Solved

How to re-sync changed / added employee attributes to Azure AD?

  • 19 September 2022
  • 7 replies
  • 57 views

Hello!

 

I’ve just started to get to know Personio with my new employer as IT manager and yesterday I found out that there are even more employee attributes to sync to Azure AD than we’re using at the time.

 

I added a few Attributes (such as City, Department), waited for a few hours… nothing synced to Azure AD. Not even overnight or the next day. Azure AD has not updated City or Department Attributes from Personio.

 

Do these changed attributes apply only to new users / accounts?

Is there a way to manually sync new attributes to existing Azure AD accounts?

 

I thought about turning Azure AD sync off and on again, but I don’t know what would happen, so I wouldn’t dare to try it before asking someone who might know better.

 

Thank you very much for your responses in advance!


Solved by SpiralPlugger 25 September 2022, 12:40


Dear @SpiralPlugger,

Thank you very much for your very first question in the community! We are very happy to see you here 🤗.

I have a short question for you:

→  All of your attributes in Personio can be mapped to any of the Azure AD system attributes, but they cannot be mapped to Azure AD custom attributes.

Could you please make sure that the attributes you are trying to map are not custom attributes in your Azure AD?

Thank you very much in advance for your answer!

Best,

Andrea

Hello Andrea,

Thank you for responding! I truly hope Personio would make our IT-management even a bit easier.

Could you please explain to me how I will know which Attribute is an Azure AD system attribute, and which is an Azure AD custom attribute?

As far as I understand, attributes such as City, Department, Office, Position (Job title) could be placed to Azure AD to their respective places, as those attributes have placeholders by default in Azure AD.

Have I perhaps misunderstood something?

However, if these are Azure AD system attributes, what might be the reason why Personio isn’t syncing said recently enabled attributes to our Azure AD? Perhaps there is a way to manually trigger sync from Personio to Azure AD?

We are successfully receiving new users from Personio to Azure AD, so the sync should be functional also in any other way.

I did read from your website that Office phone is not a supported Attribute at this time, although it has a place in Azure AD contact information. Could you also tell us why the Office phone isn’t supported?

Also, I may have been adding the Attributes in a wrong place; I added ticks to Attributes under Settings → API credentials → Azure AD → Readable employee attributes

 

I realized that I might need to change Attributes under Marketplace → Microsoft Azure Active Directory → Settings → Step 4. Is this right?

 

Authentication already exists, but after I try to get forward from Step 1 by pressing Next, I get an error:

I have refreshed the page and even tried with another web browser, but I always get the same error.

Could this happen if I don’t have enough rights in Personio? I’m not the main admin user, although I have more access rights than normal users.

 

Best regards,

SpiralPlugger


Hi @SpiralPlugger 👋🏼,

Thank you very much for your quick response. I am investigating some details about your questions and confirming the accuracy of the information I have. Please bear with me, I will get back to you asap.

I appreciate your patience!

Best,

Andrea

Hello, I think I got it solved.

Just so you know, tapping the Azure AD API button on and off from Personio Settings did not do anything.

I needed to remove authentication from Azure AD completely in Personio Marketplace, re-authenticate it again, and after this the synchronization started functioning even for the added Attributes. There was some issue with Azure AD authentication.

However, there are a bunch of accounts that Personio couldn’t update Attributes to, most probably for the reason that Personio tried to create those accounts to Azure AD a while ago, but couldn’t, because the specific firstname.lastname@domain.com address type was already created manually (before Personio could do it) – so Personio had created firstname.lastname_bunchofnumbers@domain.com address instead. Now, because the real actual account is without those bunchofnumbers, Personio isn’t aware that it should update the correct account Attributes.

I’m unable to see from Personio / Azure AD settings (or API) which account Personio is trying to synchronize those attributes to, but my guess is above. It would be great to see this linked account information within Personio, and be able to change it manually afterwards.

I see this as a bug in Personio to Azure AD synchronizing.

 

Best regards,

SpiralPlugger


Dear @SpiralPlugger,

Thank you very much for sharing this information with me. If I understood you correctly, there are still profiles for which information is not being synced even though you rearranged the authentication with Azure AD. You also mention this is because these profiles were created before the integration between Personio and Azure AD existed. Instead, Personio created new profiles in Azure AD (firstname.lastname_bunchofnumbers@domain.com). Is this correct? This means you have to update the information in these profiles manually each time in Azure AD?

I am asking this, since I want to recognize if this is an inquiry that might have to be communicated to my colleagues from the support team, or if I can further support you.

Thank you in advance again for your response!

Best,

Andrea

Hello @Andrea,

I went ahead and started removing the wrong, “secondary” accounts (firstname.lastname_bunchofnumbers@domain.com) from Azure AD, after which Personio started updating Attribute information to the correct (firstname.lastname@domain.com) accounts.

So I figured that…

  • if Personio has created “secondary” Azure AD accounts, it tries to sync / update Attribute information to those accounts it has created. It seems to know what’s the Azure AD account name it has created.
  • when those “secondary” accounts are removed from Azure AD, it will try to find the correct firstname.lastname@domain.com accounts, and if found, update Attribute information correctly to them

It would be nice if inside Personio it would show somewhere, what’s the name of the Azure AD linked account on each user, as it seems to already have this information somewhere, but hidden.

Anyway, this issue has now been solved for us.

 

Best regards, 

SpiralPlugger
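
An added example, not part of the original thread and not Personio or Microsoft tooling: before deleting anything, the "secondary" accounts described above can be listed from an exported list of Azure AD user principal names. The underscore-plus-digits suffix pattern, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed shape of a provisioned duplicate: local part, underscore, digits, domain.
SUFFIXED = re.compile(r"^(?P<local>.+)_(?P<digits>\d+)@(?P<domain>[^@]+)$")


def _normalise(upns):
    """UPNs are case-insensitive, so compare them lower-cased and trimmed."""
    return {u.strip().lower() for u in upns if u.strip()}


def find_secondary_accounts(upns):
    """Map each un-suffixed account to the suffixed duplicates that shadow it."""
    present = _normalise(upns)
    pairs = defaultdict(list)
    for upn in sorted(present):
        m = SUFFIXED.match(upn)
        if m and f"{m['local']}@{m['domain']}" in present:
            pairs[f"{m['local']}@{m['domain']}"].append(upn)
    return dict(pairs)


def find_unpaired_suffixed(upns):
    """Suffixed-looking accounts with no un-suffixed twin: review by hand,
    they may be the person's only account or a legitimately named mailbox."""
    present = _normalise(upns)
    return [
        upn for upn in sorted(present)
        if (m := SUFFIXED.match(upn))
        and f"{m['local']}@{m['domain']}" not in present
    ]


# Constructed sample export (not real accounts).
SAMPLE_UPNS = [
    "anna.meier@example.com",
    "anna.meier_48213@example.com",
    "Jonas.Weber@example.com",
    "jonas.weber_7731@example.com",
    "lea.koch_5520@example.com",   # no un-suffixed account exists
    "svc_backup@example.com",      # underscore, but no digit suffix
    "team_2022@example.com",       # matches the pattern, yet not a duplicate
]

if __name__ == "__main__":
    for primary, dupes in find_secondary_accounts(SAMPLE_UPNS).items():
        print(f"{primary} is shadowed by {', '.join(dupes)}")
    print("manual review:", find_unpaired_suffixed(SAMPLE_UPNS))
```

Only the paired results are candidates for the cleanup described in the post; check group memberships, licences and sign-in activity on each duplicate before removing it.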


Dear @SpiralPlugger,

Thank you so much for all your input! I am happy to read that the issue has been resolved. I totally understand why, in this situation, it would be useful to see in Personio which Azure AD profile is linked to which Personio profile. 

It would be super helpful, if you could share this suggestion for improvement in our ideation area. This way, our product team can take it into consideration for the future development of our tool!

I would be very thankful for your post 😊.

I wish you a great start to the week.

Greetings from Munich,

Andrea
