Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2016-01-24) Azure AD Connect – Identifying Users In AD And In Azure AD (Part 2)

Posted by Jorge on 2016-01-24


In the previous blog post, I described the unique identification of users in AD and AAD. In this blog post I will describe the unique identification of other objects in AD and AAD and how that is done through Azure AD Connect.

For the other object types (e.g. Group, Contact, ForeignSecurityPrincipal), it is not possible to make selections similar to those available for users; Azure AD Connect always uses the default configuration for them.

For the object types Group and Contact, the attribute used as the sourceAnchor attribute in Azure AD will always be the objectGUID. Objects of the object type ForeignSecurityPrincipal will only join to existing objects and never create new ones.

In the default sync rules “In from AD – Group Common” and “In from AD – Contact Common” the following attribute flow exists:

Expression(ConvertToBase64([objectGUID])) ===> attribute(sourceAnchor)
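As an added worked example (not code from the original post or from Azure AD Connect), the Python below reproduces what that flow produces for a constructed objectGUID, and inverts it so a cloud-side sourceAnchor can be traced back to the AD object it joins to. It assumes ConvertToBase64 base64-encodes the attribute's raw 16 bytes, which for objectGUID is the same byte order .NET's Guid.ToByteArray() returns.

```python
import base64
import uuid

# Constructed sample objectGUID in the dashed form Get-ADObject or ldapsearch
# would display; it does not belong to any real directory object.
SAMPLE_OBJECT_GUID = "01020304-0506-0708-090a-0b0c0d0e0f10"


def source_anchor_from_object_guid(guid_text: str) -> str:
    """Return the sourceAnchor that ConvertToBase64([objectGUID]) yields.

    AD stores objectGUID as 16 raw bytes in the Windows GUID layout (first
    three fields little-endian). .NET's Guid.ToByteArray() and Python's
    uuid.bytes_le give that same layout, so the anchor is base64 of these
    bytes. Encoding the dashed string instead gives a 48-character value
    that will never match what the sync rule wrote to Azure AD.
    """
    raw = uuid.UUID(guid_text).bytes_le
    return base64.b64encode(raw).decode("ascii")


def object_guid_from_source_anchor(anchor: str) -> str:
    """Invert the flow: recover the dashed objectGUID from a sourceAnchor."""
    raw = base64.b64decode(anchor, validate=True)
    if len(raw) != 16:
        raise ValueError(f"expected 16 GUID bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def anchors_match(ad_guid_text: str, cloud_anchor: str) -> bool:
    """True when an AD object and a cloud object would join on sourceAnchor."""
    return source_anchor_from_object_guid(ad_guid_text) == cloud_anchor


if __name__ == "__main__":
    anchor = source_anchor_from_object_guid(SAMPLE_OBJECT_GUID)
    print(f"objectGUID {SAMPLE_OBJECT_GUID} -> sourceAnchor {anchor}")
    print(f"sourceAnchor {anchor} -> objectGUID "
          f"{object_guid_from_source_anchor(anchor)}")
```

The same forward conversion in PowerShell is [System.Convert]::ToBase64String($guid.ToByteArray()), which is handy when comparing a group's objectGUID against the sourceAnchor shown in the Azure AD Connect metaverse.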

For the object type Group, the default sync rules “In from AD – Group Join” and “In from AD – Group Filtering” list the following criteria to join/match/link objects.

Figure 1: Default Join Rules For Group Objects

For the object type Contact, the default sync rules “In from AD – Contact Join” and “In from AD – Contact Filtering” list the following criteria to join/match/link objects.

Figure 2: Default Join Rules For Contact Objects

For the object type ForeignSecurityPrincipal, the default sync rule “In from AD – ForeignSecurityPrincipal Join User” lists the following criteria to join/match/link objects.

Figure 3: Default Join Rules For ForeignSecurityPrincipal Objects

In the next blog post I will share my views on what you should do with regards to the Immutable ID, and also show you how to configure it.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
