Merge pull request #223812 from billmath/custom1

staging

Author: JamesJBarnett

articles/active-directory/app-provisioning/media/user-provisioning-sync-attributes-for-mapping/schema-1.png

@@ -23,7 +23,8 @@ Adding missing attributes needed for an application will start in either on-prem
 
 First, identify which users in your Azure AD tenant will need access to the application and therefore are going to be in scope of being provisioned into the application.
 
-If any of those users originate in on-premises Active Directory, then you must sync the attributes with the users from Active Directory to Azure AD. You will need to perform the following tasks before configuring provisioning to your application.
+>[!NOTE]
+> For users in on-premises Active Directory, you must sync the users to Azure AD. You can sync users and attributes using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) or [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md). Both of these solutions automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as SAMAccountName) that are synchronized by default might not be exposed using the Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect) or [use Azure AD Connect cloud sync](#create-an-extension-attribute-using-cloud-sync). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service.
 
   1. Check with the on-premises Active Directory domain admins whether the required attributes are part of the AD DS schema, and if they are not, extend the AD DS schema in the domains where those users have accounts.
   1. Configure [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) or Azure AD Connect cloud sync to synchronize the users with their extension attribute from Active Directory to Azure AD.   Azure AD Connect automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as `sAMAccountName`) that are synchronized by default might not be exposed using the Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service.
@@ -113,6 +114,24 @@ Set-AzureADUserExtension -objectid 0ccf8df6-62f1-4175-9e55-73da9e742690 -Extensi
 Get-AzureADUser -ObjectId 0ccf8df6-62f1-4175-9e55-73da9e742690 | Select -ExpandProperty ExtensionProperty
 
 ```
+## Create an extension attribute using cloud sync
+Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping.  Use the steps below to auto-discover these attributes and set up a corresponding mapping to Azure AD.
+
+1. Sign-in to the Azure portal with a hybrid administrator account
+2. Select Azure AD Connect
+3. Select **Manage Azure AD cloud sync**
+4. Select the configuration you wish to add the extension attribute and mapping
+5. Under **Manage attributes** select **click to edit mappings**
+6. Click **Add attribute mapping**.  The attributes will automatically be discovered.
+7. The new attributes will be available in the drop-down under **source attribute**.  
+8. Fill in the type of mapping you want and click **Apply**.
+   [![Custom attribute mapping](media/user-provisioning-sync-attributes-for-mapping/schema-1.png)](media/user-provisioning-sync-attributes-for-mapping/schema-1.png#lightbox)
+
+For more information, see [Cloud Sync Custom Attribute Mapping](../cloud-sync/custom-attribute-mapping.md)
+
+
+
+
 
 ## Create an extension attribute using Azure AD Connect
 

articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md

@@ -52,6 +52,8 @@
       href: how-to-attribute-mapping.md 
     - name: Use Single Sign-On
       href: how-to-sso.md
+    - name: Directory extensions and custom attributes
+      href: custom-attribute-mapping.md
   - name: Plan and design
     items:
     - name: Topologies and scenarios for Azure AD Connect cloud sync

articles/active-directory/cloud-sync/TOC.yml

@@ -0,0 +1,142 @@
+---
+title: 'Azure AD Connect cloud sync directory extensions and custom attribute mapping'
+description: This topic provides information on custom attribute mapping in cloud sync.
+services: active-directory
+author: billmath
+manager: amycolannino
+ms.service: active-directory
+ms.workload: identity
+ms.custom: ignite-2022
+ms.topic: conceptual
+ms.date: 01/12/2023
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+
+
+# Cloud Sync directory extensions and custom attribute mapping
+
+## Directory extensions
+You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own attributes from on-premises Active Directory. This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises. 
+
+For additional information on directory extensions see [Using directory extension attributes in claims](../develop/active-directory-schema-extensions.md)
+
+ You can see the available attributes by using [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). You can also use this feature to create dynamic groups in Azure AD.
+
+>[!NOTE]
+> In order to discover new Active Directory extension attributes, the provisioning agent needs to be restarted.  You should restart the agent after the directory extensions have been created.  For Azure AD extension attributes, the agent doesn't need to be restarted.
+ 
+## Syncing directory extensions for Azure Active Directory Connect cloud sync 
+
+You can use [directory extensions](https://learn.microsoft.com/graph/api/resources/extensionproperty?view=graph-rest-1.0) to extend the synchronization schema directory definition in Azure Active Directory (Azure AD) with your own attributes. 
+
+>[!Important]
+> Directory extension for Azure Active Directory Connect cloud sync is only supported for applications with the identifier URI “api://<tenantId>/CloudSyncCustomExtensionsApp” and the [Tenant Schema Extension App](../hybrid/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard) created by Azure AD Connect 
+
+### Create application and service principal for directory extension 
+
+You need to create an [application](https://learn.microsoft.com/graph/api/resources/application?view=graph-rest-1.0) with the identifier URI "api://<tenantId>/CloudSyncCustomExtensionsApp" if it doesn't exist and create a service principal for the application if it doesn't exist. 
+
+
+ 1. Check if application with the identifier URI "api://<tenantId>/CloudSyncCustomExtensionsApp" exists. 
+
+     - Using Microsoft Graph 
+
+     ```
+     GET /applications?$filter=identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')
+     ```
+
+     For more information, see [Get application](https://learn.microsoft.com/graph/api/application-get?view=graph-rest-1.0&tabs=http)
+
+     - Using PowerShell 
+     
+     ```
+     Get-AzureADApplication -Filter "identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')"
+     ```
+
+     For more information, see [Get-AzureADApplication](https://learn.microsoft.com/powershell/module/azuread/get-azureadapplication?view=azureadps-2.0)
+
+ 2. If the application doesn't exist, create the application with identifier URI “api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp.”
+
+     - Using Microsoft Graph 
+     ```
+     POST https://graph.microsoft.com/v1.0/applications
+     Content-type: application/json
+
+     {
+      "displayName": "CloudSyncCustomExtensionsApp",
+      "identifierUris": ["api://<tenant id>/CloudSyncCustomExtensionsApp"]
+     }
+     ```
+     For more information, see [create application](https://learn.microsoft.com/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http)
+
+     - Using PowerShell 
+     ```
+     New-AzureADApplication -DisplayName "CloudSyncCustomExtensionsApp" -IdentifierUris "api://<tenant id>/CloudSyncCustomExtensionsApp"
+     ```
+     For more information, see [New-AzureADApplication](https://learn.microsoft.com/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0)
+
+ 
+
+ 3. Check if the service principal exists for the application with identifier URI “api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp”. 
+
+     - Using Microsoft Graph 
+     ```
+     GET /servicePrincipals?$filter=(appId eq '{appId}')
+     ```
+     For more information, see [get service principal](https://learn.microsoft.com/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http)
+
+     - Using PowerShell 
+     ```
+     Get-AzureADServicePrincipal -ObjectId  '<application objectid>'
+     ```
+     For more information, see [Get-AzureADServicePrincipal](https://learn.microsoft.com/powershell/module/azuread/get-azureadserviceprincipal?view=azureadps-2.0)
+ 
+
+ 4. If a service principal doesn't exist, create a new service principal for the application with identifier URI “api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp”
+
+     - Using Microsoft Graph 
+     ```
+     POST https://graph.microsoft.com/v1.0/servicePrincipals
+     Content-type: application/json
+
+     {
+     "appId": 
+     "<application appId>"
+     }
+     ```
+     For more information, see [create servicePrincipal](https://learn.microsoft.com/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http)
+
+     - Using PowerShell 
+     
+     ```
+     New-AzureADServicePrincipal -AppId '<appId>'
+     ```
+     For more information, see [New-AzureADServicePrincipal](https://learn.microsoft.com/powershell/module/azuread/new-azureadserviceprincipal?view=azureadps-2.0)
+ 
+ 5. You can create directory extensions in Azure AD in several different ways. 
+
+|Method|Description|URL|
+|-----|-----|-----|
+|MS Graph|Create extensions using GRAPH|[Create extensionProperty](https://learn.microsoft.com/graph/api/application-post-extensionproperty?view=graph-rest-1.0&tabs=http)|
+|PowerShell|Create extensions using PowerShell|[New-AzureADApplicationExtensionProperty](https://learn.microsoft.com/powershell/module/azuread/new-azureadapplicationextensionproperty?view=azureadps-2.0)| 
+Using Cloud Sync and Azure AD Connect|Create extensions using Azure AD Connect|[Create an extension attribute using Azure AD Connect](https://learn.microsoft.com/azure/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping#create-an-extension-attribute-using-azure-ad-connect)|
+|Customizing attributes to sync|Information on customizing which attributes to synch|[Customize which attributes to synchronize with Azure AD](https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions#customize-which-attributes-to-synchronize-with-azure-ad)
+
+## Use attribute mapping to map Directory Extensions
+If you have extended Active Directory to include custom attributes, you can add these attributes and map them to users.  
+
+To discover and map attributes, click **Add attribute mapping**.  The attributes will automatically be discovered and will be available in the drop-down under **source attribute**.  Fill in the type of mapping you want and click **Apply**.
+ [![Custom attribute mapping](media/custom-attribute-mapping/schema-1.png)](media/custom-attribute-mapping/schema-1.png#lightbox)
+
+For information on new attributes that are added and updated in Azure AD see the [user resource type](https://docs.microsoft.com/graph/api/resources/user?view=graph-rest-1.0#properties) and consider subscribing to [change notifications](https://docs.microsoft.com/graph/webhooks).
+
+For more information on extension attributes, see [Syncing extension attributes for Azure Active Directory Application Provisioning](../app-provisioning/user-provisioning-sync-attributes-for-mapping.md)
+
+## Additional resources
+
+- [Understand the Azure AD schema and custom expressions](concept-attributes.md)
+- [Azure AD Connect sync: Directory extensions](../hybrid/how-to-connect-sync-feature-directory-extensions.md)
+- [Attribute mapping in Azure AD Connect cloud sync](how-to-attribute-mapping.md)

articles/active-directory/cloud-sync/custom-attribute-mapping.md

@@ -100,6 +100,9 @@ After saving, you should see a message telling you what you still need to do to
 
 For more information, see [attribute mapping](how-to-attribute-mapping.md).
 
+## Directory extensions and custom attribute mapping.
+Azure AD Connect cloud sync allows you to extend the directory with extensions and provides for custom attribute mapping.  For more information see [Directory extensions and custom attribute mapping](custom-attribute-mapping.md).
+
 ## On-demand provisioning
 Azure AD Connect cloud sync allows you to test configuration changes, by applying these changes to a single user or group.