As pointed out in my previous post Active Directory and Azure AD user attribute naming is a bit of a mess!
When you have Office 365 and attributes are synchronized from your on-prem AD to your Azure AD (AAD) the attribute names appear to change in random:
- Some attribute names may change when replicated from AD to the Azure AD Connect Metaverse
- Some attribute names may change when replicated from the Azure AD Connect Metaverse to Azure AD
Additionally, some attribute names may change depending on what Office 365 script interface you’re using.
For reference, this is what on-premises AD <-> AAD Connect Metaverse <-> AAD replication looks like:
Make sure to read this to fully understand Azure AD Connect replication and the Metaverse.
This article will give you a complete overview of the various attribute names that are transformed during the AD to AAD replication.
Attribute Name Changes From AD to AAD Connect Metaverse to AAD (Office 365)
First, let’s get an overview of the entire attribute mapping in the AD to AAD Connect to AAD replication (I used this script to extract the information).
The following table shows you the LDAP display name of AD user attributes, the name of the attributes in the Azure AD Connect Metaverse and the name of the attributes in Azure AD (Office 365):
AD / Metaverse / AAD – Attribute Names
| AD | AAD Metaverse | AAD |
|---|---|---|
| altRecipient | altRecipient | altRecipient |
| assistant | assistant | assistant |
| authOrig | authOrig | authOrig |
| c | c | countryLetterCode |
| cn | cn | commonName |
| co | co | country |
| company | company | company |
| countryCode | countryCode | countryCode |
| department | department | department |
| description | description | description |
| dLMemRejectPerms | dLMemRejectPerms | dLMemRejectPerms |
| dLMemSubmitPerms | dLMemSubmitPerms | dLMemSubmitPerms |
| employeeID | employeeID | employeeID |
| extensionAttribute1 | extensionAttribute1 | extensionAttribute1 |
| extensionAttribute10 | extensionAttribute10 | extensionAttribute10 |
| extensionAttribute11 | extensionAttribute11 | extensionAttribute11 |
| extensionAttribute12 | extensionAttribute12 | extensionAttribute12 |
| extensionAttribute13 | extensionAttribute13 | extensionAttribute13 |
| extensionAttribute14 | extensionAttribute14 | extensionAttribute14 |
| extensionAttribute15 | extensionAttribute15 | extensionAttribute15 |
| extensionAttribute2 | extensionAttribute2 | extensionAttribute2 |
| extensionAttribute3 | extensionAttribute3 | extensionAttribute3 |
| extensionAttribute4 | extensionAttribute4 | extensionAttribute4 |
| extensionAttribute5 | extensionAttribute5 | extensionAttribute5 |
| extensionAttribute6 | extensionAttribute6 | extensionAttribute6 |
| extensionAttribute7 | extensionAttribute7 | extensionAttribute7 |
| extensionAttribute8 | extensionAttribute8 | extensionAttribute8 |
| extensionAttribute9 | extensionAttribute9 | extensionAttribute9 |
| facsimileTelephoneNumber | facsimileTelephoneNumber | facsimileTelephoneNumber |
| givenName | givenName | givenName |
| homePhone | homePhone | homePhone |
| info | info | info |
| initials | initials | initials |
| ipPhone | ipPhone | ipPhone |
| l | l | city |
| legacyExchangeDN | legacyExchangeDN | legacyExchangeDN |
| mailNickname | mailNickname | alias |
| manager | manager | manager |
| middleName | middleName | middleName |
| mobile | mobile | mobile |
| msDS-HABSeniorityIndex | msDS-HABSeniorityIndex | msDsHabSeniorityIndex |
| msDS-PhoneticDisplayName | msDS-PhoneticDisplayName | msDsPhoneticDisplayName |
| msExchArchiveGUID | msExchArchiveGUID | msExchArchiveGuid |
| msExchArchiveName | msExchArchiveName | msExchArchiveName |
| msExchAssistantName | msExchAssistantName | msExchAssistantName |
| msExchAuditAdmin | msExchAuditAdmin | msExchAuditAdmin |
| msExchAuditDelegate | msExchAuditDelegate | msExchAuditDelegate |
| msExchAuditDelegateAdmin | msExchAuditDelegateAdmin | msExchAuditDelegateAdmin |
| msExchAuditOwner | msExchAuditOwner | msExchAuditOwner |
| msExchBlockedSendersHash | msExchBlockedSendersHash | msExchBlockedSendersHash |
| msExchBypassAudit | msExchBypassAudit | msExchBypassAudit |
| msExchDelegateListLink | msExchDelegateListLink | msExchDelegateListLink |
| msExchELCExpirySuspensionEnd | msExchELCExpirySuspensionEnd | msExchElcExpirySuspensionEnd |
| msExchELCExpirySuspensionStart | msExchELCExpirySuspensionStart | msExchElcExpirySuspensionStart |
| msExchELCMailboxFlags | msExchELCMailboxFlags | msExchElcMailboxFlags |
| msExchEnableModeration | msExchEnableModeration | msExchEnableModeration |
| msExchHideFromAddressLists | msExchHideFromAddressLists | msExchHideFromAddressLists |
| msExchImmutableId | msExchImmutableId | msExchImmutableId |
| msExchLitigationHoldDate | msExchLitigationHoldDate | msExchLitigationHoldDate |
| msExchLitigationHoldOwner | msExchLitigationHoldOwner | msExchLitigationHoldOwner |
| msExchMailboxAuditEnable | msExchMailboxAuditEnable | msExchMailboxAuditEnable |
| msExchMailboxAuditLogAgeLimit | msExchMailboxAuditLogAgeLimit | msExchMailboxAuditLogAgeLimit |
| msExchMailboxGuid | msExchMailboxGuid | msExchMailboxGuid |
| msExchModeratedByLink | msExchModeratedByLink | msExchModeratedByLink |
| msExchModerationFlags | msExchModerationFlags | msExchModerationFlags |
| msExchRecipientDisplayType | msExchRecipientDisplayType | msExchRecipientDisplayType |
| msExchRemoteRecipientType | msExchRemoteRecipientType | msExchRemoteRecipientType |
| msExchRequireAuthToSendTo | msExchRequireAuthToSendTo | msExchRequireAuthToSendTo |
| msExchResourceCapacity | msExchResourceCapacity | msExchResourceCapacity |
| msExchResourceDisplay | msExchResourceDisplay | msExchResourceDisplay |
| msExchResourceMetaData | msExchResourceMetaData | msExchResourceMetadata |
| msExchResourceSearchProperties | msExchResourceSearchProperties | msExchResourceSearchProperties |
| msExchRetentionComment | msExchRetentionComment | msExchRetentionComment |
| msExchRetentionURL | msExchRetentionURL | msExchRetentionUrl |
| msExchSafeRecipientsHash | msExchSafeRecipientsHash | msExchSafeRecipientsHash |
| msExchSafeSendersHash | msExchSafeSendersHash | msExchSafeSendersHash |
| msExchSenderHintTranslations | msExchSenderHintTranslations | msExchSenderHintTranslations |
| msExchUsageLocation | usageLocation | usageLocation |
| objectSid | objectSid | onPremiseSecurityIdentifier |
| otherFacsimileTelephoneNumber | otherFacsimileTelephoneNumber | otherFacsimileTelephoneNumber |
| otherHomePhone | otherHomePhone | otherHomePhone |
| otherIpPhone | otherIpPhone | otherIpPhone |
| otherMobile | otherMobile | otherMobile |
| otherPager | otherPager | otherPager |
| otherTelephone | otherTelephone | otherTelephone |
| pager | pager | pager |
| physicalDeliveryOfficeName | physicalDeliveryOfficeName | physicalDeliveryOfficeName |
| postalCode | postalCode | postalCode |
| postOfficeBox | postOfficeBox | postOfficeBox |
| preferredLanguage | preferredLanguage | preferredLanguage |
| proxyAddresses | proxyAddresses | proxyAddresses |
| publicDelegates | publicDelegates | publicDelegates |
| pwdLastSet | pwdLastSet | lastPasswordChangeTimestamp |
| sAMAccountName | accountName | onPremisesSamAccountName |
| sn | sn | surname |
| st | st | state |
| streetAddress | streetAddress | streetAddress |
| targetAddress | targetAddress | targetAddress |
| telephoneAssistant | telephoneAssistant | telephoneAssistant |
| telephoneNumber | telephoneNumber | telephoneNumber |
| thumbnailPhoto | thumbnailPhoto | thumbnailPhoto |
| title | title | title |
| unauthOrig | unauthOrig | unauthOrig |
| url | url | url |
| userAccountControl | accountEnabled | accountEnabled |
| wWWHomePage | wWWHomePage | wWWHomePage |
(The list may differ from your installation depending on what Active Directory extensions you have made)
The keen eye will spot in the above table that some attribute names are changing during replication.
The table below lists the attributes that change their name during transit from AD via the Metaverse to Azure AD:
AD / Metaverse / AAD – Attribute Name Changes
| AD | AAD Metaverse | AAD |
|---|---|---|
| c | c | countryLetterCode |
| cn | cn | commonName |
| co | co | country |
| l | l | city |
| mailNickname | mailNickname | alias |
| msDS-HABSeniorityIndex | msDS-HABSeniorityIndex | msDsHabSeniorityIndex |
| msDS-PhoneticDisplayName | msDS-PhoneticDisplayName | msDsPhoneticDisplayName |
| msExchUsageLocation | usageLocation | usageLocation |
| objectSid | objectSid | onPremiseSecurityIdentifier |
| pwdLastSet | pwdLastSet | lastPasswordChangeTimestamp |
| sAMAccountName | accountName | onPremisesSamAccountName |
| sn | sn | surname |
| st | st | state |
| userAccountControl | accountEnabled | accountEnabled |
Summary
It’s clear from the above table that you need to address certain attributes by different naming depending on your “point of entry”. On-premises Active Directory may use different attribute names than your Azure AD!
This is further complicated by the fact that your PowerShell scripting interfaces also change some of the names as described here.