blog.atwork.at

news and know-how about microsoft, technology, cloud and more.

SharePoint Online User Profiles and the story about synchronizing with Azure Active Directory - Part 1

Office 365 uses Azure Active Directory for storing user information. Since SharePoint and SharePoint Online both have their own User Profile Service and user store, it was clear to Microsoft that some of the user properties have to be shared between these two stores.

So Microsoft built a synchronization - or at least a one-way transport - between the Azure Active Directory (AAD) user objects and SharePoint Online (SPO) user profiles.

This article shows the current state in SharePoint Online 2013 and explains how this syncing process works.

Why two user storages?

Well, a user profile is the collection of user properties which describe a single user, such as UserPrincipalName (which is the login name in Office 365), FirstName, LastName, WorkPhone and so on.

Many user properties in Active Directory are different from, or simply do not exist in, SharePoint User Profiles, and vice versa.

So the reason is simply historical. Both systems grew and developed separately. In the cloud world with Office 365 this means that we now technically have two user objects with two different user profiles - but "some properties" are transferred from AAD to SPO...

Going Hybrid

Many companies use hybrid scenarios to transport their local Active Directory (AD) into the cloud (AAD). This can be done with tools like DirSync or ADFS systems. The benefit is that end users can use their single identity also in Office 365 services like Exchange, SharePoint and Lync. This is a great solution (which we deploy very often for customers).

In many cases DirSync is an excellent choice because it's easy to use and doesn't require a large server infrastructure. With that tool, selected objects are copied from the local AD into the cloud AAD (to be clear: not vice versa).

If a user changes their password (with the password sync option turned on), it is double hashed (which is not recoverable in any way) and copied into AAD. Depending on the sync schedule this takes some time, but afterwards the user can work with the new password in Office 365. The same goes for other user properties changed in AD.

For more information about AD syncing see TechNet: Plan for directory synchronization for Office 365.

Playing around with Office 365

So let's have a look at the user properties on each side. If you don't have an Office 365 account to play with, simply open a new free 30-day Office 365 tenant. Once this is done, use this tenant.

Now log in as an administrator on the Office 365 portal and open browser tabs for the Office 365 users and the SharePoint users. Create some test users on the Office 365 side.

What is synchronized between AAD and SPO?

You can switch between the product admin sites. This screenshot shows the Office 365 admin center with the menu for switching between the admin portals for each product.

In the SharePoint admin center open the user profiles and select Manage User Profiles.

The User Profile Manager opens and shows an empty list where you can search for specific users.

Search for any user and choose Edit My Profile. You can see the user's account name in the form "i:0#.f|membership|m.smith@o365demo2015.onmicrosoft.com".

Hint: It can take some minutes until all users are available in SharePoint User Profiles...!

The SPO Account name

If you're interested in the parts of the account name...

i:0#.f|membership|m.smith@o365demo2015.onmicrosoft.com

This is the whole login name. SharePoint (since 2010) uses claims-based authentication. The parts of the encoded name have the following meaning:

  • i: is the claim identity; the "i" stands for "identity" claim
  • 0 is reserved for future claim types
  • #. is the claim type (# stands for logon, 5 for e-mail, - for role, + for group, % for farm and ! for identity provider)
  • f is the issuer code of the token (w = windows, s = local STS, m = membership, r = role, t = trusted STS, p = personal, c = claim provider, f = forms)
  • membership|m.smith... is the claim value, starting with the name of the issuer followed by the login name

SPO works with the full account names.
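To make the encoding above concrete, here is a small decoder for claims-encoded account names. This is an added example, not code from the original post; the code tables are exactly the ones listed above, the "." after the claim type is treated as a fixed separator, and the issuer name before the value (as in "membership|m.smith...") is split off only when a second "|" is present, so an encoded Windows account without an issuer name also parses.

```python
"""Decode SharePoint claims-encoded account names such as
i:0#.f|membership|m.smith@o365demo2015.onmicrosoft.com
Added example; the code tables are the ones the post lists."""

from dataclasses import dataclass

# Claim type codes (character after "i:0" / "c:0"), as listed in the post.
CLAIM_TYPES = {
    "#": "logon name",
    "5": "e-mail",
    "-": "role",
    "+": "group",
    "%": "farm",
    "!": "identity provider",
}

# Issuer codes (character after the "."), as listed in the post.
ISSUERS = {
    "w": "windows",
    "s": "local STS",
    "m": "membership",
    "r": "role",
    "t": "trusted STS",
    "p": "personal",
    "c": "claim provider",
    "f": "forms",
}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool   # "i:" identity claim, "c:" any other claim
    claim_type: str     # e.g. "logon name"
    issuer: str         # e.g. "forms"
    issuer_name: str    # e.g. "membership"; "" when the encoding carries none
    value: str          # the claim value, e.g. the user's login name


def parse_encoded_claim(account: str) -> EncodedClaim:
    """Split an encoded account name into its parts; raise ValueError when malformed."""
    head, sep, rest = account.partition("|")
    # head is the fixed 6-character prefix, e.g. "i:0#.f"
    if not sep or len(head) != 6 or head[1] != ":" or head[2] != "0" or head[4] != ".":
        raise ValueError(f"not a claims-encoded account name: {account!r}")
    kind, claim_code, issuer_code = head[0], head[3], head[5]
    if kind not in ("i", "c"):
        raise ValueError(f"unknown claim kind {kind!r}")
    if claim_code not in CLAIM_TYPES:
        raise ValueError(f"unknown claim type code {claim_code!r}")
    if issuer_code not in ISSUERS:
        raise ValueError(f"unknown issuer code {issuer_code!r}")
    # Forms and trusted issuers put the issuer's name before the value
    # ("membership|m.smith@..."); without a second "|" the rest is the value.
    issuer_name, sep2, value = rest.partition("|")
    if not sep2:
        issuer_name, value = "", rest
    if not value:
        raise ValueError("claim value is empty")
    return EncodedClaim(kind == "i", CLAIM_TYPES[claim_code],
                        ISSUERS[issuer_code], issuer_name, value)


def login_name(account: str) -> str:
    """Return only the login name (the claim value) of an encoded account name."""
    return parse_encoded_claim(account).value


def is_claims_encoded(account: str) -> bool:
    """True when the string parses as a claims-encoded account name."""
    try:
        parse_encoded_claim(account)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(parse_encoded_claim("i:0#.f|membership|m.smith@o365demo2015.onmicrosoft.com"))
```

The validation matters when such names come from user input or logs: a bare UPN like "m.smith@o365demo2015.onmicrosoft.com" is rejected rather than silently treated as an encoded claim, and the issuer and claim type are always resolved against the known code tables.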

Edit the user profile

Have you ever noticed the little icons to the left of the field names like Account name, First name, Last name, etc.? On some fields these icons are missing, like Job Title, Department, About me, etc.

Those icons indicate which fields are copied from AAD to SPO!

So properties like Job Title, Department and About me are only visible in SPO and do not come from AAD.

It can take a while until all properties from AAD are visible in the SPO user profile... see below.

Exchange Properties

Of course there are also user properties in Exchange. But you can't see them in AAD or SPO.

There are common properties like UPN, FirstName, LastName, etc. Custom attributes are only visible within Exchange. The common properties are the same in AAD and Exchange; see, for example, this screenshot with some fields from the Office 365 user profile:

Profile change in SPO

Editing a user profile in SPO can happen in three ways:

  • The admin uses the User Profile Manager and edits user properties as above:
    https://[tenant]-admin.sharepoint.com/_layouts/15/tenantprofileadmin/ProfMngr.aspx
  • The user logs in and changes their own properties:
    https://[tenant]-my.sharepoint.com/PersonImmersive.aspx
  • With an app (formerly known as a program...). We'll do that in the second part, but we need an administrator to accomplish that for other users.

The direction of SPO syncing

As mentioned above, the "sync" process is one-way: from AAD to SPO.
This happens automatically in Office 365.

Here is the complete picture of the syncing with DirSync from AD to AAD (and on to SPO).

Diagram: an on-premises Active Directory uses DirSync to feed profile information to the Office 365 Directory Service, which in turn feeds the SharePoint Online profile.

Picture source and technical article: see Manage SharePoint Online user profiles from the SharePoint admin center.

Can I start the synchronization and how often does it happen?

No. In Office 365 you cannot manually start the sync process between AAD and SPO.
It happens ... sometimes. Microsoft isn't very clear about that; they only state:

"SharePoint Online receives profile information from the Office 365 directory service during regularly scheduled one-way synchronization, which should occur at least every 24 hours."

And: "Note: Automatic profile synchronization with the Office 365 directory service occurs at regular predetermined intervals. Changes may take up to 24 hours before they appear in a user's profile."

So you are dependent on that happening. In my personal experience it takes from about 15 minutes up to some hours for a user object created in Office 365 to show up in SPO user profiles.

If the syncing has not happened after 24 hours, that's ... bad luck. See Issue with profile Sync in SharePoint online and open a case with Microsoft to fix that.

Which user properties are synced?

Microsoft kindly provides a list of the properties which are synced from AAD to SPO:
TechNet: Default user profile property mappings in SharePoint Server 2013

Here's the list of the 21 properties with their names on each side when using Microsoft Active Directory.

| User profile property (SPO) | AD DS attribute (AAD) |
|---|---|
| SPS-DistinguishedName | dn |
| SID | objectSid |
| Manager | manager |
| PreferredName | displayName |
| FirstName | givenName |
| LastName | sn |
| SPS-PhoneticDisplayName | msDS-PhoneticDisplayName |
| SPS-PhoneticFirstName | msDS-PhoneticFirstName |
| SPS-PhoneticLastName | msDS-PhoneticLastName |
| WorkPhone | telephoneNumber |
| WorkEmail | Mail/proxyAddress |
| Office | physicalDeliveryOfficeName |
| SPS-JobTitle | title |
| Department | department |
| UserName | sAMAccountName |
| PublicSiteRedirect | wWWHomePage |
| SPS-ProxyAddresses | proxyAddresses |
| SPS-SourceObjectDN | msDS-SourceObjectDN |
| SPS-ClaimID | <specific to connection> |
| SPS-ClaimProviderID | <specific to connection> |
| SPS-ClaimProviderType | <specific to connection> |

With other directory systems (Novell, Tivoli, etc.) the mapping changes and there are far fewer properties. See the whole article here.
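Because the sync cannot be triggered and may take up to 24 hours, it is useful to be able to check whether a profile already reflects what the directory holds, and which differences are expected because the property is never synced at all. The following is an added example, not code from the post or from Microsoft: it encodes the default AD DS to SPO mapping table above (leaving out the three connection-specific SPS-Claim* properties and using "mail" for the "Mail/proxyAddress" entry), compares a directory record against a profile record, applies Microsoft's 24-hour upper bound, and lists the SPO-only properties. The two user records are constructed sample data, and the way you obtain real records (directory export, CSOM, REST) is outside this snippet.

```python
"""Verify that a SharePoint Online profile matches the directory values that the
AAD -> SPO sync is supposed to deliver. Added example; the mapping table is the
default one the post quotes from TechNet, the sample records are constructed."""

from datetime import datetime, timedelta, timezone

# Default AD DS attribute -> SPO user profile property (SPS-Claim* left out:
# those values are specific to the sync connection, not to the user object).
AD_TO_SPO = {
    "dn": "SPS-DistinguishedName",
    "objectSid": "SID",
    "manager": "Manager",
    "displayName": "PreferredName",
    "givenName": "FirstName",
    "sn": "LastName",
    "msDS-PhoneticDisplayName": "SPS-PhoneticDisplayName",
    "msDS-PhoneticFirstName": "SPS-PhoneticFirstName",
    "msDS-PhoneticLastName": "SPS-PhoneticLastName",
    "telephoneNumber": "WorkPhone",
    "mail": "WorkEmail",                 # listed as "Mail/proxyAddress" in the table
    "physicalDeliveryOfficeName": "Office",
    "title": "SPS-JobTitle",
    "department": "Department",
    "sAMAccountName": "UserName",
    "wWWHomePage": "PublicSiteRedirect",
    "proxyAddresses": "SPS-ProxyAddresses",
    "msDS-SourceObjectDN": "SPS-SourceObjectDN",
}

SYNC_WINDOW = timedelta(hours=24)   # Microsoft's stated upper bound for the sync


def is_synced(spo_property: str) -> bool:
    """True when the AAD -> SPO sync writes this profile property (so manual edits get overwritten)."""
    return spo_property in AD_TO_SPO.values()


def _normalize(value):
    # Multi-valued attributes (e.g. proxyAddresses) compare as sets, strings whitespace-stripped.
    if value is None:
        return None
    if isinstance(value, (list, tuple, set)):
        return frozenset(str(v).strip() for v in value)
    return str(value).strip()


def compare_profile(ad_user: dict, spo_profile: dict) -> dict:
    """Return {spo_property: (directory_value, profile_value)} for each mapped
    attribute present in the directory record whose profile value differs."""
    mismatches = {}
    for ad_attr, spo_prop in AD_TO_SPO.items():
        if ad_attr not in ad_user:
            continue
        expected, actual = ad_user[ad_attr], spo_profile.get(spo_prop)
        if _normalize(expected) != _normalize(actual):
            mismatches[spo_prop] = (expected, actual)
    return mismatches


def sync_overdue(changed_at: datetime, now: datetime) -> bool:
    """True when a directory change is older than the 24-hour window and so should be visible."""
    return now - changed_at > SYNC_WINDOW


def spo_only_properties(spo_profile: dict) -> list:
    """Profile properties the sync never touches; they are set in SPO or by an app."""
    return sorted(p for p in spo_profile if not is_synced(p))


# Constructed sample records (not real tenant data).
SAMPLE_AD_USER = {
    "givenName": "Max", "sn": "Smith", "displayName": "Max Smith",
    "department": "Sales",              # changed in the directory, see run_sample()
    "title": "Account Manager",
    "mail": "m.smith@o365demo2015.onmicrosoft.com",
    "proxyAddresses": ["SMTP:m.smith@o365demo2015.onmicrosoft.com",
                       "smtp:max@o365demo2015.onmicrosoft.com"],
}
SAMPLE_SPO_PROFILE = {
    "FirstName": "Max", "LastName": "Smith", "PreferredName": "Max Smith",
    "Department": "Marketing",          # still the old value: sync has not arrived
    "SPS-JobTitle": "Account Manager",
    "WorkEmail": " m.smith@o365demo2015.onmicrosoft.com ",
    "SPS-ProxyAddresses": ["smtp:max@o365demo2015.onmicrosoft.com",
                           "SMTP:m.smith@o365demo2015.onmicrosoft.com"],  # same set, other order
    "AboutMe": "<p>Hello</p>",          # SPO-only property
}


def run_sample(now: datetime = None) -> dict:
    """Compare the sample records; the department change is assumed to be 30 hours old."""
    now = now or datetime(2015, 3, 2, 12, 0, tzinfo=timezone.utc)
    changed_at = now - timedelta(hours=30)
    mismatches = compare_profile(SAMPLE_AD_USER, SAMPLE_SPO_PROFILE)
    return {
        "mismatches": mismatches,
        "overdue": bool(mismatches) and sync_overdue(changed_at, now),
        "spo_only": spo_only_properties(SAMPLE_SPO_PROFILE),
    }


if __name__ == "__main__":
    print(run_sample())
```

In the sample the only difference in a synced property is Department, the change is 30 hours old, so the result is flagged as overdue (the point at which the post says to open a case with Microsoft), while AboutMe is reported as SPO-only and therefore never expected to come from AAD.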

Which user properties are available in SPO user profiles?

It's also interesting which user properties are available in SPO. Here's the list of the 60 user properties, including their data type, taken from TechNet: Default user profile properties (SharePoint Server 2010):

| User profile property | Display name | User profile service data type |
|---|---|---|
| AboutMe | About me | HTML |
| AccountName | Account name | Person |
| ADGuid | Active Directory Id | binary |
| Assistant | Assistant | Person |
| CellPhone | Mobile phone | string (single-value) |
| Department | Department | string (single-value) |
| Fax | Fax | string (single-value) |
| FirstName | First name | string (single-value) |
| HomePhone | Home phone | string (single-value) |
| LastName | Last name | string (single-value) |
| Manager | Manager | Person |
| Office | Office | string (single-value) |
| PersonalSpace | Personal site | URL |
| PictureURL | Picture | URL |
| PreferredName | Name | string (single-value) |
| PublicSiteRedirect | Public site redirect | URL |
| QuickLinks | Quick links | string (single-value) |
| SID | SID | binary |
| SPS-Birthday | Birthday | date no year |
| SPS-ClaimID | Claim User Identifier | string (single-value) |
| SPS-ClaimProviderID | Claim Provider Identifier | string (single-value) |
| SPS-ClaimProviderType | Claim Provider Type | string (single-value) |
| SPS-DataSource | Data source | string (single-value) |
| SPS-DisplayOrder | Display Order | integer |
| SPS-DistinguishedName | Distinguished Name | string (single-value) |
| SPS-DontSuggestList | Don't Suggest List | Person |
| SPS-Dotted-line | Dotted-line Manager | Person |
| SPS-EmailOptin | Email Notifications | integer |
| SPS-HireDate | Hire date | date |
| SPS-Interests | Interests | string (multi-value) |
| SPS-JobTitle | Job Title | string (single-value) |
| SPS-LastColleagueAdded | Last Colleague Added | date |
| SPS-LastKeywordAdded | Last Keyword Added | date |
| SPS-Location | Office Location | string (single-value) |
| SPS-MemberOf | MemberOf | string (multi-value) |
| SPS-MySiteUpgrade | My Site Upgrade | boolean |
| SPS-ObjectExists | Object Exists | string (single-value) |
| SPS-OWAUrl | Outlook Web Access URL | URL |
| SPS-PastProjects | Past projects | string (multi-value) |
| SPS-Peers | Peers | string (single-value) |
| SPS-PhoneticDisplayName | Phonetic Display Name | string (single-value) |
| SPS-PhoneticFirstName | Phonetic First Name | string (single-value) |
| SPS-PhoneticLastName | Phonetic Last Name | string (single-value) |
| SPS-ProxyAddresses | Proxy addresses | string (multi-value) |
| SPS-ResourceSID | Resource Forest SID | binary |
| SPS-Responsibility | Ask Me About | string (multi-value) |
| SPS-SavedAccountName | Saved Account Name | string (single-value) |
| SPS-SavedSID | Saved SID | binary |
| SPS-School | Schools | string (multi-value) |
| SPS-SipAddress | SIP Address | string (single-value) |
| SPS-Skills | Skills | string (multi-value) |
| SPS-SourceObjectDN | Source Object Distinguished Name | string (multi-value) |
| SPS-StatusNotes | Status Message | string (single-value) |
| SPS-TimeZone | Time Zone | time zone |
| Title | Title | string (single-value) |
| UserName | User name | string (single-value) |
| UserProfile_GUID | Id | unique identifier |
| WebSite | Web site | URL |
| WorkEmail | Work e-mail | E-mail |
| WorkPhone | Work phone | string (single-value) |

I haven't found the same list for SPO 2013, but it seems the properties are the same.
This list is important when setting values with an app (which we do later).

Security Groups

By the way: if you define security groups in AAD (e.g. with users as members)...

...you can of course use these security groups in SharePoint (e.g. as members of a portal site) with the people picker. SPO knows the security groups (and of course the users).

This is also a best practice for defining security settings in SPO.

Why is this important?

Knowing how the synchronization happens helps when building scenarios that rely on user information such as business units, locations, departments or similar user data in SPO or in apps using AAD or SPO user profiles.

Since some user properties are automatically synced, company-specific user information should be put into these synced fields - even if their names may not fit perfectly - because that's the "built-in way" without any apps doing sync work.

That's what we often recommend, because it is simple to configure in your own DirSync.

Sample mappings

Here are some samples for mapping user information into existing fields:

| User information | AD property | SPO user property |
|---|---|---|
| Business unit | division | department |
| Job role | title | SPS-JobTitle |
| Shop number | physicalDeliveryOfficeName | Office |
| Role | manager | Manager |

With DirSync the field mapping can be configured individually; for example, the AD field "extensionAttribute1" can be mapped to the AAD field "manager", and so on. Between AAD and SPO user profiles you cannot configure any mappings.

More options

Of course the AAD and SPO user profile information can also be written by a custom app (for SPO user profiles without going through AAD). That's covered in part 2.

Comments (3)

  • Glynn Oram

    3/17/2015 2:44:37 PM

    Hi
    Great article - I wondered if you may be able to help with a specific issue. The memberOf property of profiles is not being populated. Although security groups are being synced from Azure AD and are making it into SharePoint (you can see that a group has members), this is not making it as far as the actual User Profile, so if I search for a person I don't see any of the groups they are a member of.

    Any help would be greatly appreciated

    Glynn

  • CMAT Exam 2015

    4/24/2015 5:46:40 PM

    Thanks for sharing this great post! That is very interesting. I love reading and I am always searching for informative information like this. Thank you....

  • Milton

    12/6/2015 11:08:11 PM

    Nice detailed article.
    Would like to know if there is any possibility to change the AccountName from
    i:0#.f|membership|m.smith@o365demo2015.onmicrosoft.com
    to display as First Last name.
