Configuration for additional attributes

The Azure Active Directory adapter is configured to support all the standard user account attributes that Azure provides. Because collecting additional attributes during reconciliation can degrade performance, support for additional attributes is activated through a configuration file. This file must list the additional attributes that your organization requires.

About this task

The additional attributes that are currently supported must be added to the configuration file. Follow these steps to set up the additional attribute file and configure its path.

Procedure

  1. A sample AzureAD-Attributes.properties file, which lists all the supported additional attributes, is available in the adapter package. The Configuration File Path field is in the Adapter Connector or Service form details.
  2. Specify the file location in the configuration file path.
    For example, C:\Program Files\IBM\TDI\V7.2\timsol\properties\AzureAD-Attributes.properties
    • The file must be in .properties format (follow the steps for setting up the AzureAD-Attributes.properties file).
    • The file must be located on the same machine where the dispatcher is running. For example, <SDI_Solution_Directory>\properties\AzureAD-Attributes.properties.
    • You must provide the full path of the file in the Configuration File Path section of the service form. See Service/Target form details.
  3. Restart the dispatcher service and perform reconciliation.
    Note: Additional Attribute Configuration file
    • The Additional Attributes Configuration file (AzureAD-Attributes.properties) must be a list of comma separated values.
    • Attribute names are case sensitive.
    • A warning message is generated in the SDI log for attributes that can't be processed.
    • If a modification of an additional attribute completes successfully but the attribute is not changed on the target, verify that the attribute exists in the additional attribute configuration file and that its name matches the name given in the Additional User Attributes table.
    • If you update the contents of the configuration file, you must restart the dispatcher and perform a reconciliation.
    • Review the provided list of additional attributes. Determine which attributes are essential, retain only those, and remove the rest from the list. Superfluous attributes can degrade performance.
    Sample File Data
    For example, you can list the attributes in the file as follows; attributes can be included or excluded as needed.
    additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,proxyAddresses,securityIdentifier,signInSessionsValidFromDateTime,imAddresses,provisionedPlans,licenseAssignmentStates,assignedPlans,onPremisesProvisioningErrors,deletedDateTime,signInActivity,division,costCenter,refreshTokensValidFromDateTime,employeeLeaveDateTime,employeeOrgData,manager,manager_FULLSUPPORT
    On Premises Attributes:
    • onPremisesDistinguishedName: Contains the on-premises Azure Active Directory distinguished name or DN.
    • onPremisesDomainName: Contains the on-premises domainFQDN, also called dnsDomainName synchronized from the on-premises directory.
    • onPremisesImmutableId: This property is used to associate an on-premises Azure Active Directory user account to their Azure AD user object.
    • onPremisesLastSyncDateTime: Indicates the last time at which the object was synced with the on-premises directory.
    • onPremisesSamAccountName: Contains the on-premises samAccountName synchronized from the on-premises directory.
    • onPremisesSecurityIdentifier: Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud.
    • onPremisesSyncEnabled: True, if this user object is currently being synced from an on-premises Active Directory (AD). Otherwise the user isn't being synced and can be managed in Azure Active Directory.
    • onPremisesUserPrincipalName: Contains the on-premises userPrincipalName synchronized from the on-premises directory.
    • ageGroup and consentProvidedForMinor: These are optional properties used by Azure Active Directory administrators to help ensure that the use of an account is handled correctly based on the age-related regulatory rules governing the user's country or region. The value of some attributes depends on other attributes, so after you update such attributes, perform a reconciliation to fetch the dependent attribute values.
    • legalAgeGroupClassification: This property is read-only and calculated based on ageGroup and consentProvidedForMinor properties.
    • manager: This property does not support full reconciliation.
    • manager_FULLSUPPORT: To enable full reconciliation in manager property, use this property in additional attribute configuration file.
    • SignIn Activity attributes (Last Interactive Sign In Date and Time, Request Identifier of the Last Interactive Sign In, Last Non Interactive Sign In Date and Time, Request Identifier of the Last Non Interactive Sign In): Retrieving these properties requires an Azure AD Premium P1/P2 license and the AuditLog.Read.All permission.
    Note: In IBM Security Verify Governance Identity Manager, if the date and time values of the Employee Leave Date Time and Employee Hire Date Time attributes are empty, the Never check box is enabled by default.
    The following attributes are not included because they require additional licenses, and some are available only in the beta Graph API:
    • aboutMe - requires a SPO license
    • birthday - requires a SPO license
    • hireDate - requires a SPO license
    • interests - requires a SPO license
    • mySite - requires a SPO license
    • pastProjects - requires a SPO license
    • preferredName - requires a SPO license
    • responsibilities - requires a SPO license
    • schools - requires a SPO license
    • skills - requires a SPO license
    • showInAddressList - Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead
  4. Steps to update Design form in IBM Security Verify Governance Identity Manager
    • Select Configure system > Design forms.
    • Configure the form: add the additional attributes that you want and remove the unneeded ones. (Account > Azure Account > $erazureadditionaldetails)
    • Click Save. Make sure that the same attributes are also listed in the additional attribute configuration file.
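As an added example (not IBM's code), the following Python script checks a trimmed AzureAD-Attributes.properties file against the points in the step 3 note before the dispatcher is restarted: case-sensitive names, the excluded SPO-licensed attributes, duplicates, the license needed for signInActivity, and listing both manager forms. The supported and excluded names are copied from this page; the sample file content is constructed.

```python
# Offline checker for AzureAD-Attributes.properties (added example, not IBM's code); it
# assumes the single-key layout the page shows: additionalAttributes=name,name,...
# Attribute names the page lists as supported (copied from the Sample File Data line).
SUPPORTED = set("""createdDateTime ageGroup businessPhones companyName consentProvidedForMinor
creationType employeeHireDate employeeId employeeType legalAgeGroupClassification
lastPasswordChangeDateTime onPremisesDistinguishedName onPremisesDomainName
onPremisesImmutableId onPremisesLastSyncDateTime onPremisesSamAccountName
onPremisesSecurityIdentifier onPremisesSyncEnabled onPremisesUserPrincipalName
passwordPolicies preferredDataLocation proxyAddresses securityIdentifier
signInSessionsValidFromDateTime imAddresses provisionedPlans licenseAssignmentStates
assignedPlans onPremisesProvisioningErrors deletedDateTime signInActivity division
costCenter refreshTokensValidFromDateTime employeeLeaveDateTime employeeOrgData
manager manager_FULLSUPPORT""".split())
# Names the page says are not included (SPO licence, or managed in the admin center).
EXCLUDED = set("""aboutMe birthday hireDate interests mySite pastProjects preferredName
responsibilities schools skills showInAddressList""".split())

def parse_properties(text):
    """Return the values of the additionalAttributes key in file order ([] if absent)."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "additionalAttributes":
            return [v.strip() for v in value.split(",") if v.strip()]
    return []

def check_attributes(attrs):
    """Sort each requested name into the outcome the Note on step 3 describes."""
    by_lower = {n.lower(): n for n in SUPPORTED}
    report = {"ok": [], "wrong_case": {}, "excluded": [], "unknown": [], "duplicates": []}
    seen = set()
    for name in attrs:
        if name in seen:
            report["duplicates"].append(name)    # listed twice: a typo, not a second attribute
        elif name in SUPPORTED:
            report["ok"].append(name)
        elif name.lower() in by_lower:           # names are case sensitive: this one is skipped
            report["wrong_case"][name] = by_lower[name.lower()]
        elif name in EXCLUDED:
            report["excluded"].append(name)      # needs a licence the adapter does not cover
        else:
            report["unknown"].append(name)       # only produces a warning in the SDI log
        seen.add(name)
    # signInActivity needs Azure AD Premium P1/P2 plus AuditLog.Read.All; both manager forms is redundant.
    report["needs_premium"] = "signInActivity" in report["ok"]
    report["manager_conflict"] = {"manager", "manager_FULLSUPPORT"} <= set(report["ok"])
    return report

# Constructed sample file content (not from the page) that exercises every outcome.
SAMPLE = ("# trimmed to what the organisation needs\n"
          "additionalAttributes=employeeId,EmployeeType,aboutMe,signInActivity,employeeId,manager,manager_FULLSUPPORT,foo\n")
```

Run `check_attributes(parse_properties(open(path).read()))` against your own file; anything under wrong_case, excluded or unknown will not be reconciled.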