How to Extract Azure AD Connect Attribute Mapping

PowerShell Azure AD Connect Synchronization Rule

Azure AD Connect sometimes renames attributes when replicating your on-premises AD to Azure AD/Office 365. This can lead to some confusion.

I recently published this table to show exactly what user attributes are renamed.

This post will show you in detail how that table was generated using PowerShell.

How to Extract the Azure AD Connect Synchronization Rules With PowerShell

Azure AD Connect includes a Synchronization Rules Editor. It’s a great tool for quickly reviewing specific rules. But getting an overview of all user synchronization rules is not easy.

Azure AD Connect Synchronization Rules Editor

Fortunately, the Azure AD Connect synchronization engine has an extensive PowerShell API. After importing the ADSync module you can view all synchronization rules using the Get-ADSyncRule commandlet:

PS C:\Windows\system32> Get-ADSyncRule | ft Identifier,Name,Direction,Precedence
Identifier                           Name                                            Direction Precedence
----------                           ----                                            --------- ----------
cf28f341-60ef-408b-b711-d8b4a2513531 In from AAD - User Join                           Inbound        116
d3e2c7a8-fb5a-420c-81db-5d7a28cb549d Out to AAD - User ExchangeOnline                 Outbound        122
f05d72d1-0314-4164-b1bf-a42235960c19 Out to AAD - User LyncOnline                     Outbound        125
14881dcb-b4d8-4640-b299-c2214c19b137 Out to AAD - User SharePointOnline               Outbound        126
a70da87a-a43b-4d32-a48c-f161e5de5056 Out to AAD - Contact ExchangeOnline              Outbound        130
baa84a18-e226-4c37-b99c-be0f03abc079 Out to AAD - Contact SharePointOnline            Outbound        134
d012498f-3178-47bc-8dae-0f0a23a1c51a Out to AAD - Group Join                          Outbound        136
772fe7b4-9e70-4106-804d-99152e18d59b Out to AAD - Group ExchangeOnline                Outbound        138
70c39e03-268f-4714-bed2-a78ffec14a7f Out to AAD - Group SharePointOnline              Outbound        142
62ec510c-758a-4690-9a75-944aa2f2f49c In from AAD - Contact Join                        Inbound        117
5c21ad89-024b-42d8-a41b-cf154b31d740 In from AAD - Group Join                          Inbound        118
31a6ba6f-807d-457d-a4ed-fe145514f623 In from AAD - User NGCKey                         Inbound        119
be063fa9-17f4-4028-8c1d-67ab561dd319 Out to AAD - User AzureRMS                       Outbound        127
eda3fece-6a1a-4cb8-805b-03bba132ed8f Out to AAD - User Join                           Outbound        120
3bd01702-6be3-4eed-824a-f11e77d8c55c Out to AAD - User Identity                       Outbound        121
647ee814-6950-4641-a46e-94f9e187da83 Out to AAD - User DynamicsCRM                    Outbound        123
69c396b8-c952-489b-86f5-9fcf37797583 Out to AAD - User Intune                         Outbound        124
271a070b-5436-4d7b-86a8-443d08ba65aa Out to AAD - Contact Join                        Outbound        128
8934d4ec-7da7-4f7d-90e9-e52edcd6c66d Out to AAD - Contact Identity                    Outbound        129
8f8bb6e9-184c-4be2-90c7-af1673bd3fff Out to AAD - Contact DynamicsCRM                 Outbound        131
f39f59d9-0f37-4890-9620-f9cb1c272ee3 Out to AAD - Contact Intune                      Outbound        132
b7d100cc-f3cb-4571-b436-0d8c59d88dd9 Out to AAD - Contact LyncOnline                  Outbound        133
6b2a2315-6ad7-4a1f-95e3-37a7f972f799 Out to AAD - Contact AzureRMS                    Outbound        135
67a12db5-6970-420e-8725-a566a2b57145 Out to AAD - Group Identity                      Outbound        137
372e20ba-f228-4180-915d-e86c674d08b5 Out to AAD - Group DynamicsCRM                   Outbound        139
53c5f579-d8b5-4429-9bce-2cfb1d1cc7eb Out to AAD - Group Intune                        Outbound        140
365e7941-9a47-4f00-8050-195bcb1f41ac Out to AAD - Group LyncOnline                    Outbound        141
8fae8a95-dd3e-499a-a5e0-67a25d925d36 Out to AAD - Group AzureRMS                      Outbound        143
2b8804d6-d5cd-4271-ba54-6d1143ff604c Out to AAD - User OfficeProPlus                  Outbound        144
f99711d6-d0ac-43c7-b5f1-7d005d88e588 In from AAD - Device Common                       Inbound        146
9531206f-bd80-4185-b5c9-79da98b4f434 Out to AAD - Device Join SOAInAD                 Outbound        148
6f1296d9-881e-44da-bc27-5f9874bb00c2 In from AD - User Join                            Inbound        100
84754e46-c844-4005-8b8f-06c654a22f3b In from AD - User Common from Exchange            Inbound        104
a4e767dd-881a-40fb-a80c-08ed7b908d50 In from AD - InetOrgPerson Common from Exchange   Inbound        105
12854a4a-a20e-4872-8193-b34347f933ef In from AD - User Common                          Inbound        106
cffd3179-b758-4af6-9fd9-e86601e54c32 In from AD - InetOrgPerson Common                 Inbound        107
aebaba15-7d67-451c-a22a-60b038470da3 In from AD - User Exchange                        Inbound        108
64dccec2-4fad-4fb4-9763-d0c01a45b753 In from AD - InetOrgPerson Exchange               Inbound        109
d16d81c4-1983-4dad-8e31-36d401f0b008 In from AD - Group Exchange                       Inbound        111
918b5bcb-f5c8-4a86-9a16-18f662a8e916 In from AD - Contact Common                       Inbound        114
697617ad-960a-4915-948e-a872841038e5 In from AD - User AccountEnabled                  Inbound        102
665509b8-2883-4a21-8dc1-9dd122fd6774 In from AD - InetOrgPerson AccountEnabled         Inbound        103
4b4c587d-4348-449a-9fc4-820047e64afd In from AD - Group Join                           Inbound        110
92c27354-7c9b-469f-b58c-f41375baadc9 In from AD - InetOrgPerson Join                   Inbound        101
273c3494-08e3-4f0d-b4e6-ddae39801088 In from AD - Contact Join                         Inbound        113
07a4406f-b752-46cd-bcc1-5d64990c8fd9 In from AD - ForeignSecurityPrincipal Join User   Inbound        115
15ed8d3f-eef2-449c-8cc5-355d4d14e3f5 Out to AD - User Join SOAInAD                    Outbound        145
aa49299c-18ef-4334-b30c-b31060b8f5b8 In from AD - Device Common                        Inbound        149
a3f1eb61-4d4c-4748-a64e-076906279a0b In from AD - Computer Join                        Inbound        147
c430b311-2e1c-4632-8312-9477e941f7c5 Out to AD - User NGCKey                          Outbound        150
31dcdb57-fd59-41ad-bac7-161b9d305cc1 Out to AD - Device STKKey                        Outbound        151
37219198-d451-4be3-aff7-18ed7d394737 Out to AD - User ImmutableId                     Outbound        152
447231ec-6555-45ec-98fc-4c915fa52692 In from AD - Group Common                         Inbound        112

The same command can of course be used to see specifics of individual synchronization rules. In this case the “In from AD – User Common” rule:

PS C:\Windows\system32> Get-ADSyncRule 12854a4a-a20e-4872-8193-b34347f933ef

Identifier               : 12854a4a-a20e-4872-8193-b34347f933ef
InternalId               : 1d5ff5cf-5c4e-46d6-9972-5a2b788848a3
Name                     : In from AD - User Common
Version                  : 1
Description              :
ImmutableTag             : Microsoft.IdentityManagement.PowerShell.ObjectModel.ImmutableTag
Connector                : 90f3ee83-f35e-486c-a2c7-c4d6831ba704
Direction                : Inbound
Disabled                 : False
SourceObjectType         : user
TargetObjectType         : person
Precedence               : 106
PrecedenceAfter          : 00000000-0000-0000-0000-000000000000
PrecedenceBefore         : 00000000-0000-0000-0000-000000000000
LinkType                 : Join
EnablePasswordSync       : False
JoinFilter               : {}
ScopeFilter              : {Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeConditionGroup}
AttributeFlowMappings    : {Destination:distinguishedName FlowType:Direct Expression:  ValueMergeType: Update, Destination:accountEnabled FlowType:Expression Expression:
                           IIF(BitAnd([userAccountControl],2)=0,True,False) ValueMergeType: Update, Destination:accountName FlowType:Direct Expression:  ValueMergeType: Update, Destination:assistant
                           FlowType:Direct Expression:  ValueMergeType: Update...}
SoftDeleteExpiryInterval : 00:00:00
SourceNamespaceId        : 90f3ee83-f35e-486c-a2c7-c4d6831ba704
TargetNamespaceId        : cc31d470-9786-447f-8594-40abe13f9f78
VersionAgnosticTag       : Microsoft.InfromADUserCommon.
TagVersion               : 9
IsStandardRule           : True
IsLegacyCustomRule       : False
JoinHash                 :

The AttributeFlowMappings attribute holds the information about the mappings (or transformations) of the user attributes for this specific synchronization rule:

PS C:\Windows\system32> Get-ADSyncRule 12854a4a-a20e-4872-8193-b34347f933ef | Select-Object -ExpandProperty AttributeFlowMappings | ft Source,Destination,FlowType
Source                                                          Destination                     FlowType
------                                                          -----------                     --------
{dn}                                                            distinguishedName                 Direct
{userAccountControl}                                            accountEnabled                Expression
{sAMAccountName}                                                accountName                       Direct
{assistant}                                                     assistant                         Direct
{c}                                                             c                             Expression
{cn}                                                            cn                                Direct
{co}                                                            co                            Expression
{company}                                                       company                       Expression
{countryCode}                                                   countryCode                       Direct
{department}                                                    department                    Expression
{description}                                                   description                   Expression
{displayName, cn}                                               displayName                   Expression
{}                                                              domainFQDN                    Expression
{}                                                              domainNetBios                 Expression
{employeeID}                                                    employeeID                        Direct
{extensionAttribute1}                                           extensionAttribute1           Expression
{extensionAttribute2}                                           extensionAttribute2           Expression
{extensionAttribute3}                                           extensionAttribute3           Expression
{extensionAttribute4}                                           extensionAttribute4           Expression
{extensionAttribute5}                                           extensionAttribute5           Expression
{extensionAttribute6}                                           extensionAttribute6           Expression
{extensionAttribute7}                                           extensionAttribute7           Expression
{extensionAttribute8}                                           extensionAttribute8           Expression
{extensionAttribute9}                                           extensionAttribute9           Expression
{extensionAttribute10}                                          extensionAttribute10          Expression
{extensionAttribute11}                                          extensionAttribute11          Expression
{extensionAttribute12}                                          extensionAttribute12          Expression
{extensionAttribute13}                                          extensionAttribute13          Expression
{extensionAttribute14}                                          extensionAttribute14          Expression
{extensionAttribute15}                                          extensionAttribute15          Expression
{facsimileTelephoneNumber}                                      facsimileTelephoneNumber      Expression
{}                                                              forestFQDN                    Expression
{}                                                              forestNetBios                 Expression
{givenName}                                                     givenName                     Expression
{homePhone}                                                     homePhone                     Expression
{info}                                                          info                          Expression
{initials}                                                      initials                      Expression
{ipPhone}                                                       ipPhone                       Expression
{l}                                                             l                             Expression
{mail}                                                          mail                          Expression
{manager}                                                       manager                           Direct
{middleName}                                                    middleName                    Expression
{mobile}                                                        mobile                        Expression
{objectSid}                                                     objectSid                         Direct
{objectSid}                                                     objectSidString               Expression
{otherFacsimileTelephoneNumber}                                 otherFacsimileTelephoneNumber Expression
{otherHomePhone}                                                otherHomePhone                Expression
{otherMobile}                                                   otherMobile                   Expression
{otherIpPhone}                                                  otherIpPhone                  Expression
{otherPager}                                                    otherPager                    Expression
{otherTelephone}                                                otherTelephone                Expression
{pager}                                                         pager                         Expression
{physicalDeliveryOfficeName}                                    physicalDeliveryOfficeName    Expression
{postalCode}                                                    postalCode                    Expression
{postOfficeBox}                                                 postOfficeBox                 Expression
{preferredLanguage}                                             preferredLanguage             Expression
{}                                                              proxyAddresses                Expression
{pwdLastSet}                                                    pwdLastSet                    Expression
{sn}                                                            sn                            Expression
{msExchRecipientTypeDetails, mS-DS-ConsistencyGuid, objectGUID} sourceAnchorBinary            Expression
{msExchRecipientTypeDetails, mS-DS-ConsistencyGuid, objectGUID} sourceAnchor                  Expression
{msExchRecipientTypeDetails}                                    sourceObjectType              Expression
{st}                                                            st                            Expression
{streetAddress}                                                 streetAddress                 Expression
{telephoneNumber}                                               telephoneNumber               Expression
{thumbnailPhoto}                                                thumbnailPhoto                    Direct
{title}                                                         title                         Expression
{userPrincipalName, sAMAccountName}                             userPrincipalName             Expression
{url}                                                           url                           Expression
{wWWHomePage}                                                   wWWHomePage                   Expression

Creating a Script to Show Attribute Names for AD, the Metaverse and AAD

We now pretty much have all the building blocks we need to create a script that will show us:

  1. The attribute name in our on-premises Active Directory (AD)
  2. The name for the same attribute in the Azure AD Connect Metaverse (Metaverse)
  3. The name for the same attribute in the Azure Active Directory (AAD)

The mapping can be done in different ways, but this is how I will do it:

  1. Create a hash list with AD to Metaverse attribute naming references
  2. Create a hash list with Metaverse to AAD attribute naming reference
  3. Pair the two to get the AD to Metaverse to AAD attribute naming reference

This is what the final script looks like:

Import-Module ADSync
$In = @{ }
$Out = @{ }
# Get all Metaverse rules for inbound replication from on-premises AD
$InboundRules = Get-ADSyncRule | ? { $_.Name -like '*In from AD - User*' } | % { $_.AttributeFlowMappings | Select-Object -Property Source, Destination }
($InboundRules | Sort-Object -Property Source | Get-Unique -AsString) | % {
  If ([string]$_.Source -ne '' -and ([string]$_.Source).IndexOf(" ") -le 0 -and -Not $In.Contains([string]$_.Source)) {
    $In.Add([string]$_.Source, [string]$_.Destination)
  }
}
# Get all Metaverse rules for outbound replication to Azure AD
$OutboundRules = Get-ADSyncRule | ? { $_.Name -like '*Out to AAD - User*' } | % { $_.AttributeFlowMappings | Select-Object -Property Source, Destination }
($OutboundRules | Sort-Object -Property Source | Get-Unique -AsString) | % {
  If (-Not $Out.Contains([string]$_.Source)) {
    $Out.Add([string]$_.Source, [string]$_.Destination)
  }
}
# Pair the inbound and outbound rule attributes
$InOut = [System.Collections.ArrayList]@()
$In.Keys | % {
  $InOutObject = [PSCustomObject]@{
    AD        = $_
    Metaverse = $In[$_]
    AAD       = $Out[$In[$_]]
  }
  $InOut += $InOutObject
}
$InOut | Sort-Object -Property AD

Depending on what schema extensions you have, the output will look similar to this:

AD                                    Metaverse                               AAD
--                                    ---------                               ---
altRecipient                          altRecipient                            altRecipient
assistant                             assistant                               assistant
authOrig                              authOrig                                authOrig
c                                     c                                       countryLetterCode
cn                                    cn                                      commonName
co                                    co                                      country
company                               company                                 company
countryCode                           countryCode                             countryCode
department                            department                              department
description                           description                             description
dLMemRejectPerms                      dLMemRejectPerms                        dLMemRejectPerms
dLMemSubmitPerms                      dLMemSubmitPerms                        dLMemSubmitPerms
dn                                    distinguishedName                       onPremisesDistinguishedName
employeeID                            employeeID                              employeeID
extensionAttribute1                   extensionAttribute1                     extensionAttribute1
extensionAttribute10                  extensionAttribute10                    extensionAttribute10
extensionAttribute11                  extensionAttribute11                    extensionAttribute11
extensionAttribute12                  extensionAttribute12                    extensionAttribute12
extensionAttribute13                  extensionAttribute13                    extensionAttribute13
extensionAttribute14                  extensionAttribute14                    extensionAttribute14
extensionAttribute15                  extensionAttribute15                    extensionAttribute15
extensionAttribute2                   extensionAttribute2                     extensionAttribute2
extensionAttribute3                   extensionAttribute3                     extensionAttribute3
extensionAttribute4                   extensionAttribute4                     extensionAttribute4
extensionAttribute5                   extensionAttribute5                     extensionAttribute5
extensionAttribute6                   extensionAttribute6                     extensionAttribute6
extensionAttribute7                   extensionAttribute7                     extensionAttribute7
extensionAttribute8                   extensionAttribute8                     extensionAttribute8
extensionAttribute9                   extensionAttribute9                     extensionAttribute9
facsimileTelephoneNumber              facsimileTelephoneNumber                facsimileTelephoneNumber
givenName                             givenName                               givenName
homePhone                             homePhone                               homePhone
info                                  info                                    info
initials                              initials                                initials
ipPhone                               ipPhone                                 ipPhone
l                                     l                                       city
legacyExchangeDN                      legacyExchangeDN                        legacyExchangeDN
mail                                  mail                                    mail
mailNickname                          mailNickname                            alias
manager                               manager                                 manager
middleName                            middleName                              middleName
mobile                                mobile                                  mobile
mS-DS-ConsistencyGuid                 sourceAnchor                            dn
msDS-HABSeniorityIndex                msDS-HABSeniorityIndex                  msDsHabSeniorityIndex
msDS-PhoneticDisplayName              msDS-PhoneticDisplayName                msDsPhoneticDisplayName
msExchArchiveGUID                     msExchArchiveGUID                       msExchArchiveGuid
msExchArchiveName                     msExchArchiveName                       msExchArchiveName
msExchAssistantName                   msExchAssistantName                     msExchAssistantName
msExchAuditAdmin                      msExchAuditAdmin                        msExchAuditAdmin
msExchAuditDelegate                   msExchAuditDelegate                     msExchAuditDelegate
msExchAuditDelegateAdmin              msExchAuditDelegateAdmin                msExchAuditDelegateAdmin
msExchAuditOwner                      msExchAuditOwner                        msExchAuditOwner
msExchBlockedSendersHash              msExchBlockedSendersHash                msExchBlockedSendersHash
msExchBypassAudit                     msExchBypassAudit                       msExchBypassAudit
msExchBypassModerationFromDLMembersBL msExchBypassModerationFromDLMembersLink
msExchBypassModerationLink            msExchBypassModerationLink
msExchDelegateListLink                msExchDelegateListLink                  msExchDelegateListLink
msExchELCExpirySuspensionEnd          msExchELCExpirySuspensionEnd            msExchElcExpirySuspensionEnd
msExchELCExpirySuspensionStart        msExchELCExpirySuspensionStart          msExchElcExpirySuspensionStart
msExchELCMailboxFlags                 msExchELCMailboxFlags                   msExchElcMailboxFlags
msExchEnableModeration                msExchEnableModeration                  msExchEnableModeration
msExchHideFromAddressLists            msExchHideFromAddressLists              msExchHideFromAddressLists
msExchImmutableId                     msExchImmutableId                       msExchImmutableId
msExchLitigationHoldDate              msExchLitigationHoldDate                msExchLitigationHoldDate
msExchLitigationHoldOwner             msExchLitigationHoldOwner               msExchLitigationHoldOwner
msExchMailboxAuditEnable              msExchMailboxAuditEnable                msExchMailboxAuditEnable
msExchMailboxAuditLogAgeLimit         msExchMailboxAuditLogAgeLimit           msExchMailboxAuditLogAgeLimit
msExchMailboxGuid                     msExchMailboxGuid                       msExchMailboxGuid
msExchMasterAccountSid                msExchMasterAccountSid
msExchModeratedByLink                 msExchModeratedByLink                   msExchModeratedByLink
msExchModerationFlags                 msExchModerationFlags                   msExchModerationFlags
msExchRecipientDisplayType            msExchRecipientDisplayType              msExchRecipientDisplayType
msExchRecipientTypeDetails            sourceObjectType
msExchRemoteRecipientType             msExchRemoteRecipientType               msExchRemoteRecipientType
msExchRequireAuthToSendTo             msExchRequireAuthToSendTo               msExchRequireAuthToSendTo
msExchResourceCapacity                msExchResourceCapacity                  msExchResourceCapacity
msExchResourceDisplay                 msExchResourceDisplay                   msExchResourceDisplay
msExchResourceMetaData                msExchResourceMetaData                  msExchResourceMetadata
msExchResourceSearchProperties        msExchResourceSearchProperties          msExchResourceSearchProperties
msExchRetentionComment                msExchRetentionComment                  msExchRetentionComment
msExchRetentionURL                    msExchRetentionURL                      msExchRetentionUrl
msExchSafeRecipientsHash              msExchSafeRecipientsHash                msExchSafeRecipientsHash
msExchSafeSendersHash                 msExchSafeSendersHash                   msExchSafeSendersHash
msExchSenderHintTranslations          msExchSenderHintTranslations            msExchSenderHintTranslations
msExchUsageLocation                   usageLocation                           usageLocation
objectSid                             objectSidString
otherFacsimileTelephoneNumber         otherFacsimileTelephoneNumber           otherFacsimileTelephoneNumber
otherHomePhone                        otherHomePhone                          otherHomePhone
otherIpPhone                          otherIpPhone                            otherIpPhone
otherMobile                           otherMobile                             otherMobile
otherPager                            otherPager                              otherPager
otherTelephone                        otherTelephone                          otherTelephone
pager                                 pager                                   pager
physicalDeliveryOfficeName            physicalDeliveryOfficeName              physicalDeliveryOfficeName
postalCode                            postalCode                              postalCode
postOfficeBox                         postOfficeBox                           postOfficeBox
preferredLanguage                     preferredLanguage                       preferredLanguage
proxyAddresses                        proxyAddresses                          proxyAddresses
publicDelegates                       publicDelegates                         publicDelegates
pwdLastSet                            pwdLastSet                              lastPasswordChangeTimestamp
sAMAccountName                        accountName                             onPremisesSamAccountName
sn                                    sn                                      surname
st                                    st                                      state
streetAddress                         streetAddress                           streetAddress
targetAddress                         targetAddress                           targetAddress
telephoneAssistant                    telephoneAssistant                      telephoneAssistant
telephoneNumber                       telephoneNumber                         telephoneNumber
thumbnailPhoto                        thumbnailPhoto                          thumbnailPhoto
title                                 title                                   title
True                                  accountEnabled                          accountEnabled
unauthOrig                            unauthOrig                              unauthOrig
url                                   url                                     url
userAccountControl                    accountEnabled                          accountEnabled
userCertificate                       userCertificate
userSMIMECertificate                  userSMIMECertificate
wWWHomePage                           wWWHomePage                             wWWHomePage

And that’s it, there you have the list. I hope you enjoyed this small tour of Azure AD Connect synchronization rule attribute mapping and renaming 🙂