Guest Users
What is a Guest User?
A guest user is a Microsoft Entra ID business-to-business (B2B) account used to enable collaboration between Microsoft cloud organizations.
For more context and details check out Microsoft’s document on the topic, What is guest user access in Microsoft Entra ID B2B?
Can I create, update and delete Guest user objects with Directory Sync?
Yes, Directory Sync provides create, update and delete capabilities to keep your multiple identities, objects and properties in sync for short-term and long-term integration needs.
There are two additional options for creating users in a target cloud directory, highlighted below. The image shows the Template wizard, where you manage how users are created.
Figure 1: Example Template Wizard - Create New Users – Guest Options
What does the Guest User option do?
The Guest User option (see figure 1) will create a user object with the type of Guest within the destination directory configured in the workflow. This user’s password will be set and managed within the target directory management controls. This user’s UPN, Display Name and email address will be constructed based on the template mapping controls configured within the workflow.
What does the Guest Invite option do?
The Guest Invite option (see figure 1) will create a user object with the type of Guest within the destination directory configured in the workflow and immediately send an invitation to the source email user account. This user’s UPN will be constructed automatically by Microsoft to meet their requirements for B2B functionality. This user’s password will not be set and will continue to be managed from the source directory management tools and administrators. All other attributes set during creation will be determined by the template mapping controls configured within the workflow.
Can I send an invitation later if I didn’t send one during creation?
Yes, Microsoft provides numerous methods for managing invitations. For more details, see the Microsoft Entra ID B2B documentation.
Can I match to an existing Guest user and update it?
Yes, Directory Sync can match and update existing Guest user types in Active Directory and Microsoft Entra ID.
What is the recommended matching attribute for Guest Users?
Matching a source user object to a target Guest user object can be challenging: depending on the type of target Guest user object, there may be no readily available attribute or property that yields an exact, unambiguous match.
How to identify unique attributes for Matching to Guest Users
Before synchronization, you must first decide how to derive the matching attribute pairs between the source user object and target guest object. In other words, what parameters in your environment are unique to your external collaborators? Determine a parameter that distinguishes these external collaborators from members of your own organization.
A common approach to resolve this is to:
- Designate an unused attribute (for example, extensionAttribute1) to use as the source attribute that will match to a unique identifier attribute, such as email, in the target.
- Next, construct the value for that attribute from other source properties, to create a unique identifier that will be found in the target. For example, use the email address of the source user to construct the extensionAttribute1 value as Source Local Part @ Target Domain.
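The approach above, worked through as an added example (not Directory Sync's own code): the source users passed in are assumed to be the external collaborators already identified, the target domain fabrikam.com and all object values are made up, and a constructed value that is not unique on either side is reported as ambiguous rather than matched.

```python
"""Constructed example, not Directory Sync's own code: build the matching value
the FAQ describes (Source Local Part @ Target Domain) in extensionAttribute1 and
match it to the mail of Guest objects in the target. Dicts and values are made up."""
from collections import Counter

def build_match_value(source_mail, target_domain):
    """extensionAttribute1 = <local part of source mail>@<target domain>."""
    local_part, sep, _ = source_mail.partition("@")
    if not sep or not local_part:
        raise ValueError(f"no local part in source mail: {source_mail!r}")
    return f"{local_part}@{target_domain}".lower()

def stamp_match_attribute(source_users, target_domain):
    """Populate extensionAttribute1 on the external collaborators passed in."""
    for u in source_users:
        u["extensionAttribute1"] = build_match_value(u["mail"], target_domain)
    return source_users

def match_guests(source_users, target_users):
    """Exact match source.extensionAttribute1 -> target.mail, Guests only. A value
    shared by several source users or several target guests is reported as
    ambiguous rather than matched to the wrong object."""
    guests = {}
    for t in target_users:
        if t.get("userType") == "Guest" and t.get("mail"):
            guests.setdefault(t["mail"].lower(), []).append(t["id"])
    source_counts = Counter(u["extensionAttribute1"] for u in source_users)
    matches, unmatched, ambiguous = {}, [], []
    for s in source_users:
        key = s["extensionAttribute1"]
        hits = guests.get(key, [])
        if source_counts[key] > 1 or len(hits) > 1:
            ambiguous.append(s["mail"])
        elif not hits:
            unmatched.append(s["mail"])
        else:
            matches[s["mail"]] = hits[0]
    return matches, unmatched, ambiguous

# Constructed sample data: source external collaborators and target tenant objects.
SOURCE = [
    {"mail": "alice@contoso.com"},
    {"mail": "bob@contoso.com"},
    {"mail": "carol@contoso.com"},
    {"mail": "carol@northwind.com"},  # same local part as the row above
]
TARGET = [
    {"id": "g-1", "userType": "Guest", "mail": "Alice@fabrikam.com"},
    {"id": "m-1", "userType": "Member", "mail": "bob@fabrikam.com"},  # not a Guest
    {"id": "g-2", "userType": "Guest", "mail": "carol@fabrikam.com"},
]

def run_example():
    stamp_match_attribute(SOURCE, "fabrikam.com")
    return match_guests(SOURCE, TARGET)
```

Running `run_example()` matches alice to guest g-1, leaves bob unmatched because the only target object with that mail is a Member, and flags both carol accounts because their constructed values collide.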
Can I create a local user, so it is ready to be synchronized up to Microsoft Entra ID as a Guest?
Yes, Directory Sync supports the creation of local user objects for this purpose. Simply configure the template mappings to set the value of the predetermined attribute that Microsoft Entra Connect will use to set UserType = Guest on the cloud object. If you are using a different method within Microsoft Entra Connect, adjust your mapping rules to fit your needs.
You can use Microsoft Entra Connect to sync the accounts to the cloud as Microsoft Entra B2B users (that is, users with UserType = Guest). This enables your users to access cloud resources using the same credentials as their local accounts, without giving them more access than they require.
For more information, read the Microsoft article How to grant local users access to cloud apps.
For details, read the Microsoft document How to enable synchronization of UserType for Microsoft Entra Connect.
Additional Information
How To Use Guest Users in Directory Sync
What is guest user access in Microsoft Entra ID B2B?
Microsoft Entra ID B2B best practices
Microsoft Entra ID B2B documentation
Properties of a Microsoft Entra ID B2B collaboration user
Quickstart: Add guest users to your directory in the Azure portal
Add guests to the global address list
Settings
Environments
What is an Environment?
If a workflow is a series of action steps, an environment is the receiver of those actions. On the Select Environments screen you will choose two or more environments that the workflow will take actions against. You need at least two so that you have at least one source and one target, but you can choose several in a more complex migration scenario. For example, you may choose to read from two different environments as sources, to be written to a single target environment.
Where do I manage Environments?
To manage environments, open the left navigation menu and click Environments, located under Settings (see Figure 1).
Figure 1: Directory Sync Setup and Settings Menu
How are Local Environments added?
To add a local environment:
- On the Environments page, click the New button. The Select your Environment type page appears.
- Select Local and click Next.
- Enter a name for your environment and click Next.
- Enter a name for your agent and click Next.
- Enter values in the following fields:
  - Target Domain Controller IP Address – The IP address of the target Domain Controller.
  - Target Domain Controller Ping Interval – The number of seconds the script will sleep between pings to the defined target domain controller. The default value is 300 seconds.
  - Timeout Before Job Failure – The number of minutes to wait after the Credential Cache job is downloaded by the agent before marking the job a failure due to timeout. The default value is 180 minutes.
  - Timeout for User Credential Prompt – The number of minutes to prompt the user with a dialog box to enter their target domain credentials for caching. The default value is 5 minutes.
- Click Save Profile. The Credential Cache Profile is added to the list.
How do you export a list of Users, Groups, Contacts, and Devices in an environment?
Select an environment in the Environments table and then click Details. On the Details page, click the Export button to download a CSV file of the Users, Groups, Contacts, and Devices.
How do you unmatch Users, Groups, Contacts, and Devices so they will not be synchronized?
Select an environment in the Environments table and then click Details. On the Details page, select an object in the table and click the Unmatch button. The Match Status for the object will change to "Unmatched" and the object will not be synchronized.
The Unmatch action is not supported for objects belonging to the Tenant-to-Tenant project and registered devices.
How do you view logs for local environments?
Select a local environment in the Environments table and then click Password Logs or Discovery Logs to export a CSV with password or discovery information.
How do you discover local environments?
Select a local environment in the Environments table and then click Discover to begin the discovery process for the environment.
How do you filter out users and groups in cloud environments you do not want to synchronize?
Select a cloud environment in the Environments table and then click Settings. Then select the Object Filter tab to view the filter options. Uncheck the object types you wish to exclude. Options to exclude unlicensed and disabled accounts are also available. Click Attribute Filters to build filters that allow you to be more specific as to which object(s) to sync. Select the Filter Groups tab to enable Group filters.
How do you set the object filter to synchronize Microsoft Entra ID Joined devices in cloud environments?
If you subscribe to the Microsoft Entra ID Joined Device add-on feature, you can enable the Microsoft Entra ID Joined device object filter option in Settings. To enable it, select a cloud environment in the Environments table and then click Settings. Then select the Object Filter tab to view the filter options. Check the Microsoft Entra ID Joined devices option. Click Attribute Filters to build filters that allow you to be more specific as to which device(s) to sync.
The table below displays filterable properties and the object types that can be filtered by them. ✓ = The property can be used to filter this object type. The original header row is not preserved in this copy; the object-type labels below are inferred from the properties that appear in each column.

| Property | User | Contact | Group | Microsoft 365 Group | Device |
|---|---|---|---|---|---|
| AcceptMessagesOnlyFrom |  | ✓ | ✓ | ✓ |  |
| AcceptMessagesOnlyFromDLMembers |  | ✓ | ✓ | ✓ |  |
| AcceptMessagesOnlyFromSendersOrMembers |  | ✓ | ✓ | ✓ |  |
| AccessType |  |  |  | ✓ |  |
| AccountDisabled | ✓ |  |  |  |  |
| AddressListMembership |  | ✓ | ✓ | ✓ |  |
| AdministrativeUnits | ✓ | ✓ | ✓ | ✓ |  |
| Alias |  | ✓ | ✓ | ✓ |  |
| AllowAddGuests |  |  |  | ✓ |  |
| AllowUMCallsFromNonUsers | ✓ |  |  |  |  |
| AlwaysSubscribeMembersToCalendarEvents |  |  |  | ✓ |  |
| ArbitrationMailbox |  | ✓ | ✓ |  |  |
| ArchiveRelease | ✓ |  |  |  |  |
| AssistantName | ✓ |  |  |  |  |
| AuditLogAgeLimit |  |  |  | ✓ |  |
| AuthenticationPolicy | ✓ |  |  |  |  |
| AutoSubscribeNewMembers |  |  |  | ✓ |  |
| BypassModerationFromSendersOrMembers |  | ✓ | ✓ | ✓ |  |
| BypassNestedModerationEnabled |  |  | ✓ |  |  |
| CalendarMemberReadOnly |  |  |  | ✓ |  |
| CalendarUrl |  |  |  | ✓ |  |
| CertificateSubject | ✓ |  |  |  |  |
| City | ✓ |  |  |  |  |
| Classification |  |  |  | ✓ |  |
| Company | ✓ |  |  |  |  |
| ConnectorsEnabled |  |  |  | ✓ |  |
| ConsumerNetID | ✓ |  |  |  |  |
| CountryOrRegion | ✓ |  |  |  |  |
| CustomAttribute1 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute10 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute11 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute12 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute13 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute14 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute15 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute2 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute3 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute4 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute5 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute6 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute7 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute8 |  | ✓ | ✓ | ✓ | ✓ |
| CustomAttribute9 |  | ✓ | ✓ | ✓ | ✓ |
| Database |  |  |  | ✓ |  |
| DataEncryptionPolicy |  |  |  | ✓ |  |
| Department | ✓ |  |  |  |  |
| DirectReports | ✓ |  |  |  |  |
| DisplayName | ✓ | ✓ | ✓ | ✓ | ✓ |
| DistinguishedName | ✓ | ✓ | ✓ | ✓ |  |
| EmailAddressPolicyEnabled |  | ✓ | ✓ | ✓ |  |
| ExchangeGuid |  |  |  | ✓ |  |
| ExchangeVersion | ✓ | ✓ | ✓ | ✓ |  |
| ExpansionServer |  |  | ✓ | ✓ |  |
| ExtensionCustomAttribute1 |  | ✓ | ✓ | ✓ |  |
| ExtensionCustomAttribute2 |  | ✓ | ✓ | ✓ |  |
| ExtensionCustomAttribute3 |  | ✓ | ✓ | ✓ |  |
| ExtensionCustomAttribute4 |  | ✓ | ✓ | ✓ |  |
| ExtensionCustomAttribute5 |  | ✓ | ✓ | ✓ |  |
| Extensions |  | ✓ |  |  |  |
| ExternalDirectoryObjectId | ✓ | ✓ | ✓ | ✓ |  |
| ExternalEmailAddress |  | ✓ |  |  |  |
| Fax | ✓ |  |  |  |  |
| FileNotificationsSettings |  |  |  | ✓ |  |
| FirstName | ✓ |  |  |  |  |
| GeoCoordinates | ✓ |  |  |  |  |
| GrantSendOnBehalfTo |  | ✓ | ✓ | ✓ |  |
| GroupExternalMemberCount |  |  |  | ✓ |  |
| GroupMemberCount |  |  |  | ✓ |  |
| GroupPersonification |  |  |  | ✓ |  |
| GroupSKU |  |  |  | ✓ |  |
| GroupType |  |  | ✓ | ✓ |  |
| Guid | ✓ | ✓ | ✓ | ✓ |  |
| HasPicture |  | ✓ |  |  |  |
| HasSpokenName |  | ✓ |  |  |  |
| HiddenFromAddressListsEnabled |  | ✓ | ✓ | ✓ |  |
| HiddenFromExchangeClientsEnabled |  |  |  | ✓ |  |
| HiddenGroupMembershipEnabled |  |  | ✓ | ✓ |  |
| HomePhone | ✓ |  |  |  |  |
| Id | ✓ | ✓ | ✓ | ✓ |  |
| Identity | ✓ | ✓ | ✓ | ✓ |  |
| InboxUrl |  |  |  | ✓ |  |
| Initials | ✓ |  |  |  |  |
| InPlaceHolds |  |  |  | ✓ |  |
| InPlaceHoldsRaw | ✓ |  |  | ✓ |  |
| IsExternalResourcesPublished |  |  |  | ✓ |  |
| IsLinked | ✓ |  |  |  |  |
| IsMailboxConfigured |  |  |  | ✓ |  |
| IsMembershipDynamic |  |  |  | ✓ |  |
| IsSecurityPrincipal | ✓ |  |  |  |  |
| IsSoftDeletedByDisable | ✓ |  |  |  |  |
| IsSoftDeletedByRemove | ✓ |  |  |  |  |
| IsValid | ✓ | ✓ | ✓ | ✓ |  |
| Language |  |  |  | ✓ |  |
| LastExchangeChangedTime |  | ✓ | ✓ | ✓ |  |
| LastName | ✓ |  |  |  |  |
| LegacyExchangeDN | ✓ | ✓ | ✓ | ✓ |  |
| LinkedMasterAccount | ✓ |  |  |  |  |
| MacAttachmentFormat |  | ✓ |  |  |  |
| MailboxLocations | ✓ |  |  |  |  |
| MailboxProvisioningConstraint | ✓ |  |  | ✓ |  |
| MailboxProvisioningPreferences | ✓ |  |  |  |  |
| MailboxRegion | ✓ |  |  | ✓ |  |
| MailboxRegionLastUpdateTime | ✓ |  |  |  |  |
| MailboxRelease | ✓ |  |  |  |  |
| MailTip |  | ✓ | ✓ | ✓ |  |
| MailTipTranslations |  | ✓ | ✓ | ✓ |  |
| ManagedBy |  |  | ✓ | ✓ |  |
| ManagedByDetails |  |  |  | ✓ |  |
| Manager | ✓ |  |  |  |  |
| MaxReceiveSize |  | ✓ | ✓ | ✓ |  |
| MaxRecipientPerMessage |  | ✓ |  |  |  |
| MaxSendSize |  | ✓ | ✓ | ✓ |  |
| MemberDepartRestriction |  |  | ✓ |  |  |
| MemberJoinRestriction |  |  | ✓ |  |  |
| MessageBodyFormat |  | ✓ |  |  |  |
| MessageFormat |  | ✓ |  |  |  |
| MicrosoftOnlineServicesID | ✓ |  |  |  |  |
| MigrationToUnifiedGroupInProgress |  |  | ✓ | ✓ |  |
| MobilePhone | ✓ |  |  |  |  |
| ModeratedBy |  | ✓ | ✓ | ✓ |  |
| ModerationEnabled |  | ✓ | ✓ | ✓ |  |
| Name | ✓ | ✓ | ✓ | ✓ |  |
| NetID | ✓ |  |  |  |  |
| Notes | ✓ |  |  | ✓ |  |
| ObjectCategory | ✓ | ✓ | ✓ | ✓ |  |
| ObjectClass | ✓ | ✓ | ✓ | ✓ |  |
| ObjectState | ✓ | ✓ | ✓ | ✓ |  |
| Office | ✓ |  |  |  |  |
| OrganizationalUnit | ✓ | ✓ | ✓ | ✓ |  |
| OrganizationId | ✓ | ✓ | ✓ | ✓ |  |
| OriginatingServer | ✓ | ✓ | ✓ | ✓ |  |
| OtherFax | ✓ |  |  |  |  |
| OtherHomePhone | ✓ |  |  |  |  |
| OtherTelephone | ✓ |  |  |  |  |
| Pager | ✓ |  |  |  |  |
| PeopleUrl |  |  |  | ✓ |  |
| Phone | ✓ |  |  |  |  |
| PhoneticDisplayName | ✓ |  |  |  |  |
| PhotoUrl |  |  |  | ✓ |  |
| PoliciesExcluded |  | ✓ | ✓ | ✓ |  |
| PoliciesIncluded |  | ✓ | ✓ | ✓ |  |
| PostalCode | ✓ |  |  |  |  |
| PostOfficeBox | ✓ |  |  |  |  |
| PreviousRecipientTypeDetails | ✓ |  |  |  |  |
| RecipientType | ✓ | ✓ | ✓ | ✓ |  |
| RecipientTypeDetails | ✓ | ✓ | ✓ | ✓ |  |
| RejectMessagesFrom |  | ✓ | ✓ | ✓ |  |
| RejectMessagesFromDLMembers |  | ✓ | ✓ | ✓ |  |
| RejectMessagesFromSendersOrMembers |  | ✓ | ✓ | ✓ |  |
| RemotePowerShellEnabled | ✓ |  |  |  |  |
| ReportToManagerEnabled |  |  | ✓ | ✓ |  |
| ReportToOriginatorEnabled |  |  | ✓ | ✓ |  |
| RequireSenderAuthenticationEnabled |  | ✓ | ✓ | ✓ |  |
| ResetPasswordOnNextLogon | ✓ |  |  |  |  |
| RunspaceId | ✓ | ✓ | ✓ | ✓ |  |
| SamAccountName | ✓ |  | ✓ |  |  |
| SendModerationNotifications |  | ✓ | ✓ | ✓ |  |
| SendOofMessageToOriginatorEnabled |  |  | ✓ | ✓ |  |
| SeniorityIndex | ✓ |  |  |  |  |
| ServerName |  |  |  | ✓ |  |
| SharePointDocumentsUrl |  |  |  | ✓ |  |
| SharePointNotebookUrl |  |  |  | ✓ |  |
| SharePointSiteUrl |  |  |  | ✓ |  |
| Sid | ✓ |  |  |  |  |
| SidHistory | ✓ |  |  |  |  |
| SiloName | ✓ |  |  |  |  |
| SimpleDisplayName | ✓ | ✓ | ✓ |  |  |
| SKUAssigned | ✓ |  |  |  |  |
| StateOrProvince | ✓ |  |  |  |  |
| StreetAddress | ✓ |  |  |  |  |
| StsRefreshTokensValidFrom | ✓ |  |  |  |  |
| SubscriptionEnabled |  |  |  | ✓ |  |
| TelephoneAssistant | ✓ |  |  |  |  |
| Title | ✓ |  |  |  |  |
| UMCallingLineIds | ✓ |  |  |  |  |
| UMDialPlan | ✓ |  |  |  |  |
| UMDtmfMap | ✓ | ✓ | ✓ |  |  |
| UpgradeDetails | ✓ |  |  |  |  |
| UpgradeMessage | ✓ |  |  |  |  |
| UpgradeRequest | ✓ |  |  |  |  |
| UpgradeStage | ✓ |  |  |  |  |
| UpgradeStageTimeStamp | ✓ |  |  |  |  |
| UpgradeStatus | ✓ |  |  |  |  |
| UseMapiRichTextFormat |  | ✓ |  |  |  |
| UsePreferMessageFormat |  | ✓ |  |  |  |
| UserAccountControl | ✓ |  |  |  |  |
| UserCertificate |  | ✓ |  |  |  |
| UserPrincipalName | ✓ |  |  |  |  |
| UserSMimeCertificate |  | ✓ |  |  |  |
| VoiceMailSettings | ✓ |  |  |  |  |
| WebPage | ✓ |  |  |  |  |
| WelcomeMessageEnabled |  |  |  | ✓ |  |
| WhenChanged | ✓ | ✓ | ✓ | ✓ |  |
| WhenChangedUTC | ✓ | ✓ | ✓ | ✓ |  |
| WhenCreated | ✓ | ✓ | ✓ | ✓ |  |
| WhenCreatedUTC | ✓ | ✓ | ✓ | ✓ |  |
| WhenSoftDeleted | ✓ |  |  | ✓ |  |
| WindowsEmailAddress | ✓ | ✓ | ✓ |  |  |
| WindowsLiveID | ✓ |  |  |  |  |
| YammerEmailAddress |  |  |  | ✓ |  |
| Description |  |  | ✓ | ✓ |  |
| OperatingSystem |  |  |  |  | ✓ |
| OperatingSystemVersion |  |  |  |  | ✓ |
| ProfileType |  |  |  |  | ✓ |
| EmailAddresses |  | ✓ | ✓ | ✓ |  |
Password Sync
What is Password Sync?
The Password Sync feature is designed to synchronize passwords from environment to environment without being directly tied to workflows.
However, a workflow that reads all the users in scope for password sync must exist and there must be a workflow that matches the source to target objects. If there is no match, passwords will not be synchronized.
How many agents can be set to monitor password changes?
You may only have one agent set to detect password changes. Having a single agent for this task avoids conflicts caused by multiple agents updating passwords at the same time.
What does the Allow password changes option do?
When the “Allow password changes” option is selected, objects' passwords will be updated if they are matched to any environment set to detect password changes.
How is it determined which users are in scope for password sync?
The environment filter determines which users are in scope for password change. If a user is matched and in environment scope, its password will be updated when the source password changes.
Is two-way password sync possible?
Two-way password sync is possible by selecting to monitor password changes in the source and target environments.
Are passwords encrypted during password sync?
The password hash is stored encrypted in the database to determine if password changes must occur on the target. Passwords are never converted to plain text.
How often does the agent check for password changes?
The agent designated for password change monitoring checks for changes every 30 seconds.
Creating an alert for when agents go offline is recommended in case the password monitoring agent encounters an issue.
What access is needed?
The account that the agent has been configured with must have access to the admin$ share of the domain controllers.
Can password sync be applied to a subset of users?
An LDAP query can be entered in the LDAP Filter field to control the application of the Password Sync feature.
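The scoping rule from the questions above (a password change propagates only for users that are matched, inside the environment filter and, when one is entered, matching the LDAP Filter), as a constructed model added here. It is not Directory Sync's own code: the User fields, the sample attributes and the minimal filter evaluator are assumptions made for illustration.

```python
"""Constructed model, not Directory Sync's own code, of the scoping rule in this
section: a password change propagates only for users that are matched by a
workflow, inside the environment filter and, if one is set, matching the LDAP
Filter. The evaluator supports (attr=value), (attr=*), &, | and ! only."""
from dataclasses import dataclass

@dataclass
class User:
    upn: str
    attrs: dict          # source directory attributes (sample values)
    matched: bool        # a workflow matched this object to a target object
    in_env_scope: bool   # passes the environment's object/attribute filters

def _split_terms(body):
    """Split '(a=1)(b=2)' into its top-level parenthesised terms."""
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms.append(body[start:i + 1])
    return terms

def ldap_match(expr, attrs):
    """Minimal RFC 4515-style filter evaluator; string compare is case-insensitive."""
    expr = expr.strip()
    if not (expr.startswith("(") and expr.endswith(")")):
        raise ValueError(f"bad filter: {expr!r}")
    body = expr[1:-1]
    if body[:1] in ("&", "|", "!"):
        op, results = body[0], [ldap_match(t, attrs) for t in _split_terms(body[1:])]
        if op == "!":
            return not results[0]
        return all(results) if op == "&" else any(results)
    attr, _, value = body.partition("=")
    actual = attrs.get(attr)
    if value == "*":
        return actual is not None
    return actual is not None and str(actual).lower() == value.lower()

def password_sync_scope(users, ldap_filter=None):
    """UPNs whose password changes would be propagated to the target."""
    return [u.upn for u in users if u.matched and u.in_env_scope
            and (ldap_filter is None or ldap_match(ldap_filter, u.attrs))]

USERS = [  # constructed sample: (upn, attrs, matched, in_env_scope)
    User("alice@contoso.com", {"department": "Sales", "employeeType": "FTE"}, True, True),
    User("bob@contoso.com", {"department": "Sales", "employeeType": "FTE"}, False, True),
    User("carol@contoso.com", {"department": "IT", "employeeType": "FTE"}, True, False),
    User("dave@contoso.com", {"department": "IT", "employeeType": "Contractor"}, True, True),
]
```

With no LDAP filter only alice and dave are in scope (bob is unmatched, carol is outside the environment filter); adding `(employeeType=FTE)` narrows it to alice alone.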
What is Password Propagation Service?
Password Propagation Service is a component of Directory Sync that allows password synchronization in environments without RC4 Encryption. Unlike the Legacy Password Monitor Service, which requires RC4 Encryption, Password Propagation Service simply copies the password from the source to the target. When a password changes in the source, the password filter installed on every domain controller in the source environment will capture the password and use the Password Propagation Service to set the password in the target using LDAPS security. Please refer to the On Demand Migration Password Propagation Service User Guide for installation/configuration.
What is Modern Password Monitor Service?
Modern Password Monitor Service adds support for Microsoft Advanced LSA Protection by installing a Password Filter on the Domain Controller. Additional details about Modern Password Monitor Service can be found in the On Demand Migration Active Directory Modern Password Sync Setup Quick Start Guide.