Skip to main content

Articles in this section

See more
Print

AD Users | Add to Azure AD Administrative Units

  • Updated

AD Users | Add to Azure AD Administrative Units

Rule description

This rule queries the selected AD Users scope and for each returned user, finds the corresponding cloud account and adds it to the selected Azure AD Administrative Unit, either directly or dynamically via text file mapping.

NOTE: Privileged Role Administrator is required to add Microsoft 365 users to Azure AD Admin Units if a Microsoft 365 connection account doesn't have a Global Admin role.

When to use this rule

Use this rule when you need to add hybrid users to the Azure AD Administrative unit either directly or dynamically via text file (CSV) mapping. You can use the template CSV file provided with the rule, or create a file in Microsoft Excel and export it as CSV.

Rule settings

Query section

Setting name Description
General Settings

Limit AD scope to this domain or OU

This setting defines the search query scope. To improve query performance, limit the scope to a specific OU.

IMPORTANT: To test the rule configuration, limit the rule scope to an OU that contains test accounts or objects and use the Preview feature.

AD Query criteria

Query criteria are sent with the query and may improve query performance.

TIP: For additional information on the criteria builder, see the How to use Query Builder dialog for Query Criteria and Filter rule settings.

Filter AD query results

Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting.

Example: filter by the found object Distinguished Name.

TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible.

Properties to display

Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query.

To display additional columns, add the required properties to the Properties to display list.

To add extension attribute 1 that is synchronized from AD, you need to use a value like:

Copy
"OnPremisesExtensionAttributes/extensionAttribute1~Extension Attribute 1"

Exclude disabled AD users

This setting allows excluding AD-disabled users from the rule scope or including them.

Other Query Settings

LDAP filter

Set the filtering conditions to only return objects or data that need to be processed by the rule.

This filter will override the Query criteria setting.

System properties

List of properties required for this rule to be executed correctly.

Sort by

Sort result object list.

Maximum number of users

By default, all objects that you have provisioned in Microsoft Office 365 are returned.

TIP: It is possible to change the default value in the extension settings.

Initialization script

Script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

  1. Add this initialization script

    Copy
    {$global:DatePeriod = (Get-Date).AddDays(-10)}

  2. Use the $DatePeriod variable in the query criteria builder:

Action section

Setting name Description
Target AU selection mode

One of these values is possible:

  • Select a single Azure AD Administrative Unit directly from setting.

  • Select Administrative Unit dynamically based on attribute mapping in a CSV file.
Action 

Specify one of these actions:

  • Add to Admin Unit (preserve existing membership)

  • Move to Admin Unit (remove existing memberships in other Admin Units)

  • Remove from Admin Unit (preserve existing memberships)

  • Set according to Azure AD AU container configuration in Microsoft 365 extension. 

Azure AD Administrative Unit

If using the Select a single Azure AD AU mode above select the Azure AD administrative Unit. If using a dynamic mapping file select the CSV file column containing the Azure AD Administrative Unit name.
Dynamic Mapping from File Settings 
Data source

Specify the text file to be imported.

The […] (three dots) button allows the user to browse for the file and the Create/Edit button allows the creation or editing of the existing file in the built-in Data Source editor.
Separator used in file 

Specify the separator used in the source CSV file.
Active Directory anchor attribute

Select a column in the data source that contains the attribute value for identifying and mapping a computer.
CSV anchor match column Defines the column in the Data Source that will be used to determine if the user account already exists. This value is compared to the Active Directory Anchor Attribute.
Azure AD Administrative Unit column Select the CSV file column containing the Azure AD Administrative Unit name if using a dynamic mapping file. 

Output section

This section defines the output format of this rule.

To get more information about this section, please see the Rule Output section article.

Enforce/Schedule section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Rule Enforce/Schedule section article.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.