Nov 14, 2023
Attribute mapping – Implementing and Managing Identity Synchronization with Azure AD
Another customization option available involves mapping attribute values between on-premises and cloud objects. As with Azure AD Connect, you can configure how cloud attributes are populated – whether it’s from a source attribute, a constant value, or some sort of expression.
Azure AD Connect cloud sync comes with a default attribute mapping flow, as shown in Figure 4.33:

Figure 4.33 – Azure AD Connect cloud sync attribute mappings
You can select an existing attribute to modify or create a new attribute flow. One of the basic configuration features for many attributes is to configure a default value (if the on-premises value is blank), allowing you to make certain that cloud attributes are populated with values.
In Figure 4.34, the Country attribute has been selected and updated with the default value, US. This ensures that if a user’s on-premises Country attribute is blank, the corresponding cloud attribute will be populated with a valid entry.

Figure 4.34 – Edit attribute mappings in Azure AD Connect cloud sync
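Before setting a default value such as US, it helps to know which on-premises accounts would actually receive it. The following PowerShell is an added example, not part of the original chapter. It assumes the RSAT ActiveDirectory module is installed, that the Country mapping reads the on-premises co attribute (confirm the source attribute shown in your own mapping), and it uses a placeholder search base.

```powershell
# Added example: list enabled users whose source attribute is blank, i.e. the
# accounts that would be populated with the mapping's default value.
Import-Module ActiveDirectory

$SearchBase      = 'OU=Staff,DC=example,DC=com'  # placeholder: your synchronized OU
$SourceAttribute = 'co'                          # assumption: source attribute of the Country mapping
$DefaultValue    = 'US'                          # default value configured in Figure 4.34

# A blank attribute is simply absent in AD, so match on "attribute not present".
$filter = "(&(objectCategory=person)(objectClass=user)(!($SourceAttribute=*)))"

$blank = @(
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties $SourceAttribute |
        Where-Object { $_.Enabled }
)

# Summarize by parent container so unexpected OUs stand out before the default is applied.
# The split keeps everything after the first unescaped comma of the DN.
$blank |
    Group-Object -Property { ($_.DistinguishedName -split '(?<!\\),', 2)[1] } |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, @{ Name = 'ParentContainer'; Expression = { $_.Name } } |
    Format-Table -AutoSize

# Keep a per-user record for review or later correction at the source.
$blank |
    Select-Object -Property SamAccountName, UserPrincipalName, DistinguishedName |
    Export-Csv -Path .\blank-country-users.csv -NoTypeInformation

'{0} enabled user(s) in scope have no {1} value and would be populated with "{2}".' -f `
    $blank.Count, $SourceAttribute, $DefaultValue
```

If the report shows accounts for which the default would be wrong, correct the on-premises attribute for those accounts rather than relying on the default.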
Azure AD Connect cloud sync also features an expression builder, allowing you to create your own custom attribute flows.
Unlike in Azure AD Connect, however, attribute mappings and expressions in Azure AD Connect cloud sync cannot be used to merge attributes from different domains or forests, nor does Azure AD Connect cloud sync support synchronization rules or attribute flow precedence. If you require that level of customization, you should deploy Azure AD Connect instead.
Once you have finished customizing the scoping filters and attribute flows, you can return to the Overview page and enable synchronization by selecting Review and enable.
Summary
In this chapter, you built on the skills from Chapter 3 and learned how to deploy identity synchronization and authentication solutions. You learned how to configure filtering for both Azure AD Connect and Azure AD Connect cloud sync, as well as deploy and manage the health agents for diagnostics and troubleshooting.
In the next chapter, we’ll learn how to manage identities, groups, and licensing.
Knowledge check
In this section, we’ll test your knowledge of some key elements from this chapter.
Questions
- When installing Azure AD Connect cloud sync, which two roles, rights, or permissions are necessary for the on-premises Active Directory environment? Each answer represents a complete solution.
• Hybrid Identity Administrator
• Server Administrator
• Domain Administrator
• Enterprise Administrator
- Azure AD Connect cloud sync supports group-based scoping filters.
• True
• False
- You are trying to install the agent for Azure Active Directory Health for sync. Where is it located?
• In the Azure AD Health portal
• In the Azure AD Connect installation package
• In the Microsoft Download Center
• In the Microsoft 365 admin center
- You have determined that you need to run the Azure AD Connect troubleshooting tool. Where do you launch it?
• In the Azure portal
• In the Azure AD Connect Health portal
• In the Azure AD Connect configuration wizard
• In the Azure AD Connect synchronization service
- You have deployed Azure AD Connect and want to prevent it from synchronizing an organizational unit with test objects. Where can you do this easily?
• The Azure AD portal
• The Microsoft 365 admin center
• The Azure AD Synchronization Rules Editor
• The Azure AD Connect configuration wizard
Answers
C: Domain Administrator and D: Enterprise Administrator
A: True
B: In the Azure AD Connect installation package
C: The Azure AD Connect configuration wizard
D: The Azure AD Connect configuration wizard