How to map Active Directory users to Office 365 cloud users

Summary: When performing various hybrid actions in Web Portal for an Active Directory user, a corresponding Cloud user can be found even if UPN does not match between on-premise and cloud user accounts.

Applies to: Cayosoft Administrator 7.3.0 or later

ID: KB20200825-1

Configuration

There are situations when UserPrincipalNames can be different in on-premise and cloud user accounts. For example, if you configure Azure AD Connect to use any attribute other then UserPrincipalName for the name of AzureAD user. In this case, you should complete additional configuration in Cayosoft Admin Console: navigate to Active Directory extension > Advanced Settings and set Map cloud users by UPN to No (try anchor attributes first).

How user account is looked up in Cloud

When Map cloud users by UPN is set to No, to search for a user account in Cloud these attributes pairs will be used:

msDS-ExternalDirectoryObjectID/msDS-ConsistencyGUID attributes in Active Directory
ObjectId/ImmutableID attributes in Cloud

At first, msDS-ExternalDirectoryObjectID of the user in Active Directory is matched with the ObjectId of the corresponding user account in Cloud.

If msDS-ExternalDirectoryObjectID attribute is not in the schema or not set, msDS-ConsistencyGUID of the same user in Active Directory is matched with the ImmutableID of its account in Cloud.

If msDS-ConsistencyGUID attribute of Active directory user is empty, the user account will be looked up in Cloud by its UserPrincipalName.

If the user account is still not found the error will be reported: Cloud user was not found for this Active Directory user by its external directory ID or anchor.

Note: Please keep in mind that when Map cloud users by UPN is set to No, Cayosoft Administrator makes additional calls to cloud to find the corresponding Office 365 user and hybrid web actions and rules work slower than default mapping settings are used.

List of rules and web actions that support users with mismatched UserPrincipalName

Here is the list of rules and web actions that support users with mismatched UserPrincipalName:

Automation Rules and reports:

Analytics collection | Microsoft Office 365

Analytics collection | Quota Information

AD Groups | Enforce License
AD Groups | Validate License

AD Users | Assign Teams Policy

AD Users | Set Office 365 Mailbox Settings

AD Users | Process Scheduled Suspends

AD Users | Suspend Expired AD Users

AD Users | Suspend Users

AD Users | Process Scheduled Undo Suspends

AD Users Inactive | Suspend Accounts

AD Users Expired Office 365 Linked User Status

AD Users with Office 365 Licenses

New User | Create Office 365 User

New User | Office 365 User Enforce License
New User | Office 365 Mailbox post creation tasks
New User | Office 365 Skype post creation tasks
New User | Office 365 OneDrive post creation tasks

Import SQL Data | Suspend AD Users

Import Oracle Data | Suspend AD Users

Office 365 Users | Change selected license option by AD Group
Office 365 Users | Enforce Skype Settings by AD Group Membership
Office 365 Users Billing Count by AD Group (Roll-up)
Office 365 Users Billing Count by AD Group Membership
Office 365 Users Inactive by AD Group Membership

Text file | Suspend AD Users

Suspend | Office 365 User

Undo Suspend | Office 365 User