Azure Active Directory - How Do I Provision an Account or Group to AzureAD?

How can I provision or sync an account or group from the on-prem OU to AzureAD?

This page will help IT Pros provision and sync their user and group objects from on-prem Active Directory to Azure Active Directory (AzureAD).

Background Information:

Directory information in Azure AD is synchronized from the on-premises Active Directory via AzureAD Connect. One of the criteria that the AzureAD Connect service looks for is the presence of extensionAttribute2 with the value of 'O365'. This attribute is added automatically when an account or group is mail-enabled, but it can be added manually if an IT Pro would like an account without a mailbox to be provisioned to AzureAD.

The presence of extensionAttribute2=O365 tells the AzureAD Connect service to provision the user or group object to Azure Active Directory. AzureAD Connect will also look for any changes made to these objects since the last sync cycle. The sync cycle interval is 30 minutes, so approximately every half hour, the sync service will do a delta sync which consists of a delta import from both on-prem AD and AzureAD, synchronize the information, and export the changes to both locations.

Note: Certain configuration changes to AzureAD Connect will require full sync instead of the normal delta. A full sync cycle can typically take about 36-48 hours during which no new accounts will be provisioned from on-prem AD to AzureAD nor will any changes be synchronized. Whenever possible we will communicate this ahead of time and create a post on the status page.

How to provision your user or group object to AzureAD:

  • Add extensionAttribute2 with value of O365
  • For user objects, make sure the object's UserPrincipalName (UPN) is set, with an appropriate domain (@ad.uillinois.edu, @illinois.edu, or @uillinois.edu).

    Note: The UPN will be the account's login address.

    • Failure to set the UPN appropriately may result in the object being provisioned with a UPN in the @uillinoisedu.onmicrosoft.com domain instead of the intended one
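Because a missing or unexpected UPN suffix is only noticed after the object has already synced, it helps to audit an OU before flagging objects. The following script is an added example and is not part of the original KB page; it assumes the RSAT ActiveDirectory module is installed, and the OU path is a placeholder you replace with your own. It reports every user object whose UPN is absent or not in one of the three domains listed above, and shows whether that object is already flagged with extensionAttribute2=O365.

```powershell
# Added example (not from the original KB page): find user objects in an OU whose
# UPN would not survive provisioning to AzureAD intact.
Import-Module ActiveDirectory

$SearchBase      = 'OU=YourUnit,DC=ad,DC=uillinois,DC=edu'   # placeholder: your OU
$AllowedSuffixes = @('ad.uillinois.edu', 'illinois.edu', 'uillinois.edu')

# Request only the attributes needed; -Properties * is slow against a large OU.
$users = Get-ADUser -SearchBase $SearchBase -Filter * `
    -Properties extensionAttribute2, userPrincipalName

$report = foreach ($u in $users) {
    if (-not $u.UserPrincipalName) {
        # No UPN at all: AzureAD would assign an @uillinoisedu.onmicrosoft.com UPN.
        $status = 'MISSING UPN'
    } else {
        $suffix = $u.UserPrincipalName.Split('@')[-1]
        # -contains is case-insensitive, so Illinois.EDU also passes.
        if ($AllowedSuffixes -contains $suffix) { $status = 'OK' }
        else { $status = "UNEXPECTED UPN SUFFIX '$suffix'" }
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $u.UserPrincipalName
        SyncFlagged    = ($u.extensionAttribute2 -eq 'O365')   # will sync on next cycle
        Status         = $status
    }
}

# Objects that are flagged AND have a bad status are the urgent ones: they will
# (or already did) sync with the wrong login address.
$report | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object SyncFlagged -Descending |
    Format-Table -AutoSize
```

Run it from a domain-joined system as an account with read access to the OU; it makes no changes. Add -Server and -Credential to the Get-ADUser call in the same way as in Method 2 below if you are not on a domain-joined system.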

The methods listed below for adding extensionAttribute2 will require the installation of RSAT: Active Directory Domain Services and Lightweight Directory Tools. Starting with the Windows 10 October 2018 Update, RSAT is included as a set of Features on Demand right from Windows 10. Simply go to Manage optional features in Settings and click Add a feature.

You will also need to have write privileges for the OU in which the object resides.

Method 1: Active Directory Users and Computers (ADUC)

You will need to enable the 'Advanced Features' option within ADUC, which is in the 'View' menu:

Screenshot showing the location of 'advanced features' checkbox within ADUC. It is in the 'view' menu

Steps:

  1. Navigate to the user object you want to edit
  2. Double-click on the object or right-click on the object and select 'Properties'
  3. Go to the 'Attribute Editor' tab
  4. Scroll down to extensionAttribute2 and double-click on it, or select it and click on 'Edit'
  5. Type in O365 in the box and click on 'OK'
  6. Click on 'Apply' to apply the changes

Screenshot showing the attribute editor box in the attribute editor tab on a user object in ADUC

The object will be provisioned to AzureAD on the next sync cycle.

Method 2: PowerShell

This is best run from a domain-joined system. While logged in as a user with sufficient permissions on the object you are editing, you can type the following command:

Set-ADUser -Identity $useracct -Add @{extensionAttribute2="O365"}

If you want to make sure it applied, or check the presence of the attribute on an account you can use the following command:

Get-ADUser -Identity $useracct -Properties extensionAttribute2 | Select-Object extensionAttribute2

If you do not have access to a domain-joined system, you will need to use the Get-Credential command and specify a server.

$c = Get-Credential "netid"

Set-ADUser -Credential $c -Server ad.uillinois.edu -Identity $useracct -Add @{extensionAttribute2="O365"}

In the examples above, you'll want to replace $useracct with the SamAccountName of the object you're working with.
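The commands above are the individual pieces; the function below is an added example (not from the original KB page) that strings them together with the checks from the provisioning section: it verifies a user's UPN suffix before flagging, refuses to silently overwrite a different existing extensionAttribute2 value, supports -WhatIf, works for both user and group objects, and reads the attribute back afterwards. Set-O365SyncFlag is a hypothetical name chosen for this example, and svc-example in the usage lines is a placeholder account. It assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original KB page). Set-O365SyncFlag is a hypothetical
# helper that wraps the Set-ADUser / Get-ADUser commands shown in Method 2.
Import-Module ActiveDirectory

function Set-O365SyncFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity,                      # SamAccountName of the object

        [ValidateSet('User', 'Group')]
        [string]$ObjectClass = 'User',

        [string]$Server,                        # e.g. ad.uillinois.edu when not domain-joined
        [pscredential]$Credential,
        [switch]$Force                          # overwrite a different existing value
    )

    $AllowedSuffixes = @('ad.uillinois.edu', 'illinois.edu', 'uillinois.edu')

    # Pass -Server / -Credential to every AD cmdlet only when they were supplied.
    $ad = @{}
    if ($Server)     { $ad['Server']     = $Server }
    if ($Credential) { $ad['Credential'] = $Credential }

    if ($ObjectClass -eq 'User') {
        $obj = Get-ADUser -Identity $Identity -Properties extensionAttribute2, userPrincipalName @ad
        # A user without a suitable UPN would sync with an @uillinoisedu.onmicrosoft.com UPN.
        $suffix = if ($obj.UserPrincipalName) { $obj.UserPrincipalName.Split('@')[-1] } else { $null }
        if (-not $suffix -or $AllowedSuffixes -notcontains $suffix) {
            throw "UPN '$($obj.UserPrincipalName)' is missing or not in ($($AllowedSuffixes -join ', ')); fix the UPN before flagging for sync."
        }
    } else {
        $obj = Get-ADGroup -Identity $Identity -Properties extensionAttribute2 @ad
    }

    $current = $obj.extensionAttribute2
    if ($current -eq 'O365') {
        Write-Verbose "$Identity already has extensionAttribute2=O365; nothing to do."
        return $obj | Select-Object Name, SamAccountName, extensionAttribute2
    }
    if ($current -and -not $Force) {
        # Another process may rely on this value; do not clobber it unasked.
        throw "extensionAttribute2 on $Identity is already '$current'; re-run with -Force to replace it."
    }

    if ($PSCmdlet.ShouldProcess($Identity, 'Set extensionAttribute2=O365')) {
        # extensionAttribute2 is single-valued, so -Replace works whether or not a
        # value already exists (-Add fails if one does).
        $set = @{ Identity = $obj; Replace = @{ extensionAttribute2 = 'O365' } }
        if ($ObjectClass -eq 'User') { Set-ADUser @set @ad } else { Set-ADGroup @set @ad }

        # Read it back so the caller sees what AzureAD Connect will pick up next cycle.
        $check = if ($ObjectClass -eq 'User') {
            Get-ADUser -Identity $Identity -Properties extensionAttribute2 @ad
        } else {
            Get-ADGroup -Identity $Identity -Properties extensionAttribute2 @ad
        }
        return $check | Select-Object Name, SamAccountName, extensionAttribute2
    }
}

# Usage on a domain-joined system (placeholder account name):
#   Set-O365SyncFlag -Identity svc-example -WhatIf      # preview only
#   Set-O365SyncFlag -Identity svc-example -Verbose
#   Set-O365SyncFlag -Identity 'Some Group' -ObjectClass Group
# Usage when not domain-joined:
#   $c = Get-Credential "netid"
#   Set-O365SyncFlag -Identity svc-example -Server ad.uillinois.edu -Credential $c
```

Run it first with -WhatIf to confirm the UPN check passes and the object is the one you meant; the returned object shows the attribute value AzureAD Connect will read on the next delta sync.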

The object will be provisioned to AzureAD on the next sync cycle.

MFA Support for manually configured user accounts:

By default, these non-person user accounts will not be enabled for MFA. If the user account needs to access MFA protected resources, you will need to email TechServices-IAMU@illinois.edu to request that the user account be enabled for MFA in Azure.



Keywords: azure active directory azuread resource service user account sync connect
Doc ID: 119660
Owner: ID M.
Group: University of Illinois Technology Services
Created: 2022-07-13 15:37:04
Updated: 2023-02-23 15:16:19
Sites: University of Illinois Technology Services