Azure AD Connect: Understanding Sync Rules
Published: October 26, 2023
Azure AD Connect uses synchronization rules to determine how objects (users, groups, contacts) flow between your on-premises Active Directory and Azure Active Directory. Understanding and managing these rules is crucial for a successful hybrid identity implementation.
What are Sync Rules?
Synchronization rules are the core logic of Azure AD Connect. They define:
- Scoping: Which objects the rule applies to.
- Attribute Flow: Which attributes are synchronized and how they are transformed.
- Precedence: The order in which rules are applied.
Rule Types and Precedence
Sync rules are divided into two categories:
- Inbound Rules: These rules define how objects and attributes flow from a connected directory (e.g., on-premises AD) into the metaverse.
- Outbound Rules: These rules define how objects and attributes flow from the metaverse to a connector space (e.g., Azure AD).
Each rule has a precedence value. Lower numbers indicate higher precedence. Azure AD Connect processes rules in order of precedence. If multiple rules apply to the same object and flow the same attribute, the flow from the rule with the lowest precedence value (highest priority) wins.
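The following script is an added example, not part of the original article, showing how to audit the precedence rules described above with the ADSync PowerShell module that ships with Azure AD Connect. It lists rules in evaluation order, flags duplicate precedence numbers, and answers "which rule wins for this attribute?" by applying the lowest-number-wins rule. It assumes the `Get-ADSyncRule` object exposes `Direction`, `Precedence`, `Disabled` and `AttributeFlowMappings` properties (they do in current releases, but treat the property names as an assumption and check with `Get-ADSyncRule | Get-Member` if a line errors). Run it on the Azure AD Connect server in an elevated session.

```powershell
# Added example (not from the article): audit sync rule precedence.
Import-Module ADSync

# Pull every rule once. Each object carries Name, Direction, Precedence,
# Connector (GUID), Disabled and AttributeFlowMappings (assumed property names).
$rules = Get-ADSyncRule

# 1. Rules in the order the engine evaluates them: lowest number first.
$rules |
    Sort-Object Direction, Precedence |
    Format-Table Precedence, Direction, Name, Disabled -AutoSize

# 2. Two rules in the same direction sharing a precedence number are a
#    configuration error worth catching before they produce surprising flow.
$rules |
    Group-Object Direction, Precedence |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Warning ("Duplicate precedence {0}: {1}" -f $_.Name, ($_.Group.Name -join ', '))
    }

# 3. For one destination attribute, list every enabled rule that flows it,
#    winner first. Lowest precedence value wins, exactly as the text says.
function Get-AttributeFlowWinner {
    param(
        [Parameter(Mandatory)][string]$Attribute,
        [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound'
    )
    $rules |
        Where-Object { [string]$_.Direction -eq $Direction -and -not $_.Disabled } |
        Where-Object { $_.AttributeFlowMappings.Destination -contains $Attribute } |
        Sort-Object Precedence |
        Select-Object Precedence, Name, SourceObjectType, TargetObjectType
}

# Usage: which inbound rule populates the metaverse displayName? First row wins.
Get-AttributeFlowWinner -Attribute 'displayName' -Direction 'Inbound'
```

The third check is the one to run before adding a custom rule: if the rule you plan to add flows an attribute that a default rule already flows, the list shows the precedence number your rule has to beat.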
Default Rules vs. Custom Rules
Azure AD Connect comes with a set of default synchronization rules that cover common scenarios. These rules are essential for the basic functioning of synchronization.
Important Note:
It is strongly recommended that you do not modify the default synchronization rules directly. Instead, create custom rules that extend or override the default behavior. This keeps troubleshooting and upgrades much simpler, because default rules are replaced when Azure AD Connect is upgraded while custom rules are preserved.
Creating Custom Sync Rules
You can create custom synchronization rules using the Synchronization Rules Editor tool, which is installed with Azure AD Connect.
Steps to Create a Custom Rule:
- Open the Synchronization Rules Editor from the Start Menu.
- On the menu bar, select Add new rule.
- Fill in the details for your new rule, including:
  - Description: A clear, descriptive name for your rule.
  - Connected System: The source directory (e.g., `your_domain.com`).
  - Connected System Object Type: The type of object (e.g., `user`).
  - Metaverse Object Type: The corresponding object type in the metaverse (e.g., `user`).
  - Link Type: Usually `Join` or `Provision`.
  - Precedence: A unique number higher than the default rules (e.g., 100 or higher).
- Define the Scoping Filter to specify which objects the rule should apply to.
- Define the Join Rules (if applicable) to link objects between directories.
- Define the Transformations to specify attribute flow and any necessary transformations.
Common Use Cases for Custom Rules
- Filtering specific users or groups from synchronization.
- Transforming attribute values (e.g., concatenating first and last names for the `displayName` attribute).
- Setting default values for attributes that are not populated in the source.
- Synchronizing custom attributes.
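As an added example (not code from the article or from Microsoft), the script below carries out the rule-creation steps above with the ADSync module, in the same shape the Synchronization Rules Editor produces when you export a rule, and it implements three of the use cases just listed in one rule: scoping out users flagged in `extensionAttribute15`, building `displayName` from `givenName` and `sn`, and giving `department` a default value. The connector name `your_domain.com` is the article's placeholder; the rule name, precedence 50, the attribute choices and the expressions are assumptions. Precedence is chosen lower than the default "In from AD - User" rules because, as explained earlier, the lowest number wins for an attribute both rules flow; confirm the number is unused on your server first.

```powershell
# Added example (not from the article): create a custom inbound rule.
Import-Module ADSync

# Resolve the AD connector by name rather than hard-coding its GUID.
# 'your_domain.com' is the placeholder connector name used in the text.
$connector = Get-ADSyncConnector | Where-Object { $_.Name -eq 'your_domain.com' }
if (-not $connector) { throw "Connector 'your_domain.com' not found; see Get-ADSyncConnector" }

# Step 3: rule header. Precedence 50 is an assumption; it must be unused and
# numerically lower than any default rule whose flows this rule should win.
New-ADSyncRule `
    -Name 'In from AD - User Custom Attributes' `
    -Identifier ([guid]::NewGuid().ToString()) `
    -Description 'Custom: scope out opted-out users, build displayName, default department' `
    -Direction 'Inbound' `
    -Precedence 50 `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule | Out-Null

# Step 4: scoping filter. Users whose extensionAttribute15 equals 'NoSync'
# are out of scope (the "filter specific users" use case; value is assumed).
$scope = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'extensionAttribute15', 'NoSync', 'NOTEQUAL'
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($scope) -OutVariable syncRule | Out-Null

# Step 5: no join conditions here; the default "In from AD - User Join" rule
# already links AD users to metaverse persons, and this rule only adds flows.

# Step 6a: displayName = "givenName sn" (the concatenation use case).
# Trim() removes the stray space when one of the two parts is empty.
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Source @('givenName', 'sn') -Destination 'displayName' `
    -FlowType 'Expression' -ValueMergeType 'Update' `
    -Expression 'Trim([givenName] & " " & [sn])' -OutVariable syncRule | Out-Null

# Step 6b: department defaults to "Unassigned" when the source is empty
# (the "default values for unpopulated attributes" use case).
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Source @('department') -Destination 'department' `
    -FlowType 'Expression' -ValueMergeType 'Update' `
    -Expression 'IIF(IsNullOrEmpty([department]), "Unassigned", [department])' `
    -OutVariable syncRule | Out-Null

# Step 6c: a custom attribute flowed unchanged (the "custom attributes" use case).
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Source @('extensionAttribute10') -Destination 'extensionAttribute10' `
    -FlowType 'Direct' -ValueMergeType 'Update' -OutVariable syncRule | Out-Null

# Commit the rule to the sync engine, then read it back to confirm.
Add-ADSyncRule -SynchronizationRule $syncRule[0]
Get-ADSyncRule -Identifier $syncRule[0].Identifier |
    Format-List Name, Precedence, Direction, LinkType, ScopeFilter, AttributeFlowMappings
```

Nothing reaches Azure AD until the next sync cycle runs, so the read-back at the end is the place to catch a typo in a scope condition or expression. The scoping condition is the security-relevant part: a rule with an over-broad scope (or no scope at all) applies its flows to every object of that type, which is the usual way an unintended attribute ends up in the cloud directory.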
Key Concepts
- Metaverse: A central, unified data store where objects from all connected directories are provisioned and de-duplicated.
- Connector Space: A staging area for objects that are imported from or exported to a connected directory.
- Attribute Flow: The process of copying attribute values from one object to another, potentially with transformations.
Tip:
Before making changes to synchronization rules, always back up your Azure AD Connect configuration. Use the Azure AD Connect troubleshooting tools to validate your rules after implementation.
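The script below is an added example, not part of the article, of the backup-then-validate habit the tip describes. It pauses the scheduler so no sync cycle runs while rules are being edited, exports the server configuration and the rule set, and provides a comparison function to run after the change so that only the intended rules differ from the snapshot. The backup folder, the use of `Get-ADSyncServerConfiguration -Path` for the export, and the rule properties selected are assumptions; adjust them for your server.

```powershell
# Added example (not from the article): snapshot sync rules before editing
# them, and compare the live rule set against the snapshot afterwards.
Import-Module ADSync

# Freeze the scheduler so a cycle cannot run mid-edit. Re-enable it when done.
Set-ADSyncScheduler -SyncCycleEnabled $false

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path 'C:\ADSyncBackup' $stamp          # path is an assumption
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# 1. Whole server configuration (connectors, rules, policy) exported to files.
Get-ADSyncServerConfiguration -Path $backup

# 2. Rule set alone, serialized so it can be read back and diffed later.
Get-ADSyncRule | Export-Clixml -Path (Join-Path $backup 'SyncRules.xml')

# 3. After the change: show every rule whose name, direction, precedence or
#    enabled state differs from the snapshot. An empty result means nothing
#    changed; a change you did not make is the signal to stop and investigate.
function Compare-SyncRuleSnapshot {
    param([Parameter(Mandatory)][string]$SnapshotPath)
    # Direction is cast to string on both sides so the deserialized snapshot
    # and the live enum value compare as equals.
    $shape  = 'Name', @{ n = 'Direction'; e = { [string]$_.Direction } }, 'Precedence', 'Disabled'
    $before = Import-Clixml -Path $SnapshotPath | Select-Object $shape
    $after  = Get-ADSyncRule | Select-Object $shape
    Compare-Object -ReferenceObject $before -DifferenceObject $after `
        -Property Name, Direction, Precedence, Disabled
}

# Usage after editing rules: '=>' rows exist only live, '<=' only in the snapshot.
Compare-SyncRuleSnapshot -SnapshotPath (Join-Path $backup 'SyncRules.xml')

# Resume scheduled synchronization once the comparison looks right.
Set-ADSyncScheduler -SyncCycleEnabled $true
```

Keep the snapshot folder outside the server's own install path and restrict it to the administrators who manage Azure AD Connect: the exported configuration describes exactly which attributes reach the cloud directory and which objects are filtered, which is useful to an attacker mapping the environment as well as to you.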
By mastering the concepts of synchronization rules, you gain fine-grained control over your hybrid identity environment, ensuring data accuracy and efficient synchronization between your on-premises Active Directory and Azure Active Directory.