Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This topic covers how to preserve and use the original organizational unit (OU) of an on-premises group during group provisioning to Microsoft Entra ID.
Prerequisite
Use Connect Sync or Cloud Sync to sync a custom extension attribute, or use an existing attribute from the default schema that you aren't using today, and set the OU path for the groups that you want to convert Source of Authority (SOA) to the cloud. The attribute helps you provision the group to the same OU when you update these groups from the cloud.
Step 1: Populate extensionAttribute13 in on-premises Active Directory Domain Services (AD DS)
Use PowerShell to extract the OU from each group's distinguished name (DN) and store it in the extensionAttribute13 attribute. You can run the following cmdlet to store the original OU path of each group in a writable attribute before you convert Group Source of Authority (SOA).
Get-ADGroup -Filter * -SearchBase "DC=contoso,DC=com" | ForEach-Object {
$ou = ($_.DistinguishedName -split ",", 2)[1] # Extract OU path
Set-ADGroup -Identity $_.DistinguishedName -Replace @{extensionAttribute13 = $ou}
}
You can also store the OU information in some other attribute like info or any other custom attribute. For more information about how to sync custom attributes, see Custom attribute mapping.
Step 2: Enable sync for extensionAttribute13 in Microsoft Entra Cloud Sync or Connect Sync
Sign in to the Microsoft Entra admin center as at least an Hybrid Identity Administrator.
Browse to Identity > Provisioning > Cloud Sync.
Select your Cloud Sync configuration.
Under Attribute Mapping, for Group objects:
- Click Edit Mapping
- Add a new mapping:
Setting Value Source attribute extensionAttribute13 Target attribute onPremisesExtensionAttributes.extensionAttribute13 Match objects Leave unchecked Apply this mapping Always
Step 3: Confirm attribute sync in Microsoft Entra ID
Use PowerShell or Microsoft Graph Explorer to verify the attribute sync.
PowerShell (Microsoft Graph SDK)
Get-MgGroup -GroupId <groupId> | Select -ExpandProperty OnPremisesExtensionAttributesMicrosoft Graph Explorer
GET https://graph.microsoft.com/v1.0/groups/{group-id}?$select=onPremisesExtensionAttributesYou should see:
{ "onPremisesExtensionAttributes": { "extensionAttribute13": "OU=Finance,DC=contoso,DC=com" } }
Step 4: Use extensionAttribute13 during provisioning
When you configure Provisioning, use the synced attribute to control the target OU.
In your Provisioning configuration, map onPremisesExtensionAttributes.extensionAttribute13 to a custom variable such as preferredOU.
Use an expression like this example to handle fallback. This expression uses the original OU if it's available, or falls back to a default OU that you specify. You can change extensionAttribute13 later to override the value.
IIF(IsNullOrEmpty([extensionAttribute13]), "OU=<Enter your default OU name>,DC=contoso,DC=com", [extensionAttribute13])