Rule description
This rule queries the selected AD Groups scope and for each returned group, finds the corresponding cloud group by SID and then adds it to the selected Azure AD Administrative Unit, either directly or dynamically via text file mapping.
When to use this rule
Use this rule when you need to add hybrid groups to the Azure AD Administrative unit either directly or dynamically via text file (CSV) mapping. You can use the template CSV file provided with the rule, or create a file in Microsoft Excel and export it as CSV.
Query Section
Setting name | Description |
---|---|
General Settings | |
Limit AD scope to this domain or OU |
This setting defines the search query scope. To improve query performance, limit the scope to specific OU. Important: To test rule configuration, limit the rule scope to an OU that contains test accounts or objects.
|
AD Query criteria
|
Query criteria are sent with the query and may improve query performance. Tip: For different samples on the criteria builder, see KB20180410-1.
|
Filter AD query results
|
To hide unwanted data based on criteria, not supported by the Active Directory query criteria above, set the filtering conditions here. Example: Filter by the found object Distinguished Name. Tip: For optimal performance, use the Query criteria above to filter objects whenever possible.
|
Properties to display |
To display additional properties for each object found by the query, add those properties to the list. |
Group type |
Specify AD group type:
|
Display name starts with |
You can specify the group display name for the search. |
Other Query Settings |
|
LDAP filter |
Set the filtering conditions to only return objects or data that need to be processed by the rule. This filter will override the Query criteria setting. |
System properties |
List of properties required for this rule to be executed correctly. |
Sort by |
Sort result objects list. |
Maximum number of users |
Specify the maximum number of users returned from Active Directory. Tip: It is possible to change the default value in he Active Directory extension settings.
|
Initialization script |
|
Script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. Important: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.
Example: Update AD users, created in the last ten days.
{$global:DatePeriod = (Get-Date).AddDays(-10)}
|
Action Section
Setting name | Description |
---|---|
Target AU selection mode |
One of these values is possible:
|
Action |
Specify one of these actions:
|
Azure AD Administrative Unit | If using the 'Select a single Azure AD AU' mode above select the Azure AD administrative Unit. If using a dynamic mapping file select the CSV file column containing the Azure AD Administrative Unit name. |
Dynamic Mapping from File Settings | |
Data source |
This setting specifies the text file for import. The […] button allows the user to browse for the file and the Create button allows creation or editing of the file in the Cayosoft Administrator data source editor. |
Separator used in file | Use this setting to select the separator used in the file. |
Active Directory anchor attribute |
Defines the attribute in the Active Directory to which the Data Source anchor attribute specified in the 'CSV anchor match column' is to be compared. Use the default msDS-parentdistname attribute to map by OU. |
CSV anchor match column | Defines the column in the Data Source that will be used to determine if the user account already exists. This value is compared to the Active Directory Anchor Attribute. |
Azure AD Administrative Unit column | Select the CSV file column containing the Azure AD Administrative Unit name if using a dynamic mapping file. |
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
10.2.1 | The rule has been added to the product. |
Comments
0 comments
Please sign in to leave a comment.