You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/manage-apps/customize-application-attributes.md
+5-4Lines changed: 5 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -76,11 +76,12 @@ Along with this property, attribute-mappings also support the following attribut
76
76
## Matching users in the source and target systems
77
77
The Azure AD provisioning service can be deployed in both greenfield (users do not exit in the target system) and brownfield (users already exist in the target system) scenarios. To support both scenarios, the provisioning service uses the concept of matching attribute(s). Matching attribute(s) allow you to determine how to uniquely identify a user in the source and match the user in the target. As part of planning your deployment, identify the attribute that can be used to uniquely identify a user in the source and target systems. Things to note:
78
78
79
-
-**Matching attributes should be unique:** Customers often use attributes such as upn, mail, or object ID as the matching attribute.
80
-
-**Multiple attributes can be used as matching attributes:** You can define multiple attributes to be evaluated when matching users and the order in which they are evaluated (defined as matching precedence in the UI).
81
-
-**The value in the source and the target do not have to match exactly:** The value in the target can be some simple function of the value in the source. Here "simple" means the target value can be some transformation of only a single source attribute. So, one could have an emailAddress attribute in the source and the userPrincipalName in the target, and match by a function of the emailAddress attribute that replaces some characters with some constant value.
79
+
-**Matching attributes should be unique:** Customers often use attributes such as userPrincipalName, mail, or object ID as the matching attribute.
80
+
-**Multiple attributes can be used as matching attributes:** You can define multiple attributes to be evaluated when matching users and the order in which they are evaluated (defined as matching precedence in the UI). If, for example, you define three attributes as matching attributes, and a user is uniquely matched after evaluating the first two attributes, the service will not evaluat the third attribute. The service will evaluate matching attributes in the order specified and stop evaluating when a match is found.
81
+
-**The value in the source and the target do not have to match exactly:** The value in the target can be some simple function of the value in the source. So, one could have an emailAddress attribute in the source and the userPrincipalName in the target, and match by a function of the emailAddress attribute that replaces some characters with some constant value.
82
82
-**Matching based on a combination of attributes is not supported:** Most applications do not support querying based on two properties and therfore it is not possible to match based on a combination of attributes. It is possible to evaluate single properties on after another.
83
-
-**All the users must actually have a value for one matching property:** A customer can identify a number of matching attributes in priority order. So, for example, if there is a match on employeeId then that takes priority over a match on emailAddress. Each item in the hierarchy can only be the raw attribute value or a simple function of the raw attribute value.
83
+
-**All users must have a value for at least one matching attribute:** If you define one matching attribute, all users must have a value for that attribute in the source system. If, for example, you define userPrincipalName as the matching attribute, all users must have a userPrincipalName. If you define multiple matching attribute (e.g. extensionAttribute1 and mail), not all users have to have the same matching attribute. One user could have a extensionAttribute1 but not mail while another user could have mail but no extensionAttribute1.
84
+
-**The target application must support filtering on the matching attribute:** Application developers allow filtering for a subset of attributes on their user or group API. For applications in the gallery, we ensure that the default attribute mapping is for an attribute that the target application's API does support filtering on. When changing the default matching attribute for the target application, check the third party API documentation to ensure that the attribute can be filtered on.
0 commit comments