Update Mobile Numbers In Employee Directory Plus Using Power Shell Script
Sync Mobile Phone properties from Azure Active Directory to SharePoint Online User Profiles / Employee Directory Plus
Starting with version 1.4.7.200517, you can make the change from the settings panel under Display options. For older versions, please refer to this article.
Microsoft 365 and Azure active Directory
Office 365 uses Azure Active Directory for storing user information. Since SharePoint and SharePoint Online both have their own User Profile Service and user store, it was clear to Microsoft that some of the user properties have to be shared between these two storages.
So Microsoft built a synchronization, or at least a one-way transport, between the Azure Active Directory (AAD) user objects and SharePoint Online (SPO) user profiles.
Why two user storages?
Well, a user profile is the collection of user properties that describe a single user, such as User Principal Name (which is the login in Office 365), First Name, Last Name, Work Phone and so on.
Many user properties in Active Directory are different from, or simply do not exist in, SharePoint User Profiles, and vice versa.
So the reason is simply historical. Both systems grew and developed independently. In the cloud world with Office 365 this means that we now technically have two user objects with two different user profiles, but "some properties" are transferred from AAD to SPO.
Going Hybrid
Many companies use hybrid scenarios to transport their local Active Directory (AD) into the cloud (AAD). This can be done with tools like DirSync or ADFS. The benefit is that end users can use their single identity in Office 365 services such as Exchange, SharePoint and Lync as well. This is a great solution (which we deploy very often for customers).
In many cases DirSync is an excellent choice because it is easy to use and doesn't require a large server infrastructure. With that tool, selected objects are copied from the local AD into the cloud AAD (to make it clear: not vice versa).
If a user changes his password (with the password sync option on), a hash of the password hash (which is not recoverable in any way) is copied into the AAD. Depending on the sync schedules this takes some time, but afterwards the user can work with his new password in Office 365. The same goes for other user properties changed in AD.
The Challenge
The User Profile Sync in SharePoint Online imports a number of properties from Azure Active Directory, but we're unable to configure any additional property mappings for import. This creates a challenge: the MobilePhone Active Directory attribute does not get synchronized to the SharePoint Online User Profile CellPhone property. Microsoft has a valid reason for not syncing the mobile number from Azure AD to the user profile in SharePoint Online / Exchange Online: this number is expected to be updated by the user for MFA. If this number is overwritten by an old number from the Azure AD properties, the user may end up losing their MFA access. Please enable mobile sync only if you are sure that users are not using MFA. If they are using MFA, they will be updating their number themselves, so you can skip this knowledge base article.
A Solution
Requirements
To accomplish this we'll need to have the following:
- Azure Subscription
- Office 365 Global Administrator account credentials
- PowerShell script
Configuring the Azure Automation account and Runbook
Create the Automation Account
Log into the Azure Portal and create a new Automation Account. For our purposes we don't need the 'Run As Account'.
Import PowerShell Modules
Once the Automation Account is created we need to import the PowerShell modules into the Automation Account for use by the PowerShell script. Open the Automation Account and click on the Modules link in the Shared Resources section.
Click the Browse gallery link and search for the MSOnline module.
Click the OK button and then wait for the module to successfully import.
Repeat the above for the SharePointPnPPowerShellOnline module.
Confirm that both modules are imported by reviewing the available modules:
Automation Account Variables and Credentials
To enable some flexibility in the script we'll utilize a few Automation Account Variables and Credentials. In fact, we'll create a variable for the credential name in case a credential with that name already exists in the environment.
Create the Automation Account Credential first so we can refer to it by name in a variable. The credential should be named o365GlobalAdmin and look something like the following:
If your Office 365 Global Administrator account is MFA-enabled you'll need to have and use an App Password.
The script relies on the following variables:
- o365GlobalAdminCredentialName
- overwriteExistingSPOUPAValue
- tenantName
Create the first variable, o365GlobalAdminCredentialName, which contains the name of the Azure Automation Credential created above (o365GlobalAdmin), as a non-encrypted string type variable similar to the following:
The second variable, overwriteExistingSPOUPAValue, is a boolean (True/False) type that indicates whether or not we'll overwrite existing values in the SharePoint Online User Profile store. When set to True the script will use the values in Azure AD as the source of truth, which may overwrite any values that users have updated in their profiles manually:
The last variable, tenantName, is a string type and contains the company name portion of the Office 365/Azure AD tenant:
The script uses the tenantName variable to build the Url to the SharePoint Online Administration site, for example https://YOURTENANTNAMEHERE-admin.sharepoint.com/
That's all we need to set up in the Automation Account for use by the Runbook.
Runbook
At this point we need to create the Runbook which will contain our PowerShell script. Click on the Create a runbook link:
Give the runbook a name, select PowerShell as the type and optionally set a description. Click the Create button once everything looks good:
Once created, click the Edit button:
This will open the browser-based code editor, into which we'll paste the PowerShell script:
Import-Module MSOnline
Import-Module SharePointPnPPowerShellOnline

# Automation Variables
$tenantName = Get-AutomationVariable -Name "tenantName"
$spoAdminUrl = "https://$tenantName-admin.sharepoint.com"
$overwriteExistingSPOUPAValue = Get-AutomationVariable -Name "overwriteExistingSPOUPAValue"

# Get credentials from the Automation Credential asset whose name is stored in a variable
$credential = Get-AutomationPSCredential -Name (Get-AutomationVariable -Name "o365GlobalAdminCredentialName")

Try {
    # Connect to Azure AD
    Connect-MsolService -Credential $credential

    # Connect to the SPO admin site using PnP; the returned connection is passed
    # explicitly to every PnP cmdlet below
    $spoPnPConnection = Connect-PnPOnline -Url $spoAdminUrl -Credentials $credential -ReturnConnection

    # Get all Azure AD Users with a populated MobilePhone property
    $AzureADUsers = Get-MsolUser -All | Where-Object { -not [string]::IsNullOrWhiteSpace($_.MobilePhone) }

    ForEach ($AzureADUser in $AzureADUsers) {
        $upn = $AzureADUser.UserPrincipalName

        # Read the current SPO User Profile CellPhone value; a missing profile must not
        # abort the whole run, so handle it per user
        Try {
            $spoCellPhone = (Get-PnPUserProfileProperty -Account $upn -Connection $spoPnPConnection).UserProfileProperties.CellPhone
        }
        Catch {
            Write-Output "Could not read SPO user profile for $upn : $($_.Exception.Message)"
            Continue
        }

        # Check to see if SPO User Profile Property CellPhone differs from Azure AD User Property MobilePhone
        if ($spoCellPhone -ne $AzureADUser.MobilePhone) {
            # Property differs. Update when we're allowed to overwrite, or when the
            # target is still empty (an empty target is not an "existing" value to preserve)
            if ($overwriteExistingSPOUPAValue -eq $true -or [string]::IsNullOrWhiteSpace($spoCellPhone)) {
                Write-Output "Update CellPhone for $upn"
                Set-PnPUserProfileProperty -Account $upn -PropertyName CellPhone -Value $AzureADUser.MobilePhone -Connection $spoPnPConnection
            }
            else {
                # Not going to overwrite an existing property value
                Write-Output "Target SPO UPA CellPhone is not empty for $upn and we're to preserve existing properties"
            }
        }
    }
}
Catch {
    Write-Output $_.Exception.Message
}
Click the Publish button in the Edit window and we're ready to give the script a quick test.
Back on the Runbook Overview screen click the Start link and wait a few minutes. The script will run and output any messages, warnings or errors as it executes.
Here's a screenshot of the Output tab showing that there are users with different values in the MobilePhone / CellPhone properties, but since overwriteExistingSPOUPAValue is currently set to False the target values will be preserved:
[Screenshot: Output tab showing target properties will be preserved]
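Before switching overwriteExistingSPOUPAValue to True, the MFA caveat from The Challenge section deserves a concrete check. The following read-only pre-flight script is an added example and is not part of the original article or the runbook: it lists every Azure AD user with a MobilePhone value, shows the current SharePoint Online CellPhone value, and flags users who have MFA methods registered (via the StrongAuthenticationMethods collection on the MSOL user object) so those accounts can be reviewed or excluded first. The tenant name, the credential prompt and the CSV path are assumptions you adapt to your environment.

```powershell
# Added example (not from the original article): read-only pre-flight report
# comparing Azure AD MobilePhone with the SPO User Profile CellPhone and
# flagging MFA-registered users before any overwrite is enabled.
Import-Module MSOnline
Import-Module SharePointPnPPowerShellOnline

$tenantName  = "YOURTENANTNAMEHERE"   # placeholder: your tenant name
$credential  = Get-Credential         # interactive; in a runbook use Get-AutomationPSCredential
$spoAdminUrl = "https://$tenantName-admin.sharepoint.com"

Connect-MsolService -Credential $credential
$spo = Connect-PnPOnline -Url $spoAdminUrl -Credentials $credential -ReturnConnection

$usersWithMobile = Get-MsolUser -All | Where-Object { -not [string]::IsNullOrWhiteSpace($_.MobilePhone) }

$report = foreach ($u in $usersWithMobile) {
    $upn = $u.UserPrincipalName

    # A user who has never had a profile provisioned in SPO raises an error; record it instead of stopping
    try {
        $spoCellPhone = (Get-PnPUserProfileProperty -Account $upn -Connection $spo).UserProfileProperties.CellPhone
    }
    catch {
        $spoCellPhone = "<profile not found: $($_.Exception.Message)>"
    }

    # StrongAuthenticationMethods is non-empty when the user has registered at least one MFA method
    $mfaRegistered = ($u.StrongAuthenticationMethods.Count -gt 0)

    [pscustomobject]@{
        UserPrincipalName  = $upn
        AzureADMobilePhone = $u.MobilePhone
        SPOCellPhone       = $spoCellPhone
        Differs            = ($spoCellPhone -ne $u.MobilePhone)
        MfaRegistered      = $mfaRegistered
        # Only accounts without a registered MFA method are candidates for an automatic overwrite
        SafeToOverwrite    = (-not $mfaRegistered)
    }
}

# Show the rows that the runbook would touch, and keep a copy for the change record
$report | Where-Object Differs | Format-Table -AutoSize
$report | Export-Csv -Path ".\mobilephone-preflight.csv" -NoTypeInformation
```

Rows with Differs = True and MfaRegistered = True are the ones the article warns about; if any appear, keep overwriteExistingSPOUPAValue at False for those users or exclude them from the runbook's Where-Object filter before scheduling it.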
At this point we can modify the overwriteExistingSPOUPAValue variable to True, and set the runbook to run on a schedule by clicking Schedules and Add a schedule:
Click through Link a schedule to your runbook and Create a new schedule. The following example shows a daily recurring schedule with no end date:
Confirm that the Runbook is scheduled to execute on the schedule:
[Screenshot: Runbook scheduled to run daily]
At this point the configuration is complete and scheduled to execute daily.
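The portal steps above (modules, credential, the three variables, runbook import, a test run and the daily schedule) can also be scripted with the Az.Automation module. The script below is an added example, not part of the original article; the resource group name, automation account name, region, schedule name and the local path of the runbook file are placeholders you replace with your own values.

```powershell
# Added example (not from the original article): provisions the Automation Account
# assets described in this article with Az.Automation instead of the portal.
Import-Module Az.Accounts
Import-Module Az.Automation
Connect-AzAccount

$rg      = "rg-automation"        # placeholder resource group
$account = "aa-directorysync"     # placeholder automation account
$runbook = "Sync-MobilePhoneToSPO"

New-AzAutomationAccount -ResourceGroupName $rg -Name $account -Location "westeurope"

# Import the two gallery modules the runbook needs (the nupkg link is the PowerShell Gallery package feed)
foreach ($m in "MSOnline", "SharePointPnPPowerShellOnline") {
    New-AzAutomationModule -ResourceGroupName $rg -AutomationAccountName $account -Name $m `
        -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$m"
}

# Credential asset; its name is what the o365GlobalAdminCredentialName variable points to
$o365Cred = Get-Credential -Message "Office 365 Global Administrator (use an App Password if MFA is enabled)"
New-AzAutomationCredential -ResourceGroupName $rg -AutomationAccountName $account -Name "o365GlobalAdmin" -Value $o365Cred

# The three variables read by Get-AutomationVariable in the runbook; start in preserve mode
New-AzAutomationVariable -ResourceGroupName $rg -AutomationAccountName $account -Name "o365GlobalAdminCredentialName" -Value "o365GlobalAdmin" -Encrypted $false
New-AzAutomationVariable -ResourceGroupName $rg -AutomationAccountName $account -Name "overwriteExistingSPOUPAValue" -Value $false -Encrypted $false
New-AzAutomationVariable -ResourceGroupName $rg -AutomationAccountName $account -Name "tenantName" -Value "YOURTENANTNAMEHERE" -Encrypted $false

# Import the runbook script saved locally and publish it in one step
Import-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $account -Path ".\$runbook.ps1" -Name $runbook -Type PowerShell -Published

# Test run while overwriteExistingSPOUPAValue is still False, then read the job output
$job = Start-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $account -Name $runbook
Start-Sleep -Seconds 120   # give the job time to start; poll Get-AzAutomationJob for long runs
Get-AzAutomationJobOutput -ResourceGroupName $rg -AutomationAccountName $account -Id $job.JobId -Stream Any

# Daily recurring schedule with no end date, linked to the runbook
New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account -Name "Daily" `
    -StartTime (Get-Date).AddDays(1).Date.AddHours(2) -DayInterval 1
Register-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $account -RunbookName $runbook -ScheduleName "Daily"

# Once the test output has been reviewed, switch to overwrite mode
Set-AzAutomationVariable -ResourceGroupName $rg -AutomationAccountName $account -Name "overwriteExistingSPOUPAValue" -Value $true -Encrypted $false
```

The variable is deliberately created as False and only flipped with Set-AzAutomationVariable at the end, so the first job always runs in preserve mode and its output can be checked before any User Profile value is overwritten.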
Verification
Following the scheduled execution, we can see that the Azure Active Directory users that had a value in the MobilePhone attribute now have the same value in the SharePoint User Profile property CellPhone. In my test tenant we'll take a look at Bianca Pisani's account information:
[Screenshot: BiancaP Azure AD user MobilePhone]
And we can compare that to the SharePoint User Profile property CellPhone:
[Screenshot: SharePoint user property CellPhone]
Note that even though the value exists in the User Profile Property Store we need to wait for Search to crawl the update before it'll show in our search-based Employee Directories. Here we can see the property exists in the Delve profile card as well:
[Screenshot: Delve profile card]
Summary
Currently the MobilePhone values from Azure Active Directory don't sync to the SharePoint Online User Profile Store, and we're unable to modify the configuration of the import to make this happen.
We've worked around the challenge with an automated approach: Azure Automation Runbooks, PnP PowerShell and a simple script that identifies users having a MobilePhone value in Azure Active Directory and sets the same value in the SharePoint User Profile CellPhone property.