Entra ID - How Do I Provision an Account or Group to Entra ID?

How can I provision or sync an account or group from the on-prem OU to Entra ID (formerly known as Azure AD)?

This page will help IT Pros provision and sync their user and group objects from on-prem Active Directory to Entra ID (formerly known as Azure AD).

Background Information:

Directory information in Entra ID is synchronized from the on-premises Active Directory via Microsoft Entra Connect. One of the criteria that the Microsoft Entra Connect service looks for is the presence of extensionAttribute2 with the value of 'O365'. This attribute is added automatically when an account or group is mail enabled but can be added manually if an IT Pro would like an account without a mailbox to be provisioned to Entra ID.

The presence of extensionAttribute2=O365 tells the Microsoft Entra Connect service to provision the user or group object to Entra ID. Microsoft Entra Connect will also look for any changes made to these objects since the last sync cycle. The sync cycle interval is 30 minutes, so approximately every half hour, the sync service will do a delta sync which consists of a delta import from both on-prem AD and Entra ID, synchronize the information, and export the changes to both locations.

Note: Certain configuration changes to Microsoft Entra Connect will require full sync instead of the normal delta. A full sync cycle can typically take about 36-48 hours during which no new accounts will be provisioned from on-prem AD to Entra ID nor will any changes be synchronized. Whenever possible we will communicate this ahead of time and create a post on the status page.

How to provision your user or group object to Entra ID:

  • Add extensionAttribute2 with a value of O365.
  • For user objects, make sure the object's UserPrincipalName (UPN) is set, with an appropriate domain (@ad.uillinois.edu, @illinois.edu, or @uillinois.edu).

    Note: The UPN will be the account's login address.

    • If the UPN is not set appropriately, the object may automatically be given a UPN in the @uillinoisedu.onmicrosoft.com domain instead.

The methods listed below for adding extensionAttribute2 require the installation of RSAT: Active Directory Domain Services and Lightweight Directory Services Tools. Starting with the Windows 10 October 2018 Update, RSAT is included as a set of Features on Demand right from Windows 10. Simply go to Manage optional features in Settings and click Add a feature.

You will also need to have write privileges for the OU in which the object resides.

Method 1: Active Directory Users and Computers (ADUC)

You will need to enable the 'Advanced Features' option within ADUC, which is in the 'View' menu:

Screenshot showing the location of 'advanced features' checkbox within ADUC. It is in the 'view' menu

Steps:

  1. Navigate to the user object you want to edit
  2. Double-click on the object or right-click on the object and select 'Properties'
  3. Go to the 'Attribute Editor' tab
  4. Scroll down to extensionAttribute2 and double-click on it, or select it and click on 'Edit'
  5. Type in O365 in the box and click on 'OK'
  6. Click on 'Apply' to apply the changes

Screenshot showing the attribute editor box in the attribute editor tab on a user object in ADUC

The object will be provisioned to Entra ID on the next sync cycle.

Method 2: PowerShell

This is best run from a domain-joined system. While logged in as a user with sufficient permissions on the object you are editing, you can type the following command:

Set-ADUser $useracct -Add @{extensionAttribute2="O365"}

If you want to make sure the change applied, or to check for the presence of the attribute on an account, you can use the following command:

Get-ADUser $useracct -Properties * | Select-Object extensionAttribute2

If you do not have access to a domain-joined system, you will need to use the Get-Credential command and specify a server.

$c = Get-Credential("netid")

Set-ADUser -Credential $c -Server ad.uillinois.edu -Identity $useracct -Add @{extensionAttribute2="O365"}

In the examples above, you'll want to replace $useracct with the SamAccountName of the object you're working with.

The object will be provisioned to Entra ID on the next sync cycle.
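The following PowerShell function is an added example, not part of this article or of Microsoft's tooling: it ties the steps above together by checking that a user's UPN uses one of the approved domains, adding extensionAttribute2=O365 only when it is not already set (for a user or a group), and reading the attribute back to confirm the write. The function name and its parameters are this example's own; it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the KB article): prepare a user or group for Entra Connect sync.
# Requires the RSAT ActiveDirectory module; Enable-EntraSync and its parameters are hypothetical names.
function Enable-EntraSync {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [ValidateSet('User', 'Group')] [string] $ObjectType = 'User',
        [string] $Server,                 # e.g. ad.uillinois.edu when not on a domain-joined system
        [pscredential] $Credential        # e.g. (Get-Credential 'netid')
    )
    # UPN suffixes the article lists as acceptable for synced user accounts
    $allowedSuffixes = @('ad.uillinois.edu', 'illinois.edu', 'uillinois.edu')

    # Pass -Server/-Credential to the AD cmdlets only when they were supplied (splatting)
    $common = @{}
    if ($Server)     { $common.Server = $Server }
    if ($Credential) { $common.Credential = $Credential }

    if ($ObjectType -eq 'User') {
        $obj = Get-ADUser -Identity $SamAccountName -Properties extensionAttribute2, UserPrincipalName @common
        # A missing or unapproved UPN suffix is what leads to an @uillinoisedu.onmicrosoft.com UPN in Entra ID
        $suffix = if ($obj.UserPrincipalName) { $obj.UserPrincipalName.Split('@')[-1] } else { $null }
        if (-not $suffix -or $suffix -notin $allowedSuffixes) {
            throw "UPN '$($obj.UserPrincipalName)' is missing or not in an approved domain; set it before provisioning."
        }
    } else {
        $obj = Get-ADGroup -Identity $SamAccountName -Properties extensionAttribute2 @common
    }

    if ($obj.extensionAttribute2 -eq 'O365') {
        Write-Host "$SamAccountName already has extensionAttribute2=O365; nothing to change."
        return $obj | Select-Object Name, extensionAttribute2
    }

    # extensionAttribute2 is single-valued: -Replace sets it whether it is empty (where the
    # article's -Add is equivalent) or holds a stale value that -Add would reject.
    $attr = @{ extensionAttribute2 = 'O365' }
    if ($ObjectType -eq 'User') { Set-ADUser  -Identity $SamAccountName -Replace $attr @common }
    else                        { Set-ADGroup -Identity $SamAccountName -Replace $attr @common }

    # Read the attribute back so the write is confirmed before waiting on the 30-minute sync cycle
    $verify = if ($ObjectType -eq 'User') {
        Get-ADUser  -Identity $SamAccountName -Properties extensionAttribute2 @common
    } else {
        Get-ADGroup -Identity $SamAccountName -Properties extensionAttribute2 @common
    }
    return $verify | Select-Object Name, extensionAttribute2
}

# Usage from a non-domain-joined system (constructed account name):
# Enable-EntraSync -SamAccountName svc-example -Server ad.uillinois.edu -Credential (Get-Credential 'netid')
```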

MFA Support for manually configured user accounts:

By default, these non-person user accounts will not be enabled for MFA. If the user account needs to access MFA protected resources, you will need to email TechServices-IAMU@illinois.edu to request that the user account be enabled for MFA in Entra ID.



Keywords: azure active directory azuread resource service user account sync connect entra id
Doc ID: 119660
Owner: Identity and Access Management
Group: University of Illinois Technology Services
Created: 2022-07-13 14:37:04
Updated: 2024-04-30 13:43:42
Sites: University of Illinois Technology Services