Scenario
CustomerA wants to maintain employee attributes in Active Directory (AD), yet have them available for viewing and selective editing within SharePoint Online’s (SPO) User Profile Service.
Problem
While the Microsoft Azure Active Directory (AAD) Sync Services Tool does synchronize on-premises AD attributes to AAD, it does not push all of those attributes to properties in SPO.
Solution Synopsis
Solving this problem involves extending the AD schema and writing custom code to push custom AD attribute values to custom user profile properties in SPO.
Solution Walkthrough
In this solution walkthrough, we’re going to pretend that CustomerA wants to add a custom attribute of "Favorite Color" to its on-premises AD environment and have that pushed to a custom user profile property in SPO called "Favorite Color."
Extending the AD Schema
Adding a custom attribute to AD involves extending the AD schema. This is normally frowned upon because AD typically contains unused attributes that can be leveraged, but it’s certainly possible to do. Do this at your own risk and understand that once you’ve extended the schema, there’s no going back.
- Follow the instructions in this link: http://msdn.microsoft.com/en-us/library/ms677620(v=vs.85).aspx
- Obtain a Base OID by running oidgen.vbs
- Create a base OID value for classes (add a .1 to the base OID from part a)
- Create a base OID value for attributes (add a .2 to the base OID from part a)
- Assign each class its own unique OID value (add a .1 through .N to the base OID from part b)
- Assign each attribute its own unique OID value (add a .1 through .N to the base OID from part c)
- Build out the script
- Important!
- Each attribute must have the appropriate values for:
- attributeID (based on assignments from the above step 2)
- attributeSyntax: http://msdn.microsoft.com/en-us/library/cc223177.aspx
- isSingleValued: TRUE or isSingleValued: FALSE
- Each class must have the appropriate values for:
- governsID (based on assignments from the above step 2)
- mayContain: each property that should be a part of this class (one row per property)
- .ldif file
- Ensure that the LDAP path contains the correct containers and domain configuration
- White space matters
- Partial Example Script (this is only a sample and should not be run as-is)
#Attribute definition for CompanyA-FavoriteColor
dn: CN=CompanyA-FavoriteColor,CN=Schema,CN=Configuration,DC=sp2013,DC=com
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: CompanyA-FavoriteColor
# The below "attributeID" must be changed!
attributeID: 1.2.840.113556.1.8000.2554.22192.62955.61904.17455.36579.16120863.6105657.2.3
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
adminDisplayName: CompanyA-FavoriteColor
adminDescription: CompanyA-FavoriteColor
oMSyntax: 64
searchFlags: 1
lDAPDisplayName: CompanyA-FavoriteColor
systemOnly: FALSE
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# Classes
dn: CN=CompanyAUser,CN=Schema,CN=Configuration,DC=sp2013,DC=com
changetype: ntdsschemaadd
objectClass: top
objectClass: classSchema
cn: CompanyAUser
# The below "governsID" must be changed!
governsID: 1.2.840.113556.1.8000.2554.22192.62955.61904.17455.36579.16120863.6105657.1.2
mayContain: CompanyA-FavoriteColor
rDNAttID: cn
adminDisplayName: CompanyAUser
adminDescription: CompanyAUser
objectClassCategory: 3
lDAPDisplayName: CompanyAUser
name: CompanyAUser
systemOnly: FALSE
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=User,CN=Schema,CN=Configuration,DC=sp2013,DC=com
changetype: ntdsschemamodify
add: auxiliaryClass
auxiliaryClass: CompanyAUser
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
(note that the last line in this file is blank)
- Run the script with the ldifde command-line utility (available on the domain controller from the command prompt)
- Example: ldifde -i -v -j C:\Users\Administrator\Downloads -f COMPANYA_AD_ExtendSchema.ldif
- Ensure the script ran successfully…check the log for errors
- From the Start screen, type MMC to open up a new Microsoft Management Console.
- From the File menu, click "Add/Remove Snap-in…"
- Select "Active Directory Schema," click Add, then click OK. (If you don't see this option, you can follow the steps in this article to install the Active Directory Schema snap-in: http://technet.microsoft.com/en-us/library/cc755885(v=WS.10).aspx.)
- In the AD Schema MMC tool, reload the schema and confirm that your class and attributes are in place
- Open "Active Directory Users and Computers." (If it was already open, close it and re-open it; a refresh will not show the updates.)
- Ensure that "Advanced Features" are enabled so that you'll be able to access the "Attribute Editor" tab in the next steps.
- Right-click any user object and select Properties.
- Select the "Attribute Editor" tab and confirm that the new attributes are listed and available for editing.
- Now you can edit these attributes in preparation to sync the changes to SharePoint Online.
Make Changes to SharePoint Online
- Create a new user profile property called "CompanyAFavoriteColor." Once created, change the display name to "Favorite Color."
Get the code that pushes from AD to SPO
- The code is available on GitHub here: https://github.com/OfficeDev/PnP/tree/master/Samples/Core.BulkUserProfileUpdater.
- Update the code as needed to work in your environment and with your custom properties.
Get the code that exports SPO user profile properties
- Update the code as needed to work in your environment and with your custom properties.
Get the code that writes to AD
- The code is available on CodePlex here: https://bulkupdateadcsv.codeplex.com/.
- Update the code as needed to work in your environment and with your custom properties.