- Article
This topic lists the attributes that are synchronized by Azure AD Connect sync.
The attributes are grouped by the related Azure AD app.
Attributes to sync
A common question iswhat is the list of minimum attributes to sync. The default and recommended approach is to keep the default attributes so that a full GAL (Global Address List) can be built in the cloud and get all the features in Microsoft 365 workloads. In some cases, there are some attributes that your organization does not want synced to the cloud, as these attributes contain sensitive personal data, such as in this example:
See Also
How to charge car ACIn this case, start with the list of attributes in this topic and identify those attributes that would contain personal data and cannot be synced. Then deselect those attributes during installation usingAzure AD app and attribute filtering.
Warning
When deselecting attributes, be careful to deselect only those attributes that absolutely cannot be synchronized. Deselecting other attributes can have a negative impact on features.
Microsoft 365 Apps for enterprise
| attribute name | User | Remark |
|---|---|---|
| accountEnabled | X | Defines whether an account is enabled. |
| cn | X | |
| Display name | X | |
| objectSID | X | mechanical property. AD user ID used to maintain synchronization between Azure AD and AD. |
| pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash synchronization, pass-through authentication, and federation. |
| sameAccountname | X | |
| almostAnker | X | mechanical property. Immutable ID to maintain the relationship between ADDS and Azure AD. |
| useLocation | X | mechanical property. The country/region of the user. Used for license assignment. |
| userPrincipalnaam | X | UPN is the login ID for the user. Usually the same as [mail] value. |
Exchange online
| attribute name | User | Contact | Group | Remark |
|---|---|---|---|---|
| accountEnabled | X | Defines whether an account is enabled. | ||
| altRecipient | X | Vereist Azure AD Connect build 1.1.552.0 of later. | ||
| authorize | X | X | X | |
| C | X | X | ||
| cn | X | X | ||
| co | X | X | ||
| company | X | X | ||
| Landcode | X | X | ||
| department | X | X | ||
| description | X | |||
| Display name | X | X | X | |
| dLMemRejectPerms | X | X | X | |
| dLMemSubmitPerms | X | X | X | |
| extensionAttribuut1 | X | X | X | |
| extensionAttribuut10 | X | X | X | |
| extensionAttribuut11 | X | X | X | |
| extensionAttribuut12 | X | X | X | |
| extensionAttribuut13 | X | X | X | |
| extensionAttribuut14 | X | X | X | |
| extensionAttribuut15 | X | X | X | |
| extensionAttribuut2 | X | X | X | |
| extensionAttribuut3 | X | X | X | |
| extensionAttribuut4 | X | X | X | |
| extensionAttribuut5 | X | X | X | |
| extensionAttribuut6 | X | X | X | |
| extensionAttribuut7 | X | X | X | |
| extensionAttribuut8 | X | X | X | |
| extensionAttribuut9 | X | X | X | |
| fax phone number | X | X | ||
| given name | X | X | ||
| homePhone | X | X | ||
| information | X | X | X | This attribute is not currently used for groups. |
| initials | X | X | ||
| I | X | X | ||
| legacyExchangeDN | X | X | X | |
| mailNickname | X | X | X | |
| managed by | X | |||
| manager | X | X | ||
| lid | X | |||
| mobile | X | X | ||
| msDS-HABSeniorityIndex | X | X | X | |
| msDS-PhoneticDisplayName | X | X | X | |
| msExchArchiveGUID | X | |||
| msExchArchiveName | X | |||
| msExchAssistantName | X | X | ||
| msExchAuditAdmin | X | |||
| msExchAuditDelegate | X | |||
| msExchAuditDelegateAdmin | X | |||
| msExchAuditOwner | X | |||
| msExchBlockedSendersHash | X | X | ||
| msExchBypassAudit | X | |||
| msExchBypassModerationLink | X | Available in Azure AD Connect version 1.1.524.0 | ||
| msExchCoManagedByLink | X | |||
| msExchDelegateListLink | X | |||
| msExchELCExpirySuspensionEnd | X | |||
| msExchELCExpirySuspensionStart | X | |||
| msExchELCMailboxFlags | X | |||
| msExchEnableModeration | X | X | ||
| msExchExtensionCustomAttribute1 | X | X | X | This attribute is not currently used by Exchange Online. |
| msExchExtensionCustomAttribute2 | X | X | X | This attribute is not currently used by Exchange Online. |
| msExchExtensionCustomAttribute3 | X | X | X | This attribute is not currently used by Exchange Online. |
| msExchExtensionCustomAttribute4 | X | X | X | This attribute is not currently used by Exchange Online. |
| msExchExtensionCustomAttribute5 | X | X | X | This attribute is not currently used by Exchange Online. |
| msExchHideFromAddressLists | X | X | X | |
| msExchImmutableID | X | |||
| msExchLitigationHoldDate | X | X | X | |
| msExchLitigationHoldOwner | X | X | X | |
| msExchMailboxAuditEnable | X | |||
| msExchMailboxAuditLogAgeLimit | X | |||
| msExchMailboxGuid | X | |||
| msExchModeratedByLink | X | X | X | |
| msExchModerationFlags | X | X | X | |
| msExchRecipientDisplayType | X | X | X | |
| msExchRecipientTypeDetails | X | X | X | |
| msExchRemoteRecipientType | X | |||
| msExchRequireAuthToSendTo | X | X | X | |
| msExchResourceCapacity | X | |||
| msExchResourceDisplay | X | |||
| msExchResourceMetaData | X | |||
| msExchResourceSearchProperties | X | |||
| msExchRetentionComment | X | X | X | |
| msExchRetentie-URL | X | X | X | |
| msExchSafeRecipientsHash | X | X | ||
| msExchSafeSendersHash | X | X | ||
| msExchSenderHintTranslations | X | X | X | |
| msExchTeamMailboxExpiry date | X | |||
| msExchTeamMailboxOwners | X | |||
| msExchTeamMailboxSharePointUrl | X | |||
| msExchUserHoldPolicies | X | |||
| msOrg-IsOrganizational | X | |||
| objectSID | X | X | mechanical property. AD user ID used to maintain synchronization between Azure AD and AD. | |
| oOFReplyToOriginator | X | |||
| other facsimile phone | X | X | ||
| andereHomePhone | X | X | ||
| other phone | X | X | ||
| semaphore | X | X | ||
| physicalDeliveryOfficeName | X | X | ||
| Postcode | X | X | ||
| proxyAdressen | X | X | X | |
| public delegates | X | X | X | |
| pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password sync and federation. | ||
| reportToOriginator | X | |||
| reportToOwner | X | |||
| sn | X | X | ||
| almostAnker | X | X | X | mechanical property. Immutable ID to maintain the relationship between ADDS and Azure AD. |
| st | X | X | ||
| Address | X | X | ||
| destination address | X | X | ||
| phoneAssistant | X | X | ||
| phone number | X | X | ||
| thumbnail photo | X | X | Periodically synced with M365 profile picture. Administrators can set the frequency of synchronization by changing the Azure AD Connect value. Please note that if users change their photo both on-premises and in the cloud within a time span shorter than the Azure AD Connect value, we cannot guarantee that the latest photo will be displayed. | |
| title | X | X | ||
| unauthorizedOrig | X | X | X | |
| useLocation | X | mechanical property. The country/region of the user. Used for license assignment. | ||
| user certificate | X | X | ||
| userPrincipalnaam | X | UPN is the login ID for the user. Usually the same as [mail] value. | ||
| userSMIMECertificates | X | X | ||
| wWWStart page | X | X |
| attribute name | User | Contact | Group | Remark |
|---|---|---|---|---|
| accountEnabled | X | Defines whether an account is enabled. | ||
| authorize | X | X | X | |
| C | X | X | ||
| cn | X | X | ||
| co | X | X | ||
| company | X | X | ||
| Landcode | X | X | ||
| department | X | X | ||
| description | X | X | X | |
| Display name | X | X | X | |
| dLMemRejectPerms | X | X | X | |
| dLMemSubmitPerms | X | X | X | |
| extensionAttribuut1 | X | X | X | |
| extensionAttribuut10 | X | X | X | |
| extensionAttribuut11 | X | X | X | |
| extensionAttribuut12 | X | X | X | |
| extensionAttribuut13 | X | X | X | |
| extensionAttribuut14 | X | X | X | |
| extensionAttribuut15 | X | X | X | |
| extensionAttribuut2 | X | X | X | |
| extensionAttribuut3 | X | X | X | |
| extensionAttribuut4 | X | X | X | |
| extensionAttribuut5 | X | X | X | |
| extensionAttribuut6 | X | X | X | |
| extensionAttribuut7 | X | X | X | |
| extensionAttribuut8 | X | X | X | |
| extensionAttribuut9 | X | X | X | |
| fax phone number | X | X | ||
| given name | X | X | ||
| hide DL membership | X | |||
| house phone | X | X | ||
| information | X | X | X | |
| initials | X | X | ||
| ipPhone | X | X | ||
| I | X | X | ||
| X | X | X | ||
| mail nickname | X | X | X | |
| managed by | X | |||
| manager | X | X | ||
| lid | X | |||
| Middle name | X | X | ||
| mobile | X | X | ||
| msExchTeamMailboxExpiry date | X | |||
| msExchTeamMailboxOwners | X | |||
| msExchTeamMailboxSharePointLinkedBy | X | |||
| msExchTeamMailboxSharePointUrl | X | |||
| objectSID | X | X | mechanical property. AD user ID used to maintain synchronization between Azure AD and AD. | |
| oOFReplyToOriginator | X | |||
| other facsimile phone | X | X | ||
| andereHomePhone | X | X | ||
| otherIpPhone | X | X | ||
| otherMobile | X | X | ||
| other pagers | X | X | ||
| other phone | X | X | ||
| semaphore | X | X | ||
| physicalDeliveryOfficeName | X | X | ||
| Postcode | X | X | ||
| mailbox | X | X | This attribute is not currently used by SharePoint Online. | |
| Preferred Language | X | |||
| proxyAdressen | X | X | X | |
| pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash synchronization, pass-through authentication, and federation. | ||
| reportToOriginator | X | |||
| reportToOwner | X | |||
| sn | X | X | ||
| almostAnker | X | X | X | mechanical property. Immutable ID to maintain the relationship between ADDS and Azure AD. |
| st | X | X | ||
| Address | X | X | ||
| destination address | X | X | ||
| phoneAssistant | X | X | ||
| phone number | X | X | ||
| thumbnail photo | X | X | Periodically synced with M365 profile picture. Administrators can set the frequency of synchronization by changing the Azure AD Connect value. Please note that if users change their photo both on-premises and in the cloud within a time span shorter than the Azure AD Connect value, we cannot guarantee that the latest photo will be displayed. | |
| title | X | X | ||
| unauthorizedOrig | X | X | X | |
| url | X | X | ||
| useLocation | X | mechanical property. The country/region of the user | ||
| . Used for license assignment. | ||||
| userPrincipalnaam | X | UPN is the login ID for the user. Usually the same as [mail] value. | ||
| wWWStart page | X | X |
Teams and Skype for Business Online
| attribute name | User | Contact | Group | Remark |
|---|---|---|---|---|
| accountEnabled | X | Defines whether an account is enabled. | ||
| C | X | X | ||
| cn | X | X | ||
| co | X | X | ||
| company | X | X | ||
| department | X | X | ||
| description | X | X | X | |
| Display name | X | X | X | |
| fax phone number | X | X | X | |
| given name | X | X | ||
| house phone | X | X | ||
| ipPhone | X | X | ||
| I | X | X | ||
| X | X | X | ||
| mailNickname | X | X | X | |
| managed by | X | |||
| manager | X | X | ||
| lid | X | |||
| mobile | X | X | ||
| msExchHideFromAddressLists | X | X | X | |
| msRTCSIP Application Options | X | |||
| msRTCSIP-DeploymentLocator | X | X | ||
| msRTCSIP Line | X | X | ||
| msRTCSIP-OptionFlags | X | X | ||
| msRTCSIP-OwnerUrn | X | |||
| msRTCSIP-PrimaryUserAddress | X | X | ||
| msRTCSIP-UserEnabled | X | X | ||
| objectSID | X | X | mechanical property. AD user ID used to maintain synchronization between Azure AD and AD. | |
| other phone | X | X | ||
| physicalDeliveryOfficeName | X | X | ||
| Postcode | X | X | ||
| Preferred Language | X | |||
| proxyAdressen | X | X | X | |
| pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash synchronization, pass-through authentication, and federation. | ||
| sn | X | X | ||
| almostAnker | X | X | X | mechanical property. Immutable ID to maintain the relationship between ADDS and Azure AD. |
| st | X | X | ||
| Address | X | X | ||
| phone number | X | X | ||
| thumbnail photo | X | X | Periodically synced with M365 profile picture. Administrators can set the frequency of synchronization by changing the Azure AD Connect value. Please note that if users change their photo both on-premises and in the cloud within a time span shorter than the Azure AD Connect value, we cannot guarantee that the latest photo will be displayed. | |
| title | X | X | ||
| useLocation | X | mechanical property. The country/region of the user. Used for license assignment. | ||
| userPrincipalnaam | X | UPN is the login ID for the user. Usually the same as [mail] value. | ||
| wWWStart page | X | X |
Azure-RMS
| attribute name | User | Contact | Group | Remark |
|---|---|---|---|---|
| accountEnabled | X | Defines whether an account is enabled. | ||
| cn | X | X | Common name or alias. Usually the prefix of [mail] value. | |
| Display name | X | X | X | A string representing the name often shown as the friendly name (first name last name). |
| X | X | X | full email address. | |
| lid | X | |||
| objectSID | X | X | mechanical property. AD user ID used to maintain synchronization between Azure AD and AD. | |
| proxyAdressen | X | X | X | mechanical property. Used by Azure AD. Contains all of the user's secondary email addresses. |
| pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. | ||
| almostAnker | X | X | X | mechanical property. Immutable ID to maintain the relationship between ADDS and Azure AD. |
| useLocation | X | mechanical property. The country/region of the user. Used for license assignment. | ||
| userPrincipalnaam | X | This UPN is the login ID for the user. Usually the same as [mail] value. |
In tune
| attribute name | User | Contact | Group | Remark |
|---|---|---|---|---|
| accountEnabled | X | Defines whether an account is enabled. | ||
| C | X | X | ||
| cn | X | X | ||
| description | X | X | X | |
| Display name | X | X | X | |
| X | X | X | ||
| mail nickname | X | X | X | |
| lid | X | |||
| objectSID | X | X | mechanical property. AD user ID used to maintain synchronization between Azure AD and AD. | |
| proxyAdressen | X | X | X | |
| pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash synchronization, pass-through authentication, and federation. | ||
| almostAnker | X | X | X | mechanical property. Immutable ID to maintain the relationship between ADDS and Azure AD. |
| useLocation | X | mechanical property. The country/region of the user. Used for license assignment. | ||
| userPrincipalnaam | X | UPN is the login ID for the user. Usually the same as [mail] value. |
Dynamic CRM
| attribute name | User | Contact | Group | Remark |
|---|---|---|---|---|
| accountEnabled | X | Defines whether an account is enabled. | ||
| C | X | X | ||
| cn | X | X | ||
| co | X | X | ||
| company | X | X | ||
| Landcode | X | X | ||
| description | X | X | X | |
| Display name | X | X | X | |
| fax phone number | X | X | ||
| given name | X | X | ||
| I | X | X | ||
| managed by | X | |||
| manager | X | X | ||
| lid | X | |||
| mobile | X | X | ||
| objectSID | X | X | mechanical property. AD user ID used to maintain synchronization between Azure AD and AD. | |
| physicalDeliveryOfficeName | X | X | ||
| Postcode | X | X | ||
| Preferred Language | X | |||
| pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash synchronization, pass-through authentication, and federation. | ||
| sn | X | X | ||
| almostAnker | X | X | X | mechanical property. Immutable ID to maintain the relationship between ADDS and Azure AD. |
| st | X | X | ||
| Address | X | X | ||
| phone number | X | X | ||
| title | X | X | ||
| useLocation | X | mechanical property. The country/region of the user. Used for license assignment. | ||
| userPrincipalnaam | X | UPN is the login ID for the user. Usually the same as [mail] value. |
Third Party Applications
This group is a set of attributes used as the minimum attributes needed for a generic workload or application. It can be used for a workload not listed in another section or for a non-Microsoft app. It is used explicitly for the following:
- Yammer (only User is consumed)
- Hybrid Business-to-Business (B2B) cross-org collaboration scenarios provided by resources such as SharePoint
This group is a set of attributes that can be used if the Azure AD directory is not used to support Microsoft 365, Dynamics, or Intune. It has a small set of core attributes. Note that single sign-on or provisioning for some third-party applications requires configuring attribute synchronization in addition to those described here. The application requirements are described in theTutorial SaaS appfor every application.
| attribute name | User | Contact | Group | Remark |
|---|---|---|---|---|
| accountEnabled | X | Defines whether an account is enabled. | ||
| cn | X | X | ||
| Display name | X | X | X | |
| employeeID | X | |||
| given name | X | X | ||
| X | X | |||
| managed by | X | |||
| mailNickName | X | X | X | |
| lid | X | |||
| objectSID | X | mechanical property. AD user ID used to maintain synchronization between Azure AD and AD. | ||
| proxyAdressen | X | X | X | |
| pwdLastSet | X | mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash synchronization, pass-through authentication, and federation. | ||
| sn | X | X | ||
| almostAnker | X | X | X | mechanical property. Immutable ID to maintain the relationship between ADDS and Azure AD. |
| useLocation | X | mechanical property. The country/region of the user. Used for license assignment. | ||
| userPrincipalnaam | X | UPN is the login ID for the user. Usually the same as [mail] value. |
Windows 10
A computer (device) that is a member of a Windows 10 domain synchronizes some attributes with Azure AD. For more information about the scenarios, seeConnect domain-joined devices to Azure AD for Windows 10 experiences. These attributes are always synced and Windows 10 will not appear as an app that you can deselect. A computer that is a member of a Windows 10 domain is identified by having the userCertificate attribute populated.
| attribute name | Device | Remark |
|---|---|---|
| accountEnabled | X | |
| deviceTrustType | X | Hard-coded value for domain-joined computers. |
| Display name | X | |
| ms-DS-CreatorSID | X | Also called RegisteredOwnerReference. |
| objectGUID | X | Also referred to as device ID. |
| objectSID | X | Also known as onPremisesSecurityIdentifier. |
| operating system | X | Also called deviceOSType. |
| operatingSystemVersion | X | Also called deviceOSVersion. |
| user certificate | X |
These attributes foruserare in addition to the other apps you have selected.
| attribute name | User | Remark |
|---|---|---|
| domainFQDN | X | Also called dnsDomainName. For example, contoso.com. |
| domainNetBios | X | Also called netBiosName. For example CONTOSO. |
| msDS-KeyCredentialLink | X | Once the user is enrolled in Windows Hello for Business. |
Exchange hybrid writeback
These attributes are written back from Azure AD to on-premises Active Directory when you choose to enableWissel hybrid of. Depending on your Exchange version, fewer attributes can be synchronized.
| Attribute name (on-premises AD) | Attribute Name (Connect UI) | User | Contact | Group | Remark |
|---|---|---|---|---|---|
| msDS-ExternDirectoryObjectID | ms-DS-Externe-Directory-Object-Id | X | Derived from cloudAnchor in Azure AD. This attribute is new in Exchange 2016 and Windows Server 2016 AD. | ||
| msExchArchiveStatus | ms-Exch-ArchiveStatus | X | Online Archive: Allows customers to archive email. | ||
| msExchBlockedSendersHash | ms-Exch-BlockedSendersHash | X | Filtering: Writes back on-premises filtering and online safe and blocked sender data from customers. | ||
| msExchSafeRecipientsHash | ms-Exch-SafeRecipientsHash | X | Filtering: Writes back on-premises filtering and online safe and blocked sender data from customers. | ||
| msExchSafeSendersHash | ms-Exch-SafeSendersHash | X | Filtering: Writes back on-premises filtering and online safe and blocked sender data from customers. | ||
| msExchUCVoiceMail Settings | ms-Exch-UCVoiceMailSettings | X | Enable Unified Messaging (UM) - Online Voicemail - Used by Microsoft Lync Server integration to indicate to Lync Server on-premises that the user has voicemail in online services. | ||
| msExchUserHoldPolicies | ms-Exch-UserHoldPolicies | X | Litigation Hold: Enables cloud services to determine which users are under Litigation Hold. | ||
| proxyAdressen | proxyAdressen | X | X | X | Only the Exchange Online x500 address is inserted. |
| public delegates | ms-Exch-Public-Delegates | X | Allows an Exchange Online mailbox to grant SendOnBehalfTo privileges to users with a local Exchange mailbox. Requires Azure AD Connect build 1.1.552.0 or later. |
Openbare Exchange Mail-map
These attributes are synced from on-premises Active Directory to Azure AD when you choose to enableOpenbare Exchange Mail-map.
| attribute name | public folder | Remark |
|---|---|---|
| Display name | X | |
| X | ||
| msExchRecipientTypeDetails | X | |
| objectGUID | X | |
| proxyAdressen | X | |
| destination address | X |
Write back device
Device objects are created in Active Directory. These objects can be Azure AD-joined devices or domain-joined Windows 10 computers.
| attribute name | Device | Remark |
|---|---|---|
| altSecurityIdentities | X | |
| Display name | X | |
| dn | X | |
| msDS-CloudAnchor | X | |
| msDS-DeviceID | X | |
| msDS-DeviceObjectVersion | X | |
| msDS-DeviceOSType | X | |
| msDS-DeviceOSVersion | X | |
| msDS-DevicePhysicalID's | X | |
| msDS-KeyCredentialLink | X | Only with Windows Server 2016 AD schema |
| msDS-IsCompliant | X | |
| msDS-IsEnabled | X | |
| msDS-IsManaged | X | |
| msDS-RegisteredOwner | X |
Notes
- When you use an alternate ID, the on-premises userPrincipalName attribute is synchronized with the Azure AD onPremisesUserPrincipalName attribute. The Alternate ID attribute, e.g. email, is synchronized with the Azure AD userPrincipalName attribute.
- While uniqueness is not enforced for the Azure AD onPremisesUserPrincipalName attribute, it is not supported to synchronize the same UserPrincipalName value with the Azure AD onPremisesUserPrincipalName attribute across multiple different Azure AD users.
- In the lists above, the object typeUseralso applies to the object typeiNetOrgPerson.
Next steps
Learn more about theAzure AD Connect syncconfiguration.
Learn more aboutIntegrate your on-premises identities with Azure Active Directory.