AD Groups | Enforce App Role Assignment
Rule description
This hybrid rule queries the specified Active Directory groups and for each member of these groups assigns the selected application and role in Azure Active Directory. Users who are not members of the group are removed from the application assignment.
NOTE: This rule also supports mapping between an Active Directory user account and a cloud user account by anchor attributes. For details, see the How to map Active Directory users to Office 365 cloud users article.
When to use this rule
Use this rule when you need to keep application role assignments in Azure Active Directory in sync with on-premises AD groups.
Rule settings
Query section
| Setting name | Description |
|---|---|
| Include AD Group Members | Specify the Distinguished Names (DNs) of the AD groups whose members will be assigned a role for the specified application. Group DNs can be separated by a semicolon. |
| Properties to Display | Each object property defined in this setting matches a column that will be displayed in the Web Portal for this web query. To display additional columns, add the required properties to the Properties to display list. To add extension attribute 1 that is synchronized from AD, you need to use a value like: |
| Sort by | Sort the result object list. |
| More options | |
| Exclude AD Group Members | Specify the Distinguished Names of the AD groups whose members will be excluded from the Azure application role assignment. TIP: Use this setting to exclude some group members from receiving Entra ID application assignments. If a user is a member both of a group specified in Include AD Group Members and of a group specified in Exclude AD Group Members, that user won't be assigned the Entra ID application. |
| Exclude disabled users from hybrid mapping | Enable this setting to exclude disabled AD user accounts from the hybrid mapping. |
| Maximum number of users | By default, all objects that you have provisioned in Microsoft Office 365 are returned. TIP: The default value can be changed in the extension settings. |
| Stop rule if errors exceed | Too many errors may indicate rule misconfiguration or connectivity problems. Set this to an integer value: when the number of errors that have occurred exceeds it, rule execution stops. |
| Exclude cloud-only users | When set to Yes, the rule won't revoke application roles from cloud-only users. |
| Initialization Script | |
| Script | Usually, rules use query criteria to limit the query search scope, which improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria; that is where the initialization script helps. You can initialize a global variable in this setting and then use it in query criteria. IMPORTANT: To use a variable declared in the initialization script in the query scope, it must be global. Example: Update AD users created in the last ten days. |
Action section
| Setting name | Description |
|---|---|
| Application name | Specify the display name of the application that should be assigned to Microsoft 365 users in Azure Active Directory. The application display name can be found by going to Azure Active Directory > Enterprise applications, selecting the application and clicking Properties. |
| Role | The name of the role that should be assigned to Microsoft 365 users in the application above. The role name can be found in the Users and groups section of the application when you click Add user. |
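How the Query and Action settings above combine, as an added PowerShell example that is not part of the product's own code: it models Include/Exclude group membership, the disabled-account and cloud-only exclusions, and works out which role assignments the rule would add and revoke. All group DNs, accounts and current assignments are constructed sample data; a real run would read AD group membership and the application's current Entra ID assignments instead.

```powershell
# Added example (not the product's own code): models how the rule's Query and Action
# settings combine into the set of Entra ID app-role assignments to add and revoke.
# All directory data below is constructed sample data.

$includeDN = 'CN=AppUsers,OU=Groups,DC=example,DC=com'   # Include AD Group Members
$excludeDN = 'CN=AppDenied,OU=Groups,DC=example,DC=com'  # Exclude AD Group Members

# Constructed AD accounts; Cloud is the cloud account the anchor attribute maps to.
$adUsers = @(
    [pscustomobject]@{ Cloud='alice@example.com'; Enabled=$true;  Groups=@($includeDN) }
    [pscustomobject]@{ Cloud='bob@example.com';   Enabled=$false; Groups=@($includeDN) }
    [pscustomobject]@{ Cloud='carol@example.com'; Enabled=$true;  Groups=@($includeDN, $excludeDN) }
    [pscustomobject]@{ Cloud='dave@example.com';  Enabled=$true;  Groups=@() }
)
# Constructed current assignments of the role in Entra ID; erin is a cloud-only account.
$currentAssigned = @('carol@example.com', 'dave@example.com', 'erin@example.com')
$cloudOnly       = @('erin@example.com')

function Get-AppRoleChanges {
    param(
        [string[]]$IncludeGroups,
        [string[]]$ExcludeGroups = @(),
        [switch]$ExcludeDisabled,   # Exclude disabled users from hybrid mapping
        [switch]$ExcludeCloudOnly   # Exclude cloud-only users
    )
    # Desired members: in an included group, not in any excluded group,
    # and (when the setting is on) not a disabled account.
    $desired = @(foreach ($u in $adUsers) {
        $included = @($u.Groups | Where-Object { $IncludeGroups -contains $_ }).Count -gt 0
        $excluded = @($u.Groups | Where-Object { $ExcludeGroups -contains $_ }).Count -gt 0
        if ($included -and -not $excluded -and ($u.Enabled -or -not $ExcludeDisabled.IsPresent)) { $u.Cloud }
    })
    # Assign to desired users who lack the role; revoke from assigned users outside the
    # desired set, but keep cloud-only accounts when Exclude cloud-only users is set.
    $toAssign = @($desired | Where-Object { $currentAssigned -notcontains $_ })
    $toRevoke = @($currentAssigned | Where-Object {
        $desired -notcontains $_ -and ($cloudOnly -notcontains $_ -or -not $ExcludeCloudOnly.IsPresent)
    })
    [pscustomobject]@{ Assign = $toAssign; Revoke = $toRevoke }
}

# Dry run with both exclusions enabled: bob (disabled) and carol (excluded group) are not
# desired, so carol and dave lose the role, alice gains it, and erin is left untouched.
$changes = Get-AppRoleChanges -IncludeGroups $includeDN -ExcludeGroups $excludeDN `
    -ExcludeDisabled -ExcludeCloudOnly
"Assign: $($changes.Assign -join ', ')"
"Revoke: $($changes.Revoke -join ', ')"
```

Running the function without -ExcludeCloudOnly shows the difference the setting makes: erin would then appear in the Revoke list.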
Output section
This section defines the output format of this rule.
To get more information about this section, please see the Rule Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Rule Enforce/Schedule section article.