Support-Tip: (AADCONNECT): Provisioning non-mail enabled user when joining on mail
Hey All,
Tim Macaulay here from Microsoft Support for FIM/MIM/AADCONNECT SYNC.
Interesting issue I worked on yesterday that I wanted to share with everybody.
PRODUCTS INVOLVED
- Azure AD Connect
PROBLEM SCENARIO DESCRIPTION
- In this scenario, Azure AD Connect was installed/configured to join on the mail attribute. However, we wanted to synchronize non-mail enabled user objects to Office 365 (Azure) and it would not synchronize. All we would see is "Source Object Details".
DISPLAYED ISSUE TEXT
- Preview shows "Source Object Details", no errors are thrown. The object would not project.
INFORMATION
Review the In from AD - User Join Synchronization Rule. On the Join Rules, you will see that the Join condition is specified to be mail to mail.
NOTE: This is an out of the box, default synchronization rule and it is not recommended to modify this synchronization rule as upgrades will overwrite this synchronization rule if modified.
Next review the Active Directory Object.
- Drill down to the actual objects location as the Properties Tab (Attribute Editor) is not available when doing a find. Review the attribute in question. For the purpose of this blog, I am focused on the mail attribute.
- NOTE: While this is specific to the mail attribute in this scenario, it is important to note that you can receive the same affect by joining on an attribute that you are not flowing information.
- Next review the On-Premise Active Directory Connector Space Object. You will see no attribute listed for the mail attribute.
- NOTE: Standard Sync Engine, if there is no value being brought in from a selected attribute, then you will not see the attribute listed on the connector space object.
- If there is no attribute value for Azure AD Connect to join, then we will not do anything with the object and all you will get is Source Object Details tab in the Preview window.
CAUSE
- The Object did not have a value in the mail attribute
RESOLUTION
- In resolving this specific issue, we need to remember that we need to synchronize both mail-enabled and non-mail-enabled user objects. To do this, we did the following:
- Cloned the Out of the Box Default Sync Rule: In from AD - User Join
- Review the Connector Space Object Properties and find another attribute to join on. The recommendation is to find something unique.
- Click the Add Group button
- Set it to ObjectGUID = SourceAnchorBinary
- Click Save and then Preview your object
ADDITIONAL INFORMATION / RESOURCES
- Microsoft FIM/MIM Team Support Blog: http://blogs.technet.microsoft.com/iamsupport
- Azure AD Connect Blogs on our Team site: https://blogs.technet.microsoft.com/iamsupport/tag/aadconnect/