[Troubleshooting] Windows Azure Active Directory Connector - User Objects Not Provisioned to Azure MA Connector Space

Background

This blog is about a custom FIM Solution utilizing the new Windows Azure Active Directory Connector (WAAD).

*NOTE: Not the DirSync Appliance

Problem Statement

User objects are imported successfully from Active Directory into the connector space and projected into the metaverse.  However, the user objects are never provisioned to the Azure MA Connector Space.

Information Gathering / Troubleshooting

  • Verify whether the Metaverse Rules Extension that is included with the Azure Connector for Multi-Forest (also available for download from the TechNet site) is in use
    • If the Metaverse Rules Extension is in use, it contains code that checks for required attributes.
    • If the required attributes are not present on the Metaverse Object (and, for some attributes, if they do not have the correct value), the objects will not be provisioned to the Windows Azure Active Directory (WAAD) Connector Space
    • No error is thrown; the objects are simply not provisioned, which avoids an error on export from the Windows Azure Active Directory (WAAD) Connector Space
    • Based on the code for the metaverse rules extension included with the connector, the following attributes are required in the metaverse for each object type:
    • Required Attributes
      • Person
        • alias
        • mail
        • accountEnable (must also have the value "true")
      • Contact
        • mail
        • targetAddress
      • Group (when it is not a Security Group)
        • alias
        • mail
        • proxyAddresses
      • Security Group
        • samAccountName
      • groupType (required for all groups, security or not)
  • This is based on the code included with the connector.  If the customer has altered that code, or has written their own custom rules extension, the required attributes may differ.
  • Customers may also ask about editing the code for the required-attribute validation.  In theory they could; however, this can create errors on export for the Azure connector if objects are missing certain required attributes.  It is also worth gathering more information about why those attribute values are not being synced, or what the overall goal is in exporting users without all of these attributes.
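As an added diagnostic example (not the connector's or the rules extension's own code), the following Python models the required-attribute gate from the list above and returns the reasons a metaverse object would be silently skipped, so an administrator can see which attribute blocks provisioning. It assumes the security-group test is the security-enabled bit (0x80000000) of AD's groupType attribute; the sample objects are constructed.

```python
SECURITY_ENABLED = 0x80000000  # ADS_GROUP_TYPE_SECURITY_ENABLED bit of groupType

# Attributes required for every object of the type; groups add more below.
REQUIRED = {
    "person": ("alias", "mail", "accountEnable"),
    "contact": ("mail", "targetAddress"),
    "group": ("groupType",),          # groupType is required for all groups
}
NON_SECURITY_GROUP = ("alias", "mail", "proxyAddresses")
SECURITY_GROUP = ("samAccountName",)

def present(mv, attr):
    """An attribute counts only if it carries a non-empty value."""
    return mv.get(attr) not in (None, "", [], ())

def is_security_group(mv):
    """groupType may arrive as a string or a (possibly negative) 32-bit integer."""
    try:
        return bool(int(mv["groupType"]) & SECURITY_ENABLED)
    except (KeyError, ValueError, TypeError):
        return False

def provisioning_blockers(object_type, mv):
    """Reasons the metaverse object would be skipped instead of provisioned to
    the WAAD connector space; an empty list means it passes the gate."""
    object_type = object_type.lower()
    if object_type not in REQUIRED:
        return [f"unsupported object type {object_type!r}"]
    required = list(REQUIRED[object_type])
    if object_type == "group":
        required += SECURITY_GROUP if is_security_group(mv) else NON_SECURITY_GROUP
    blockers = [f"missing {a}" for a in required if not present(mv, a)]
    # Person objects must also have accountEnable equal to "true".
    if object_type == "person" and present(mv, "accountEnable") \
            and str(mv["accountEnable"]).lower() != "true":
        blockers.append(f"accountEnable={mv['accountEnable']!r}, expected 'true'")
    return blockers

# Constructed sample metaverse objects for the walk-through (not real data).
SAMPLES = {
    "jdoe": ("person", {"alias": "jdoe", "mail": "jdoe@contoso.example", "accountEnable": "true"}),
    "disabled-user": ("person", {"alias": "old", "mail": "old@contoso.example", "accountEnable": "false"}),
    "dl-sales": ("group", {"groupType": "2", "alias": "sales", "mail": "sales@contoso.example"}),
    "sg-admins": ("group", {"groupType": -2147483646, "samAccountName": "admins"}),
}

if __name__ == "__main__":
    for name, (kind, mv) in SAMPLES.items():
        print(name, provisioning_blockers(kind, mv) or "would provision")
```

Running it shows that the disabled user and the distribution list without proxyAddresses are held back with no exception raised, which matches the silent behaviour described above.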

Additional Resources