
What is the recommended way to change the sync attribute from userPrincipalName to mail, e.g.:

[Screenshot: option to set USER PRINCIPAL NAME. You only get this option when you FIRST install AD Connect.]

As far as I can tell, it's disable sync, remove and re-install.

Steve Drake
  • You’re showing a screenshot of setting the login ID but I think you are referring to the source anchor (Identifying Users tab). The new versions of AD Connect convert to ConsistencyGuid if you do a clean install. I’ve been through all of this at least once, but don’t do it enough to remember all the details. The problem is MS is changing so much all the time that documentation gets obsolete quick. Start here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-design-concepts – Appleoddity Nov 30 '17 at 04:42
  • If you clarify what you are actually trying to accomplish I may be able to provide better info. – Appleoddity Nov 30 '17 at 04:45
  • I will update the pic, I thought I put a circle around the option that I needed to change (copy and paste error), but basically when you install you pick an attribute that's used as the lookup. I was wondering if this can be changed. The UI calls it UserPrincipleName and defaults it to use the UserPrincipleName attribute in AD. Personally I think the naming is confusing. – Steve Drake Nov 30 '17 at 08:31

3 Answers


Actually, it's possible. You have to use Synchronization Rules Editor for that. Had a similar issue and had to solve it. I've written a blog post about it.

Basically, you need to find rules that contain UserPrincipalName (as on screens below)


And finally, you replace

    IIF(IsPresent([userPrincipalName]),[userPrincipalName], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))

To:

    IIF(IsPresent([mail]),[mail], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))

You change it in any rules that have those (should be 2 on default connectors). Obviously, it doesn't have to be mail. It can be anything that is unique enough for you.

MadBoy
  • This saved me from having to do the uninstall/reinstall dance - many thanks! – noonand Jul 09 '19 at 11:10
  • Hi, I found your blog. sorry its 3 years later but hopefully you can answer. You never really say how or what to edit the Name , and Description field to. I'm having a hard time figuring that out. is it supposed to be exact copy of the originals rules fields? I saw in one image you have the word "cloned" in the name. I imagine that's before the change? Thank you – Miek Jan 21 '21 at 01:09
  • Name, Description field doesn't matter. What matters is Transformations screen and it has to be exactly as shown. Rest is strictly for you to be able to find it later on. – MadBoy Jan 21 '21 at 07:37
  • I kept getting errors for having non matching attributes in source and destination when trying to save the cloned copies. I tried the method above of uninstalling and reinstalling the sync tool and it appears to have worked. – Miek Jan 22 '21 at 03:15
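As an added example (not code from MadBoy's post or from Microsoft), the Python below re-implements the rewritten IIF/IsPresent expression from the answer over a constructed set of on-prem user objects and reports what you want to know before touching the rule: which objects fall back to sAMAccountName@domain, which would hit Error(), and whether the chosen source attribute really is unique. DOMAIN_FQDN and the sample objects are assumptions.

```python
from collections import Counter

DOMAIN_FQDN = "corp.example.com"  # assumed stand-in for %Domain.FQDN%


def is_present(value):
    """IsPresent() is false for an attribute that is missing or empty."""
    return value is not None and value != ""


def cloud_upn(user, source_attr="mail"):
    """Evaluate the rewritten IIF(...) expression for one on-prem user.
    Raises ValueError where the sync rule would hit Error(...)."""
    if is_present(user.get(source_attr)):
        return user[source_attr]
    if is_present(user.get("sAMAccountName")):
        return f"{user['sAMAccountName']}@{DOMAIN_FQDN}"
    raise ValueError("AccountName is not present")


def preflight(users, source_attr="mail"):
    """Return (mapping, problems): the UPN each object would get, plus the
    fallbacks, errors and duplicate values to clean up before the switch."""
    mapping, problems = {}, []
    for u in users:
        try:
            upn = cloud_upn(u, source_attr)
        except ValueError as e:
            problems.append(f"{u['dn']}: {e}")
            continue
        mapping[u["dn"]] = upn
        if not is_present(u.get(source_attr)):
            problems.append(f"{u['dn']}: no {source_attr}, falls back to {upn}")
    for value, n in Counter(mapping.values()).items():
        if n > 1:
            problems.append(f"duplicate value {value!r}: {source_attr} is not unique")
    return mapping, problems


# Constructed sample objects, not real accounts
SAMPLE_USERS = [
    {"dn": "CN=Alice", "sAMAccountName": "alice", "mail": "alice@example.com"},
    {"dn": "CN=Bob", "sAMAccountName": "bob", "mail": ""},
    {"dn": "CN=Shared", "sAMAccountName": "shared", "mail": "alice@example.com"},
    {"dn": "CN=Broken", "userPrincipalName": "broken@corp.local"},
]

if __name__ == "__main__":
    mapping, problems = preflight(SAMPLE_USERS)
    for dn, upn in mapping.items():
        print(f"{dn:10} -> {upn}")
    print("\n".join(problems))
```

Run it against an export of your real user objects before editing the rule; every line it prints under problems is a sign-in or sync conflict you would otherwise discover after the change.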

As far as I can tell, it's disable sync, remove and re-install.

Yes, on the configure page you can select mail to sign in.

In your scenario, you can use Remove-AzureADUser to delete those users in Azure AD, then use this new Azure AD connect to sync them again, in this way, your users can use mail address to sign in.

Jason Ye

Still the same in 2022, you need to install and reinstall.

However, you can simplify this by exporting the AD Connect configuration and using the exported config when reinstalling; this will save you a lot of work, especially if you customized the default settings.

But there's a catch: the source attribute for generating UPNs is written in the exported config, and you can't change it when importing. You'll need to change it manually in the config file.

To use on-premises UPN:

  "identityMappingPolicy": {
    [...]
    "userPrincipalNameAttribute": "userPrincipalName",
    [...]
  },

To use on-premises e-mail address:

  "identityMappingPolicy": {
    [...]
    "userPrincipalNameAttribute": "mail",
    [...]
  },

Massimo