question

0 Votes
TonyOJalali-5525 asked ZollnerD commented

Unable to save assigned manager in Azure AD when the sync is enabled

The manager field within Azure AD can be changed, but it fails to save for any user in Azure AD if sync is enabled!

We are using Azure AD along with on-prem AD. Out of 2000 users in AAD, about 150 of them are synced (using AAD Connect). For the synced users, we can change the manager information in Azure AD (such as assigning a different manager), but we are unable to save the changes (due to the account being synced).
Is there a fix if this is an issue?
Is there a way to have sync enabled for "Identity" fields, but for others such as the "Job info" and "Profile info" categories to be changed in Azure AD even when sync is enabled?
If we are not updating, for instance, the Manager information from On-Prem to Azure AD, then why can't we modify it in Azure AD?
Why does the field appear to be read only?

I have heard that as long as "Identity" fields are untouched, we can modify "Job info" and/or "Profile info" fields in Azure AD. I guess when sync is enabled for a user all fields are greyed out and become read only!
Can someone please provide a reason or a link to a solution?
I do not have permission to access on-prem to change the manager there so that it replicates to Azure AD.
In a nutshell, I am using Power Apps to change the attribute of Azure AD without any issues, however for synced users I am unable to save the changes.

azure-ad-connect

1 Answer

1 Vote
AndyDavid answered ZollnerD commented

That's by design, yes.

Manager is a synced attribute and therefore can only be changed on-prem.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized


Hi Andy,
Thank you for your response.
I know that the manager is a synced record by default, but the question remains:
Is it possible to change the default setting and remove Manager from being a synced attribute, so that it is not updated from On-Prem to Azure AD and the manager field can be updated in Azure AD?
It appears that once sync is enabled, no attributes can be changed in Azure AD; even if the default is changed, we still cannot update the manager field or any other field in Azure AD as long as sync is enabled!

0 Votes
ZollnerD (replying to TonyOJalali-5525)

With only a few exceptions (i.e., the mobile phone number attribute and UPN), any attribute that can be synced from on-premises AD must be sourced from on-premises AD. The behaviors are locked and can't be customized. The only way to allow a user's manager to be edited in Azure AD would be for that user to be fully Azure AD managed, rather than synced from on-premises AD.

1 Vote
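As an added example, not code from the thread: a Microsoft Graph PowerShell check that applies the rule Andy and ZollnerD describe, so an automation (such as the Power Apps flow in the question) only attempts the manager write for cloud-managed accounts and reports synced accounts for correction on-prem. It assumes the Microsoft.Graph module, an account holding User.ReadWrite.All, and placeholder UPNs.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Set-CloudManagerIfAllowed {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $ManagerPrincipalName
    )

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesLastSyncDateTime
    $mgr  = Get-MgUser -UserId $ManagerPrincipalName -Property Id,UserPrincipalName

    # OnPremisesSyncEnabled is $true for accounts mastered by Azure AD Connect.
    # Manager is sourced on-prem for those, so a cloud write is rejected;
    # report it instead of attempting the update.
    if ($user.OnPremisesSyncEnabled) {
        return [pscustomobject]@{
            User    = $user.UserPrincipalName
            Applied = $false
            Reason  = "Synced from on-prem (last sync $($user.OnPremisesLastSyncDateTime)); change the manager in on-prem AD."
        }
    }

    # Cloud-only account: the manager reference can be set directly in Azure AD.
    $body = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($mgr.Id)" }
    Set-MgUserManagerByRef -UserId $user.Id -BodyParameter $body

    return [pscustomobject]@{
        User    = $user.UserPrincipalName
        Applied = $true
        Reason  = "Cloud-managed account; manager set to $($mgr.UserPrincipalName)."
    }
}

# Placeholder UPNs: replace with accounts from your own tenant.
Set-CloudManagerIfAllowed -UserPrincipalName "user@contoso.example" `
                          -ManagerPrincipalName "manager@contoso.example"

# Inventory of the accounts whose manager can only be maintained on-prem.
Get-MgUser -Filter "onPremisesSyncEnabled eq true" -All -Property UserPrincipalName |
    Select-Object UserPrincipalName
```

The inventory query at the end is what a Power Apps or Flow author would use to exclude synced accounts from a cloud-side manager edit up front, rather than discovering the failure on save.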