Sync Azure AD extension attribute with User Profile service custom property in Office 365

Office 365 is a line of subscription services launched by Microsoft in year 2011. Microsoft has provided so much new services and features in this cloud-based subscription. Many organizations have moved their business in cloud-based subscription and remove On-premise servers to reduce the maintenance cost. These organizations have local AD server which they require to sync with Azure AD for further use and Server Administrators are responsible to set sync process from local AD to Azure AD. In SharePoint On-premise server, an administrator can configure the synchronization process from Active Directory (AD) to SharePoint User Profile Service Application (UPA). But in SharePoint Online, the process of synchronization is quite different.

Let see, How Office 365 user synchronization pipeline works:

There are four processes in User Profile synchronization from local Active Directory to SharePoint Online:

• Azure AD Connect

  Azure AD Connect syncs data from your On-premise Active Directory to Azure Active Directory. 

• AAD to SPO Sync

  Syncs data from Azure Active Directory to SPO directory Store.

• AD Import

  AD Import syncs data from the SPO Directory Store to User Profile Service Application.

• WSS Sync

  WSS Sync data from User Profile Application to the SharePoint Online site collection.

As the synchronization process is handled by timer job and managed by Microsoft, first question comes in mind that when will I expect to see my changes in User Profile Application?

The Answer is: The changes are processed in batches, and the timer job runs until the changes from the SPO Directory are synced to User Profile Application. The required time will totally depend on number of changes. However, the Service Level Agreement (SLA) states that a change to a user in SPO Directory will be reflected within 24 hours in User Profile Service. The properties synced by this process pipeline are very limited to some pre-defined properties like UserPrincipalName, DisplayName, telephoneNumber, proxyAddress, Title, Department, PreferredLanguage, etc to guarantee consistent performance of the timer job. You can see complete list of properties here. So, if you want to sync custom properties from local AD, an administrator will have to set up process for the same.

Let’s sync Azure Active Directory extension attribute with SharePoint Online User Profile Service Application custom property:

You can sync AD extension attribute with SharePoint Online User Profile Service custom property using PowerShell. Once this property is synced with Azure Active Directory from your local Active Directory, you can write CSOM code with PowerShell to sync properties.

PowerShell script:

Import-Module MSOnline  
Import-Module Microsoft.Online.SharePoint.PowerShell  
 
# add SharePoint CSOM libraries  
Import-Module 'C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll'  
Import-Module 'C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll'  
Import-Module 'C:\Program Files\Common Files\Microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.UserProfiles.dll'  
 
# Defaults  
$spoAdminUrl = https://tenant-admin.sharepoint.com  
 
# Get credentials of account that is AzureAD Admin and SharePoint Online Admin  
$credential = Get-Credential  
Try {  
    # Connect to AzureAD  
    Connect-AzureAD -Credential $credential  
 
    # Get credentials for SharePointOnline  
    $spoCredentials=New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($credential.GetNetworkCredential().Username, (ConvertTo-SecureString $credential.GetNetworkCredential().Password -AsPlainText -Force))  
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($spoAdminUrl)  
    $ctx.Credentials = $spoCredentials  
    $spoPeopleManager = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($ctx)  
 
    # Get all AzureAD Users  
    Get-AzureADUser -All $true | ForEach-Object {

You can also sync custom property using PnP-PowerShell commands. You can see we can reduce the code by using PnP-PowerShell script:

PnP-PowerShell script:

$appSiteUrl = "<SharePoint Online URL>"
$credential = Get-Credential 
Connect-PnPOnline -Url $appSiteUrl -Credentials $credential
Connect-AzureAD -Credential $credential
$conn = Get-PnPConnection
 
Get-AzureADUser -All $true | ForEach-Object {
    if ($_.ExtensionProperty.ContainsKey("<extension attribute key>")) {
        $adValue = $_.ExtensionProperty.Item("<extension attribute key>")
        Set-PnPUserProfileProperty -Account $_.UserPrincipalName.ToString() -PropertyName "CustomPropertyInternalName" -Value $adValue
    }
}

Conclusion

You can migrate required user data from your local Azure AD to SharePoint Online site for further use by syncing property from local AD to SharePoint Online User Profile Service custom property. You can also set automation function in MS Azure to sync property recursively.