Azure AD Connect sync: Make a change to the default configuration


Article 05/04/2023

The purpose of this article is to walk you through how to make changes to the default configuration in Azure Active Directory (Azure AD) Connect sync. It provides steps for some common scenarios. With this knowledge, you should be able to make simple changes to your own configuration based on your own business rules.

Warning

If you edit the default out-of-box sync rules, those edits are overwritten the next time Azure AD Connect is updated, which produces unexpected and almost certainly unwanted synchronization results.

The default out-of-box sync rules carry a thumbprint. If you change one of these rules, the thumbprint no longer matches, and you might run into problems later when you apply a new release of Azure AD Connect. Only make changes the way described in this article: leave the out-of-box rules alone and add your own rules with a higher precedence.

Synchronization Rules Editor

The Synchronization Rules Editor is used to see and change the default configuration. You can find it on the Start menu under the Azure AD Connect group.

When you open the editor, you see the default out-of-box rules.

Navigating in the editor

Using the drop-downs at the top of the editor, you can quickly find a specific rule. For example, to see every rule that includes the attribute proxyAddresses, select that attribute in the attribute drop-down. To reset the filters and load a fresh copy of the configuration, press F5.

On the upper right is the Add new rule button. You use this button to create your own custom rule.

At the bottom are buttons for acting on a selected sync rule. Edit and Delete do what you expect them to. Export produces a PowerShell script (New-ADSyncRule and the related ADSync cmdlets) that re-creates the sync rule. With that script you can move a sync rule from one server to another, and it is also the easiest way to keep your custom rules under version control.

Create your first custom rule

The most common changes are to the attribute flows. The data in your source directory might not match what you want in Azure AD. The example in this section creates a rule that forces the given name of a user into proper case.

Disable the scheduler

The scheduler runs every 30 minutes by default. Make sure it is not starting while you are making changes and troubleshooting your new rules. To temporarily disable the scheduler, start PowerShell and run Set-ADSyncScheduler -SyncCycleEnabled $false.

Create the rule

Click Add new rule. On the Description page, enter the following:

Name: Give the rule a descriptive name.
Description: Give some clarification so someone else can understand what the rule is for.
Connected System: The system in which the object can be found. In this case, select Active Directory Connector.
Connected System/Metaverse Object Type: Select User and Person, respectively.
Link Type: Change this value to Join.
Precedence: Provide a value that is unique in the system. A lower numeric value indicates higher precedence; custom rules use the range 1–99, which the out-of-box rules never occupy.
Tag: Leave this empty. Only out-of-box rules from Microsoft should have this box populated with a value.

On the Scoping filter page, enter givenName ISNOTNULL. This section defines the objects the rule applies to. If it's left empty, the rule applies to all user objects, which would include conference rooms, service accounts, and other non-people user objects.

On the Join rules page, leave the field empty.

On the Transformations page, change FlowType to Expression. For Target Attribute, select givenName. For Source, enter PCase([givenName]). The sync engine is case-sensitive for both the function name and the attribute name. If you type something wrong, you see a warning when you add the rule; you can save and continue, but you need to reopen and correct the rule.

Click Add to save the rule.

Your new custom rule should be visible with the other sync rules in the system.

Verify the change

With this new change, you want to make sure it is working as expected and is not throwing any errors. Depending on the number of objects you have, there are two ways to do this step:

Run a full sync on all objects.
Run a preview and full sync on a single object.

Open the Synchronization Service from the Start menu. The steps in this section are all in this tool.

Full sync on all objects

Select Connectors at the top.
Identify the connector that you changed in the previous section (in this case, Active Directory Domain Services), and select it.
For Actions, select Run.
Select Full Synchronization, and then select OK.
The objects are now updated in the metaverse. Verify your changes by looking at the object in the metaverse.

Preview and full sync on a single object

Select Connectors at the top.
Identify the connector that you changed in the previous section (in this case, Active Directory Domain Services), and select it.
Select Search Connector Space.
Use Scope to find an object that you want to use to test the change.
Select the object and click Preview.
On the new screen, select Commit Preview. The change is now committed to the metaverse.

View the object in the metaverse

Pick a few sample objects to make sure that the value is expected and that the rule applied.

Select Metaverse Search from the top.
Add any filter that you need to find the relevant objects.
From the search result, open an object.
Look at the attribute values, and also verify in the Sync Rules column that the rule applied as expected.

Enable the scheduler

If everything is as expected, you can enable the scheduler again. From PowerShell, run Set-ADSyncScheduler -SyncCycleEnabled $true.
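The whole procedure above (disable the scheduler, add the givenName rule, preview one object, re-enable the scheduler) can be driven from PowerShell with the ADSync module, which is what the editor's Export button generates. The script below is an added example, not code from the article or from Microsoft; the rule name, precedence 50, the description text and the sample distinguished name are assumptions, and the single-object preview uses Sync-ADSyncCSObject as the scripted equivalent of Preview/Commit Preview. Run it step by step on the Azure AD Connect server as a member of ADSyncAdmins.

```powershell
# Added example (not from the original article): create the proper-case givenName
# inbound rule with the ADSync cmdlets. Rule name, precedence, description and the
# sample DN below are assumptions for this example.
Import-Module ADSync

$ruleName   = 'In from AD - User givenName ProperCase'   # assumed name
$precedence = 50    # custom rules use 1-99; a lower number wins over a higher one

# 1. Keep the scheduler from starting a cycle while the rule is half-built.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 2. Resolve the on-premises AD connector by type (ConnectorTypeName 'AD');
#    the Azure AD connector reports 'Extensible2'. Matching on type is safer
#    than matching on a forest name that differs per deployment.
$adConnector = Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    Select-Object -First 1
if (-not $adConnector) { throw 'No on-premises AD connector found.' }

# 3. Precedence must be unique per direction; refuse to add a colliding rule.
$clash = Get-ADSyncRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Precedence -eq $precedence }
if ($clash) { throw "Precedence $precedence is already used by '$($clash.Name)'." }

# 4. Build the rule in memory: Join, user -> person, Tag (ImmutableTag) left empty
#    because only Microsoft's out-of-box rules carry a tag.
$rule = New-ADSyncRule -Name $ruleName `
    -Identifier ([guid]::NewGuid()) `
    -Description 'Forces givenName into proper case (custom rule).' `
    -Direction 'Inbound' -Precedence $precedence `
    -PrecedenceAfter  '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' -TargetObjectType 'person' `
    -Connector $adConnector.Identifier -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 -ImmutableTag ''

# Scoping filter: givenName ISNOTNULL, so rooms and service accounts without a
# given name are never touched by this rule.
$condition = New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'givenName', '', 'ISNOTNULL'
$rule = Add-ADSyncScopeConditionGroup -SynchronizationRule $rule -ScopeConditions @($condition)

# Expression flow. Function and attribute names are case-sensitive in the sync engine.
$rule = Add-ADSyncAttributeFlowMapping -SynchronizationRule $rule `
    -Source @('givenName') -Destination 'givenName' `
    -FlowType 'Expression' -ValueMergeType 'Update' `
    -Expression 'PCase([givenName])'

# 5. Commit the rule to the sync engine and read it back.
Add-ADSyncRule -SynchronizationRule $rule
Get-ADSyncRule -Identifier $rule.Identifier |
    Format-List Name, Direction, Precedence, LinkType, IsStandardRule

# 6. Preview and commit a single object before any full sync (DN is assumed).
Sync-ADSyncCSObject -ConnectorName $adConnector.Name `
    -DistinguishedName 'CN=Sample User,OU=Users,DC=contoso,DC=com' -Commit

# 7. Only after the metaverse object looks right: let the scheduler run again.
Set-ADSyncScheduler -SyncCycleEnabled $true
```

The precedence check in step 3 is the part the editor does not do for you: it happily saves a second rule with the same precedence, and the resulting flow order is then not what you intended. Keep the script that creates each custom rule; it is the same artefact the Export button produces and it lets you re-apply the rule on a rebuilt or staging server.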

Other common attribute flow changes

The previous section described how to make changes to an attribute flow. This section provides some additional examples. The steps for creating the sync rule are abbreviated; you can find the full steps in the previous section.

Use an attribute other than the default

In this Fabrikam scenario, there is a forest where the local alphabet is used for given name, surname, and display name. The Latin character representation of these attributes can be found in the extension attributes. For building a global address list in Azure AD and Microsoft 365, the organization wants to use these attributes instead.

With the default configuration, an object from this forest is synchronized with the local-alphabet values in givenName, sn, and displayName, while the Latin values stay only in the extension attributes.

To create a rule with other attribute flows, do the following:

Open the Synchronization Rules Editor from the Start menu.
With Inbound still selected to the left, click the Add new rule button.
Give the rule a name and description.
Select the on-premises Active Directory instance and the relevant object types.
In Link Type, select Join.
For Precedence, pick a number that is not used by another rule. The out-of-box rules start with 100, so the value 50 can be used in this example.
Leave Scoping filter empty. (That is, it should apply to all user objects in the forest.)
Leave Join rules empty. (That is, let the out-of-box rule handle any joins.)
In Transformations, create flows from the extension attributes that hold the Latin representation to givenName, sn, and displayName.
Click Add to save the rule.
Go to Synchronization Service Manager. On Connectors, select the connector where you added the rule. Select Run, and then select Full Synchronization. A full synchronization recalculates all objects by using the current rules.

With this custom rule in place, the same object's givenName, sn, and displayName in the metaverse carry the Latin values taken from the extension attributes, because the custom rule's lower precedence number wins over the out-of-box flow.

Length of attributes

String attributes are indexable by default, and the maximum length is 448 characters. If you are working with string attributes that might contain more, make sure to include the following in the attribute flow: Left([attributeName],448). Truncating in the attribute flow keeps the value within the limit before it ever reaches Azure AD.

Step 4: Create an inbound synchronization rule to flow the attribute value from on-premises Active Directory

The inbound synchronization rule flows the source attribute from on-premises Active Directory to the UserType attribute in the metaverse:

Go to the Synchronization Rules Editor.

Set the search filter Direction to be Inbound.

Click the Add new rule button to create a new inbound rule.

Under the Description tab, provide the following configuration:

Name: Provide a name, for example In from AD – User UserType.
Description: Provide a description.
Connected System: Pick the on-premises AD connector.
Connected System Object Type: User
Metaverse Object Type: Person
Link Type: Join
Precedence: Choose a number between 1–99. This range is reserved for custom sync rules. Do not pick a value that is used by another synchronization rule.

Go to the Scoping filter tab and add a single scoping filter group with the following clause:

Attribute: adminDescription
Operator: NOTSTARTWITH
Value: User_

The scoping filter determines to which on-premises AD objects this inbound synchronization rule is applied. In this example, we use the same scoping filter used in the In from AD – User Common out-of-box synchronization rule, which prevents the synchronization rule from being applied to User objects created through the Azure AD User writeback feature. You might need to tweak the scoping filter according to your Azure AD Connect deployment.

Go to the Transformation tab and implement the desired transformation rule. For example, if you have designated an unused on-premises AD attribute (such as extensionAttribute1) as the source attribute for the UserType, you can implement a direct attribute flow:

Flow type: Direct
Target attribute: UserType
Source: extensionAttribute1
Apply once: Unchecked
Merge type: Update

In another example, you want to derive the value for the UserType attribute from other properties. For example, you want to synchronize all users as Guest if their on-premises AD userPrincipalName attribute ends with the domain part @partners.fabrikam123.org. You can implement an expression like this:

Flow type: Expression
Target attribute: UserType
Source: IIF(IsPresent([userPrincipalName]),IIF(CBool(InStr(LCase([userPrincipalName]),"@partners.fabrikam123.org")=0),"Member","Guest"),Error("UserPrincipalName is not present to determine UserType"))
Apply once: Unchecked
Merge type: Update

Two things to keep in mind with this expression. InStr is a substring test, not a suffix test, so any UPN that contains @partners.fabrikam123.org anywhere is classified as Guest; if the domain must match exactly, test the part of the UPN after the @ instead of searching the whole string. And the Error() branch deliberately fails the object rather than silently defaulting it to Member, so a user without a UPN shows up as a sync error instead of being granted member status.

Click Add to create the inbound rule.

Step 5: Create an outbound synchronization rule to flow the attribute value to Azure AD

The outbound synchronization rule permits the attribute value to flow from the metaverse to the UserType attribute in Azure AD:

Go to the Synchronization Rules Editor.

Set the search filter Direction to be Outbound.

Click the Add new rule button.

Under the Description tab, provide the following configuration:

Name: Provide a name, for example Out to AAD – User UserType.
Description: Provide a description.
Connected System: Select the AAD connector.
Connected System Object Type: User
Metaverse Object Type: Person
Link Type: Join
Precedence: Choose a number between 1–99. This range is reserved for custom sync rules. Do not pick a value that is used by another synchronization rule.

Go to the Scoping filter tab and add a single scoping filter group with two clauses:

Clause 1: Attribute sourceObjectType, Operator EQUAL, Value User
Clause 2: Attribute cloudMastered, Operator NOTEQUAL, Value True

The scoping filter determines to which Azure AD objects this outbound synchronization rule is applied. In this example, we use the same scoping filter from the Out to AAD – User Identity out-of-box synchronization rule. It prevents the synchronization rule from being applied to User objects that are not synchronized from on-premises Active Directory (cloud-mastered objects). You might need to tweak the scoping filter according to your Azure AD Connect deployment.

Go to the Transformation tab and implement the following transformation rule:

Flow type: Direct
Target attribute: UserType
Source: UserType
Apply once: Unchecked
Merge type: Update

Click Add to create the outbound rule.
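Both the inbound and the outbound rule above repeat the same two constraints, and so does the warning at the top of the page: a custom rule's precedence must be unique in its direction and should sit in 1–99, and only Microsoft's out-of-box rules carry a Tag. The script below is an added example, not part of the article, that audits the installed rule set for exactly those mistakes using the properties Get-ADSyncRule already reports (IsStandardRule, ImmutableTag, Direction, Precedence); it only reads, it changes nothing. Because anyone with admin rights on the sync server can add a rule that rewrites attribute flows, listing every non-standard rule is also worth doing on a schedule, not just after an edit.

```powershell
# Added example (not from the original article): audit sync rules for precedence
# collisions, custom rules outside 1-99, and custom rules that carry a tag.
# Read-only; run on the Azure AD Connect server as a member of ADSyncAdmins.
Import-Module ADSync

function Get-SyncRuleFinding {
    $rules    = Get-ADSyncRule
    $findings = @()

    # Out-of-box rules report IsStandardRule = $true; everything else is custom.
    $custom = $rules | Where-Object { -not $_.IsStandardRule }

    foreach ($r in $custom) {
        if ($r.Precedence -lt 1 -or $r.Precedence -gt 99) {
            $findings += [pscustomobject]@{
                Rule      = $r.Name
                Direction = $r.Direction
                Issue     = "custom rule precedence $($r.Precedence) is outside the 1-99 range"
            }
        }
        if ($r.ImmutableTag) {
            $findings += [pscustomobject]@{
                Rule      = $r.Name
                Direction = $r.Direction
                Issue     = "custom rule carries tag '$($r.ImmutableTag)'; tags are for out-of-box rules only"
            }
        }
    }

    # Precedence must be unique per direction; a duplicate makes flow order ambiguous.
    $rules | Group-Object -Property Direction, Precedence |
        Where-Object Count -gt 1 |
        ForEach-Object {
            $names = ($_.Group | ForEach-Object { $_.Name }) -join "', '"
            $findings += [pscustomobject]@{
                Rule      = "'$names'"
                Direction = $_.Group[0].Direction
                Issue     = "precedence $($_.Group[0].Precedence) is used more than once"
            }
        }

    # Inventory of every custom rule, so unexpected additions stand out in a review.
    $custom | ForEach-Object {
        $findings += [pscustomobject]@{
            Rule      = $_.Name
            Direction = $_.Direction
            Issue     = "custom rule present (precedence $($_.Precedence), disabled=$($_.Disabled))"
        }
    }
    return $findings
}

$findings = Get-SyncRuleFinding
if ($findings) { $findings | Sort-Object Direction, Rule | Format-Table -AutoSize }
else           { 'No custom sync rules and no precedence findings.' }
```

The last block deliberately reports every custom rule, not only faulty ones: diff that list against the scripts you exported when you created your rules, and anything you did not create is something to investigate before the next sync cycle exports it to Azure AD.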

Step 6: Run a full synchronization cycle

In general, a full synchronization cycle is required because we have added new attributes to both the Active Directory and Azure AD Connector schemas, and introduced custom synchronization rules. You want to verify the changes before exporting them to Azure AD.

You can use the following steps to verify the changes while manually running the steps that make up a full synchronization cycle.

Run a Full import on the on-premises AD Connector:

Go to the Connectors tab in the Synchronization Service Manager.

Right-click the on-premises AD Connector and select Run.

In the pop-up dialog box, select Full Import and then click OK.

Wait for the operation to finish.

Note

You can skip a full import on the on-premises AD Connector if the source attribute is already included in the list of imported attributes. In other words, you did not have to make any changes during Step 2: Add the source attribute to the on-premises AD Connector schema.

Run a Full import on the Azure AD Connector:

Right-click the Azure AD Connector and select Run.
In the pop-up dialog box, select Full Import and then click OK.
Wait for the operation to finish.

Verify the synchronization rule changes on an existing User object:

The source attribute from on-premises Active Directory and the UserType from Azure AD have been imported into their respective Connector Spaces. Before proceeding with a full synchronization, do a Preview on an existing User object in the on-premises AD Connector Space. The object you chose should have the source attribute populated.

A successful Preview with the UserType populated in the metaverse is a good indicator that you have configured the synchronization rules correctly. For information about how to do a Preview, refer to the section Verify the change.

Run a Full Synchronization on the on-premises AD Connector:

Right-click the on-premises AD Connector and select Run.
In the pop-up dialog box, select Full Synchronization and then click OK.
Wait for the operation to finish.

Verify Pending Exports to Azure AD:

Right-click the Azure AD Connector and select Search Connector Space.

In the Search Connector Space pop-up dialog box:

Set Scope to Pending Export.
Select all three check boxes: Add, Modify, and Delete.
Click the Search button to get the list of objects with changes to be exported.
To examine the changes for a given object, double-click the object.
Verify that the changes are expected.

Run Export on the Azure AD Connector:

Right-click the Azure AD Connector and select Run.
In the Run Connector pop-up dialog box, select Export and then click OK.
Wait for the export to Azure AD to finish.

Note

These steps do not include a full synchronization on the Azure AD Connector or an export on the on-premises AD Connector. Neither is required, because the attribute value flows from on-premises Active Directory to Azure AD only.
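The same Step 6 sequence (full import on both connectors, full synchronization on the AD connector, stop, review pending exports, then export) can be run with the ADSync cmdlets when the Synchronization Service Manager is not convenient, for example on a staging server. The script below is an added example, not from the article; it looks connectors up by type rather than by name, uses the built-in run profile names, refuses to start while the scheduler is still enabled, and stops before Export so the pending-export review from the procedure above still happens in the UI.

```powershell
# Added example (not from the original article): drive the Step 6 verification
# cycle with Invoke-ADSyncRunProfile. Export is left commented out on purpose so
# that pending exports are reviewed before anything reaches Azure AD.
Import-Module ADSync

function Wait-ADSyncIdle {
    # Run profiles are serialised per connector; wait until no run is in progress.
    while ((Get-ADSyncScheduler).SyncCycleInProgress -or (Get-ADSyncConnectorRunStatus)) {
        Start-Sleep -Seconds 10
    }
}

function Invoke-RunProfileAndWait {
    param([string]$ConnectorName, [string]$RunProfileName)
    Wait-ADSyncIdle
    Write-Host ("{0,-40} {1}" -f $ConnectorName, $RunProfileName)
    $result = Invoke-ADSyncRunProfile -ConnectorName $ConnectorName -RunProfileName $RunProfileName
    Wait-ADSyncIdle
    return $result
}

# Resolve connector names by type: 'AD' is on-premises AD, 'Extensible2' is Azure AD.
$ad  = (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }          | Select-Object -First 1).Name
$aad = (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' } | Select-Object -First 1).Name
if (-not $ad -or -not $aad) { throw 'Could not resolve both the AD and the Azure AD connector.' }

# Step 7 is the only place the scheduler is re-enabled; insist that it is off now,
# otherwise a scheduled delta cycle can export half-verified changes mid-procedure.
if ((Get-ADSyncScheduler).SyncCycleEnabled) {
    throw 'Disable the scheduler first: Set-ADSyncScheduler -SyncCycleEnabled $false'
}

# Full import on AD can be skipped if the source attribute was already imported.
Invoke-RunProfileAndWait -ConnectorName $ad  -RunProfileName 'Full Import'
Invoke-RunProfileAndWait -ConnectorName $aad -RunProfileName 'Full Import'
Invoke-RunProfileAndWait -ConnectorName $ad  -RunProfileName 'Full Synchronization'

# Stop here. In Synchronization Service Manager, search the Azure AD connector space
# with Scope = Pending Export and check the Add/Modify/Delete changes. Only then:
# Invoke-RunProfileAndWait -ConnectorName $aad -RunProfileName 'Export'
# Set-ADSyncScheduler -SyncCycleEnabled $true
```

No full synchronization on the Azure AD connector and no export on the AD connector are run, matching the note above: the UserType value travels in one direction only, and running the unnecessary profiles would just lengthen the window during which the scheduler is disabled.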

Step 7: Re-enable the sync scheduler

Re-enable the built-in sync scheduler:

Start a PowerShell session.
Re-enable scheduled synchronization by running the cmdlet Set-ADSyncScheduler -SyncCycleEnabled $true.

Next steps

Read more about the configuration model in Understanding Declarative Provisioning.
Read more about the expression language in Understanding Declarative Provisioning Expressions.

Overview topics

Azure AD Connect sync: Understand and customize synchronization Integrating your on-premises identities with Azure Active Directory

