How to Sync a Default User Attribute from On-Prem Active Directory to Microsoft Entra ID using Microsoft Entra Connect

4 minutes read
Sync a Default User Attribute from On-Prem Active Directory to Microsoft Entra ID
Table of Contents

In this tutorial, we will show you how to sync a default user attribute, e.g., “employeeID”, from on-prem Active Directory to Entra ID in the cloud via Microsoft Entra Connect. Before we start, there are several prerequisites to check:

  • Microsoft Entra Connect (previously known as Azure AD Connect) is installed on a server, and its version is 2.x or later
  • That server is joined to the domain, or is itself a domain controller

Check the User Attribute in Active Directory

First, open Active Directory Users and Computers to see how this attribute is presented on the on-prem user object.

Sync Attribute to Entra ID | Additional Tasks

Then we are going to set up the Entra ID sync.

Enable Directory extension attribute sync

Here are the steps which you need to follow:

1) Open the Microsoft Entra Connect wizard, choose Tasks, and then choose Customize synchronization options.

Sync Attribute to Entra ID | Additional Tasks

2) Sign in as an Entra ID Global Administrator.

3) On the Optional Features page, select Directory extension attribute sync.

Sync Attribute to Entra ID | Optional Features

4) Select the Employee ID attribute from the list and click on Configure:

Sync Attribute to Entra ID | Directory Extensions

5) Complete the Wizard and run a Full Sync.

Verify the Directory Extension Replication

When this is done, you can verify that the Entra Connect synchronization rules have been updated by starting the Synchronization Rules Editor.

Launch the Synchronization Rules Editor from the Start menu on the server, as shown below:

Sync Attribute to Entra ID | Azure AD Connect

Under the inbound rules, select “In from AD – User DirectoryExtension”:

Sync Attribute to Entra ID | Sync Rules Editor

Clicking View will display the details of the extended replication scope:

Sync Attribute to Entra ID | View Inbound Sync Rule

As shown, the employeeId attribute is truncated to its leftmost 256 characters and stored in the Azure AD Connect Metaverse as “extension_employeeID”.

To see the transformation applied when the attribute is replicated from the Azure AD Connect Metaverse to Entra ID, switch to the outbound rules and select “Out to AAD – User DirectoryExtension”:

Sync Attribute to Entra ID | Sync Rule Editor

Clicking View reveals the following details:

Sync Attribute to Entra ID | View Outbound Sync Rule

As can (just about) be seen, the extension_employeeID attribute is renamed to extension_[GUID]_employeeID. The GUID comes from the Enterprise Application responsible for handling Azure AD schema extensions (the Tenant Schema Extension App). You can find it under Enterprise applications in the Azure portal:

Sync Attribute to Entra ID | Application ID

How to Retrieve Extension Attributes from Entra ID

Sign in to Azure AD with the AzureAD PowerShell module (install it first if it is not already present):

Install-Module AzureAD
Connect-AzureAD

Now that synchronization is set up, let’s see how to read the new attribute. Unlike on-prem AD, you won’t find the extension attribute directly on the Entra ID user object. To retrieve extension attributes, use the Get-AzureADUserExtension cmdlet, which reads the directory extensions handled by the Tenant Schema Extension App:

PS C:\> Get-AzureADUserExtension -ObjectId josh@datawizatest.onmicrosoft.com

Key                                                   Value
---                                                   -----
odata.metadata                                        https://graph.windows.net/c1493961-2ba6-41ae-b462-e3e7e4dae630/$metadata#directoryObjects/@Element
odata.type                                            Microsoft.DirectoryServices.User
createdDateTime                                       4/14/2024 9:56:03 PM
employeeId                                            EID_123
userIdentities                                        []
userState
userStateChangedOn
extension_48f1cddfddbd450398acd86491e59a81_employeeID EID_123

You will find two attributes carrying the value: one is employeeId and the other is `extension_{GUID}_employeeID`. This is expected: `employeeId` is the Entra ID default attribute, and `extension_{GUID}_employeeID` is the directory extension attribute created by the sync.

Verify the result through Microsoft Graph Explorer

We can also verify the synced values with Microsoft Graph Explorer. More information is available in the Microsoft Graph documentation.

In my demo environment, I use the following request to verify the employeeId attribute value:

https://graph.microsoft.com/beta/users/josh@datawizatest.onmicrosoft.com

In the above, josh@datawizatest.onmicrosoft.com is the user account. We use the beta endpoint because it returns the full user profile, whereas the v1.0 endpoint returns only a default set of properties. When I run this in Microsoft Graph Explorer, I can see the attribute value as expected.

Sync Attribute to Entra ID | Graph API

It also matches the value on the on-premises user object.
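Checking one user by hand, as above, does not tell you whether the extension attribute synced correctly for everyone. The following script is an added example (not part of the original post) that uses the Microsoft Graph PowerShell SDK, since the AzureAD module used above is deprecated by Microsoft, to pull employeeId and the directory extension attribute for every synced user and flag missing values, mismatches, and values that may have hit the 256-character truncation of the inbound rule. It assumes the Microsoft.Graph module is installed and that you replace the example application ID with the one from your own Tenant Schema Extension App.

```powershell
# Added example, not from the original post. Requires: Install-Module Microsoft.Graph
# The extension attribute name is extension_<appId without hyphens>_<attribute>. The
# value below is the example application ID shown in the post; replace it with yours.
$extensionAppId = '48f1cddfddbd450398acd86491e59a81'
$extAttr        = "extension_${extensionAppId}_employeeID"

# Read-only scope is enough to audit the sync result.
Connect-MgGraph -Scopes 'User.Read.All'

# Extension attributes are not in Graph's default property set, so select them by name
# together with the built-in employeeId and the flag that tells us the account is synced.
$users = Get-MgUser -All -Property "id,userPrincipalName,employeeId,onPremisesSyncEnabled,$extAttr"

$report = foreach ($u in $users) {
    # Cloud-only accounts never receive the extension value; nothing to compare.
    if (-not $u.OnPremisesSyncEnabled) { continue }

    # Selected directory-extension properties are surfaced in AdditionalProperties.
    $extValue = $u.AdditionalProperties[$extAttr]

    $status = if (-not $extValue) { 'extension missing (not synced?)' }
              elseif ($extValue -ne $u.EmployeeId) { 'MISMATCH between employeeId and extension' }
              elseif ($extValue.Length -eq 256) { 'exactly 256 chars: possibly truncated by inbound rule' }
              else { 'OK' }

    [pscustomobject]@{
        UPN        = $u.UserPrincipalName
        EmployeeId = $u.EmployeeId
        Extension  = $extValue
        Status     = $status
    }
}

# Show only the accounts that need attention; drop the filter to see every synced user.
$report | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

A user whose on-prem employeeID is longer than 256 characters will show the truncated value in both fields, so the length check is a hint to compare against AD, not proof of a problem.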

Summary

As we can see, it is possible to sync default attributes to Entra ID using Microsoft Entra Connect. This marks the end of this blog post. If you have any questions, feel free to contact us at support@datawiza.com, and follow us on Twitter @datawiza to get updates about new blog posts.

Written by the Datawiza team — hope you enjoyed! Join us if you have any questions or need any help on our Discord server.