Question
Can someone please help me with the following? Thanks in advance.
I set up AD Connect in a LAB, and my LAB Active Directory users are syncing OK to my LAB Azure AD.
I then went through the Azure AD Connect setup wizard a second time to sync 'custom sync options', chose 'Directory Extension Attribute Sync', and chose to sync two additional attributes (for testing). I chose the Active Directory attributes 'adminCount' and 'carLicense'. I have a domain admin user called Craig who has his adminCount attribute set to 1, and I added a value for carLicense.
When I check Get-ADSyncGlobalSettings,
I can see carLicense and adminCount listed under Microsoft.OptionalFeature.DirectoryExtensionAttributes (among other attributes), so it looks like AD Connect should sync these two attributes from AD to Azure AD, right?
However, even after restarting AD Connect and doing a delta sync too, I still do not see these attributes on my Azure AD user when I do Get-AzureADUser -SearchString Graig | select -ExpandProperty extensionproperty
There is no sign of the adminCount or carLicense attributes or their values in the output.
Please advise: where am I going wrong?
Do I need an Azure AD P2 license or something to sync additional built-in Active Directory attributes?
I also set up a separate custom rule to sync an AD attribute to extension13 of the AAD user class.
The above appears in the Metaverse under AD Connect OK (with the correct values populated).
However, it does not appear in the AAD User object, as above. Any ideas, please?
Thanks in advance
CXMelga
Answer 1:
I also set up a separate custom rule to sync an AD attribute to extension13 of the AAD user class.
If you sync the extension attribute to extensionAttribute13, you are unable to get it via the Azure AD PowerShell cmdlet Get-AzureADUser.
extensionAttribute13 belongs to onPremisesExtensionAttributes, which is a property of the User object in Microsoft Graph only. Azure AD PowerShell calls the Azure AD Graph API, and onPremisesExtensionAttributes is not a property of the User in AAD Graph.
So if you want to get the attribute, here are two solutions for you to refer to.
1. Use Microsoft Graph - Get a user to do that, with the query below in the Microsoft Graph Explorer. Or, if you want to use PowerShell to do that, your option is to call MS Graph in PowerShell with Invoke-RestMethod, a sample here.
GET https://graph.microsoft.com/v1.0/users/<object-id of the user>?$select=onPremisesExtensionAttributes
2. When you use Azure AD Connect to sync, edit the outbound synchronization rule like below. In your case, it should be like extension_3e2cd06ca3494546888b069a891b4bb6_adminCount. See this link for more details.
Then you will be able to get the extension attribute with the command below (I recommend you not use the -SearchString parameter; sometimes it returns nothing).
Get-AzureADUserExtension -ObjectId <object-id of the user>
Or
Get-AzureADUser -ObjectId <object-id of the user> | select -ExpandProperty extensionproperty
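The Microsoft Graph query from solution 1, called from PowerShell with Invoke-RestMethod, as an added example that is not part of the original answer or the sample it linked to. It assumes an app registration with the User.Read.All application permission (admin-consented); the function name, its parameters and the placeholder IDs are hypothetical.

```powershell
# Added example: read synced extension attributes from Microsoft Graph.
# Assumption: app registration with the User.Read.All application permission.
# All IDs passed in the usage section are placeholders.
function Get-SyncedExtensionAttribute {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [securestring] $ClientSecret,
        [Parameter(Mandatory)] [string] $UserObjectId,
        # Full directory-extension names: extension_<appId without dashes>_<attribute>
        [string[]] $DirectoryExtensionName = @()
    )

    # Client-credentials token request; the secret is only decrypted in memory here.
    $plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body @{
            grant_type    = 'client_credentials'
            client_id     = $ClientId
            client_secret = $plainSecret
            scope         = 'https://graph.microsoft.com/.default'
        }

    # onPremisesExtensionAttributes is not in the default property set, so name it
    # (and any directory extensions) explicitly in $select.
    $select = @('id', 'displayName', 'onPremisesExtensionAttributes') + $DirectoryExtensionName
    $uri = "https://graph.microsoft.com/v1.0/users/$UserObjectId" + '?$select=' + ($select -join ',')

    Invoke-RestMethod -Method Get -Uri $uri `
        -Headers @{ Authorization = "Bearer $($token.access_token)" }
}

# Usage (placeholders): the secret is prompted for rather than stored in the script.
$secret = Read-Host -AsSecureString -Prompt 'Client secret'
$user = Get-SyncedExtensionAttribute -TenantId '<tenant-id>' -ClientId '<app-client-id>' `
    -ClientSecret $secret -UserObjectId '<object-id of the user>' `
    -DirectoryExtensionName 'extension_<appId>_adminCount', 'extension_<appId>_carLicense'

# Value written by the custom rule that targets extension13.
$user.onPremisesExtensionAttributes.extensionAttribute13
# Values synced through Directory Extension Attribute Sync.
$user | Select-Object displayName, extension_*
```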
Source: https://stackoverflow.com/questions/58689822/ad-additional-attribute-synced-to-aad-extension-attribute-not-showing-up-on-aad