Support-Tip: (AADCONNECT): Sync Rules - Precedence
PRODUCTION USED FOR THIS BLOG
- Azure AD Connect v1.1.281.0
- Azure AD Connect v1.1.443.0
| NOTE : In theory, unless something major changes in the product, this will work for pretty much any version of Azure AD Connect. The versions above are just what I utilized during the course of this blog. |
SCENARIO DESCRIPTION / PURPOSE OF THE BLOG
The scenario that I would like to cover in this blog post on Azure AD Connect Synchronization Rules is Sync Rule Precedence. The goal here is to help provide a clear understanding of the order in which Synchronization Rules are executed and who wins in an Attribute Flow conflict.
| NOTE : Snapshots and testing have been done based on the two products documented above |
You ever write a customized synchronization rule and attempt to determine the best place to place the synchronization rule. My hope here is to provide clarify around the topic of Sync Rule Precedence so that you can write a good synchronization rule and have it executed where you need it to be executed based on your internal business rules.
The Azure AD Connect Sync rule around Sync Rule Precedence is the lower numeric value wins in an Attribute Flow Conflict.
| What is an attribute flow conflict? |
| An attribute flow conflict is where you have two or more synchronization rules that are updating the same attribute during a synchronization. |
Now, let's take a look at some test scenario cases.
Review the below snapshot. I created three Synchronization Rules, that are all Inbound Synchronization Rules for the purpose of this blog.
- 2 Provision Sync Rules
- 1 Join Sync Rule
I will be updating only the displayName attribute on the Transformations page with information to identify which Synchronization Rule is winning the attribute flow conflict. The illustration will show that the lower numeric value for Sync Rule Precedence is what controls the resolution for attribute flow conflicts.
- In from AD - Sync Rule Precedence - Provision Rule - Filter = Bob Provision Rule - True
- Transformation: Constant: displayName = Bob Provision Rule - True
- In from AD - Sync Rule Precedence - Provision Rule - Filter = Bob Provision Rule - False
- Transformation: Constant: displayName = Bob Provision Rule - False
- In from AD - Sync Rule Precedence - Join Rule - Filter = Bob Join Rule
- Transformation: Constant: displayName = Bob Join Rule
Based on the above snapshot and knowledge of the rule, we should expect to see the displayName attribute equal "Bob Provision Rule - True". We can utilize the Preview Feature to confirm our thinking.
| NOTE: Previewing Inbound Synchronization Rules, the focus should be on the Import Attribute Flow page of the Preview Feature Dialog. This is because Inbound Synchronization Rules purpose is to take information from Connector Space to the Metaverse. |
The below snapshot displays the "In from AD - Sync Rule Precedence - Provision Rule - Filter = Bob Provision Rule - True" winning the attribute flow conflict.
Ok. Let's move "In from AD - Sync Rule Precedence - Join Rule - Filter = Bob Join Rule" to a lower precedence. Here we give "In from AD - Sync Rule Precedence - Join Rule - Filter = Bob Join Rule" a Sync Rule Precedence of 44, making it the lowest of the three Synchronization Rules in question.
Let's confirm using the Preview Feature - Import Attribute Flow. The below snapshot displays the "In from AD - Sync Rule Precedence - Join Rule - Filter = Bob Join Rule" wins the attribute flow conflict by having the displayName of "Bob Join-Rule".
Understanding now, that the type of Sync Rule (Provision, Join or StickyJoin) does not matter. The Azure AD Connect Sync Rule Precedence for attribute flow conflict is based on the lower numeric value.
In writing this article, I noticed something I found interesting on the Import Attribute Flow page of the Preview Feature Dialog. Based on the below snapshot, it is understood that the "In from AD - Sync Rule Precedence - Join Rule - cloudFiltered = True" would win the attribute flow conflict.
An initial review of the below snapshot taken from the Import Attribute Flow page of the Preview Feature Dialog, would indicate that the "In from AD - Sync Rule Precedence - Provision Rule - Filter = True" Synchronization Rule would be the last one to be executed.
However, this is not quite true.
The listing of Synchronization Rules on the Import Attribute Flow page and/or the Export Attribute Flow page of the Preview Feature Dialog is displayed in the following order grouping:
- Inbound Synchronization Rules - Provision Rule Type
- Inbound Synchronization Rules - Join Rule Type
- Outbound Synchronization Rules
From the above snapshot, one cannot decipher immediately unless you are familiar with the default out-of-the-box Synchronization Rules which is a Provision or Join Synchronization Rule.
Let's explain essentially what we are seeing:
| Provision Sync Rules |
The Provision Synchronization Rules are grouped together and listed at the top of this window. This would indicate that Provision Synchronization Rules will write/update the object last during a Synchronization. The reason for this, is that Azure AD Connect focuses on its ability to work with the existing Joins. If Azure AD Connect Sync is not able to join to an existing object than it will Project/Provision the object to the Metaverse and possibly to the target connector space. I say possibly, because one might set the attribute cloudFiltered to true and allow the object to get to the Metaverse, but not to the Azure AD Connector Connector Space.
 |
| Join Sync Rules |
The Join Rules are grouped together under the Provision Sync Rules. The one with the lower numeric precedence is listed at the top.
 |
| Outbound Sync Rules |
In this particular snapshot, we only have one Outbound Synchronization Rule. I have seen it both ways, to where we have Outbound Synchronization Rules at the top or at the bottom.
|
Questions and Feedback are always welcome. Feel free to reach out to me.
ADDITIONAL REFERENCES
AZURE AD CONNECT DOCS
- Azure AD Connect Sync: Best Practices for changing the default configuration: /en-us/azure/active-directory/connect/active-directory-aadconnectsync-best-practices-changing-default-configuration
- Azure AD Connect Sync: Understanding the default configuration: /en-us/azure/active-directory/connect/active-directory-aadconnectsync-understanding-default-configuration
- Staging Mode: /en-us/azure/active-directory/connect/active-directory-aadconnectsync-operations#staging-mode
AZURE AD CONNECT EXAMPLE CUSTOM SYNC RULES
- How to create a custom AADSync Synchronization Rule for attribute flow (transformation flow): https://blogs.technet.microsoft.com/iamsupport/2016/02/04/aadconnect-sync-rule-info-how-to-create-a-custom-aadsync-synchronization-rule-for-attribute-flow-transformation-flow/
- Filter provisioned CNF Objects: https://blogs.technet.microsoft.com/iamsupport/2016/03/02/aadconnect-sync-rule-info-filter-provisioned-cnf-objects/
- How to deprovision an Azure AD CS Object: https://blogs.technet.microsoft.com/iamsupport/2017/02/09/support-tip-how-to-deprovision-an-azure-ad-cs-object/
AZURE AD SYNC FILTERING
- AADSync – Configure Filtering – Part 1: http://blogs.technet.com/b/steady/archive/2015/01/08/aadsync-configure-filtering-part-1.aspx
- AADSync – Configure Filtering – Part 2: http://blogs.technet.com/b/steady/archive/2015/01/09/aadsync-configure-filtering-part-2.aspx
TERMINOLOGY
- Inbound Synchronization Rules: Takes an object from a Connector Space to the Metaverse. In a common single On-Premise AD to a single Azure Tennant, we will find most, not all, of the Inbound Synchronization Rules to be for On-Premise AD to the Metaverse.
- Outbound Synchronization Rules: Takes an object from the Metaverse to the Target Connector Space.