule is a configuration object with a set of attributes flowing when a condition is satisfied. It is also used to describe how an object in a connector space is related to an object in the metaverse, known as join or match. The Synchronization Rules have a precedence indicating how they relate to each other. A Synchronization Rule with a lower numeric value in precedence has a higher precedence and in case of an attribute flow conflict, higher precedence will win the conflict resolution.

         As an example we will look at the Synchronization Rule “In from AD – User AccountEnabled”. We will mark this line in the SRE and select Edit.A Synchronization Rule has four configuration sections: Description, Scoping filter, Join rules, and Transformations.

         

   2. For the purpose of this custom synchronization rule, we are not going to have any Scoping Filter and/or Join Rules.
      For more information on these two items, please review the Understanding the default configuration page.
   3. Transformations Page
      1. Click the Add Transformation button
      2. Flow Type: Expression
      3. Target Attribute: displayName
      4. Source: [givenName]&" "&[sn]
      5. Apply Once: <empty>
      6. Merge Type: Update
   4. Click the Save Button

ADDITIONAL INFORMATION

• Understanding the default configuration: https://msdn.microsoft.com/en-us/library/azure/dn800963.aspx

• AADSync - Configure Filtering - Part 1: http://blogs.technet.com/b/steady/archive/2015/01/08/aadsync-configure-filtering-part-1.aspx

• AADSync - Configure Filtering - Part 2: http://blogs.technet.com/b/steady/archive/2015/01/09/aadsync-configure-filtering-part-2.aspx

• Azure AD Sync Release Notes: http://social.technet.microsoft.com/wiki/contents/articles/24062.azure-ad-sync-release-notes.aspx

Comments

• Anonymous
  October 17, 2016
  Thanks for an excellent article. Is it a supported to transform employeeid to extentionattribute1 using AADConnect?
  • Anonymous
    December 23, 2016
    @Bob. Yes. That is a supported scenario. I remember doing something like this recently. I think the Extension Attributes in Office 365/Exchange Online show up as a different attribute. Forget exactly what that is currently, but it can be done.
• Anonymous
  December 26, 2016
  Thanks for the write up, Tim. Can you elaborate on the Outbound rule? My goal is to pull the email address from my Active Directory to the UPN value in Azure (so user's may logon with email address, instead of the domain user name). I'm taking the on-premise Active Directory mail attribute to join to the Metaverse Attribute userPrincipalName value. Then I must create an outbound rule to join the Metaverse userPrincipalName value to the Azure AD userPrincipalName value, correct? Can you please assist with the outbound rule transformation value for the source field? Thanks.
  • Anonymous
    January 04, 2017
    Hey Robert... Sorry for the late reply. On vacation. :-D If you have an inbound rule that joins the On-Premise mail attribute to the MV userPrincipleName attribute, than i would utilize the Preview feature and confirm that everything is working as expected. If it is not updating correctly, than you may have to clone and disable the default inbound rule which flows the userPrincipleName to the MV then modify it so that it reflects what you want in order to accomplish your business goal.