This topic lists the attributes that are synchronized by Microsoft Entra Connect Sync.
The attributes are grouped by the related Microsoft Entra app.
Attributes to synchronize
A common question is "what is the list of minimum attributes to synchronize?" The default and recommended approach is to keep the default attributes so a full GAL (Global Address List) can be constructed in the cloud and to get all features in Microsoft 365 workloads. In some cases, there are some attributes that your organization does not want synchronized to the cloud since these attributes contain sensitive personal data, like in this example:
In this case, start with the list of attributes in this topic and identify those attributes that would contain personal data and cannot be synchronized. Then deselect those attributes during installation using Microsoft Entra app and attribute filtering.
Warning
When deselecting attributes, be cautious and deselect only those attributes that absolutely cannot be synchronized. Deselecting other attributes might have a negative impact on features.
Microsoft 365 Apps for enterprise
| Attribute Name | Comment |
| --- | --- |
| objectSID | mechanical property. AD user identifier used to maintain sync between Microsoft Entra ID and AD. |
| pwdLastSet | mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation. |
| samAccountName | |
| sourceAnchor | mechanical property. Immutable identifier to maintain relationship between ADDS and Microsoft Entra ID. |
| usageLocation | mechanical property. The user’s country/region. Used for license assignment. |
| userPrincipalName | UPN is the login ID for the user. Most often the same as [mail] value. |
Exchange Online
Attribute Name
Contact
Group
Comment
mechanical property. AD user identifier used to maintain sync between Microsoft Entra ID and AD.
oOFReplyToOriginator
otherFacsimileTelephone
mechanical property. Used to know when to invalidate already issued tokens. Used by both password sync and federation.
reportToOriginator
reportToOwner
securityEnabled
mechanical property. Immutable identifier to maintain relationship between ADDS and Microsoft Entra ID.
Synced to M365 profile photo periodically. Admins can set the frequency of the sync by changing the Microsoft Entra Connect value. Please note that if users change their photo both on-premises and in cloud in a time span that is less than the Microsoft Entra Connect value, we do not guarantee that the latest photo will be served.
title
mechanical property. AD user identifier used to maintain sync between Microsoft Entra ID and AD.
oOFReplyToOriginator
otherFacsimileTelephone
mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation.
reportToOriginator
reportToOwner
securityEnabled
mechanical property. Immutable identifier to maintain relationship between ADDS and Microsoft Entra ID.
Synced to M365 profile photo periodically. Admins can set the frequency of the sync by changing the Microsoft Entra Connect value. Please note that if users change their photo both on-premises and in cloud in a time span that is less than the Microsoft Entra Connect value, we do not guarantee that the latest photo will be served.
title
mechanical property. AD user identifier used to maintain sync between Microsoft Entra ID and AD.
otherTelephone
mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation.
securityEnabled
mechanical property. Immutable identifier to maintain relationship between ADDS and Microsoft Entra ID.
Synced to M365 profile photo periodically. Admins can set the frequency of the sync by changing the Microsoft Entra Connect value. Please note that if users change their photo both on-premises and in cloud in a time span that is less than the Microsoft Entra Connect value, we do not guarantee that the latest photo will be served.
title
A string that represents the name often shown as the friendly name (first name last name).
full email address.
member
objectSID
mechanical property. AD user identifier used to maintain sync between Microsoft Entra ID and AD.
proxyAddresses
mechanical property. Used by Microsoft Entra ID. Contains all secondary email addresses for the user.
pwdLastSet
mechanical property. Used to know when to invalidate already issued tokens.
securityEnabled
sourceAnchor
mechanical property. Immutable identifier to maintain relationship between ADDS and Microsoft Entra ID.
usageLocation
mechanical property. The user’s country/region. Used for license assignment.
userPrincipalName
This UPN is the login ID for the user. Most often the same as [mail] value.
Intune
Attribute Name
Contact
Group
Comment
mechanical property. AD user identifier used to maintain sync between Microsoft Entra ID and AD.
proxyAddresses
pwdLastSet
mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation.
securityEnabled
sourceAnchor
mechanical property. Immutable identifier to maintain relationship between ADDS and Microsoft Entra ID.
usageLocation
mechanical property. The user’s country/region. Used for license assignment.
userPrincipalName
UPN is the login ID for the user. Most often the same as [mail] value.
Dynamics CRM
Attribute Name
Contact
Group
Comment
mechanical property. AD user identifier used to maintain sync between Microsoft Entra ID and AD.
physicalDeliveryOfficeName
mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation.
securityEnabled
mechanical property. Immutable identifier to maintain relationship between ADDS and Microsoft Entra ID.
3rd party applications
This group is a set of attributes used as the minimal attributes needed for a generic workload or application. It can be used for a workload not listed in another section or for a non-Microsoft app. It is explicitly used for the following:
Yammer (only User is consumed)
Hybrid Business-to-Business (B2B) cross-org collaboration scenarios offered by resources like SharePoint
This group is a set of attributes that can be used if the Microsoft Entra directory is not used to support Microsoft 365, Dynamics, or Intune. It has a small set of core attributes. Note that single sign-on or provisioning to some third-party applications requires configuring synchronization of attributes in addition to the attributes described here. Application requirements are described in the SaaS app tutorial for each application.
Attribute Name
Contact
Group
Comment
mechanical property. AD user identifier used to maintain sync between Microsoft Entra ID and AD.
proxyAddresses
pwdLastSet
mechanical property. Used to know when to invalidate already issued tokens. Used by both password hash sync, pass-through authentication and federation.
securityEnabled
mechanical property. Immutable identifier to maintain relationship between ADDS and Microsoft Entra ID.
usageLocation
mechanical property. The user’s country/region. Used for license assignment.
userPrincipalName
UPN is the login ID for the user. Most often the same as [mail] value.
Windows 10
A Windows 10 domain-joined computer (device) synchronizes some attributes to Microsoft Entra ID. For more information on the scenarios, see Connect domain-joined devices to Microsoft Entra ID for Windows 10 experiences. These attributes always synchronize and Windows 10 does not appear as an app you can unselect. A Windows 10 domain-joined computer is identified by having the attribute userCertificate populated.
Attribute Name
Device
Comment
Derived from cloudAnchor in Microsoft Entra ID. This attribute is new in Exchange 2016 and Windows Server 2016 AD.
msExchArchiveStatus
ms-Exch-ArchiveStatus
Online Archive: Enables customers to archive mail.
msExchBlockedSendersHash
ms-Exch-BlockedSendersHash
Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.
msExchSafeRecipientsHash
ms-Exch-SafeRecipientsHash
Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.
msExchSafeSendersHash
ms-Exch-SafeSendersHash
Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.
msExchUCVoiceMailSettings
ms-Exch-UCVoiceMailSettings
Enable Unified Messaging (UM) - Online voice mail: Used by Microsoft Lync Server integration to indicate to Lync Server on-premises that the user has voice mail in online services.
msExchUserHoldPolicies
ms-Exch-UserHoldPolicies
Litigation Hold: Enables cloud services to determine which users are under Litigation Hold.
proxyAddresses
proxyAddresses
Only the x500 address from Exchange Online is inserted.
publicDelegates
ms-Exch-Public-Delegates
Allows an Exchange Online mailbox to be granted SendOnBehalfTo rights to users with on-premises Exchange mailbox. Requires Microsoft Entra Connect build 1.1.552.0 or after.
Exchange Mail Public Folder
These attributes are synchronized from on-premises Active Directory to Microsoft Entra ID when you select to enable Exchange Mail Public Folder.
Attribute Name
PublicFolder
Comment
Notes
When using an Alternate ID, the on-premises attribute userPrincipalName is synchronized with the Microsoft Entra attribute onPremisesUserPrincipalName. The Alternate ID attribute, for example mail, is synchronized with the Microsoft Entra attribute userPrincipalName.
Although there is no enforcement of uniqueness on the Microsoft Entra onPremisesUserPrincipalName attribute, it is not supported to sync the same UserPrincipalName value to the Microsoft Entra onPremisesUserPrincipalName attribute for multiple different Microsoft Entra users.
In the lists above, the object type User also applies to the object type iNetOrgPerson.
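The first two notes can be checked against directory exports. The following is an added example, not Microsoft's code: it flags onPremisesUserPrincipalName values shared by more than one Microsoft Entra user and verifies the Alternate ID mapping described above. The record layout, the `anchor` field (standing in for sourceAnchor), the sample accounts and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample exports (not real accounts). "anchor" is a hypothetical
# column holding the sourceAnchor value that links an AD object to its cloud user.
ONPREM = [
    {"anchor": "a1", "userPrincipalName": "jdoe@corp.local", "mail": "jane.doe@contoso.com"},
    {"anchor": "a2", "userPrincipalName": "bsmith@corp.local", "mail": "bob.smith@contoso.com"},
    {"anchor": "a3", "userPrincipalName": "svc@corp.local", "mail": "svc@contoso.com"},
]
CLOUD = [
    {"anchor": "a1", "userPrincipalName": "jane.doe@contoso.com", "onPremisesUserPrincipalName": "jdoe@corp.local"},
    {"anchor": "a2", "userPrincipalName": "bsmith@contoso.com", "onPremisesUserPrincipalName": "bsmith@corp.local"},
    {"anchor": "a3", "userPrincipalName": "svc@contoso.com", "onPremisesUserPrincipalName": "JDoe@corp.local"},
]

def _norm(value):
    # Assumption: UPN and mail values are compared case-insensitively.
    return (value or "").strip().lower()

def duplicate_onprem_upns(cloud_users):
    """Map each onPremisesUserPrincipalName held by more than one cloud user to those users."""
    seen = defaultdict(list)
    for user in cloud_users:
        key = _norm(user.get("onPremisesUserPrincipalName"))
        if key:
            seen[key].append(user["userPrincipalName"])
    return {upn: sorted(users) for upn, users in seen.items() if len(users) > 1}

def alternate_id_mismatches(onprem_users, cloud_users, alternate_id="mail"):
    """Check that the Alternate ID lands in cloud userPrincipalName and the
    on-premises UPN lands in onPremisesUserPrincipalName."""
    cloud_by_anchor = {u["anchor"]: u for u in cloud_users}
    findings = []
    for ad in onprem_users:
        cloud = cloud_by_anchor.get(ad["anchor"])
        if cloud is None:
            findings.append((ad["anchor"], "not present in cloud export"))
            continue
        if _norm(cloud["userPrincipalName"]) != _norm(ad.get(alternate_id)):
            findings.append((ad["anchor"], "cloud userPrincipalName != on-premises " + alternate_id))
        if _norm(cloud.get("onPremisesUserPrincipalName")) != _norm(ad["userPrincipalName"]):
            findings.append((ad["anchor"], "onPremisesUserPrincipalName != on-premises userPrincipalName"))
    return findings

if __name__ == "__main__":
    print(duplicate_onprem_upns(CLOUD))
    print(alternate_id_mismatches(ONPREM, CLOUD))
```

A non-empty result from `duplicate_onprem_upns` indicates the unsupported state from the second note, which the directory itself will not reject.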
Next steps
Learn more about the Microsoft Entra Connect Sync configuration.
Learn more about Integrating your on-premises identities with Microsoft Entra ID.