Rule Description
This hybrid rule queries the specified on-premises Active Directory groups and, for each member of those groups, assigns the selected enterprise application and app role in Azure Active Directory. Users who currently hold the assignment but are not members of the groups are removed from it, so the application's role membership is reconciled to the AD group membership on every run.
When to use this rule
Use this rule when you need to keep application role assignments in Azure Active Directory in sync with on-premises AD groups.
Rule Settings
Query Section
Setting name | Description |
---|---|
Include AD Group Members | Specify the Distinguished Names (DNs) of the AD groups whose members will be assigned the role in the specified application. Separate multiple DNs with semicolons. |
Properties to Display | To display additional Office 365 properties for each object found by the query, add those properties to the list. |
Sort by | Sort the list of result objects. |
More options | |
Exclude AD Group Members | Specify the DNs of AD groups whose members will be excluded from the Azure application role assignment. Tip: use this setting to keep some members of the included groups from receiving the assignment. A user who is a member of both an included group and an excluded group is not assigned the application. |
Exclude disabled users from hybrid mapping | When set to Yes, disabled AD user accounts are excluded from the hybrid mapping, so the rule does not assign the application to them. |
Maximum number of users | Limits the number of users the query returns. By default, all objects that you have provisioned in Microsoft Office 365 are returned. Tip: the default value can be changed in the Microsoft Office 365 extension settings. |
Stop rule if errors exceed | Too many errors may indicate a rule misconfiguration or a connectivity problem. Set this to an integer: when the number of errors during a run reaches this value, rule execution stops. |
Exclude cloud-only users | When set to Yes, the rule will not revoke application roles from cloud-only users (cloud accounts that have no matching on-premises AD account). |
Initialization Script | |
Script | Rules usually use query criteria to limit the query scope, which improves the performance of the executed rule. Because of PowerShell limitations, calculated expressions cannot be used in query criteria; the initialization script fills that gap: assign a value to a variable here, then reference the variable in the query criteria. Important: a variable declared in the initialization script must be global ($global:<variable name>) to be visible in the query scope. Example, for selecting AD groups created in the last ten days: `{$global:DatePeriod = (Get-Date).AddDays(-10)}` |
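The following PowerShell is an added illustration, not the product's own code, of why the initialization script has to use the `$global:` modifier. It runs the initialization script block in a child scope, the way a separate initialization step would, and then applies a criterion to a constructed list of groups (the group names and dates are made up). Against real AD the criterion would be something like `Get-ADGroup -Filter 'whenCreated -ge $DatePeriod'`; the ActiveDirectory module's -Filter accepts a variable reference but not an expression such as `(Get-Date).AddDays(-10)` inline, which is the limitation the setting works around.

```powershell
# Added example (not product code): the initialization script must set a
# global variable because the query criteria are evaluated in another scope.

# The initialization script exactly as entered in the rule setting
$InitScript = { $global:DatePeriod = (Get-Date).AddDays(-10) }
# The same assignment without the global: modifier, for comparison
$InitScriptLocal = { $DatePeriod2 = (Get-Date).AddDays(-10) }

# Invoking a script block runs it in a child scope; variables assigned there
# without a scope modifier are discarded when the block returns.
& $InitScript
& $InitScriptLocal

"global variable visible after init : $($null -ne $global:DatePeriod)"
"local variable visible after init  : $($null -ne $DatePeriod2)"

# Constructed stand-in for the AD groups the query would return
$Groups = @(
    [pscustomobject]@{ Name = 'Finance-New'; whenCreated = (Get-Date).AddDays(-3)  }
    [pscustomobject]@{ Name = 'Finance-Old'; whenCreated = (Get-Date).AddDays(-40) }
    [pscustomobject]@{ Name = 'HR-Recent';   whenCreated = (Get-Date).AddDays(-9)  }
)

# The criterion the rule would apply, referencing the global variable rather
# than repeating the date arithmetic inside the filter
$Groups |
    Where-Object { $_.whenCreated -ge $global:DatePeriod } |
    Select-Object -ExpandProperty Name
```

The first status line prints True and the second False, and only the two groups created within the last ten days are listed. Replacing `$global:DatePeriod` in the criterion with `$DatePeriod2` returns nothing at all, with no error: the comparison against an unset variable silently fails, which is the symptom to look for when a rule's query unexpectedly matches zero objects.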
Action Section
Setting name | Description |
---|---|
Application name | The display name of the enterprise application whose role should be assigned to Microsoft 365 users in Azure Active Directory. Find it by going to Azure Active Directory > Enterprise applications, selecting the application and opening its properties. |
Role | The name of the app role to assign to those users in the application above. Role names are listed in the application's "Users and groups" section when you click "Add user". |
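The script below is an added worked example, not the product's code, that reproduces the reconciliation this rule performs from the settings above: members of the included groups, minus members of the excluded groups, minus disabled accounts, compared against the application's current role holders to produce the add and remove lists, with cloud-only users protected from removal. All DNs, account names, UPNs and the current-assignment list are constructed so the script runs offline; in a live environment the group membership and account state would come from `Get-ADGroupMember -Recursive` and `Get-ADUser -Properties Enabled`, and the current assignments from the application's role assignment list.

```powershell
# Added example (not product code): membership reconciliation for an app role.
# All data below is constructed; names and DNs are fictitious.

# --- Rule settings (assumed values, matching the Query and Action sections) ---
$IncludeGroups    = 'CN=App-Users,OU=Groups,DC=example,DC=com;CN=App-Admins,OU=Groups,DC=example,DC=com'
$ExcludeGroups    = 'CN=App-Blocked,OU=Groups,DC=example,DC=com'
$ExcludeDisabled  = $true    # Exclude disabled users from hybrid mapping
$ExcludeCloudOnly = $true    # Exclude cloud-only users

# --- Constructed on-premises state: group DN -> member sAMAccountNames ---
$GroupMembers = @{
    'CN=App-Users,OU=Groups,DC=example,DC=com'   = @('alice', 'bob', 'carol')
    'CN=App-Admins,OU=Groups,DC=example,DC=com'  = @('dave', 'erin')
    'CN=App-Blocked,OU=Groups,DC=example,DC=com' = @('carol')
}
# sAMAccountName -> account state and the UPN used as the hybrid mapping anchor
$AdUsers = @{
    'alice' = @{ Enabled = $true;  Upn = 'alice@example.com' }
    'bob'   = @{ Enabled = $false; Upn = 'bob@example.com'   }   # disabled account
    'carol' = @{ Enabled = $true;  Upn = 'carol@example.com' }   # also in the excluded group
    'dave'  = @{ Enabled = $true;  Upn = 'dave@example.com'  }
    'erin'  = @{ Enabled = $true;  Upn = 'erin@example.com'  }
}
# --- Constructed cloud state: users currently holding the role ---
# frank has no AD account at all (orphaned assignment); grace is a cloud-only user
$CurrentAssignments = @('bob@example.com', 'carol@example.com', 'dave@example.com',
                        'frank@example.com', 'grace@example.com')
$CloudOnlyUsers     = @('grace@example.com')

function Get-DesiredAssignments {
    param([string]$Include, [string]$Exclude, [bool]$SkipDisabled)
    # Both settings take semicolon-separated DN lists
    $inc = $Include -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $exc = $Exclude -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    $included = foreach ($dn in $inc) { $GroupMembers[$dn] }
    $excluded = foreach ($dn in $exc) { $GroupMembers[$dn] }

    $included | Sort-Object -Unique |
        Where-Object { $excluded -notcontains $_ } |                    # Exclude AD Group Members
        Where-Object { -not $SkipDisabled -or $AdUsers[$_].Enabled } |  # Exclude disabled users
        ForEach-Object { $AdUsers[$_].Upn }                             # map AD account to cloud anchor
}

$desired = @(Get-DesiredAssignments -Include $IncludeGroups -Exclude $ExcludeGroups -SkipDisabled $ExcludeDisabled)

# Diff desired against current: grant what is missing, revoke what no longer qualifies
$toAdd    = @($desired | Where-Object { $CurrentAssignments -notcontains $_ })
$toRemove = @($CurrentAssignments | Where-Object { $desired -notcontains $_ })
if ($ExcludeCloudOnly) {
    # Cloud-only accounts have no AD group membership to check, so leave their roles alone
    $toRemove = @($toRemove | Where-Object { $CloudOnlyUsers -notcontains $_ })
}

"Desired : $($desired -join ', ')"
"Add     : $($toAdd -join ', ')"
"Remove  : $($toRemove -join ', ')"
```

With this data the desired set is alice, dave and erin: carol is dropped by the exclusion group and bob by the disabled-account filter. The rule would therefore add alice and erin, and remove bob, carol and frank. Two cases are worth noticing because they are easy to overlook when judging a run's results: bob loses the role purely because the account was disabled, and frank loses it because no AD account maps to that assignment at all. grace keeps the role only because Exclude cloud-only users is Yes; with it set to No, every cloud-only assignment in the application would be revoked on the first run.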
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
7.3.0 | The rule supports mapping between Active Directory user account and Cloud user account by anchor attributes. |
6.3.1 | The rule is introduced in the product. |