AAD Connect - Create Custom Sync Rule with Powershell
Hello everyone,
I recently wrote a blog article on how to create custom sync rules in AAD Connect.
Now I thought it would also be nice to create these sync rules with PowerShell.
Unfortunately there is not much good documentation online for this. The following two websites did help me, though.
Import-Module ADSync
Get-ADSyncRule | ft Identifier, Name, Direction, Precedence
Let's take a look at the custom sync rules (precedence 1-99) that I recently created
Get-ADSyncRule | where {$_.Precedence -lt 100}
Let's focus on one custom sync rule and look at its details
$SyncRules = Get-ADSyncRule | where {$_.Precedence -lt 100}
$SyncRules[0]
$SyncRules[0].ScopeFilter.ScopeConditionList
$SyncRules[0].AttributeFlowMappings
Now I still need the connector
Get-ADSyncConnector | ft name, type, Identifier
I have gathered all the necessary information and can now write the script. It looks as follows and creates a disabled custom sync rule.
#Get the AD Connector
$ADConnector = (Get-ADSyncConnector | ? {$_.Type -eq "Extensible2"})
#Create the Scope Filter Object
$scopefilter1 = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition
$scopefilter1.Attribute = "sourceObjectType"
$scopefilter1.ComparisonOperator = "EQUAL"
$scopefilter1.ComparisonValue = "User"
$scopefilter2 = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition
$scopefilter2.Attribute = "cloudMastered"
$scopefilter2.ComparisonOperator = "NOTEQUAL"
$scopefilter2.ComparisonValue = "True"
$scopefilter3 = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition
$scopefilter3.Attribute = "preferredLanguage"
$scopefilter3.ComparisonOperator = "EQUAL"
$scopefilter3.ComparisonValue = "BE"
#Create the Attribute Flow
$AttributeFlowMappings = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.AttributeFlowMapping
$AttributeFlowMappings.Source = "nl-BE"
$AttributeFlowMappings.Destination = "preferredLanguage"
$AttributeFlowMappings.FlowType = "Constant"
$AttributeFlowMappings.ExecuteOnce = $False
$AttributeFlowMappings.ValueMergeType = "Update"
#Add the Scope Filter to a Scope Group
$scopefiltergroup = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeConditionGroup
$scopefiltergroup.ScopeConditionList.Add($scopefilter1)
$scopefiltergroup.ScopeConditionList.Add($scopefilter2)
$scopefiltergroup.ScopeConditionList.Add($scopefilter3)
#Create the Rule
$GUID = $ADConnector.Identifier.Guid
$NAME = "Out to Azure AD – User preferredLanguageBE DEMO PS"
Add-ADSyncRule -Connector $GUID -Name $Name -SourceObjectType "person" -TargetObjectType "user" -Direction Outbound -AttributeFlowMappings $AttributeFlowMappings -LinkType "Join" -Precedence "5" -ScopeFilter $scopefiltergroup -Disabled
Now let's look at the custom sync rule in the Synchronization Rules Editor.
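The same check can be done from PowerShell. The following script is an added example, not part of the original post: it lists every custom sync rule (precedence 1-99) with its scope conditions and attribute flows in one readable block and warns about any custom rule that is already enabled, so the new rule can be verified before it is switched on. It assumes the ADSync module is present on the AAD Connect server and that the rule objects expose the Disabled, ScopeFilter and AttributeFlowMappings properties shown by Get-ADSyncRule above.

```powershell
# Added example (not from the original post): report on custom sync rules after creation.
# Assumes the ADSync module is installed and that Get-ADSyncRule objects expose
# Disabled, ScopeFilter and AttributeFlowMappings as seen in the output above.
Import-Module ADSync

function Get-CustomSyncRuleReport {
    param(
        # Custom rules live in precedence 1-99; the default Microsoft rules start at 100
        [int]$MaxPrecedence = 99
    )
    Get-ADSyncRule |
        Where-Object { $_.Precedence -le $MaxPrecedence } |
        Sort-Object Precedence |
        ForEach-Object {
            $rule = $_
            # Flatten each scope condition group into "attribute OPERATOR value" text
            $scope = foreach ($group in $rule.ScopeFilter) {
                ($group.ScopeConditionList | ForEach-Object {
                    "$($_.Attribute) $($_.ComparisonOperator) $($_.ComparisonValue)"
                }) -join ' AND '
            }
            # Flatten each attribute flow into "source -> destination (type, merge)" text
            $flows = $rule.AttributeFlowMappings | ForEach-Object {
                "$($_.Source) -> $($_.Destination) ($($_.FlowType), $($_.ValueMergeType))"
            }
            [pscustomobject]@{
                Precedence = $rule.Precedence
                Name       = $rule.Name
                Direction  = $rule.Direction
                Disabled   = $rule.Disabled
                Scope      = ($scope -join ' OR ')
                Flows      = ($flows -join '; ')
            }
        }
}

$report = Get-CustomSyncRuleReport
$report | Format-List

# A freshly created rule should still show Disabled = True until it has been reviewed
$enabled = $report | Where-Object { -not $_.Disabled }
if ($enabled) {
    Write-Warning ("Enabled custom sync rules: " + ($enabled.Name -join ', '))
}
```

Run it on the AAD Connect server in an elevated PowerShell session; the rule created by the script above should appear with Precedence 5, Direction Outbound and Disabled True.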
Kind regards
Andres Bohren