Syncing Custom Attributes for Users and Groups

Custom attributes for Users and Groups have been presented in Metric Insights 6.3.4 and allow syncing custom attributes from Okta, LDAP, and Microsoft 365 using mi-okta-usersync, mi-ldap-usersync, and mi-o365-usersync respectively. Each custom attribute that needs to be synced must be created in MI. All synced custom attributes are displayed on the Info tab of User/Group Editor.

The process comprises the following steps:

 Find Values for Custom Attributes

  1. Create a Custom Attribute
  2. Configure Custom Attribute
  3. Run Usersync Script
  4. View Sync Results
    1. View Synced Groups
    2. View Synced Users

NOTE: Custom group attributes cannot be synced by mi-o365-usersync script from Microsoft 365 since it is not supported by AD B2C on Azure.

Find Values for Custom Attributes

Okta

Find Custom User Attributes' Values

  1. Access the People tab
  2. Select a user
  3. Access the Profile tab
  4. Copy the attributes' Variable names (located below the Display names):
    • In this example 2 custom attributes will be synced and additionally mapping_group will be used to map users to groups that match this attribute's value (see Run Usersync Script for details); e.g., the user from the screenshot above will be added to 'Documentation Team from Okta Usersync' group

Find Custom Group Attributes' Values

  1. Access the Groups tab
  2. Select a group
  3. Access the Profile tab
  4. Copy the attribute's Variable name

Note: Use --auto-create all parameter if this group does not exist in MI and should be auto-created.

LDAP

The exact name of the custom attribute is required for mi-ldap-usersync script to sync it. The method of finding attribute names may vary depending on LDAP directory service you are using (e.g., Active Directory, OpenLDAP, etc.). We recommend referring to your specific LDAP directory service documentation or consulting with your system administrator.

Microsoft 365

NOTE: Custom user attributes can be displayed and modified via Microsoft Graph Explorer.

Add Custom User Attribute

  1. Access Azure AD B2C > User attributes in the Azure portal and add a custom attribute.
  2. Run the following API call using Graph Explorer replacing <User ID> with an actual value: 
PATCH https://graph.microsoft.com/v1.0/users/<User ID>

Set Content-Type header to application/json and provide the following request body: 

{  
"extension_<Application ID>_<Attribute Name>": "<Attribute Value>"
}
  • <Application ID> - The application ID used by Azure AD to store user data.
    • Can be found by accessing Azure AD B2C > App registrations > All applications
  • <Attribute Name> and <Attribute Value> - the name and value of the attribute

Get Custom User Attribute's Value

To get the custom user attribute's value run this API call:

GET https://graph.microsoft.com/v1.0/users/<User ID>?$select=extension_<Application ID>_<Attribute Name>

Provide values for the following parameters:

  • <User ID> - the ID of the user
  • <Application ID> - The application ID used by Azure AD to store user data.
    • Can be found by accessing Azure AD B2C > App registrations > All applications
  • <Attribute Name> - the name of the attribute

1. Create a Custom Attribute

  1. Access Custom Attributes:
    • v6: Go to <MI hostname>/admin/customattribute
    • v7: Go to <MI hostname>/admin/custom-attribute
  2. [+ Custom Attribute]

2. Configure Custom Attribute

Access the Settings tab

Each Custom Attribute that needs to be synced from Okta/LDAP/Microsoft 365 must be created in Metric Insights.

  1. Enter a Custom Attribute Name that will be displayed in User or Group Editor
  2. External ID: Enter the name of Okta/LDAP/Microsoft 365 custom attribute
  3. Optionally, provide a Description that will be displayed on hover in User/Group Editor
  4. Choose whether the attribute is displayed for Users, Groups or both

NOTE: Custom group attributes cannot be synced from Microsoft 365 since it is not supported by AD B2C on Azure.

  1. [Save]

3. Run Usersync Script

mi-ldap-usersync, mi-okta-usersync

NOTE:

  • If more than one custom user or group attribute is synced, separate attribute names with commas omitting whitespaces.
  • See Find Values for Custom Attributes for details on where to find custom attributes' values in Okta or LDAP directory services.
  1. Enter custom user attributes that need to be synced using the --custom-user-attribute parameter
  2. Enter custom group attributes that need to be synced using the --custom-group-attribute parameter
  3. Use --map-attr-to-group to select an attribute which will map users to groups based on this attribute's value
    • If the group(s) do not exist in Metric Insights, use --auto-create all to auto-create them in MI
  4. Sync summary is displayed listing all added users and groups

mi-o365-usersync

NOTE:

  1. Enter custom user attributes that need to be synced using the --custom-user-attribute parameter
  2. Enter the application ID used by Azure AD to store user data using the --custom-attr-app-id
    • It can be found by accessing Azure AD B2C > App registrations > All applications

Optionally, use --map-attr-to-group to select an attribute which will map users to groups based on this attribute's value

  • If the group(s) do not exist in Metric Insights, use --auto-create all to auto-create them in MI

4. View Sync Results

4.1. View Synced Groups

Access Admin > Users & Groups > Groups tab

  1. Click on the added group
  2. Access the Info tab, the synced Custom Group Attributes are displayed at the bottom of the page
  3. Access the Members tab, the synced users are displayed on the Members tab
  4. Click on one of the synced Users

4.2. View Synced Users

Access the Info tab

  1. The synced Custom User Attributes are displayed at the bottom of the page
  2. Access the Group Membership tab
  3. The synced User has been added to a group defined in the --map-attr-to-group parameter