How to: Sync a directory extension attribute from AD to AAD

Get to know how you can sync every onpremis directory extension attribute to AAD for any purpose!

Out of the box you can only sync some attributes from AD to AAD. Imagine, you want to sync one of the “msDS-cloudExtensionAttribute” attribute to AAD. To do this, follow these easy steps.

  • Open Azure AD Connect
  • Customize synchronization options
  • Optional Features, check “Directory extension attribute sync” on and click next.
  • Now you can choose an Directory Extension. For example: msDS-cloudExtensionAttribute1
  • Move “msDS-cloudExtensionAttribute1” to the “Selected Attributes” section and click next.
  • Do a full sync.
  • Open the Synchronization Rules Editor and double click on rule “Out to AAD – User DirectoryExtension” in the “Direction” outbound.
  • Under “Transformations” in the “Target Attribute” section you will find the property that we use to filter on in AAD. It is something like:
    • ‘user.extension_9a07786cb30c4b22b3f41a4f99d41189_msDS_cloudExtensionAttribute1’
  • To copy this property, go back to rule “Out to AAD – User DirectoryExtension” in the Synchronization Rules Editor and select it (single click)
  • Click on “Export”
  • In this .tmp file(opened in Notepad) you can copy the property.

Now that we have “msDS-cloudExtensionAttribute1” in sync with AAD. We can use it for an dynamic group in AAD. With a rule syntax like: (user.extension_9a07786cb30c4b22b3f41a4f99d41189_msDS_cloudExtensionAttribute1 -eq “YOUR VALUE IN AD”)

Share this: