Microsoft Azure

How to: Sync a directory extension attribute from AD to AAD

Get to know how you can sync every onpremis directory extension attribute to AAD for any purpose!

In Azure AD Connect, extensionAttribute# values gets synchronized from the on-premises Active Directory to Azure AD by default. Imagine, you want to sync one of the “msDS-cloudExtensionAttribute” attribute to AAD. To do this, follow these easy steps.

  • Open Azure AD Connect
  • Customize synchronization options
  • Optional Features, check “Directory extension attribute sync” on and click next.
  • Now you can choose an Directory Extension. For example: msDS-cloudExtensionAttribute1
  • Move “msDS-cloudExtensionAttribute1” to the “Selected Attributes” section and click next.
  • Do a full sync.
  • Open the Synchronization Rules Editor and double click on rule “Out to AAD – User DirectoryExtension” in the “Direction” outbound.
  • Under “Transformations” in the “Target Attribute” section you will find the property that we use to filter on in AAD. It is something like:
    • ‘user.extension_9a07786cb30c4b22b3f41a4f99d41189_msDS_cloudExtensionAttribute1’
  • To copy this property, go back to rule “Out to AAD – User DirectoryExtension” in the Synchronization Rules Editor and select it (single click)
  • Click on “Export”
  • In this .tmp file(opened in Notepad) you can copy the property.

Now that we have “msDS-cloudExtensionAttribute1” in sync with AAD. We can use it for an dynamic group in AAD. With a rule syntax like: (user.extension_9a07786cb30c4b22b3f41a4f99d41189_msDS_cloudExtensionAttribute1 -eq “YOUR VALUE IN AD”)

Share this: