AD Users | Create Office 365 Accounts (Cloud) rule
This hybrid rule queries the specified Active Directory scope and, for each returned user, creates a matching Microsoft 365 account. With the ImmutableID option enabled, each new Office 365 account is pre-mapped automatically for Entra ID Connect, so the next synchronization cycle hard-matches it to the on-premises user instead of creating a duplicate.
NOTE: This rule is not a replacement for Entra ID Connect (formerly Azure AD Connect). Entra ID Connect is deeply integrated with the Microsoft 365 infrastructure and provides full account synchronization and lifecycle management for hybrid environments. This rule optimizes the account provisioning flow for environments where Entra ID Connect is not flexible or robust enough to provision the required cloud services within the required timeframe and with the defined settings.
NOTE: This rule supports mapping between an Active Directory user account and a cloud user account by anchor attributes. For details, please see How to map Active Directory users to Office 365 cloud users.
When to use this rule
Use this rule if you want to create Microsoft 365 user accounts that match AD user accounts and pre-map them automatically for Entra ID Connect.
The Provision Hybrid Users runbook includes this rule as one of its steps. For more information, please see the Rules and runbooks article.
Rule configuration:
Query section: limit the query scope and set the query criteria.
Action section: verify that the constructed UserPrincipalName meets your environment's requirements, and review the other provisioning settings (usage location, ImmutableId, initial password, account status).
TIP: For this rule, Cayosoft recommends limiting the scope to an OU that is not synchronized to Microsoft 365. Otherwise, some Microsoft 365 accounts will be created by this rule and others by Entra ID Connect synchronization; the two can collide on the same user (duplicate or mismatched cloud objects) and cause errors during rule execution.
After the rule execution, you can move the created Office 365 user accounts to the OU that is synchronized with Microsoft 365. With the next synchronization, these users will have the 'Synced with Active Directory' status. The Provision Hybrid Users runbook uses the same approach by default.
Rule Settings
| Setting name | Description |
|---|---|
| Query Section | |
| Limit scope to this domain or OU | This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature. |
| Query criteria | Query criteria are sent with the query and may improve query performance. TIP: For additional information on the criteria builder, see How to use the Query Builder dialog for Query Criteria and Filter rule settings. |
| More options | |
| Filter | Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting. Example: filter by the found object's Distinguished Name. TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible. |
| Returned properties | To display additional properties for each object found by the query, add those properties to the list. |
| Sort by | Sort the result object list. |
| Action section | |
| Usage Location | Select the usage location. A usage location must be set before a Microsoft 365 license can be assigned to the account. |
| Account | |
| UserPrincipalName | Usually, the user account in AD and in Office 365 have identical UserPrincipalName values. Select the rule used to generate the UserPrincipalName. |
| UPNSuffix (@domain.onmicrosoft.com) | You can use the Default UPNSuffix from the Office 365 settings or enter a domain suffix. |
| First Name, Last Name, Display Name | Set the rule for generating the Office 365 user account's First Name, Last Name, and Display Name. Usually, the user account in AD and in Office 365 have the same values for these attributes. |
| Settings | |
| Set ImmutableId | Set ImmutableID to Yes to pre-map the AD user account with the Office 365 user account for Entra ID Connect. Entra ID Connect uses this value as the source anchor when it hard-matches the cloud object to the on-premises user, so it must match the anchor attribute of the AD object (by default, the base64-encoded objectGUID, or ms-DS-ConsistencyGuid, which Entra ID Connect seeds from objectGUID). |
| Default Password | Set the password for the Office 365 user account. TIP: If you use this rule as part of the Provision hybrid users runbook, you should use the Get password from previous rule setting's value. Avoid a single static default password shared by all created accounts; prefer a per-user value combined with Must change password at next logon. |
| Must change password at next logon | Force the user to change the initial password at first sign-in. |
| New Account Status | Set the new Office 365 user account status: allow logon to Office 365 or prevent logon. |
| Organizational | |
| Title, Department, Company | Set the rule for the Office 365 user account's Title, Department, and Company. Usually, the user account in AD and in Office 365 have these attributes in sync. |
| Contact Info | |
| Office, Office Phone, Mobile Phone, Fax, Address, City, State, Postal Code, Country | Set the rule for the Office 365 user contact info. Usually, the user account in AD and in Office 365 have these attributes in sync. |
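The following PowerShell script is an added example and is not Cayosoft's rule code; it shows what the Action section above does under the hood: for each enabled user in a staging OU it builds the UPN, copies the name, organizational and contact attributes, computes the ImmutableId from the AD objectGUID, creates the cloud user through Microsoft Graph with a per-user random initial password and "change at next sign-in", and optionally moves the AD object into the synced OU (the Provision Hybrid Users runbook approach). It assumes the ActiveDirectory and Microsoft.Graph.Users modules, a caller holding the User.ReadWrite.All Graph permission, and placeholder OU paths and UPN suffix.

```powershell
# Added example (not Cayosoft's implementation). Requires: ActiveDirectory module,
# Microsoft.Graph.Users module, and a Graph session with User.ReadWrite.All.
# OU paths, the UPN suffix and the usage location below are placeholders.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

function New-RandomPassword {
    # Per-user random initial password instead of a shared "default" value.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    # Base64 yields upper/lower/digits; the trailing symbol satisfies complexity rules.
    return ([System.Convert]::ToBase64String($bytes) + '!')
}

function Get-ImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    # ImmutableId = base64 of the AD objectGUID bytes; Entra ID Connect uses this as the
    # source anchor when hard-matching the cloud object to the on-premises user.
    return [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function New-CloudUserFromAd {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # staging OU, NOT in the Connect sync scope
        [string] $UpnSuffix,                           # e.g. 'contoso.onmicrosoft.com'; empty keeps the AD suffix
        [string] $UsageLocation = 'US',                # required before a license can be assigned
        [string] $SyncedOu                             # optional: move the AD user here afterwards
    )
    $props = 'GivenName','Surname','DisplayName','UserPrincipalName','Title','Department',
             'Company','Office','MobilePhone','City','State','PostalCode','Country'
    $adUsers = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
                          -Filter 'Enabled -eq $true' -Properties $props

    foreach ($ad in $adUsers) {
        if (-not $ad.UserPrincipalName) {
            Write-Warning "$($ad.SamAccountName): no AD UPN, skipped"; continue
        }
        $prefix, $adSuffix = $ad.UserPrincipalName -split '@', 2
        $suffix = if ($UpnSuffix) { $UpnSuffix } else { $adSuffix }
        $upn = "$prefix@$suffix"

        # Guard against the scope overlap the article warns about: never create a second
        # cloud object for a UPN that already exists (e.g. one created by Entra ID Connect).
        $escaped = $upn.Replace("'", "''")
        $existing = Get-MgUser -Filter "userPrincipalName eq '$escaped'" -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Warning "$upn exists already (OnPremisesSyncEnabled=$($existing.OnPremisesSyncEnabled)), skipped"
            continue
        }

        $displayName = if ($ad.DisplayName) { $ad.DisplayName } else { "$($ad.GivenName) $($ad.Surname)".Trim() }
        $params = @{
            UserPrincipalName     = $upn
            MailNickname          = $prefix
            DisplayName           = $displayName
            UsageLocation         = $UsageLocation
            OnPremisesImmutableId = Get-ImmutableId -ObjectGuid $ad.ObjectGUID   # "Set ImmutableId = Yes"
            AccountEnabled        = $true                                      # "New Account Status: allow logon"
            PasswordProfile       = @{
                Password                      = New-RandomPassword
                ForceChangePasswordNextSignIn = $true                         # "Must change password at next logon"
            }
        }
        # Name, organizational and contact attributes: only send the ones AD actually has.
        $optional = @{
            GivenName = $ad.GivenName;  Surname = $ad.Surname;  JobTitle = $ad.Title
            Department = $ad.Department; CompanyName = $ad.Company; OfficeLocation = $ad.Office
            MobilePhone = $ad.MobilePhone; City = $ad.City; State = $ad.State
            PostalCode = $ad.PostalCode; Country = $ad.Country
        }
        foreach ($k in $optional.Keys) { if ($optional[$k]) { $params[$k] = $optional[$k] } }

        $cloudUser = New-MgUser @params
        Write-Host "Created $($cloudUser.UserPrincipalName) (ImmutableId $($params.OnPremisesImmutableId))"

        if ($SyncedOu) {
            # Runbook approach: hand the AD object to the synced OU so the next Entra ID Connect
            # cycle hard-matches it on the ImmutableId instead of creating a duplicate.
            Move-ADObject -Identity $ad.DistinguishedName -TargetPath $SyncedOu
        }
    }
}

# Usage (placeholder values):
Connect-MgGraph -Scopes 'User.ReadWrite.All'
New-CloudUserFromAd -SearchBase 'OU=CloudStaging,DC=corp,DC=example' `
                    -UpnSuffix 'contoso.onmicrosoft.com' -UsageLocation 'US' `
                    -SyncedOu 'OU=Users,DC=corp,DC=example'
```

Run it first against a staging OU that holds only test accounts, as the Limit scope setting advises, and confirm in the Entra admin center that the created users show the expected OnPremisesImmutableId before moving any AD object into the synced OU; a wrong anchor value is what turns a planned hard match into a duplicate object on the next sync cycle.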
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.
Change History
| Version | Notes |
|---|---|
| 7.3.0 | The rule supports mapping between Active Directory user account and Cloud user account by anchor attributes. |
| 5.4.0 | The rule supports linking to web actions as rules to run after the web action. |