Wednesday, June 14, 2017

SharePoint Online's User Profile Synchronization Process (One-way only!)

SharePoint Online's AD attribute sync process has changed quite a bit from the on-premises SharePoint Server 2016 version (understandably). However, the depth of that change was surprising to me and my colleagues. While researching a solution for users at my current client, Toyota of North America, to upload a photo of themselves and have that photo sync to O365, on-premises Exchange/Skype, and Workday, I dug deep and have listed the changes that were pertinent to my task. Take a look and let me know your thoughts.

The following are my observations after research:
  • Active Directory information only goes in one direction, from the on-premises Active Directory server to SharePoint Online.
  • Data flow: AD on premises -> Azure Active Directory -> SharePoint Online directory store -> SharePoint Online User Profile Service -> SharePoint Online site collection (one-way).
  • The User Profile Sync timer job's run frequency cannot be changed. It runs as part of the regularly scheduled one-way synchronization, which should occur at least every 24 hours.
  • AD Import syncs a subset of the Azure Active Directory attributes that Azure AD Connect syncs. The set of profile properties that AD Import syncs isn't configurable.
  • AD Import maps Azure Active Directory attributes to the following 24 User Profile Application properties (format: Azure AD attribute -> SPO property Name (DisplayName), notes on the next line):

UserPrincipalName -> UserName (User Name)
    The value is used to create the path of the user's OneDrive for Business site collection, for example gherrera@contoso.com and /gherrera_contoso_com/. Replicated to the site collection by WSS Sync.
UserPrincipalName -> AccountName (Account name)
    Stores the claims-encoded User Principal Name, for example i:0#.f|membership|gherrera@contoso.com. This is the value used to look up the user profile.
UserPrincipalName -> SPS-ClaimID (Claim User Identifier)
    Stores the user's claims identifier, which is the User Principal Name, for example gherrera@contoso.com.
UserPrincipalName -> SPS-UserPrincipalName (User Principal Name)
    Stores the User Principal Name of the user, for example gherrera@contoso.com.
GivenName -> FirstName (First name)
    Replicated to the site collection by WSS Sync. For example: Gabriela
sn -> LastName (Last name)
    Replicated to the site collection by WSS Sync. For example: Herrera
Manager -> Manager (Manager)
    Used to determine colleagues, and by the user profile and OneDrive for Business deletion process, so keep it accurate in AD. For more information see KB 3042522, "How user profiles are deleted in SharePoint Online and OneDrive for Business".
DisplayName -> PreferredName (Name)
    Replicated to the site collection by WSS Sync. For example: Gabriela Herrera
telephoneNumber -> WorkPhone (Work phone)
    Replicated to the site collection by WSS Sync. For example: (123) 456-7890
proxyAddresses -> WorkEmail (Work email)
    Taken from proxyAddresses in this order: the entry prefixed SMTP: (upper case, which marks the primary SMTP address), then an entry prefixed smtp: (lower case). The case of the prefix matters. Replicated to the site collection by WSS Sync. For example: gherrera@contoso.com
proxyAddresses -> SPS-SIPAddress (SIP Address)
    Taken from the proxyAddresses entry prefixed sip:. Replicated to the site collection by WSS Sync.
PhysicalDeliveryOfficeName -> Office (Office)
    Replicated to the site collection by WSS Sync.
Title -> Title (Title)
    Replicated to the site collection by WSS Sync.
Title -> SPS-JobTitle (Job Title)
    Contains the same value as Title but is connected to a term set. Not replicated to the site collection.
Department -> Department (Department)
    Replicated to the site collection by WSS Sync.
Department -> SPS-Department (Department)
    Contains the same value as Department but is connected to a term set. Not replicated to the site collections.
WWWHomePage -> PublicSiteRedirect (Public site redirect)
PreferredLanguage -> SPS-MUILanguages (Language Preferences)
    Used by SPO to determine which language a site is displayed in for the user when MUI is enabled.
msExchHideFromAddressList -> SPS-HideFromAddressLists (SPS-HideFromAddressLists)
msExchRecipientTypeDetails -> SPS-RecipientTypeDetails (SPS-RecipientTypeDetails)
ObjectGuid -> ADGuid (Active Directory Id)
    Internal.
DistinguishedName -> SPS-DistinguishedName (Distinguished Name)
    Internal.
ObjectId -> msOnline-ObjectId (msonline-ObjectId)
    Internal.
UserType -> SPS-UserType (SPS-UserType)
    Internal.
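
The rules in that table are easy to misread (which proxy address wins, what the claims-encoded account name looks like, how the OneDrive path is derived), so here is an added example, not code from the original post or from Microsoft, that models AD Import's mapping in PowerShell over a constructed on-premises AD user object. The function names (ConvertTo-SpoProfile, Get-AdImportWarnings) and the sample users are mine, not SPO cmdlets; the OneDrive path derivation assumes only that '@' and '.' become '_', as in the table's example, and the stored form of Manager is passed through because the post does not describe it.

```powershell
# Added example (not from the original post): model of the AD Import mapping
# rules in the table above, applied to a constructed AD user object.
# ConvertTo-SpoProfile and Get-AdImportWarnings are my names, not SPO cmdlets.

function ConvertTo-SpoProfile {
    param([Parameter(Mandatory)][hashtable]$AdUser)

    $upn     = [string]$AdUser.userPrincipalName
    $proxies = @($AdUser.proxyAddresses)

    # proxyAddresses precedence. The prefix case carries meaning: upper-case SMTP:
    # marks the primary address and wins, lower-case smtp: is the fallback, sip:
    # feeds SPS-SIPAddress. -cmatch is case-sensitive; -match would not be.
    $primary   = @($proxies | Where-Object { $_ -cmatch '^SMTP:' })
    $secondary = @($proxies | Where-Object { $_ -cmatch '^smtp:' })
    $sip       = @($proxies | Where-Object { $_ -cmatch '^sip:' })

    $workEmail = $null
    if ($primary.Count -gt 0)       { $workEmail = $primary[0].Substring('SMTP:'.Length) }
    elseif ($secondary.Count -gt 0) { $workEmail = $secondary[0].Substring('smtp:'.Length) }
    $sipAddress = $null
    if ($sip.Count -gt 0) { $sipAddress = $sip[0].Substring('sip:'.Length) }

    # UserName drives the OneDrive for Business site path; '@' and '.' become '_'
    # (gherrera@contoso.com -> /gherrera_contoso_com/), as in the table's example.
    $oneDrivePath = '/' + ($upn -replace '[@.]', '_') + '/'

    [ordered]@{
        UserName                   = $upn
        AccountName                = "i:0#.f|membership|$upn"   # claims-encoded UPN; the profile lookup key
        'SPS-ClaimID'              = $upn
        'SPS-UserPrincipalName'    = $upn
        OneDrivePath               = $oneDrivePath               # derived from UserName; not itself a profile property
        FirstName                  = $AdUser.givenName
        LastName                   = $AdUser.sn
        PreferredName              = $AdUser.displayName
        WorkPhone                  = $AdUser.telephoneNumber
        WorkEmail                  = $workEmail
        'SPS-SIPAddress'           = $sipAddress
        Office                     = $AdUser.physicalDeliveryOfficeName
        Title                      = $AdUser.title
        'SPS-JobTitle'             = $AdUser.title        # same value, term-set-backed, not replicated by WSS Sync
        Department                 = $AdUser.department
        'SPS-Department'           = $AdUser.department   # same value, term-set-backed, not replicated by WSS Sync
        Manager                    = $AdUser.manager      # stored form not described in the post; passed through
        'SPS-HideFromAddressLists' = $AdUser.msExchHideFromAddressList
    }
}

function Get-AdImportWarnings {
    # Pre-sync checks for the two attributes whose absence does the most damage.
    param([Parameter(Mandatory)][hashtable]$AdUser)
    $warnings = @()
    $proxies  = @($AdUser.proxyAddresses)
    if (-not ($proxies | Where-Object { $_ -cmatch '^SMTP:' })) {
        $warnings += 'no upper-case SMTP: proxy address: WorkEmail falls back to a lower-case smtp: entry or stays empty'
    }
    if (-not $AdUser.manager) {
        $warnings += 'manager is empty: colleague calculation and the profile/OneDrive deletion process rely on it'
    }
    return $warnings
}

# Constructed sample user. The primary SMTP: entry is deliberately listed last.
$gabriela = @{
    userPrincipalName          = 'gherrera@contoso.com'
    givenName                  = 'Gabriela'
    sn                         = 'Herrera'
    displayName                = 'Gabriela Herrera'
    telephoneNumber            = '(123) 456-7890'
    proxyAddresses             = @('smtp:gabriela.herrera@contoso.com', 'sip:gherrera@contoso.com', 'SMTP:gherrera@contoso.com')
    physicalDeliveryOfficeName = 'Building 4'
    title                      = 'Security Engineer'
    department                 = 'Information Security'
    manager                    = 'CN=Alex Wilber,OU=Users,DC=contoso,DC=com'
    msExchHideFromAddressList  = $false
}
$spoProfile = ConvertTo-SpoProfile -AdUser $gabriela
$spoProfile.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }

# Constructed contractor account with only a lower-case smtp: entry and no manager.
$contractor = @{
    userPrincipalName = 'jdoe@contoso.com'; givenName = 'Jane'; sn = 'Doe'; displayName = 'Jane Doe'
    proxyAddresses    = @('smtp:jdoe@contoso.com')
}
Get-AdImportWarnings -AdUser $contractor
```

For Gabriela, WorkEmail resolves to gherrera@contoso.com from the SMTP: entry even though the lower-case alias is listed first, and AccountName comes out as i:0#.f|membership|gherrera@contoso.com; the contractor account produces both warnings. To check a real user, pull the attributes with Get-ADUser -Identity <sAMAccountName> -Properties proxyAddresses,manager,title,department,physicalDeliveryOfficeName,msExchHideFromAddressList, copy them into a hashtable, and compare the result with what the PnP PowerShell cmdlet Get-PnPUserProfileProperty -Account <AccountName> returns for the same user.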

There are four processes in the user synchronization pipeline in Office 365:
  • Azure AD Connect: syncs data from your on-premises Active Directory to Azure Active Directory. For more information, see "Integrating your on-premises identities with Azure Active Directory".
  • AAD to SPO Sync: syncs data from Azure Active Directory to the SPO Directory Store.
  • AD Import: Active Directory Import syncs data from the SPO Directory Store to the User Profile Application.
  • WSS Sync: syncs data from the User Profile Application to the SharePoint Online site collection.

Default user profile properties are fed into SharePoint Online from the Office 365 directory service. A SharePoint Online admin can extend them by adding user profile properties, defining user policies, and creating audiences.
SharePoint Online receives profile information from the Office 365 directory service during regularly scheduled one-way synchronization, which should occur at least every 24 hours.
When your organization signs up for and deploys Office 365, user accounts are either:
  • manually created and added to the Office 365 directory service, or
  • synced from an on-premises Active Directory.
If your organization manually created user accounts in the Office 365 directory service, users receive Microsoft Azure Active Directory credentials for signing in to Office 365. These credentials are separate from other desktop or corporate credentials, and you use the Office 365 admin center to make changes to these accounts.
Your organization may instead use the Office 365 Directory Sync (DirSync) tool to populate user information from an on-premises Active Directory. DirSync supports federated single sign-on. (DirSync has since been superseded by Azure AD Connect, the first stage of the pipeline described above.) For information about setting up directory synchronization, see "Set up directory synchronization for Office 365".

The Directory Synchronization tool allows on-premises Active Directory user profiles to be synchronized with the Office 365 directory service, which is then synced with SharePoint Online user profiles. Active Directory information only goes in one direction, from the on-premises Active Directory server to SharePoint Online. This ensures that user information in SharePoint Online reflects the current state of your user data in Active Directory; it also means that corrections to synced properties have to be made in Active Directory, not in SharePoint Online.
Note: Automatic profile synchronization with the Office 365 directory service occurs at regular predetermined intervals. Changes may take up to 24 hours before they appear in a user's profile. With Office 365 for Education, user profiles are not created or synced until a user visits a SharePoint site.
By default, SharePoint Online user profiles are populated by the Office 365 directory service. Basic profile properties, such as a user's first and last name, phone number, and job title, are synchronized. If there are additional properties you'd like to add to user profiles to enhance search and collaboration features within SharePoint, the SharePoint Online admin can create them. See "Add and edit user profile properties" for more info.
Note: Creating a new user profile property in the SharePoint Online admin center does not create that property in the Office 365 directory; this user profile data is unique to SharePoint Online.
As shown in the following illustration, a user's About me page can be composed of properties imported from the Office 365 directory service and of custom SharePoint Online profile properties. For example, the directory service supplies default user profile information such as account names, work telephone numbers, job titles, and work email addresses. Users are not allowed to edit this information.
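
The four-process pipeline and the one-way sync paragraphs above have a practical consequence worth seeing in code: for a synced property the directory value is what SharePoint Online ends up with after the next run, whatever the SPO side held before, while a property created only in the SharePoint Online admin center has no directory source, so it is never touched by the sync and also never reaches Azure AD or on-premises AD. The following is an added example, not code from the original post or from Microsoft, that models one sync run in PowerShell over constructed profile data. Invoke-ProfileSync, Get-SpoOnlyProperties, the $SyncedProperties list (a subset of the table above, not the authoritative set) and the CostCenter custom property are mine.

```powershell
# Added example (not from the original post): one run of the one-way sync
# modelled over constructed data. Names are mine, not SPO cmdlets.

# Properties the sync run treats as directory-owned (subset of the table above).
$SyncedProperties = @('FirstName', 'LastName', 'PreferredName', 'WorkPhone', 'WorkEmail',
                      'Office', 'Title', 'Department', 'Manager')

function Invoke-ProfileSync {
    # Copies every synced property from $Directory into $SpoProfile (mutated in place)
    # and returns the properties it replaced, so you can see which SPO-side values
    # differed from the directory and did not survive the run.
    param(
        [Parameter(Mandatory)][hashtable]$Directory,   # values as AD Import delivers them
        [Parameter(Mandatory)][hashtable]$SpoProfile   # current SPO user profile
    )
    $replaced = @()
    foreach ($name in $SyncedProperties) {
        if (-not $Directory.ContainsKey($name)) { continue }
        if ($SpoProfile[$name] -ne $Directory[$name]) {
            $replaced += [pscustomobject]@{
                Property       = $name
                SpoValue       = $SpoProfile[$name]
                DirectoryValue = $Directory[$name]
            }
            $SpoProfile[$name] = $Directory[$name]
        }
    }
    return $replaced
}

function Get-SpoOnlyProperties {
    # Properties with no directory source: they survive every sync run but never
    # reach Azure AD or on-premises AD, so anything that must exist there (a photo,
    # a cost centre) needs its own feed.
    param([Parameter(Mandatory)][hashtable]$SpoProfile)
    @($SpoProfile.Keys | Where-Object { $SyncedProperties -notcontains $_ })
}

# Constructed directory values for the user, as AD Import would deliver them.
$directory = @{
    FirstName = 'Gabriela'; LastName = 'Herrera'; PreferredName = 'Gabriela Herrera'
    WorkPhone = '(123) 456-7890'; WorkEmail = 'gherrera@contoso.com'
    Office = 'Building 4'; Title = 'Security Engineer'; Department = 'Information Security'
}

# Constructed SPO profile: WorkPhone and Title were changed on the SPO side
# (for example by an admin in Manage User Profiles) and the SPO admin added a
# custom CostCenter property that exists only in SharePoint Online.
$spo = @{
    FirstName = 'Gabriela'; LastName = 'Herrera'; PreferredName = 'Gabriela Herrera'
    WorkPhone = '(555) 010-2020'; WorkEmail = 'gherrera@contoso.com'
    Office = 'Building 4'; Title = 'Principal Security Engineer'; Department = 'Information Security'
    CostCenter = 'CC-4471'
}

$lost = Invoke-ProfileSync -Directory $directory -SpoProfile $spo
$lost | Format-Table Property, SpoValue, DirectoryValue -AutoSize
Get-SpoOnlyProperties -SpoProfile $spo
```

After the run, $lost lists WorkPhone and Title with the SPO-side values that were replaced by the directory values, and Get-SpoOnlyProperties returns CostCenter, which the sync neither touched nor propagated. To turn this into a real drift check, fill $spo from the PnP PowerShell cmdlet Get-PnPUserProfileProperty -Account <AccountName> and $directory from Get-ADUser -Properties output mapped to the property names in the table above.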