The Azure Back Sync configuration wizard creates a User to User mapping pair with two mapping rules:
Active Roles userPrincipalName = Azure userPrincipalName
OR
Active Roles displayName = Azure displayName
This can produce unexpected mappings and/or ambiguity errors because displayName has no uniqueness constraint in either directory: two distinct objects can carry the same displayName, so whenever the userPrincipalName rule does not match, the displayName rule can match more than one target object.
Groups also have a displayName mapping and suffer from the same issue.
WORKAROUND
With the Active Roles Connector as the source:
Active Roles PowerShell script = Azure OnPremisesSecurityIdentifier
The value of the PowerShell script should be:
New-Object System.Security.Principal.SecurityIdentifier $srcObj["objectSID"], 0
See attached screenshots for details.
This script converts the on-prem binary objectSID (the byte array exposed by the connector; the second argument, 0, is the starting offset within that array) into its string form (S-1-5-21-...), which allows a clean comparison with the string value stored in the Azure OnPremisesSecurityIdentifier attribute for both users and groups. Because a SID identifies exactly one security principal, this mapping cannot produce the ambiguity that displayName can.
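The following is an added example, not part of the One Identity article and not Active Roles code. It reproduces outside of Active Roles what the PowerShell mapping rule above does (decode the raw objectSID byte array into its S-1-... string) and then runs both mapping strategies over a small constructed data set: two source users who share a displayName, as the article warns about. All object names, SIDs and Azure object IDs are made up for the illustration; the SID wire format (revision, sub-authority count, 6-byte big-endian identifier authority, 32-bit little-endian sub-authorities) is the standard one.

```python
import struct
from collections import defaultdict


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID (AD objectSID) into its SDDL string form.

    This is the conversion System.Security.Principal.SecurityIdentifier
    performs in the mapping rule. Malformed input raises ValueError rather
    than producing a SID that would silently fail to match anything.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here only to build constructed fixtures."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not an SDDL SID")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed sample data (hypothetical domain SID, DNs and Azure object IDs).
# Source side: what the Active Roles connector exposes; objectSID is raw bytes.
# Azure side: onPremisesSecurityIdentifier is already a string.
DOMAIN = "S-1-5-21-1-2-3"
SRC_OBJECTS = [
    {"distinguishedName": "CN=John Smith,OU=Sales,DC=corp,DC=example",
     "displayName": "John Smith", "objectSID": sid_string_to_bytes(DOMAIN + "-1104")},
    {"distinguishedName": "CN=John Smith,OU=IT,DC=corp,DC=example",
     "displayName": "John Smith", "objectSID": sid_string_to_bytes(DOMAIN + "-1105")},
]
AZURE_OBJECTS = [
    {"id": "aad-0001", "displayName": "John Smith",
     "onPremisesSecurityIdentifier": DOMAIN + "-1104"},
    {"id": "aad-0002", "displayName": "John Smith",
     "onPremisesSecurityIdentifier": DOMAIN + "-1105"},
]


def map_by_display_name(src_objs, azure_objs):
    """The wizard's displayName rule. Returns {source DN: [azure ids]};
    a list with more than one entry is the ambiguity the article describes."""
    by_name = defaultdict(list)
    for a in azure_objs:
        by_name[a["displayName"]].append(a["id"])
    return {s["distinguishedName"]: by_name.get(s["displayName"], []) for s in src_objs}


def map_by_sid(src_objs, azure_objs):
    """The workaround: decoded objectSID compared with onPremisesSecurityIdentifier.
    Returns {source DN: azure id or None}; at most one target per SID."""
    by_sid = {a["onPremisesSecurityIdentifier"]: a["id"] for a in azure_objs}
    return {s["distinguishedName"]: by_sid.get(sid_bytes_to_string(s["objectSID"]))
            for s in src_objs}


if __name__ == "__main__":
    print("displayName rule:", map_by_display_name(SRC_OBJECTS, AZURE_OBJECTS))
    print("SID rule:        ", map_by_sid(SRC_OBJECTS, AZURE_OBJECTS))
```

Running it shows every "John Smith" on the source side matched to both Azure objects under the displayName rule, while the SID rule maps each to exactly one. To spot-check a single object against Microsoft Graph before changing the mapping, the same string can be obtained in PowerShell with `(New-Object System.Security.Principal.SecurityIdentifier $bytes, 0).Value`, where `$bytes` is the objectSID byte array.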
STATUS
An enhancement request has been created to modify this existing functionality in Active Roles.
Product Management will evaluate the request and this feature may become available in a future release of the product. There are no guarantees that this specific enhancement request will be implemented in a future release. For more information regarding our Enhancement Request policy, refer to our Global Support Guide on the Support Portal at: https://support.oneidentity.com/essentials/support-guide/
© 2024 One Identity LLC. ALL RIGHTS RESERVED.