February 12

Create a Solution to Synchronize Account Expiry : Step 1 – Add a new custom synchronization rule

The very first thing you need to plan and decide is which metaverse attribute will hold the date-time value for accountExpires. The accountExpires attribute contains ticks (100-nanosecond intervals since 1601-01-01 UTC), which need to be converted to a date-time value. For this, we can use the following expression:

IIF(IsNull([accountExpires]),NULL,IIF([accountExpires]<9223372036854775807,CStr(DateFromNum([accountExpires])),NULL))
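To check what the expression above produces for a given accountExpires value before you deploy the rule, here is an added Python equivalent (example code, not part of the original post or of AAD Connect). It goes slightly beyond the rule: besides 9223372036854775807 it also treats 0 as "never expires", which AD uses for the same meaning; the output date format is an assumption, since CStr formats the date according to the sync engine's culture.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME epoch: accountExpires counts 100-nanosecond ticks from here.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Both values mean "account never expires" in Active Directory.
# The sync rule only special-cases the Int64 maximum; 0 is added here.
_NEVER_EXPIRES = {0, 9223372036854775807}

# Assumed output format (CStr(DateFromNum(...)) is culture dependent).
_DATE_FORMAT = "%Y-%m-%d %H:%M:%S"


def account_expires_to_date(account_expires: Optional[int]) -> Optional[str]:
    """Mirror the sync-rule expression: NULL for unset/never, else a date string."""
    if account_expires is None or account_expires in _NEVER_EXPIRES:
        return None
    if account_expires < 0:
        raise ValueError("accountExpires must be a non-negative Int64")
    # Ticks are 100 ns; timedelta resolves to microseconds, so divide by 10.
    expires_at = _FILETIME_EPOCH + timedelta(microseconds=account_expires // 10)
    return expires_at.strftime(_DATE_FORMAT)


def date_to_account_expires(date_str: Optional[str]) -> int:
    """Inverse conversion (the NumFromDate direction): date string to ticks.

    None maps back to the Int64 maximum, i.e. "never expires".
    """
    if date_str is None:
        return 9223372036854775807
    expires_at = datetime.strptime(date_str, _DATE_FORMAT).replace(tzinfo=timezone.utc)
    delta = expires_at - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


if __name__ == "__main__":
    # 116444736000000000 ticks is the well-known FILETIME for 1970-01-01 UTC.
    for value in (None, 0, 9223372036854775807, 116444736000000000):
        print(value, "->", account_expires_to_date(value))
```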

You can configure this using the AAD Connect Synchronization Rules editor. Launch it and click on New:

(Screenshot: 1st_AADC_SREditor_AddNewRule)

Next, a new window appears in which you need to select the on-premises Active Directory connector (account forest) as the connected system, user as the object type in the source system and person as the metaverse object type. I'd suggest a name such as Convert AccountExpires to Date or In from AD – User AccountExpires conversion. I'd suggest a low precedence here.

(Screenshot: 2nd_AADC_SREditor_Description)

Click on Next to see the scoping filter, which you can either leave empty or use to scope the rule to the users you wish to handle:

(Screenshot: 3rd_AADC_SREditor_Scoping)

After clicking on Next, you can configure the join rules, but I'd suggest keeping this empty:

(Screenshot: 4th_AADC_SREditor_Join)

The last and most important part is the conversion itself. You need to select Expression as the FlowType and the attribute you identified to hold the converted value. I'd recommend a single-valued string attribute here, e.g. extensionAttribute10:

(Screenshot: 5th_AADC_SREditor_Transformation)

After clicking on Next, a full synchronization on this connector is required to get this attribute filled.

 

An alternative method is to use PowerShell to create this synchronization rule. Here is the rule itself, but you need to replace the connector id with the GUID of your on-premises AD connector:

New-ADSyncRule  `
-Name 'Convert AccountExpires to Date' `
-Identifier 'b6da9d89-b9bc-451c-9b6a-f46256620f50' `
-Description '' `
-Direction 'Inbound' `
-Precedence 90 `
-PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
-PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
-SourceObjectType 'user' `
-TargetObjectType 'person' `
-Connector '<replace with connector guid>' `
-LinkType 'Join' `
-SoftDeleteExpiryInterval 0 `
-ImmutableTag '' `
-OutVariable syncRule


Add-ADSyncAttributeFlowMapping  `
-SynchronizationRule $syncRule[0] `
-Destination 'extensionAttribute10' `
-FlowType 'Expression' `
-ValueMergeType 'Update' `
-Expression 'IIF(IsNull([accountExpires]),NULL,IIF([accountExpires]<9223372036854775807,CStr(DateFromNum([accountExpires])),NULL))' `
-OutVariable syncRule


Add-ADSyncRule  `
-SynchronizationRule $syncRule[0]


Get-ADSyncRule  `
-Identifier 'b6da9d89-b9bc-451c-9b6a-f46256620f50'

 

Next step: https://happyts.tech/create-a-solution-to-synchronize-account-expiry-step-2-create-a-new-connector-aka-managementagent/



Posted February 12, 2021 by akos.regi in category "AAD Connect", "AccountExpires"