April 16

Import delete after adding custom rule

Sometimes we might face import deletions after adding a new synchronization rule. As you can see here, there are 167 incoming deletions:


These incoming deletions are not expected. But if we have a look at the most recently changed rule, we can see this:


This is an inbound rule for the on-premises Active Directory connector, and as you can see the selected connected system object type is person. This is what is causing the issue. The correct connected system object type is user:


Even if the connected system object type in the rule is changed back, the behavior stays the same and the deletions are still there.

The question is: how to fix this?

Here is the solution:

  1. Open the Azure AD Connect Synchronization Service Manager (aka Sync Console).
  2. Click on Connectors.
  3. Select the on-premises AD Connector and click on Properties.
  4. In the Properties window, click on Select Object Types. As you will see, the object type person is selected:
  5. Clear the checkbox and click on OK.
  6. The next full import will add the previously deleted user objects again.


Happy Troubleshooting!

Category: Uncategorized
February 8

Multi-valued attributes synchronized from on premises AD using AAD Connect

I have seen a lot of questions and discussions about the synchronization of multi-valued attributes via AAD Connect. If we have a look at the metaverse schema of AAD Connect, we see a picture similar to this:

AADConnect MV Schema

As we can see, there are a lot of attributes that are synchronized by AAD Connect.

Usually Directory Extensions are mentioned in this context. The synchronization of additional attributes is configured quickly and easily; see the documentation on this here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

Here is the corresponding page of the AAD Connect Wizard:

As you can see, there is nothing here to identify multi-valued attributes. This would probably be something for improvement.

The question is: how to identify whether an attribute is a multi-valued attribute?

1st Option: Using the Active Directory Users and Computers Console (dsa.msc)

One typical attribute is otherPhone. When we have a look at it in the Attribute Editor, we see that a multi-valued attribute editor window appears:

2nd Option: Using the public documentation of the on-premises Active Directory schema:

https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
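As an added example (not code from the original post), here is a third way to answer the question above, going beyond the two options listed: query the on-premises schema with the ActiveDirectory PowerShell module and read the isSingleValued flag of each attributeSchema object. It assumes the RSAT ActiveDirectory module is installed and a domain controller is reachable; the attribute names in the usage line are illustrative.

```powershell
# Added example: check whether attributes are multi-valued in the on-premises AD
# schema before adding them as Directory Extensions in AAD Connect.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
function Test-AttributeIsMultiValued {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$LdapDisplayName
    )

    # The schema naming context holds one attributeSchema object per attribute
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    foreach ($name in $LdapDisplayName) {
        # attributeSchema objects carry isSingleValued; multi-valued attributes have it set to FALSE
        $attr = Get-ADObject -SearchBase $schemaNC `
                             -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
                             -Properties lDAPDisplayName, isSingleValued

        if (-not $attr) {
            Write-Warning "Attribute '$name' was not found in the schema"
            continue
        }

        [pscustomobject]@{
            Attribute                   = $attr.lDAPDisplayName
            IsMultiValued               = -not $attr.isSingleValued
            # As described in the post, Azure AD only accepts single-valued attributes as Directory Extensions
            DirectoryExtensionCandidate = [bool]$attr.isSingleValued
        }
    }
}

# Usage (illustrative names): otherPhone from the post is multi-valued, employeeID and department are single-valued
Test-AttributeIsMultiValued -LdapDisplayName 'otherPhone', 'employeeID', 'department' | Format-Table -AutoSize
```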


Why is this so interesting?

Because Azure AD does not support multi-valued attributes as Directory Extensions, as documented here:


There is an Azure Feedback to this topic: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/32622497-support-for-multi-valued-attributes-synchronized-f

Happy Troubleshooting!

Category: AAD Connect, DirectoryExtension, MultiValuedAttribute, Uncategorized