AzureAD SyncModule FAQ

This page covers the older ‘pull based’ user synchronization, which reads AzureAD information via GraphAPI.

There is a newer and better ‘push based’ SCIM user synchronization, which should be used if you are implementing a new user data synchronization.

See: SCIM provisioning from Azure AD

General

There are three different syncs:

  • User Sync (BenePortal)

  • Directory sync of existing users

  • Directory sync of directory entries

User Sync is used for managing users in BenePortal.

Directory sync of existing users is used for keeping the directory information of users up to date. A user is someone who has Benemen services.

Directory sync of directory entries is used for creating, updating and removing directory entries in the Benemen directory. A directory entry is just an object in the Benemen directory and does not have any Benemen services.

SyncModule reads AzureAD data via the Azure GraphAPI over an HTTPS connection. User data in Benemen systems is updated based on the data in AzureAD; the sync never writes back to AzureAD.

All syncs run as scheduled jobs. The default interval is 24h.

Because SyncModule uses GraphAPI to read AzureAD data, mappings must use the property names of the GraphAPI user resource type, not the LDAP or AzureAD portal names. See the GraphAPI documentation for the full list: user resource type - Microsoft Graph v1.0

Note that the naming of some attributes/properties differs between On-Prem AD and AzureAD, and also between AzureAD and GraphAPI. Some common examples:

On-Prem AD Attribute (LDAP)     AzureAD Attribute              GraphAPI property
telephoneNumber                 TelephoneNumber                businessPhones
mobile                          Mobile                         mobilePhone
sn                              Surname                        surname
physicalDeliveryOfficeName      PhysicalDeliveryOfficeName     officeLocation

Note also that the types can differ: telephoneNumber is single-valued in AD, whereas businessPhones is a collection (array of strings) in GraphAPI, so a mapping has to pick one value from it.

For all Syncs:

  • An App registration must be added to the customer's AzureAD tenant.

For User sync the following must be defined:

  • AzureAD group of which members will be synced

  • Attribute mappings

  • Removal policy

  • Email address for sync reports

For Directory sync of existing users:

  • Attribute mappings

For Directory sync of directory entries:

  • AzureAD group of which members will be synced as directory entries

  • Attribute mappings

Any attribute found in AzureAD can be used as a source attribute. However, not all attributes are synced from on-premises AD to AzureAD by default. Follow these instructions to sync extension attributes from on-prem AD to AzureAD: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

In GraphAPI such attributes are prefixed with extension_{ApplicationId}_, where {ApplicationId} is the application id of the Tenant Schema Extension App in AzureAD, written without hyphens.

For example, to retrieve values from extensionAttribute11 when the AppID is 9d98ed114c4840d298fad781915f27e4, the mapping value is extension_9d98ed114c4840d298fad781915f27e4_extensionAttribute11.

The ApplicationId has the same value for all extension attributes in an AzureAD tenant.
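The following is an added example, not Enreach/Benemen code, showing what a pull-based User sync has to do with the pieces listed above: build the GraphAPI property name for an extension attribute from the Tenant Schema Extension App id, apply an attribute mapping to user objects as GraphAPI returns them (including the businessPhones collection and an extension attribute that is absent for some users), and apply a removal policy to users that have left the synced group. The target field names, the sample users, the removal policy values and the refuse-to-mass-remove guard are assumptions for illustration; the page does not describe the product's internal behaviour.

```python
"""Added example (not Enreach/Benemen code): pull-based sync from GraphAPI user objects."""
import re

# ApplicationId of the Tenant Schema Extension App, taken from the page's example.
TENANT_SCHEMA_EXTENSION_APP_ID = "9d98ed114c4840d298fad781915f27e4"


def extension_property(app_id: str, attribute: str) -> str:
    """GraphAPI property name for an on-prem extension attribute synced by AAD Connect.
    GraphAPI uses the GUID without hyphens, so a hyphenated id is normalised first."""
    bare = app_id.replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{32}", bare):
        raise ValueError(f"ApplicationId is not a GUID: {app_id!r}")
    return f"extension_{bare}_{attribute}"


# Assumed mapping: target field (hypothetical names) -> GraphAPI user property.
# The right-hand side uses GraphAPI property names, not LDAP or AzureAD names.
MAPPING = {
    "last_name": "surname",
    "mobile": "mobilePhone",
    "work_phone": "businessPhones",
    "office": "officeLocation",
    "cost_center": extension_property(TENANT_SCHEMA_EXTENSION_APP_ID, "extensionAttribute11"),
}


def build_select(mapping: dict) -> str:
    """$select clause for GET /groups/{id}/members: request every mapped property
    explicitly instead of relying on the default property subset GraphAPI returns."""
    props = ["id", "userPrincipalName"] + sorted(set(mapping.values()))
    return "$select=" + ",".join(props)


# Constructed sample: two group members roughly as GraphAPI v1.0 would return them.
GRAPH_USERS = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "userPrincipalName": "alice@example.com",
        "surname": "Andersson",
        "mobilePhone": "+358401234567",
        "businessPhones": ["+358912345678", "+358912345679"],
        "officeLocation": "Helsinki HQ",
        "extension_9d98ed114c4840d298fad781915f27e4_extensionAttribute11": "CC-100",
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "userPrincipalName": "bob@example.com",
        "surname": "Berg",
        "mobilePhone": None,
        "businessPhones": [],
        "officeLocation": None,
        # extensionAttribute11 is not set for Bob on-prem, so the property is absent.
    },
]


def map_user(graph_user: dict, mapping: dict) -> dict:
    """Apply the mapping to one GraphAPI user object."""
    record = {"upn": graph_user["userPrincipalName"]}
    for target, source in mapping.items():
        value = graph_user.get(source)   # absent property (unsynced extension) -> None
        if isinstance(value, list):      # businessPhones is a collection in GraphAPI
            value = value[0] if value else None
        record[target] = value
    return record


def plan_sync(graph_users, existing_upns, removal_policy="disable", max_removal_fraction=0.5):
    """Upsert every current group member and apply the removal policy to existing
    users no longer in the group. Refuses a removal wave larger than
    max_removal_fraction of the existing users, so an empty or truncated GraphAPI
    read (expired token, wrong group id) cannot wipe the target system."""
    if removal_policy not in ("keep", "disable", "delete"):
        raise ValueError(f"unknown removal policy: {removal_policy}")
    existing = set(existing_upns)
    upserts = [map_user(u, MAPPING) for u in graph_users]
    synced = {u["userPrincipalName"] for u in graph_users}
    gone = sorted(existing - synced)
    if existing and len(gone) / len(existing) > max_removal_fraction:
        raise RuntimeError(f"refusing to {removal_policy} {len(gone)} of {len(existing)} users")
    return {
        "upsert": upserts,
        "remove": [] if removal_policy == "keep" else gone,
        "removal_action": removal_policy,
    }


if __name__ == "__main__":
    print(build_select(MAPPING))
    print(plan_sync(GRAPH_USERS, {"alice@example.com", "bob@example.com", "carol@example.com"}))
```

The guard in plan_sync is the check worth copying into any pull-based sync with a removal policy: the sync cannot distinguish "the group is empty" from "the read failed halfway", so a removal wave above a threshold should stop the job and go to the sync report e-mail instead of being applied.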

User Sync (From AzureAD → BenePortal)

Directory sync of existing users

Directory sync of directory entries

© Enreach, Mannerheimintie 117, 00280 Helsinki, Finland
+358 40 450 3000, www.enreach.fi