AD additional attribute synced to AAD extension attribute not showing up on AAD user object
Problem description
Can someone please help me with the following? Thanks in advance.
I set up AD Connect in a lab and my lab Active Directory users are syncing OK to my lab Azure AD.
I then went through the Azure AD Connect setup wizard a second time to sync 'custom sync options' and chose 'Directory Extension Attribute Sync', and chose to sync two additional attributes (for testing). I chose the Active Directory attributes 'adminCount' and 'carLicense'. I have a domain admin user called Craig who has his adminCount attribute set to 1, and I added a value for carLicense.
When I check Get-ADSyncGlobalSettings I can see under Microsoft.OptionalFeature.DirectoryExtensionAttributes the carLicense and adminCount listed (among other attributes), therefore it looks like AD Connect should sync these two attributes from AD to Azure AD, right?
However, even after restarting AD Connect and doing a delta sync too, I still do not see these attributes on my Azure AD user when I do Get-AzureADUser -SearchString Graig | select -ExpandProperty extensionproperty
There is no sign of the adminCount or carLicense attributes or their values in the output
Please advise, where am I going wrong?
Do I need an Azure AD P2 license or something to sync additional built-in Active Directory attributes?
I also set up a separate custom rule to sync an AD attribute to extension13 of the AAD user class.
The above appears in the Metaverse under AD Connect OK (with the correct values populated)
However, these do not appear in the AAD User object, as above. Any idea, please?
Thanks in advance
CXMelga
Recommended answer
I also set up a separate custom rule to sync an AD attribute to extension13 of the AAD user class.
If you sync the extension attribute to the extensionAttribute13, you are unable to get that via Azure AD PowerShell Get-AzureADUser.
The extensionAttribute13 belongs to onPremisesExtensionAttributes, which is a property just for the User object in Microsoft Graph, but the AzureAD PowerShell calls the Azure AD Graph API; the onPremisesExtensionAttributes property is not a property of the User in AAD Graph.
So if you want to get the attribute, here are two solutions for you to refer to.
1. Use the Microsoft Graph - Get a user to do that; use the query as below in the Microsoft Graph Explorer. Or if you want to use PowerShell to do that, your option is to call MS Graph in PowerShell with Invoke-RestMethod, a sample here.
GET https://graph.microsoft.com/v1.0/users/<object-id of the user>?$select=onPremisesExtensionAttributes
2. When you use Azure AD Connect to sync, edit the outbound synchronization rule like below. In your case, it should be like extension_3e2cd06ca3494546888b069a891b4bb6_adminCount. See this link for more details.
Then you will be able to get the extension attribute with the command as below (I recommend you not to use the -SearchString parameter, sometimes it returns nothing.)
Get-AzureADUserExtension -ObjectId <object-id of the user>
or
Get-AzureADUser -ObjectId <object-id of the user> | select -ExpandProperty extensionproperty
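The two lookups described in the answer, combined into one Microsoft Graph query, as an added example that is not part of the original answer. The function names Get-GraphUser and Get-SyncedExtensionValue are hypothetical, the access token is assumed to be obtained separately, and the sample JSON is constructed.

```powershell
# Added example: read both kinds of synced attribute from a Microsoft Graph user object.
function Get-GraphUser {
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][string]$Token,     # assumed: Graph access token obtained elsewhere
        [string[]]$ExtensionName = @()            # e.g. extension_<appid>_adminCount
    )
    $fields = @('id', 'onPremisesExtensionAttributes') + $ExtensionName
    # Single quotes keep PowerShell from expanding $select as a variable.
    $uri = "https://graph.microsoft.com/v1.0/users/$ObjectId" + '?$select=' + ($fields -join ',')
    Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $Token" }
}

function Get-SyncedExtensionValue {
    param([Parameter(Mandatory)]$User)            # object from Invoke-RestMethod / ConvertFrom-Json
    $rows = @()
    # extensionAttribute1..15 sit in the nested onPremisesExtensionAttributes object.
    if ($User.onPremisesExtensionAttributes) {
        foreach ($p in $User.onPremisesExtensionAttributes.PSObject.Properties) {
            if ($null -ne $p.Value) {
                $rows += [pscustomobject]@{ Source = 'onPremisesExtensionAttributes'; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    # Directory extensions are top-level properties named extension_<32 hex chars>_<AD attribute>.
    foreach ($p in $User.PSObject.Properties) {
        if ($p.Name -match '^extension_[0-9a-f]{32}_(.+)$') {
            $rows += [pscustomobject]@{ Source = 'directoryExtension'; Name = $Matches[1]; Value = $p.Value }
        }
    }
    $rows
}

# Constructed sample response (id and attribute values are made up for illustration).
$sample = @'
{
  "id": "00000000-0000-0000-0000-000000000000",
  "onPremisesExtensionAttributes": { "extensionAttribute1": null, "extensionAttribute13": "sample-value" },
  "extension_3e2cd06ca3494546888b069a891b4bb6_adminCount": 1,
  "extension_3e2cd06ca3494546888b069a891b4bb6_carLicense": "SAMPLE-123"
}
'@ | ConvertFrom-Json

Get-SyncedExtensionValue -User $sample | Format-Table -AutoSize
```

For a live lookup, pass the full extension_..._adminCount name in -ExtensionName, since the v1.0 endpoint returns directory extension properties only when they are named in $select.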