azure ad connect sync rule

Question

Hello,

There is one important statement in the AAD-connect architecture that
An object should only have one single sync rule with join rule in scope.

I am trying to interpret this statement.
Is it correct the interpret like

when the object enters into the connector-space from on-prem-AD and when the attribute-based scoping filter of every sync-rule is evaluated one-by-one on that object , the expected end result is that not more then one sync-rule's scoping filter should satisfy that object.

Thanks.

Answer

@testuser7 Thanks for reaching out.

The statement from this AAD Connect architecture article actually talks about the SYNC Rule which contains Scoping filters and Join rules to not contain more than 1 join rule for each unique Connector object. You can have multiple scoping filter and join rules within 1 sync rule and they will work just fine with clauses. Its just that when it comes to the main connector object, if we create another join that will throw error.

lets try to understand that with an example :

In this screenshot you can see multiple sync rules :

If you notice, the object type user has actually 3 sync rules now (I cloned one just for testing) if you go to the cloned one, you will find the Link type which has been set to "JOIN" this means no other sync rule for user object under for AAD connector should have join type otherwise this will result in error. You can have other link types like provision.

Within this cloned sync rule, you can have multiple scoping filter and join rules clubbed with different clauses and all will be evaluated.

Also An object must have a join rule in scope for attributes to flow with the same inbound/outbound direction.

Let me know if you have any questions or need any clarification.

-----------------------------------------------------------------------------------------------------------------

If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.

Answer

Thanks @VipulSparsh-MSFT
It makes sense.

Just to be very specific, if there are 3 sync-rules sr1, sr2 and sr3 and all 3 are with LINK-TYPE=JOIN
now All 3 are sync-rules of LINK-TYPE=JOIN are in the scope of object o1
Only one sync-rule can have the join-rule defined in its configuration.
Let's say join-rule definition is empty in all the 3 rules.

In above case , attributes will flow with the same inbound/outbound direction. Meaning, metaverse object will be updated.
Of course precedence will decide whether attribute A1 of sr1, sr2 or sr3 wins.

I just want to confirm ,
if sr1 has a join-rule defined but that join-definition is not resolving to the same metaverse object then THOUGH THIS RULE IS MEETING THE SCOPING CRITERIA OF THE OBJECT O1, I BELIEVE THE ATTRIBUTES WILL NOT FLOW.

Answer

@testuser7

The logic used behind no join rule under sync rules is as follow :
A Synchronization Rule without any join rules defined applies the attribute flows when another Synchronization Rule joined the objects together or provisioned a new object in the target.

If the join definition is not matching the same metaverse object, no object will be processed.

-----------------------------------------------------------------------------------------------------------------

If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.

Answer

Perfect @VipulSparsh-MSFT
Appreciate you quick response.

I have requested one more clarification at https://video2.skills-academy.com/en-us/answers/questions/58001/azure-ad-connect-group-sync.html
Please look into it.

Thanks.

Share via

azure ad connect sync rule

4 answers

Your answer