Rule description
This hybrid rule queries the specified Active Directory scope and creates a matching Office 365 account for each returned user. When the Set ImmutableId option is enabled, each new Office 365 account is pre-mapped automatically for Azure AD Connect, so the cloud account hard-matches the AD account on its first synchronization instead of being created a second time.
Note: This rule is not a replacement for Azure AD Connect. Azure AD Connect is deeply integrated with the Office 365 infrastructure and provides full account synchronization and lifecycle management for hybrid environments. This rule optimizes the account provisioning flow for environments where Azure AD Connect is not flexible or robust enough to provision the required cloud services within the required timeframe and with the defined settings.
When to use this rule
Use this rule if you want to create Office 365 user accounts that match AD user accounts and pre-map them automatically for Azure AD Connect.
The Provision Hybrid Users runbook includes this rule as one of its steps. For more information, see the Rules and Runbooks article.
Rule configuration:
- Query section: limit the query scope and set the query criteria.
- Action section: verify that the constructed UserPrincipalName meets your environment's requirements (the UPN suffix must be a domain verified in the tenant), and review the other provisioning settings.
Tip: For this rule, Cayosoft recommends limiting the scope to an OU that is not synchronized to Office 365. Otherwise some Office 365 accounts will be created by this rule and others by Azure AD Connect, which may lead to duplicate accounts and errors during rule execution.
After the rule has run, you can move the created Office 365 user accounts to the OU that is synchronized with Office 365. With the next synchronization, these users will have the 'Synced with Active Directory' status. The Provision Hybrid Users runbook uses the same approach by default.
Rule Settings
Query Section
Setting name | Description |
---|---|
Limit AD scope to this domain or OU | This setting defines the search query scope. To improve query performance, limit the scope to a specific OU. Important: To test the rule configuration, limit the rule scope to an OU that contains only test accounts or objects. |
Query criteria | Query criteria are sent with the query and may improve query performance. Tip: For samples of the criteria builder, see KB20180410-1. |
More options | |
Filter | To hide unwanted data based on criteria that the Active Directory query does not support, set the filtering conditions here. |
Returned properties | To display additional properties for each object found by the query, add those properties to the list. |
Sort by | Sort the result object list. |
Action Section
Setting name | Description |
---|---|
Usage Location | Select the usage location. |
Account | |
UserPrincipalName | Usually the AD and Office 365 user accounts have identical UserPrincipalNames. Select the rule used to generate the UserPrincipalName. |
UPNSuffix (@domain.onmicrosoft.com) | Use the Default UPNSuffix from the Office 365 settings or enter a domain suffix. |
First Name, Last Name, Display Name | Set the rules that generate the Office 365 user account's First Name, Last Name, and Display Name. Usually the AD and Office 365 user accounts have the same values for these attributes. |
Settings | |
Set ImmutableId | Set ImmutableId to Yes to pre-map the AD user account to the Office 365 user account for Azure AD Connect. |
Default Password | Set the password for the Office 365 user account. Tip: If you use this rule as part of the Provision Hybrid Users runbook, use the Get password from previous rule setting's value. |
Must change password at next logon | Require the user to change the password at the first Office 365 logon. |
New Account Status | Set the new Office 365 user account status: allow logon to Office 365 or prevent logon. |
Organizational | |
Title, Department, Company | Set the rules for the Office 365 user account's Title, Department, and Company. Usually the AD and Office 365 user accounts keep these attributes in sync. |
Contact Info | |
Office, Office Phone, Mobile Phone, Fax, Address, City, State, Postal Code, Country | Set the rules for the Office 365 user's contact info. Usually the AD and Office 365 user accounts keep these attributes in sync. |
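The following PowerShell script is an added example written for this page; it is not the rule's own code or any Cayosoft implementation. It reproduces the flow the Query and Action sections describe using the ActiveDirectory and Microsoft.Graph modules: query one staging OU, build the UPN on a suffix that is verified in the tenant, derive ImmutableId from the AD objectGUID (Azure AD Connect's default source anchor is the objectGUID encoded as Base64 of its 16 raw bytes), and create the cloud account only if no account already holds that UPN. It also performs the check a practitioner wants before moving accounts into the synchronized OU: if a cloud account already exists under the UPN, its anchor is decoded and compared with the AD objectGUID, and a mismatch is reported rather than silently accepted. The OU path, the UPN suffix, the usage location, the module list and the assumption that Connect-MgGraph has already been run with User.ReadWrite.All and Domain.Read.All are all placeholders and assumptions.

```powershell
# Added example, not Cayosoft's rule code. Assumes: ActiveDirectory, Microsoft.Graph.Users and
# Microsoft.Graph.Identity.DirectoryManagement modules are installed, and Connect-MgGraph has
# already been run with User.ReadWrite.All and Domain.Read.All. OU and domain names are placeholders.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

# Azure AD Connect's default sourceAnchor is the objectGUID as Base64 of its 16 raw bytes, so a
# cloud user created with this value hard-matches the AD user on its first synchronization.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Inverse of the above, used to audit an existing cloud account's anchor against AD.
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableId '$ImmutableId' does not decode to a 16-byte GUID" }
    [guid]::new($bytes)
}

# Initial password from the .NET CSPRNG. The alphabet has exactly 64 symbols so 'byte % 64' is
# unbiased; works in both Windows PowerShell 5.1 and PowerShell 7.
function New-InitialPassword {
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function New-PremappedCloudUser {
    param(
        [Parameter(Mandatory)]$AdUser,                    # Get-ADUser output with the properties requested below
        [Parameter(Mandatory)][string]$UpnSuffix,
        [Parameter(Mandatory)][string]$UsageLocation
    )
    $upn    = '{0}@{1}' -f $AdUser.SamAccountName, $UpnSuffix
    $anchor = ConvertTo-ImmutableId $AdUser.ObjectGUID

    # Idempotency and anchor check: never create a second object for an existing UPN, and flag an
    # existing object whose anchor is bound to a different AD object (Azure AD Connect would
    # otherwise report a sync error for that user or match it to the wrong object).
    $existing = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id, UserPrincipalName, OnPremisesImmutableId
    if ($existing) {
        if ($existing.OnPremisesImmutableId -and
            (ConvertFrom-ImmutableId $existing.OnPremisesImmutableId) -ne $AdUser.ObjectGUID) {
            Write-Warning "$upn already exists with an anchor bound to a different AD object; not touching it"
        }
        return $existing
    }

    # Map the rule's Action-section settings onto Graph user properties, omitting empty AD values.
    $displayName = if ($AdUser.DisplayName) { $AdUser.DisplayName } else { "$($AdUser.GivenName) $($AdUser.Surname)".Trim() }
    $props = @{
        UserPrincipalName     = $upn
        MailNickname          = $AdUser.SamAccountName
        DisplayName           = $displayName
        OnPremisesImmutableId = $anchor                      # "Set ImmutableId = Yes"
        UsageLocation         = $UsageLocation
        AccountEnabled        = $AdUser.Enabled               # "New Account Status" follows the AD state
        PasswordProfile       = @{ Password = New-InitialPassword; ForceChangePasswordNextSignIn = $true }
    }
    $map = @{ GivenName = 'GivenName'; Surname = 'Surname'; JobTitle = 'Title'; Department = 'Department';
              CompanyName = 'Company'; OfficeLocation = 'Office'; MobilePhone = 'MobilePhone';
              FaxNumber = 'Fax'; StreetAddress = 'StreetAddress'; City = 'City'; State = 'State';
              PostalCode = 'PostalCode'; Country = 'Country' }
    foreach ($k in $map.Keys) { if ($AdUser.($map[$k])) { $props[$k] = $AdUser.($map[$k]) } }
    if ($AdUser.OfficePhone) { $props.BusinessPhones = @($AdUser.OfficePhone) }

    New-MgUser @props
}

# Query section: scope to the staging OU (assumed to be outside the Azure AD Connect sync scope)
# and request only the attributes the Action section maps.
$stagingOu = 'OU=Cloud-Staging,DC=corp,DC=example'   # placeholder
$suffix    = 'corp.example'                          # placeholder; must be verified in the tenant
$verified  = (Get-MgDomain | Where-Object IsVerified).Id
if ($suffix -notin $verified) { throw "UPN suffix '$suffix' is not a verified domain in this tenant" }

$adProps = 'DisplayName', 'Title', 'Department', 'Company', 'Office', 'OfficePhone', 'MobilePhone',
           'Fax', 'StreetAddress', 'City', 'State', 'PostalCode', 'Country'
$adUsers = Get-ADUser -SearchBase $stagingOu -Filter 'Enabled -eq $true' -Properties $adProps

foreach ($u in $adUsers) {
    $cloud = New-PremappedCloudUser -AdUser $u -UpnSuffix $suffix -UsageLocation 'US'
    '{0} -> {1} (anchor {2})' -f $u.SamAccountName, $cloud.UserPrincipalName, $cloud.OnPremisesImmutableId
}
```

After the script has run, moving the AD users into the synchronized OU is the equivalent of the manual step described under Rule configuration: on the next Azure AD Connect cycle each one is hard-matched on the anchor and shows the 'Synced with Active Directory' status instead of producing a duplicate.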
Output Section
Administrators can get reports on the Active Directory user accounts processed by the rule.
For more information about this section, see the Output section article.
Enforce/Schedule section
This section defines how often the rule is enforced, that is, how often it runs against the scope defined by the query section.
For more information about this section, see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
7.3.0 | The rule supports mapping between the Active Directory user account and the cloud user account by anchor attributes. |
5.4.0 | The rule can be linked to web actions as a rule that runs after the web action. |