How to Extract Azure AD Connect Attribute Mapping

Posted on by
PowerShell Azure AD Connect Synchronization Rule

Azure AD Connect sometimes renames attributes when replicating your on-premises AD to Azure AD/Office 365. This can lead to some confusion.

I recently published this table to show exactly what user attributes are renamed.

This post will show you in detail how that table was generated using PowerShell.

How to Extract the Azure AD Connect Synchronization Rules With PowerShell

Azure AD Connect includes a Synchronization Rules Editor. It’s a great tool for quickly reviewing specific rules. But getting an overview of all user synchronization rules is not easy.

Azure AD Connect Synchronization Rules Editor

Fortunately, the Azure AD Connect synchronization engine has an extensive PowerShell API. After importing the ADSync module you can view all synchronization rules using the Get-ADSyncRule commandlet:

PS C:\Windows\system32> Get-ADSyncRule | ft Identifier,Name,Direction,Precedence Identifier Name Direction Precedence ---------- ---- --------- ---------- cf28f341-60ef-408b-b711-d8b4a2513531 In from AAD - User Join Inbound 116 d3e2c7a8-fb5a-420c-81db-5d7a28cb549d Out to AAD - User ExchangeOnline Outbound 122 f05d72d1-0314-4164-b1bf-a42235960c19 Out to AAD - User LyncOnline Outbound 125 14881dcb-b4d8-4640-b299-c2214c19b137 Out to AAD - User SharePointOnline Outbound 126 a70da87a-a43b-4d32-a48c-f161e5de5056 Out to AAD - Contact ExchangeOnline Outbound 130 baa84a18-e226-4c37-b99c-be0f03abc079 Out to AAD - Contact SharePointOnline Outbound 134 d012498f-3178-47bc-8dae-0f0a23a1c51a Out to AAD - Group Join Outbound 136 772fe7b4-9e70-4106-804d-99152e18d59b Out to AAD - Group ExchangeOnline Outbound 138 70c39e03-268f-4714-bed2-a78ffec14a7f Out to AAD - Group SharePointOnline Outbound 142 62ec510c-758a-4690-9a75-944aa2f2f49c In from AAD - Contact Join Inbound 117 5c21ad89-024b-42d8-a41b-cf154b31d740 In from AAD - Group Join Inbound 118 31a6ba6f-807d-457d-a4ed-fe145514f623 In from AAD - User NGCKey Inbound 119 be063fa9-17f4-4028-8c1d-67ab561dd319 Out to AAD - User AzureRMS Outbound 127 eda3fece-6a1a-4cb8-805b-03bba132ed8f Out to AAD - User Join Outbound 120 3bd01702-6be3-4eed-824a-f11e77d8c55c Out to AAD - User Identity Outbound 121 647ee814-6950-4641-a46e-94f9e187da83 Out to AAD - User DynamicsCRM Outbound 123 69c396b8-c952-489b-86f5-9fcf37797583 Out to AAD - User Intune Outbound 124 271a070b-5436-4d7b-86a8-443d08ba65aa Out to AAD - Contact Join Outbound 128 8934d4ec-7da7-4f7d-90e9-e52edcd6c66d Out to AAD - Contact Identity Outbound 129 8f8bb6e9-184c-4be2-90c7-af1673bd3fff Out to AAD - Contact DynamicsCRM Outbound 131 f39f59d9-0f37-4890-9620-f9cb1c272ee3 Out to AAD - Contact Intune Outbound 132 b7d100cc-f3cb-4571-b436-0d8c59d88dd9 Out to AAD - Contact LyncOnline Outbound 133 6b2a2315-6ad7-4a1f-95e3-37a7f972f799 Out to AAD - Contact AzureRMS Outbound 135 67a12db5-6970-420e-8725-a566a2b57145 Out to AAD - Group Identity Outbound 137 372e20ba-f228-4180-915d-e86c674d08b5 Out to AAD - Group DynamicsCRM Outbound 139 53c5f579-d8b5-4429-9bce-2cfb1d1cc7eb Out to AAD - Group Intune Outbound 140 365e7941-9a47-4f00-8050-195bcb1f41ac Out to AAD - Group LyncOnline Outbound 141 8fae8a95-dd3e-499a-a5e0-67a25d925d36 Out to AAD - Group AzureRMS Outbound 143 2b8804d6-d5cd-4271-ba54-6d1143ff604c Out to AAD - User OfficeProPlus Outbound 144 f99711d6-d0ac-43c7-b5f1-7d005d88e588 In from AAD - Device Common Inbound 146 9531206f-bd80-4185-b5c9-79da98b4f434 Out to AAD - Device Join SOAInAD Outbound 148 6f1296d9-881e-44da-bc27-5f9874bb00c2 In from AD - User Join Inbound 100 84754e46-c844-4005-8b8f-06c654a22f3b In from AD - User Common from Exchange Inbound 104 a4e767dd-881a-40fb-a80c-08ed7b908d50 In from AD - InetOrgPerson Common from Exchange Inbound 105 12854a4a-a20e-4872-8193-b34347f933ef In from AD - User Common Inbound 106 cffd3179-b758-4af6-9fd9-e86601e54c32 In from AD - InetOrgPerson Common Inbound 107 aebaba15-7d67-451c-a22a-60b038470da3 In from AD - User Exchange Inbound 108 64dccec2-4fad-4fb4-9763-d0c01a45b753 In from AD - InetOrgPerson Exchange Inbound 109 d16d81c4-1983-4dad-8e31-36d401f0b008 In from AD - Group Exchange Inbound 111 918b5bcb-f5c8-4a86-9a16-18f662a8e916 In from AD - Contact Common Inbound 114 697617ad-960a-4915-948e-a872841038e5 In from AD - User AccountEnabled Inbound 102 665509b8-2883-4a21-8dc1-9dd122fd6774 In from AD - InetOrgPerson AccountEnabled Inbound 103 4b4c587d-4348-449a-9fc4-820047e64afd In from AD - Group Join Inbound 110 92c27354-7c9b-469f-b58c-f41375baadc9 In from AD - InetOrgPerson Join Inbound 101 273c3494-08e3-4f0d-b4e6-ddae39801088 In from AD - Contact Join Inbound 113 07a4406f-b752-46cd-bcc1-5d64990c8fd9 In from AD - ForeignSecurityPrincipal Join User Inbound 115 15ed8d3f-eef2-449c-8cc5-355d4d14e3f5 Out to AD - User Join SOAInAD Outbound 145 aa49299c-18ef-4334-b30c-b31060b8f5b8 In from AD - Device Common Inbound 149 a3f1eb61-4d4c-4748-a64e-076906279a0b In from AD - Computer Join Inbound 147 c430b311-2e1c-4632-8312-9477e941f7c5 Out to AD - User NGCKey Outbound 150 31dcdb57-fd59-41ad-bac7-161b9d305cc1 Out to AD - Device STKKey Outbound 151 37219198-d451-4be3-aff7-18ed7d394737 Out to AD - User ImmutableId Outbound 152 447231ec-6555-45ec-98fc-4c915fa52692 In from AD - Group Common Inbound 112

The same command can of course be used to see specifics of individual synchronization rules. In this case the “In from AD – User Common” rule:

PS C:\Windows\system32> Get-ADSyncRule 12854a4a-a20e-4872-8193-b34347f933ef Identifier : 12854a4a-a20e-4872-8193-b34347f933ef InternalId : 1d5ff5cf-5c4e-46d6-9972-5a2b788848a3 Name : In from AD - User Common Version : 1 Description : ImmutableTag : Microsoft.IdentityManagement.PowerShell.ObjectModel.ImmutableTag Connector : 90f3ee83-f35e-486c-a2c7-c4d6831ba704 Direction : Inbound Disabled : False SourceObjectType : user TargetObjectType : person Precedence : 106 PrecedenceAfter : 00000000-0000-0000-0000-000000000000 PrecedenceBefore : 00000000-0000-0000-0000-000000000000 LinkType : Join EnablePasswordSync : False JoinFilter : {} ScopeFilter : {Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeConditionGroup} AttributeFlowMappings : {Destination:distinguishedName FlowType:Direct Expression: ValueMergeType: Update, Destination:accountEnabled FlowType:Expression Expression: IIF(BitAnd([userAccountControl],2)=0,True,False) ValueMergeType: Update, Destination:accountName FlowType:Direct Expression: ValueMergeType: Update, Destination:assistant FlowType:Direct Expression: ValueMergeType: Update...} SoftDeleteExpiryInterval : 00:00:00 SourceNamespaceId : 90f3ee83-f35e-486c-a2c7-c4d6831ba704 TargetNamespaceId : cc31d470-9786-447f-8594-40abe13f9f78 VersionAgnosticTag : Microsoft.InfromADUserCommon. TagVersion : 9 IsStandardRule : True IsLegacyCustomRule : False JoinHash :

The AttributeFlowMappings attribute holds the information about the mappings (or transformations) of the user attributes for this specific synchronization rule:

PS C:\Windows\system32> Get-ADSyncRule 12854a4a-a20e-4872-8193-b34347f933ef | Select-Object -ExpandProperty AttributeFlowMappings | ft Source,Destination,FlowType Source Destination FlowType ------ ----------- -------- {dn} distinguishedName Direct {userAccountControl} accountEnabled Expression {sAMAccountName} accountName Direct {assistant} assistant Direct {c} c Expression {cn} cn Direct {co} co Expression {company} company Expression {countryCode} countryCode Direct {department} department Expression {description} description Expression {displayName, cn} displayName Expression {} domainFQDN Expression {} domainNetBios Expression {employeeID} employeeID Direct {extensionAttribute1} extensionAttribute1 Expression {extensionAttribute2} extensionAttribute2 Expression {extensionAttribute3} extensionAttribute3 Expression {extensionAttribute4} extensionAttribute4 Expression {extensionAttribute5} extensionAttribute5 Expression {extensionAttribute6} extensionAttribute6 Expression {extensionAttribute7} extensionAttribute7 Expression {extensionAttribute8} extensionAttribute8 Expression {extensionAttribute9} extensionAttribute9 Expression {extensionAttribute10} extensionAttribute10 Expression {extensionAttribute11} extensionAttribute11 Expression {extensionAttribute12} extensionAttribute12 Expression {extensionAttribute13} extensionAttribute13 Expression {extensionAttribute14} extensionAttribute14 Expression {extensionAttribute15} extensionAttribute15 Expression {facsimileTelephoneNumber} facsimileTelephoneNumber Expression {} forestFQDN Expression {} forestNetBios Expression {givenName} givenName Expression {homePhone} homePhone Expression {info} info Expression {initials} initials Expression {ipPhone} ipPhone Expression {l} l Expression {mail} mail Expression {manager} manager Direct {middleName} middleName Expression {mobile} mobile Expression {objectSid} objectSid Direct {objectSid} objectSidString Expression {otherFacsimileTelephoneNumber} otherFacsimileTelephoneNumber Expression {otherHomePhone} otherHomePhone Expression {otherMobile} otherMobile Expression {otherIpPhone} otherIpPhone Expression {otherPager} otherPager Expression {otherTelephone} otherTelephone Expression {pager} pager Expression {physicalDeliveryOfficeName} physicalDeliveryOfficeName Expression {postalCode} postalCode Expression {postOfficeBox} postOfficeBox Expression {preferredLanguage} preferredLanguage Expression {} proxyAddresses Expression {pwdLastSet} pwdLastSet Expression {sn} sn Expression {msExchRecipientTypeDetails, mS-DS-ConsistencyGuid, objectGUID} sourceAnchorBinary Expression {msExchRecipientTypeDetails, mS-DS-ConsistencyGuid, objectGUID} sourceAnchor Expression {msExchRecipientTypeDetails} sourceObjectType Expression {st} st Expression {streetAddress} streetAddress Expression {telephoneNumber} telephoneNumber Expression {thumbnailPhoto} thumbnailPhoto Direct {title} title Expression {userPrincipalName, sAMAccountName} userPrincipalName Expression {url} url Expression {wWWHomePage} wWWHomePage Expression

Creating a Script to Show Attribute Names for AD, the Metaverse and AAD

We now pretty much have all the building blocks we need to create a script that will show us:

  1. The attribute name in our on-premises Active Directory (AD)
  2. The name for the same attribute in the Azure AD Connect Metaverse (Metaverse)
  3. The name for the same attribute in the Azure Active Directory (AAD)

The mapping can be done in different ways, but this is how I will do it:

  1. Create a hash list with AD to Metaverse attribute naming references
  2. Create a hash list with Metaverse to AAD attribute naming reference
  3. Pair the two to get the AD to Metaverse to AAD attribute naming reference

This is what the final script looks like:

  1. Import-Module ADSync
  2. $In = @{ }
  3. $Out = @{ }
  4. # Get all Metaverse rules for inbound replication from on-premises AD
  5. $InboundRules = Get-ADSyncRule | ? { $_.Name -like '*In from AD - User*' } | % { $_.AttributeFlowMappings | Select-Object -Property Source, Destination }
  6. ($InboundRules | Sort-Object -Property Source | Get-Unique -AsString) | % {
  7. If ([string]$_.Source -ne '' -and ([string]$_.Source).IndexOf(" ") -le 0 -and -Not $In.Contains([string]$_.Source)) {
  8. $In.Add([string]$_.Source, [string]$_.Destination)
  9. }
  10. }
  11. # Get all Metaverse rules for outbound replication to Azure AD
  12. $OutboundRules = Get-ADSyncRule | ? { $_.Name -like '*Out to AAD - User*' } | % { $_.AttributeFlowMappings | Select-Object -Property Source, Destination }
  13. ($OutboundRules | Sort-Object -Property Source | Get-Unique -AsString) | % {
  14. If (-Not $Out.Contains([string]$_.Source)) {
  15. $Out.Add([string]$_.Source, [string]$_.Destination)
  16. }
  17. }
  18. # Pair the inbound and outbound rule attributes
  19. $InOut = [System.Collections.ArrayList]@()
  20. $In.Keys | % {
  21. $InOutObject = [PSCustomObject]@{
  22. AD = $_
  23. Metaverse = $In[$_]
  24. AAD = $Out[$In[$_]]
  25. }
  26. $InOut += $InOutObject
  27. }
  28. $InOut | Sort-Object -Property AD

Depending on what schema extensions you have, the output will look similar to this:

AD Metaverse AAD -- --------- --- altRecipient altRecipient altRecipient assistant assistant assistant authOrig authOrig authOrig c c countryLetterCode cn cn commonName co co country company company company countryCode countryCode countryCode department department department description description description dLMemRejectPerms dLMemRejectPerms dLMemRejectPerms dLMemSubmitPerms dLMemSubmitPerms dLMemSubmitPerms dn distinguishedName onPremisesDistinguishedName employeeID employeeID employeeID extensionAttribute1 extensionAttribute1 extensionAttribute1 extensionAttribute10 extensionAttribute10 extensionAttribute10 extensionAttribute11 extensionAttribute11 extensionAttribute11 extensionAttribute12 extensionAttribute12 extensionAttribute12 extensionAttribute13 extensionAttribute13 extensionAttribute13 extensionAttribute14 extensionAttribute14 extensionAttribute14 extensionAttribute15 extensionAttribute15 extensionAttribute15 extensionAttribute2 extensionAttribute2 extensionAttribute2 extensionAttribute3 extensionAttribute3 extensionAttribute3 extensionAttribute4 extensionAttribute4 extensionAttribute4 extensionAttribute5 extensionAttribute5 extensionAttribute5 extensionAttribute6 extensionAttribute6 extensionAttribute6 extensionAttribute7 extensionAttribute7 extensionAttribute7 extensionAttribute8 extensionAttribute8 extensionAttribute8 extensionAttribute9 extensionAttribute9 extensionAttribute9 facsimileTelephoneNumber facsimileTelephoneNumber facsimileTelephoneNumber givenName givenName givenName homePhone homePhone homePhone info info info initials initials initials ipPhone ipPhone ipPhone l l city legacyExchangeDN legacyExchangeDN legacyExchangeDN mail mail mail mailNickname mailNickname alias manager manager manager middleName middleName middleName mobile mobile mobile mS-DS-ConsistencyGuid sourceAnchor dn msDS-HABSeniorityIndex msDS-HABSeniorityIndex msDsHabSeniorityIndex msDS-PhoneticDisplayName msDS-PhoneticDisplayName msDsPhoneticDisplayName msExchArchiveGUID msExchArchiveGUID msExchArchiveGuid msExchArchiveName msExchArchiveName msExchArchiveName msExchAssistantName msExchAssistantName msExchAssistantName msExchAuditAdmin msExchAuditAdmin msExchAuditAdmin msExchAuditDelegate msExchAuditDelegate msExchAuditDelegate msExchAuditDelegateAdmin msExchAuditDelegateAdmin msExchAuditDelegateAdmin msExchAuditOwner msExchAuditOwner msExchAuditOwner msExchBlockedSendersHash msExchBlockedSendersHash msExchBlockedSendersHash msExchBypassAudit msExchBypassAudit msExchBypassAudit msExchBypassModerationFromDLMembersBL msExchBypassModerationFromDLMembersLink msExchBypassModerationLink msExchBypassModerationLink msExchDelegateListLink msExchDelegateListLink msExchDelegateListLink msExchELCExpirySuspensionEnd msExchELCExpirySuspensionEnd msExchElcExpirySuspensionEnd msExchELCExpirySuspensionStart msExchELCExpirySuspensionStart msExchElcExpirySuspensionStart msExchELCMailboxFlags msExchELCMailboxFlags msExchElcMailboxFlags msExchEnableModeration msExchEnableModeration msExchEnableModeration msExchHideFromAddressLists msExchHideFromAddressLists msExchHideFromAddressLists msExchImmutableId msExchImmutableId msExchImmutableId msExchLitigationHoldDate msExchLitigationHoldDate msExchLitigationHoldDate msExchLitigationHoldOwner msExchLitigationHoldOwner msExchLitigationHoldOwner msExchMailboxAuditEnable msExchMailboxAuditEnable msExchMailboxAuditEnable msExchMailboxAuditLogAgeLimit msExchMailboxAuditLogAgeLimit msExchMailboxAuditLogAgeLimit msExchMailboxGuid msExchMailboxGuid msExchMailboxGuid msExchMasterAccountSid msExchMasterAccountSid msExchModeratedByLink msExchModeratedByLink msExchModeratedByLink msExchModerationFlags msExchModerationFlags msExchModerationFlags msExchRecipientDisplayType msExchRecipientDisplayType msExchRecipientDisplayType msExchRecipientTypeDetails sourceObjectType msExchRemoteRecipientType msExchRemoteRecipientType msExchRemoteRecipientType msExchRequireAuthToSendTo msExchRequireAuthToSendTo msExchRequireAuthToSendTo msExchResourceCapacity msExchResourceCapacity msExchResourceCapacity msExchResourceDisplay msExchResourceDisplay msExchResourceDisplay msExchResourceMetaData msExchResourceMetaData msExchResourceMetadata msExchResourceSearchProperties msExchResourceSearchProperties msExchResourceSearchProperties msExchRetentionComment msExchRetentionComment msExchRetentionComment msExchRetentionURL msExchRetentionURL msExchRetentionUrl msExchSafeRecipientsHash msExchSafeRecipientsHash msExchSafeRecipientsHash msExchSafeSendersHash msExchSafeSendersHash msExchSafeSendersHash msExchSenderHintTranslations msExchSenderHintTranslations msExchSenderHintTranslations msExchUsageLocation usageLocation usageLocation objectSid objectSidString otherFacsimileTelephoneNumber otherFacsimileTelephoneNumber otherFacsimileTelephoneNumber otherHomePhone otherHomePhone otherHomePhone otherIpPhone otherIpPhone otherIpPhone otherMobile otherMobile otherMobile otherPager otherPager otherPager otherTelephone otherTelephone otherTelephone pager pager pager physicalDeliveryOfficeName physicalDeliveryOfficeName physicalDeliveryOfficeName postalCode postalCode postalCode postOfficeBox postOfficeBox postOfficeBox preferredLanguage preferredLanguage preferredLanguage proxyAddresses proxyAddresses proxyAddresses publicDelegates publicDelegates publicDelegates pwdLastSet pwdLastSet lastPasswordChangeTimestamp sAMAccountName accountName onPremisesSamAccountName sn sn surname st st state streetAddress streetAddress streetAddress targetAddress targetAddress targetAddress telephoneAssistant telephoneAssistant telephoneAssistant telephoneNumber telephoneNumber telephoneNumber thumbnailPhoto thumbnailPhoto thumbnailPhoto title title title True accountEnabled accountEnabled unauthOrig unauthOrig unauthOrig url url url userAccountControl accountEnabled accountEnabled userCertificate userCertificate userSMIMECertificate userSMIMECertificate wWWHomePage wWWHomePage wWWHomePage

And that’s it, there you have the list. I hope you enjoyed this small tour of Azure AD Connect synchronization rule attribute mapping and renaming 🙂

Did you like this post? Maybe your friends will too!
Facebook
fb-share-icon
Twitter
Tweet
LinkedIn
Share