Azure Active Directory SharePoint User Profile
Introduction
SharePoint Online only syncs a predefined set of properties from an Azure Active Directory user object to the SharePoint User Profile and, as mentioned in the FAQ section, no additional properties can be added to that sync.
But it is still possible to add new User Profile Properties in SharePoint Online.
The newly created property becomes a Crawled Property and can be mapped to a Managed Property and surfaced in the SharePoint Online Search Schema.
Using a timer-triggered Azure Function it is possible to synchronize Azure Active Directory properties of a user object (or anything else) with the SharePoint Online User Profile.
This example shows how to get the "Country or Region" property of the AAD user object synced with a SharePoint User Profile custom property and a Managed Property in SharePoint Online Search.
Creating the User Profile Property
- Navigate to SharePoint Admin Center -> More Features -> User Profiles
https://<tenant>-admin.sharepoint.com/_layouts/15/TenantProfileAdmin/ManageUserProfileServiceApplication.aspx
- Click "Manage User Properties"
- Add a "New Property"
- Give it a name
- Be sure that the "Default Privacy Setting" is set to "Everyone"
- Be sure that in "Search Settings" the checkbox "Indexed" is set
Creating the Search Managed Property
- Navigate to SharePoint Admin Center -> More Features -> Search
- Click "Manage Search Schema"
- Select "Managed Properties"
https://<tenant>-admin.sharepoint.com/_layouts/15/searchadmin/ta_listmanagedproperties.aspx?level=tenant
- Look for an existing "RefinableStringXYZ" (I used "RefinableString120" in this example)
- Add an Alias, e.g., CountryOrRegion
- Click "Add a Mapping" to map the Crawled Property "People:CustomCountry" to the Managed Property
Note: It may take several hours for the Crawled Property "People:CustomCountry" to show up.
Setting up Authentication for the Azure Function
This topic is addressed in another article, Creating SharePoint Terms using the App Context with the new PnP Core SDK.
A PowerShell script can be found in the GitHub repository.
The Azure Function
The Azure Function implementation that synchronizes the "Country or Region" property can be found in this GitHub repository.
Utility.ResolvePrincipal can be used to resolve the login name of the user:
    var resolvedPrincipal =
        Utility.ResolvePrincipal(
            clientContext,
            clientContext.Web,
            user.Mail,
            PrincipalType.User,
            PrincipalSource.All,
            null,
            true); // true - the input is only the email address
    await clientContext.ExecuteQueryRetryAsync();
    PrincipalInfo principal = resolvedPrincipal.Value;
    string loginName = principal.LoginName;
With the loginName we can then update the CustomCountry property:
    var peopleManager = new PeopleManager(clientContext);
    peopleManager.SetSingleValueProfileProperty(
        loginName,
        "CustomCountry", // The custom UserProfile property
        user.Country);
    clientContext.Load(peopleManager);
    await clientContext.ExecuteQueryRetryAsync();
The Problem
PeopleManager can be used to manage SharePoint Online User Profile properties.
The Azure AD app registration that is used for accessing Microsoft Graph cannot be used to access the SharePoint User Profile.
Since we are authenticating the Azure Function using the PnP Core SDK, we can use PnP.Framework.AuthenticationManager.GetACSAppOnlyContext to get a ClientContext:
    public ClientContext GetACSAppOnlyContext(
        string siteUrl, string appId, string appSecret)
The appId and appSecret required for this call come from a SharePoint Add-In registration.
So, a "proxy" SharePoint Add-In is required for that.
Let's first create a new Add-In using AppRegNew.aspx:
https://<tenant>.sharepoint.com/_layouts/15/appregnew.aspx
- Generate Client Id - note the id for later use
- Generate Client Secret - note the secret for later use
- Title: "Graph SyncJob Delegate App"
- App Domain: "www.localhost.com"
- Redirect URL: "https://www.localhost.com"
Then the permissions need to be assigned using:
https://<tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx
- Enter the App Id from the previous step and click on "Lookup".
- In the Add-In's permission request, enter the following:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>
- Click on "Create"
- Click on "Trust"
This requests app-only permissions for writing to the SharePoint User Profile.
Enabling App Only Authentication
ACS app-only authentication (custom app authentication) is disabled by default, but it can be enabled with this PnP PowerShell command:
Connect-PnPOnline -Url https://<tenant>-admin.sharepoint.com -DeviceLogin
Set-PnPTenant -DisableCustomAppAuthentication $false
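Putting the two snippets above together with the ACS app-only context, here is an added example of the sync routine (not the code from the repository this article links to). It assumes the Graph users were already fetched as (Mail, Country) pairs, that the ACS app id and secret live in Function App settings named ACS_APP_ID and ACS_APP_SECRET, and that SP_SITE_URL points at the site the add-in was trusted against; all of these names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.SharePoint.Client;
using Microsoft.SharePoint.Client.UserProfiles;
using Microsoft.SharePoint.Client.Utilities;
using PnP.Framework;

// Hypothetical sync routine: writes the AAD "Country or Region" value into the
// CustomCountry profile property through the ACS "proxy" add-in described above.
public static class CountrySync
{
    public static async Task<int> SyncAsync(
        IEnumerable<(string Mail, string Country)> users, ILogger log)
    {
        // Secrets come from app settings (ideally Key Vault references), never from
        // source. The setting names are assumptions for this example.
        string siteUrl = Environment.GetEnvironmentVariable("SP_SITE_URL");
        string appId = Environment.GetEnvironmentVariable("ACS_APP_ID");
        string appSecret = Environment.GetEnvironmentVariable("ACS_APP_SECRET");

        using var authManager = new AuthenticationManager();
        using ClientContext ctx = authManager.GetACSAppOnlyContext(siteUrl, appId, appSecret);
        var peopleManager = new PeopleManager(ctx);
        int updated = 0;

        foreach (var user in users)
        {
            // Skip users without a source value instead of blanking the profile field.
            if (string.IsNullOrWhiteSpace(user.Mail) || string.IsNullOrWhiteSpace(user.Country))
                continue;

            // Resolve the email to a SharePoint login name (i:0#.f|membership|...).
            var resolved = Utility.ResolvePrincipal(ctx, ctx.Web, user.Mail,
                PrincipalType.User, PrincipalSource.All, null, true);
            await ctx.ExecuteQueryRetryAsync();

            // Accounts unknown to the User Profile Application resolve to null.
            if (resolved.Value == null || string.IsNullOrEmpty(resolved.Value.LoginName))
            {
                log.LogWarning("No SharePoint principal found for {Mail}; skipping", user.Mail);
                continue;
            }

            peopleManager.SetSingleValueProfileProperty(
                resolved.Value.LoginName, "CustomCountry", user.Country);
            await ctx.ExecuteQueryRetryAsync();
            updated++;
        }
        log.LogInformation("Updated CustomCountry on {Count} profiles", updated);
        return updated;
    }
}
```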
Results
After the job has run successfully, the SharePoint User Profile contains the value from the Azure AD field "Country or Region" ...
... and in Search we have the RefinableString120 property with the same value:
(Submit-PnPSearchQuery `
    -SourceId b09a7990-05ea-4af9-81ef-edfab16c4e31 <# User Profiles result source #> `
    -Query "DocId:17592245537205" <# My account in this tenant #> `
    -SelectProperties RefinableString120,CountryOrRegion <# mapped to CustomCountry #>
).ResultRows
Key Value
--- -----
RefinableString120 Erdbeerland
CountryOrRegion Erdbeerland
DocId 17592245537205
GeoLocationSource EUR
contentclass urn:content-class:SPSPeople
AccountName i:0#.f|membership|martin@loitzl.onmicrosoft.com
Department Development
JobTitle Developer
LastModifiedTime 03/17/2022 09:54:21
Path https://loitzl-my.sharepoint.com/Person.aspx?accountname=i:0%23.f|membership|martin@loitzl.onmicrosoft.com
PictureURL https://loitzl-my.sharepoint.com/User Photos/Profile Pictures/martin_loitzl_onmicrosoft_com_MThumb.jpg
PreferredName Martin Loitzl
SipAddress martin@loitzl.onmicrosoft.com
WorkEmail martin@loitzl.com
Title Martin Loitzl
Final Notes
- The function uses PnP.Core authentication to connect to Microsoft Graph and a SharePoint "proxy" Add-In with app-only permissions to write to the SharePoint User Profile Service.
- Kudos to Darius for figuring that out in one of our customer projects.