Blog

Custom Attributes in Entra ID -- Lifecycle

This article is the fifth in a series about Custom Attributes in Entra ID and will discuss the Lifecycle of each of these approaches.

Series: Names and aliases, Naming Conventions, Resource Types, Data Types, Lifecycle, Limitations, Use Cases, Decision Tree

Lifecycle Question    | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes
Has Lifecycle States? |

Continue reading

Custom Attributes in Entra ID -- Data Types

This article is the fourth in a series about Custom Attributes in Entra ID and will discuss the Data Types that each of these approaches can store (Y = supported, N = not supported).

Data Type               | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes
String                  | Y                    | 256 characters       | Y                 | Y               | 64 Characters
Binary                  | N                    | Y                    | Y                 | N               | N
Boolean                 | N                    | Y                    | Y                 | N               | Y
DateTime                | N                    | Y                    | Y                 | N               | N
Integer                 | N                    | Y                    | Y                 | N               | Y
LargeInteger            | N                    | Y                    | N                 | N               | N
Multi-valued Attributes | N                    | Y                    | N                 | Y               | Y
Strongly Typed          | N                    | Y                    | Y                 | N               | Y

If you need to go beyond single-valued string data, then Extension Attributes are out.

Continue reading

Custom Attributes in Entra ID -- Resource Types

This article is the third in a series about Custom Attributes in Entra ID and will discuss the Resource Types that each of these approaches can be attached to (Y = supported, N = not supported).

Resource Type       | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes
servicePrincipal    | N                    | N                    | N                 | N               | Y
user                | Y                    | Y                    | Y                 | Y               | Y
device              | Y                    | Y                    | Y                 | Y               | N
group               | N                    | Y                    | Y                 | Y               | N
administrative unit | N                    | Y                    | Y                 | N               | N
application         | N                    | Y                    | N                 | N               | N
organization        | N                    | Y                    | Y                 | Y               | N
contact             | N                    | N                    | Y                 | Y               | N
event               | N                    | N                    | Y                 | Y               | N
message             | N                    | N                    | Y                 | Y               | N
post                | N                    | N                    | Y                 | Y               | N
todoTask            | N                    | N                    | N                 | Y               | N
todoTaskList        | N                    | N                    | N                 | Y               | N

The most startling thing this table reveals is that the only way to extend Service Principals (aka Enterprise Applications, which also includes Managed Identities) is with Custom Security Attributes.
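Since Custom Security Attributes are the only extension point the table gives for service principals, here is what assigning one and finding every service principal that carries it looks like in Microsoft Graph PowerShell. This is an added example, not code from the original post. It assumes an attribute set named "Sensitivity" with a String attribute "Classification" has already been defined in the tenant, that the signed-in account holds the Attribute Assignment Administrator role, and that the service principal display name is a placeholder you replace.

```powershell
# Added example (not from the original post). Assumptions: attribute set "Sensitivity",
# attribute "Classification" (String) already exist; $spDisplayName is a placeholder.
# CSA assignment needs the CustomSecAttributeAssignment.ReadWrite.All permission, which is
# granted to the Attribute Assignment Administrator role, not to Global Administrator.
Connect-MgGraph -Scopes 'CustomSecAttributeAssignment.ReadWrite.All', 'Application.Read.All'

$spDisplayName = 'Contoso Payroll API'   # placeholder
$sp = Get-MgServicePrincipal -Filter "displayName eq '$spDisplayName'" -Property Id, DisplayName

# The value object must carry the CustomSecurityAttributeValue @odata.type, keyed by attribute set.
$body = @{
    customSecurityAttributes = @{
        Sensitivity = @{
            '@odata.type'  = '#Microsoft.DirectoryServices.CustomSecurityAttributeValue'
            Classification = 'Restricted'
        }
    }
}
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter $body

# customSecurityAttributes is not returned unless you ask for it explicitly.
$check = Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property Id, DisplayName, CustomSecurityAttributes
$check.CustomSecurityAttributes.AdditionalProperties['Sensitivity']

# Inventory: every service principal (Enterprise App or Managed Identity) tagged Restricted.
# Filtering on CSAs is an advanced query, so ConsistencyLevel eventual and $count are required.
Get-MgServicePrincipal -Filter "customSecurityAttributes/Sensitivity/Classification eq 'Restricted'" `
    -ConsistencyLevel eventual -CountVariable restrictedCount -Property Id, DisplayName, ServicePrincipalType |
    Select-Object DisplayName, ServicePrincipalType, Id
```

The inventory query at the end is the reason this matters for security work: because the attribute lives on the service principal itself, the same tag covers user-assigned and system-assigned Managed Identities, which no other attribute type in the table can reach.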

Continue reading

Custom Attributes in Entra ID -- Naming Conventions

This article is the second in a series about Custom Attributes in Entra ID and will discuss the Naming Conventions, so that you can recognize them when you see them in the wild and understand how uniqueness is enforced and guaranteed.

Names

Name or ID           | Example             | Notes
Extension attributes | extensionAttribute1 |

Continue reading

Custom Attributes in Entra ID

Microsoft has had a lot of chefs in the Entra ID kitchen baking up solutions to different problems, and now we have an array of confusing choices about where to put your data. This is the first of a series of posts to help you choose the correct one for you and your needs. In on-premises Active Directory (AD) we only had two: Extension Attributes and Schema Extensions. The Extension Attributes were not part of the AD Schema until you applied the Exchange Schema Extensions, and were created to give you 15 pre-canned places to put some custom string data without having to go through the scary and irreversible process of EXTENDING THE SACRED ACTIVE DIRECTORY SCHEMA.

Continue reading

Cross Tenant Sync for GalSync?

Microsoft Entra ID's Cross Tenant Sync can sync users from one tenant to another. They will sync as External Members or External Guests, and in Exchange Admin they will show as MailUsers. Just be sure that showInAddressList is synced as true, or better yet carries over the showInAddressList value from your source tenant. GalSync done! Yeah! Wait a minute! What about groups? What about contacts? What about internal guests? NO! They are not supported.

Continue reading

MIMWAL Can run PowerShell 3.0 and beyond without PSRemoting or Start-Process!

I just discovered that a colleague had, several years prior, managed to get the MIMWAL PowerShell Activity to run Get-ADUser and other cmdlets from the Active Directory module (which requires PowerShell 3.0 or later) without using PowerShell Remoting or starting a new process with Start-Process. <Caution> Per Eugene Sergeev: this breaks SSPR AuthN workflows. </Caution> So if you aren't using SSPR through MIM, this might be an option for you!

Continue reading

SSL v TLS with EntraID Sync and MIM's Generic LDAP Connector

Everyone knows that SSL is vulnerable and we should therefore use TLS. What isn't well understood is the set of options presented for Binding (authentication) when using the Generic LDAP Connector with AADConnect or the Generic LDAP ECMA 2.x with MIM. We are presented with 5 options: Anonymous, Basic, Kerberos, SSL and TLS. When we tested we could get the SSL option to work over port 636, and we could get the TLS option to work on port 389, but we couldn't get the TLS option to work over port 636.
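The behaviour described above is what you get when "SSL" means LDAPS (TLS negotiated before any LDAP traffic, conventionally on 636) and "TLS" means StartTLS (a plaintext LDAP connection, conventionally on 389, upgraded in-band by an extended operation). The script below is an added example, not code from the original post, that reproduces the three combinations with System.DirectoryServices.Protocols so you can see which one fails and why before touching the connector; the host name is a placeholder and the bind account is whatever you would give the connector.

```powershell
# Added example (not from the original post). Assumption: $ldapHost is a placeholder for the
# LDAP server the connector talks to. Requires .NET Framework / Windows PowerShell.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost = 'ldap.example.com'   # placeholder

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][ValidateSet('LDAPS', 'StartTLS')][string]$Mode,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Basic (simple) bind sends the password in the clear unless the transport is encrypted,
    # which is exactly why the SSL/TLS choice matters here.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        switch ($Mode) {
            # LDAPS: TLS handshake first, LDAP inside it. This is the connector's "SSL" option.
            'LDAPS'    { $conn.SessionOptions.SecureSocketLayer = $true }
            # StartTLS: open plaintext LDAP, then issue the StartTLS extended operation.
            # This is the connector's "TLS" option.
            'StartTLS' { $conn.SessionOptions.StartTransportLayerSecurity($null) }
        }
        $conn.Bind($Credential.GetNetworkCredential())
        return "$Mode on ${Server}:${Port} -> bind OK"
    }
    catch {
        return "$Mode on ${Server}:${Port} -> FAILED: $($_.Exception.GetBaseException().Message)"
    }
    finally {
        $conn.Dispose()
    }
}

$cred = Get-Credential -Message 'LDAP bind DN and password'

Test-LdapBind -Server $ldapHost -Port 636 -Mode LDAPS    -Credential $cred   # works: implicit TLS on 636
Test-LdapBind -Server $ldapHost -Port 389 -Mode StartTLS -Credential $cred   # works: upgrade on 389
# The listener on 636 expects a TLS ClientHello as the first bytes. A plaintext StartTLS
# extended request is not one, so the server drops the connection and this attempt fails.
Test-LdapBind -Server $ldapHost -Port 636 -Mode StartTLS -Credential $cred
```

Either of the two working combinations gives you an encrypted simple bind. The choice between them is about the port your directory team exposes and which side negotiates encryption first, not about one being "SSL" and therefore weaker: with a modern directory both negotiate TLS, and the protocol version actually used is governed by the server's and client's TLS settings, not by the connector label.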

Continue reading

What does MIM's StoreChk.exe do?

I watched through SQL Profiler to better understand what these checks do, and I found an error with check #10. It says it is "Checking Lineage Guid table for MV objects with invalid MV object ids," but the SQL query it issues is the same as the query for check #9, "Checking Lineage Date table for MV objects with invalid MV object ids." It queries the Lineage Date table instead of the Lineage GUID table like it says.

Continue reading

MIM StoreChk.exe Assumes SQL is Local

On occasion you (usually with the help of PSS, Product Support Services) may need to verify the integrity of the MIM Synchronization Service database. To do this you can use the Store Check tool, StoreChk.exe, located in the bin folder under the root of your MIM Synchronization install. While the StoreChk tool does read the registry to find the name of the database (almost always FIMSynchronizationService), it does not read the Server or Instance name registry values in the Parameters key of the registry.
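Before running StoreChk, it is worth confirming whether your sync database actually is on the local default SQL instance, since that is what the tool assumes. The snippet below is an added example, not from the original post: it reads the same Parameters key the sync service uses and flags the remote or named-instance case. The value names Server, SQLInstance and DBName are the ones the MIM Synchronization Service installer writes there; treat them as an assumption to verify against your own build.

```powershell
# Added example (not from the original post). Assumption: the sync service stores its SQL
# location under these value names in its Parameters key (Server, SQLInstance, DBName).
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
$params    = Get-ItemProperty -Path $paramsKey

$server   = $params.Server        # SQL host; empty, '.', or the local name means local
$instance = $params.SQLInstance   # empty means the default instance
$dbName   = $params.DBName        # what StoreChk.exe does read; normally FIMSynchronizationService

# StoreChk.exe picks up DBName but not Server/SQLInstance, so any of these cases means it
# would be checking the wrong (or a non-existent) database: remote host, or a named instance.
$isLocalHost       = [string]::IsNullOrEmpty($server) -or ($server -in @('.', 'localhost', $env:COMPUTERNAME))
$isDefaultInstance = [string]::IsNullOrEmpty($instance)

[pscustomobject]@{
    DBName                = $dbName
    Server                = $server
    SQLInstance           = $instance
    FullSqlName           = if ($isDefaultInstance) { $server } else { "$server\$instance" }
    MatchesStoreChkAssume = $isLocalHost -and $isDefaultInstance
}
```

If MatchesStoreChkAssume comes back False, run the tool from a host where that assumption holds, or expect the check to report against a database other than the one you mean.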

Continue reading