Application Extended attribute for user mapping - how can I populate it when a new Azure AD user is created?

Alejandro Macdonel 21 Reputation points
2021-07-30T15:27:48.763+00:00

We're using Azure Connect to populate Azure with users. There are a couple of attributes that I need to use when provisioning a user to an application, but the user mapping doesn't support some of the attributes for said mapping (onPremisesDistinguishedName and a multi-value extended attribute).

Is there a way to, when a user is synced from AD, have a flow or some automated routine populate a couple of application extended attributes?

Microsoft Entra ID

Accepted answer
  1. Danny Zollner 9,521 Reputation points Microsoft Employee
    2021-08-02T19:34:02.31+00:00

    To succinctly summarize the below: Not all attributes are available for Azure AD Provisioning, and there may not always be a workaround. The longer explanation is:

    The Azure AD Provisioning service uses AAD Graph API to read data from Azure AD, and that API has a limited set of attributes that can be read. This is documented here (https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#editing-the-list-of-supported-attributes) specifically with the link in this bullet point:

    Azure Active Directory (Azure AD Graph API default attributes and custom directory extensions are supported). Learn more about creating extensions and known limitations.

    onPremisesDistinguishedName can only be read via MS Graph, and is therefore not usable by AAD Provisioning.

    Multi-valued directory/schema extensions can be populated by Azure AD Connect, but cannot be read by most (or all? not sure on the current state) services, including AAD Provisioning.

    You also cannot use the Azure AD Connect Directory Extensions feature to extend distinguishedName into Azure AD, as the DN attribute is referential and therefore not eligible for extending.

    Specific to the distinguishedName problem, you should be able to create a custom sync rule in Azure AD Connect to flow the string value of the DN into an empty string attribute - something like ExtensionAttribute15 for instance, and then consume that with Azure AD Provisioning.

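The workaround in the accepted answer (a custom inbound sync rule that copies the AD distinguishedName string into extensionAttribute15) can be scripted in the same shape the Sync Rules Editor's "Export" button produces. The script below is an added example, not code from the thread or from Microsoft. It assumes it is run in an elevated PowerShell session on the Azure AD Connect server with the ADSync module available, that exactly one Active Directory forest is connected (the connector is looked up by ConnectorTypeName 'AD', an assumption about that property), and that extensionAttribute15 is not already in use in the forest. The rule name, precedence 50 and the ISNOTNULL scope filter are choices made for this example.

```powershell
# Added example: custom Azure AD Connect inbound rule, AD distinguishedName -> metaverse extensionAttribute15.
# Assumes the ADSync module (Azure AD Connect server) and a single connected AD forest.
Import-Module ADSync

# Locate the on-premises AD connector. ConnectorTypeName 'AD' is assumed to identify it;
# confirm with: Get-ADSyncConnector | Select-Object Name, ConnectorTypeName, Identifier
$adConnector = Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    Select-Object -First 1
if (-not $adConnector) { throw 'No Active Directory connector found.' }

$ruleName = 'In from AD - User distinguishedName to extensionAttribute15'
if (Get-ADSyncRule | Where-Object { $_.Name -eq $ruleName }) {
    throw "Sync rule '$ruleName' already exists."
}

# Custom rules must use a precedence below 100 so they win over the built-in rules (>= 100).
# 50 is chosen here; make sure no other custom rule already uses it:
#   Get-ADSyncRule | Where-Object { $_.Precedence -lt 100 } | Select-Object Name, Precedence
$precedence = 50
if (Get-ADSyncRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Precedence -eq $precedence }) {
    throw "Another inbound rule already uses precedence $precedence; pick a free value."
}

New-ADSyncRule `
    -Name $ruleName `
    -Identifier ([guid]::NewGuid().ToString()) `
    -Description 'Copies the AD DN string into extensionAttribute15 so Azure AD Provisioning can read it' `
    -Direction 'Inbound' `
    -Precedence $precedence `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $adConnector.Identifier.ToString() `
    -LinkType 'Join' `
    -SoftDeleteExpiry 0 `
    -ImmutableTag '' `
    -OutVariable syncRule

# Direct flow of the connector-space distinguishedName (a string attribute, unlike the
# referential DN itself) into the metaverse string attribute extensionAttribute15.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('distinguishedName') `
    -Destination 'extensionAttribute15' `
    -FlowType 'Direct' `
    -ValueMergeType 'Update' `
    -OutVariable syncRule

# Scope the rule to objects that actually carry a DN value.
New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'distinguishedName', '', 'ISNOTNULL' `
    -OutVariable condition0

Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition0[0]) `
    -OutVariable syncRule

Add-ADSyncRule -SynchronizationRule $syncRule[0]

# One full (Initial) sync cycle is required so the new flow is applied to users that are already joined;
# the regular delta cycle only picks up objects that change afterwards.
Start-ADSyncSyncCycle -PolicyType Initial
```

Two caveats a practitioner should check before enabling this. First, the built-in "In from AD - User Exchange" rule already flows AD's own extensionAttribute15 into the same metaverse attribute; because this custom rule has the lower precedence number it wins, so any existing extensionAttribute15 values in the forest are silently overridden, which is why the attribute must genuinely be unused. Second, the DN exposes your OU layout to every application the provisioning mapping sends it to, so treat it as you would any other directory metadata you hand to a third party. After the initial cycle, the value should appear under the user's onPremisesExtensionAttributes in Microsoft Graph, which is the check that the out-of-box outbound rule did carry it to Azure AD.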

1 additional answer

  1. Alejandro Macdonel 21 Reputation points
    2021-08-03T14:51:06.127+00:00

    Thanks for the direct response ZollnerD.
