In the first part of this series, I’ve explained how Azure AD Connect version 1.1.553.0 and beyond allows you to switch from objectGUID to mS-DS-ConsistencyGuid as the source anchor attribute, the benefits of doing so and what you may and may not expect when you make the switch.
In this second part, I’ll share the changes Azure AD Connect makes in its synchronization rules, in the Active Directory Federation Services (AD FS) claims transformation rules and a PowerShell script that you can use to grant your custom-managed Azure AD Connect service account permissions to write the mS-DS-ConsistencyGuid attribute in your on-premises Active Directory Domain Services (AD DS) environments.
Determining the version of Azure AD Connect
Now, the first thing you’d want to find out is your version of Azure AD Connect, since the embrace of the mS-DS-ConsistencyGuid attribute as the source anchor is only possible on Azure AD Connect installations running version 1.1.553.0 and up. Also, versions 1.1.561.0 and up of Azure AD Connect implement the change automatically, when you perform a fresh installation of Azure AD Connect.
Perform these steps to determine your version of Azure AD Connect:
- Log on interactively to the Windows Server installation that runs Azure AD Connect.
- Right-click the Start button on the bottom left corner of your screen, or press Win + X simultaneously.
- Select Programs and Features from the top of the context menu.
- In the list below Uninstall or change a program look into the Version column for Microsoft Azure AD Connect.
Perform these steps for all Azure AD Connect installation(s) in your infrastructure. Don’t forget to check and upgrade your Staging Mode servers.
Determining the attribute used as the source anchor for user objects in Azure AD Connect
Perform these steps to determine the current attribute used as source anchor in your Azure AD Connect installation(s):
- Log on interactively to the Windows Server installation that runs Azure AD Connect.
- Open Azure AD Connect using the link on the desktop or by searching for (part of) its name in the Start Screen and then clicking it in the search results.
- Click the Configure button on the Welcome to Azure AD Connect screen.
- Click on View current configuration in the Additional tasks screen.
- Click Next.
- The attribute listed as the Source Anchor for user objects is listed underneath SOURCE ANCHOR in the Synchronization Settings area in the Review Your Solution screen.
Changes in Azure AD Connect's Configuration
The following changes are observed in Azure AD Connects synchronization rules after you switch from objectGUID to mS-DS-ConsistencyGuid as the source anchor attribute in Azure AD Connect:
Global Settings
The Microsoft.SynchronizationOption.AnchorAttribute setting is changed from objectGUID to mS-DS-ConsitencyGuid
Metaverse configuration
The Source fields for the sourceAnchor and sourceAnchorBinary attributes for the Metaverse person have been updated.
AD Connector Configuration
The import flow component for the mS-DS-ConsitencyGUID attribute is enabled next to the previously enabled export flow.
Attribute flows for the AD Connector
The end-to-end import flow for the SourceAnchorBinary attribute for the contact object has been updated.
The end-to-end import flows for the SourceAnchor and SourceAnchorBinary attributes for the inetOrgPerson object has been updated.
The end-to-end import flows for the SourceAnchor and SourceAnchorBinary attributes for the user object has been updated.
The end-to-end export flow for the mS-DS-ConsistencyGuid attribute for the user object has been added.
The inbound provisioning rules have been updated to use the mS-DS-ConsistencyGuid as the Source Attribute.
Attribute flows for the Azure AD Connector
The end-to-end export flows for the dn and sourceAnchor attributes for the contact object have been updated.
The end-to-end export flow for the dn and sourceAnchor attributes for the user object has been added.
This is achieved through changes in the following synchronization rules:
- In from AD – InetOrgPerson AccountEnabled
- In from AD – InetOrgPerson Common
- In from AD – InetOrgPerson Join
- In from AD – User AccountEnabled
- In from AD – User Common
- In from AD – User Join
- Out to AD – User ImmutableId
- Out to AD – User Join SOAInA
… and a bunch of precedence changes, of course.
Granting your Azure AD Connect Service Account permissions to write to the mS-DS-ConsistencyGuid attribute
Use the following command line to grant a custom-managed service account for Azure AD Connect the permissions to write to the mS-DS-ConsistencyGuid attribute throughout your on-premises Active Directory Domain Services (AD DS) environment, when you follow the rules for least administrative privileges for service accounts:
dsacls.exe "OU=Service Accounts,dc=my,dc=domain,dc=tld" /I:S /G "DOMAIN\sa_aadconnect:WP;mS-DS-ConsistencyGUID;user"
Replace OU=Service Accounts,dc=my,dc=domain,dc=tld with the base DN from where you'd want to propagate and replace DOMAIN\sa_aadconnect with the Azure AD Connect service account you want to grant permissions to.
Note:
Run the above command line for all OUs and containers in all Active Directory Domain Services (AD DS) environments in scope of Azure AD Connect synchronization.
Note:
If you want to granularly grant permissions to the service account, create scripts to target each of the Organizational Units (OUs) in scope of Azure AD Connect synchronization, on the highest level, or use the guidance here.
Changes in Active Directory Federation Services (AD FS) claims rules with the mS-DS-ConsistencyGUID attribute as Source Anchor
When you switch from objectGUID to mS-DS-ConsistencyGuid as the source anchor attribute, you’ll see that Azure AD Connect makes the following changes to the Active Directory Federation Services (AD FS) claims rules, when you manage AD FS through Azure AD Connect.
The following claims issuance rule when using ObjectGUID as the Source Anchor:
@RuleName = "Issue Immutable ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
Is replaced with the following four claims issuance rules to accommodate mS-DS-ConsistencyGuid as the Source Anchor:
@RuleName = "Query objectguid and msdsconsistencyguid for custom ImmutableId claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2016/02/identity/claims/objectguid", http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid), query = "samAccountName={0};objectGUID,mS-DS-ConsistencyGuid;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
@RuleName = "Check for the existence of msdsconsistencyguid"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"])
=> add(Type = "urn:federation:tmp/idflag", Value = "useguid");
@RuleName = "Issue msdsconsistencyguid as Immutable ID if it exists"
c:[Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"]
=> issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c.Value);
@RuleName = "Issue objectGuidRule if msdsConsistencyGuid rule does not exist"
c1:[Type == "urn:federation:tmp/idflag", Value =~ "useguid"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/objectguid"]=> issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c2.Value);
Concluding
Now we have a good understanding of what the switch from objectGuid to mS-DS-ConsistencyGuid as the source anchor attribute actually entails, it’s time to perform it.
Join me for Part 3, where I show you how to perform the switch, and do all the work, so you won’t forget any steps.
Thanks for This Great post. If we manual configure adfs and federate a domain, do we need to delete all claim rules on the o365 relying party and add your 4 claim rules?
I do not recommend changing the 'Office 365 Identity Platform' RPT in AD FS manually.
In troubleshooting scenarios, often the process is to recreate the RPT by deleting it and running the Convert-MSOLDomainToFederated PowerShell Cmdlet. When the RPT is 'under management' of Azure AD Connect, you can recreate the RPT using the 'Change user sign in' option in Azure AD Connect, recreating all its special rules (there are more than the ones above).
I started believing that when an organization has (recent versions of) both AD FS and Azure AD Connect, the best things you can do is to configure Azure AD Connect to manage AD FS and configure Azure AD Connect Health on the AD FS Servers and Web Application Proxies. You don't need to setup AD FS through Azure AD Connect to achieve this. You'll still be able to segregate responsibilities and duties between the two teams, but you'll need to communicate more. This way, the organization is able to achieve two goals: The AD FS functionality is extended. The AD FS infrastructure is monitored.
Thanks for your answer. Do you recommend Express over Custom setup? Cause Express configures everything for you with best recommended settings and permissions for sync account.
I feel the consultant in me rear its ugly head with an 'It depends' answer. 😉
I doubt Express Settings are the best settings for each environment. I feel they are the recommended practice for most organizations and always work, but there are some pieces of configuration you won't get when you use the Express Settings, like the ability to use a (group) Managed Service Account (gMSA), reuse current Microsoft SQL Server investments and admin privileges assigned to groups from the current delegation model.
Question: Where in the Metaverse do you view the mS-DS-ConsistencyGuid after synchronization?
Hi Michael,
You don't actually see an attribute for objects called 'mS-DS-ConsistencyGUID' in the metaverse. As you configure Azure AD Connect, you configure it to use the mS-DS-ConsistencyGUID attribute as the SourceAnchor attribute.
Under the hood, the sourceAnchor, or actually the sourceAnchorBinary attribute in the Metaverse get synchronized to the mS-DS-ConsistencyGUID attribute in Active Directory Domain Services.
To see the sourceAnchor in the metaverse, perform these steps:
To view the mS-DS-ConsistencyGUID attribute in Active Directory, perform these steps:
We actually created custom sync rules to use MS-DS-ConsitencyGUID awhile ago since a future forest migration is possible. So the Sync engine has been populating this attribute based on the OGJECTGUID at initial account creation. So our users already have values. Can we change Azure AD connect anchor now using this method? Will it just use the existing values or overwrite them? Does it really matter if it does since it was Azure AD connect that was setting the values in the first place?
Hi Rob,
Azure AD Connect's Synchronization service would detect the old value and new value to be identical, in your case.
Then, no write action would be performed, because Azure AD Connect's logic would not deem one necessary.
You can double-check this behavior when you use CSAnalyzer when combined with a Staging Mode server.
Great post, this is exactly what i have been looking for. Currently we are migrating some users from domain A to domain B, the question was how we can match the onprem users with the users in AAD after migration. We are using objectGUID as source anchor at the moment. Now i will change them to mS-DS-ConsistencyGuid asap and everything should be fine 🙂 But i need to know one thing: We are using ADFS for multiple customers, if i change the source anchor from objectGUID to mS-DS-ConsistencyGuid and Azure AD Connect reconfigures my RPT on ADFS then i need to change the source anchor for all other customers too right? Otherwise they will not be able to login, is that correct? I think all customers use the objectGUID right now.
Hi Markus,
For a while now, the AD FS claims issuance rules for AD FS accommodate the use of both objectGUID and mS-DS-ConsistencyGUID.
Pro Tip! Use the claim rules generator from ADFSHelp to get the latest claims issuance rules for your ‘Office 365 Identity Platform’ Relying Party Trust.
thanks for the great blog.
As far as i understand, claims flow from AD to ADFS to a Relying Party Trust (RPT). and pass 2 sets of claim rules;
from AD called "incoming" claim rules and to an RPT, "outgoing" claim rules.
In the solution you describe you use an outgoing claim for msdsconsistencyguid, but i dont see it anywhere in the incoming claims.
Yet, it does work, so ADFS is able to send the msdsconsistency claim
My question is how, what am i missing?
cheers
Will the PowerShell code for granting my service account permissions take into consideration the need to have the same permissions applied to the AdminSDHolder folder in AD? Otherwise I'm worried this account wouldn't be able to transition the anchor for our Domain Admins?
It will not.
I feel members of the on-premises Domain Admins and Enterprise Admins group have no role in Azure AD. If any of these accounts are compromised, then the entire Active Directory domain is compromised. I consider it a best practice to not synchronize these accounts, together with any groups and user objects in the Users and Built-in containers of any Active Directory environment. Instead, create cloud administrator account and conduct your Azure AD and Microsoft 365 services with these accounts.
For any account that was a member of any of the privileged groups (including the Print Operators and Account Operators), it's a best practice to reset AdminSDHolder to allow for proper inheritance of permissions from the parent OU.
Hi sander – this may be answered already but i'm lost and confused so hopefully you can help.
At present we use the mail attribute as Alternate login ID and have edited the 1st claim rule to this:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
query = "samAccountName={0};mail,objectGUID;{1}",
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID") ,
param = regexreplace(c.Value, "(?[^\\]+)\\(?.+)", "${user}"), param = c.Value);
How does this impact the 4 new claims rules that replace rule #1 ?
Hi Martin,
Your claim rule looks like quite an old version of the typical rule.
You can create the latest version of the claims rules using Microsoft's Azure AD RPT Claim Rules generator.
When you use the latest version, you'll see that currently the first rule in both cases would be:
@RuleName = "Issue UPN"[^\\]+)\\(?.+)", "${user}"), param = c.Value);
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN"), query = "samAccountName={0};mail;{1}", param = regexreplace(c.Value, "(?
The objectGUID logic is removed from this line.
When using objectGUID as the ImmutableID, you'll see the following claims rule:
@RuleName = "Issue Immutable ID"[^\\]+)\\(?.+)", "${user}"), param = c.Value);
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?
When using mS-DS-ConsistencyGUID, you'll see the following four claims rules for all the new logic, replacing the second claims rule of the objectGUID-style rules:
@RuleName = "Query objectguid and msdsconsistencyguid for custom ImmutableId claim"[^\\]+)\\(?.+)", "${user}"), param = c.Value);
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2016/02/identity/claims/objectguid", "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"), query = "samAccountName={0};objectGUID,mS-DS-ConsistencyGuid;{1}", param = regexreplace(c.Value, "(?
@RuleName = "Check for the existence of msdsconsistencyguid"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"])
=> add(Type = "urn:federation:tmp/idflag", Value = "useguid");
@RuleName = "Issue msdsconsistencyguid as Immutable ID if it exists"
c:[Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/msdsconsistencyguid"]
=> issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c.Value);
@RuleName = "Issue objectGuidRule if msdsConsistencyGuid rule does not exist"
c1:[Type == "urn:federation:tmp/idflag", Value =~ "useguid"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2016/02/identity/claims/objectguid"]
=> issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c2.Value);
This may be a silly question, but: the service account that we need to grant permissions is the AD Connector account and not the Sync service account, right?
Hi Rajaneesh,
That is correct.
For more information, please refer tohow to properly delegate Directory permissions to Azure AD Connect service accounts.
If you're (still) synchronizing accounts with memberships in the Enterprise Admins, Schema Admins, Domain Admins, Account Operators, Server Operators, Print Operators and/or Backup Operators groups in Active Directory, please also refer to how to solve Azure AD Connect synchronization errors for objects with adminCount attributes set to 1.