Introduction
During one of my engages, the Customer asked me to change the attribute they used as identity source for alternateLoginID from “mail” to another arbitrary attribute. Customer already had in place Azure AD Tenant with a federated domain. At the time of implementation, they choose to implement alternateLoginID using email address as identity so, they deployed AD Connect tool and configured ADFS accordingly. At a certain point, they decided to change the attribute used as identity source for alternateLoginID, because they would not expose their email addresses. I then wrote this guide to help them in changing such configuration, providing script and step-by-step instructions. This guide assumes changing alternateLoginID from “mail” attribute to “extensionattribute12“.
Content
The steps provided in this guide are the following:
- Generate the Powershell script to modify the attribute to be used as new alternateLoginID source (optional)
- Modification of AD Connect configuration
- Uninstallation of AD Connect
- Reinstallation of AD Connect
- Modification of ADFS configuration
This guide is based on ADFS 3.0 (WS 2012 R2).
Generating PowerShell script
The following Powershell script will set into an arbitrary attribute a new value derived from email address. Copy it to a file and give it a name (i.e. set_attribute.ps1).
#### START set_attribute.ps1 SCRIPT ####
param (
[Parameter(Mandatory=$true, HelpMessage="Insert operation type to execute: set/clear.")]
[ValidateSet("set","clear")]
[string]
$Operation,
[Parameter(Mandatory=$true, HelpMessage="Insert the start DN (the DN the search will start from).")]
[string]
$SearchBase,
[Parameter(Mandatory=$true, HelpMessage="Insert attribute to modify (i.e. ExtensionAttribute12).")]
[string]
$Attribute
)
function AssignAttribute{
$logfile = ".\set_attribute.log"
$Users_to_Modify = get-aduser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail | select userprincipalname, distinguishedname, mail
Write-Host
Write-Host -ForegroundColor Yellow ("Setting Attribute " + $Attribute + " to " + $Users_to_Modify.count + " Users")
Write-Host
Write-Host -ForegroundColor Yellow -NoNewline("Confirm ")
$confirmation=Read-Host -Prompt "(Y/N)?"
if($confirmation.ToUpper() -ne "Y") {
Write-Host ("Operation interrupted by user.")
return
}
Add-Content -Path $logfile -Value ("--------------------------- Start -----------------------------------")
foreach ($User in $Users_to_Modify){
$mail_val = $User.mail.split("@") # extract username from email address
$mail_val_new = $mail_val[0] + ".office" + "@" + $mail_val[1] # new address: <user>.office@<domain>
Write-Host -ForegroundColor Green ("Setting Attribute " + $Attribute + " - User: " + $User.userprincipalname + " - Value: " + $mail_val_new)
Add-Content -Path $logfile -Value ($User.userprincipalname + ";" + $mail_val_new)
Set-ADUser -Identity $User.distinguishedname -Add @{$Attribute=$mail_val_new}
$mail_val = $Null
$mail_val_new = $Null
}
Add-Content -Path $logfile -Value ("---------------------------- End ------------------------------------")
}
function RemoveAttribute{
$logfile = ".\clear_attribute.log"
$Users_to_Modify = get-aduser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail | select userprincipalname, distinguishedname, mail
Write-Host
Write-Host -ForegroundColor Yellow("Clearing Attribute " + $Attribute + " to " + $Users_to_Modify.count + " Users")
Write-Host
Write-Host -ForegroundColor Yellow -NoNewline("Confirm ")
$confirmation=Read-Host -Prompt "(Y/N)?"
if($confirmation.ToUpper() -ne "Y") {
Write-Host ("Operation interrupted by user.")
return
}
Add-Content -Path $logfile -Value ("--------------------------- Start -----------------------------------")
foreach ($User in $Users_to_Modify){
Write-Host -ForegroundColor Green ("Clearing Attribute " + $Attribute + " from User: " + $User.userprincipalname)
Add-Content -Path $logfile -Value ($User.userprincipalname)
Set-ADUser -Identity $User.distinguishedname -Clear $Attribute
}
Add-Content -Path $logfile -Value ("---------------------------- End ------------------------------------")
}
cls
$schemaPath = (Get-ADRootDSE).schemaNamingContext
if ( ([adsi]::Exists("LDAP://$searchbase")) -and (Get-ADObject -searchbase $schemaPath -Filter 'ldapdisplayname -like $Attribute')){
Switch ($Operation)
{
set { AssignAttribute }
clear { RemoveAttribute }
}
} else {
Write-Host
Write-Host -ForegroundColor Yellow ("Error in validating the Search Base DN or the attribute to modify")
Write-Host
Write-Host -ForegroundColor Magenta ("Inserted Values - Search Base = " + $SearchBase + " - Attribute: " + $Attribute)
Write-Host
}
#### END set_attribute.ps1 SCRIPT ####
To use the script do the following:
- Copy the script on a machine on which is installed the Active Directory Powershell module (i.e. a domain controller or the AD Connect server);
- Log in to the server with domain admin privileges;
- Open an administrative powershell, go to the folder containing the script and execute the following command:
.\set_attribute.ps1 -Operation Set -SearchBase “OU=OU1,DC=test,DC=contoso,DC=com” -Attribute ExtensionAttribute12
In the previous command replace values for SearchBase and Attribute as needed.
To verify the execution of script is possible to view the attribute of a User within the scope of change, accessing its properties using several tools (i.e. ADUC, ADSIEDIT, etc.).
If needed, it’s possible to clear the value from the attribute executing the following command:
.\set_attribute.ps1 -Operation Clear -SearchBase "OU=OU1,DC=Test,DC=Contoso,DC=Com" -Attribute ExtensionAttribute12
Modification of Azure AD Connect
At the time of writing this guide it was not possible to change in AD Connect the attribute used as alternateLoginID directly: one possible solution was to uninstall and reinstall AD Connect.
Uninstallation of Azure AD Connect
- Connect to the Azure AD Connect server with admin privileges;
- Open the Services console and note the service account used by Azure AD Connect;
- Open the Control Panel, then “Programs and Features”;
- Select the voice “Microsoft Azure AD Connect”, then press Uninstall;
- Select the checkbox “Also uninstall supporting components”, then press Remove;
- At the end press Exit.
Reinstallation of Azure AD Connect
Is recommended to install the updated version of Azure AD Connect available from https://www.microsoft.com/en-us/download/details.aspx?id=47594
- Login to the AD Connect Server with admin privileges;
- Execute the installation package of Azure AD Connect;
- Press Continue in the Welcome Screen;
- Press Customize;
- Insert informations related to the service user account of Azure AD Connect (insert the same account used previously) then press Install;
- Select “Do not configure” then press Next;
- Insert admin credentials of Azure AD / Office 365 tenant and press Next;
- Select the AD forest to sync and press Add Directory;
- Press Next;
- Select as USER PRINCIPAL NAME extensionAttribute12 and press Next;
- Select domain and OU to sync then press next;
- Leave the default and press Next;
- Leave the default and press Next;
- Leave the default and press Next;
- Verify that both checkboxes are NOT selected then press Install;
- At the end press Exit.
Modification of alternateLoginID in ADFS
Now is time to instruct the ADFS to use the new attribute as source for Altenate Login ID… this change is performed with the following steps:
- Connect with admin credentials to the primary ADFS server;
- Open a powershell with admin privileges;
- Verify the present configuration of the AlternateLoginID with the following command:
Get-AdfsClaimsProviderTrust | Select Identifier, AlternateLoginID
The output shows that the used attribute is mail;
- Modify the configuration using the following command:
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID ExtensionAttribute12
- Verify the configuration of AlternateLoginID repeating the command:
Get-AdfsClaimsProviderTrust | Select Identifier, AlternateLoginID
- The output should now indicate extensionAttribute12;
- Open the ADFS admin console;
- In the left part select “Trust Relationship” then “Relying Party Trusts”;
- In the center select “Microsoft Office 365 Identity Platform”;
- In the right part select “Edit Claim Rules…”;
- Select the rule # 1 then press Edit Rule…
- In the Claim Rule, replace the highlighted voice (userPrincipalName) with extensionAttribute12;
Old Claim Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
New Claim Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = “Active Directory”, types = (“http://schemas.xmlsoap.org/claims/UPN”, "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};extensionAttribute12,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
Enable Sync in AD Connect
During the re-installation of AD Connect the sync was not enabled, to have the time to perform the other configuration steps related with alternateLoginID: is now time to enable it.
- Login with Admin credentials to the AD Connect server;
- Open a powershellwith admin privileges and execute the following command:
Set-ADSyncScheduler -SyncCycleEnabled $true
- To verify the correct execution, use the following command:
Get-ADSyncScheduler
- Execute the sync cycle with the following command:
Start-ADSyncSyncCycle -PolicyType Initial
Conclusion
This end the guide: I hope it’ll be usefull to someone looking for changing the “alternateLoginID” configuration.
You must log in to post a comment.