Raymond Tishenko

Thoughts, ideas and general ramblings of a SharePoint and Infrastructure Consultant in Vancouver, BC

I'm addicted to coffee. There, I said it.

Sync Mobile Phone from Azure Active Directory to SharePoint Online using PowerShell

Nearly every organization needs a People Search / Employee Directory, and the usefulness of these applications is directly proportional to the data available for search and display.

In SharePoint Online and Office 365, the synchronization of values from Azure Active Directory (AAD) to the SharePoint User Profile Service Application (UPA) is completely automated and not configurable. This is quite different from the on-premises Active Directory and SharePoint installations, where administrators are able to configure the synchronization of values from a variety of sources into the SharePoint UPA.

At a glance, you can see which properties are synchronized in the "SharePoint Admin Centre > User Profiles > Manage User Profiles > Edit User Profile"; the synchronized properties are indicated by the "lock" icon, as below:
[Image: SharePoint Online User Profile Properties Sync]

The current configuration of AAD and the O365 UPA is such that the value of the "Mobile Phone" user property is not synchronized to the UPA "Cell Phone" property, nor is there any way for an administrator to configure this using either of the administrative interfaces.
[Image: Empty User Profile Mobile phone property]
As such, this critical piece of people-related data is not available for People Search or Employee Directories.

There are a few ways to populate this information in the SharePoint UPA, ranging from encouraging users to populate the data manually (not kidding!) to using the Office Dev PnP BulkUserProfileUpdater sample, but the latter only works if you have an on-premises Active Directory instance. If you're only using cloud identities, or not keen on building the Office Dev PnP sample application, then you need another solution: PowerShell and the SharePoint Client-Side Object Model (CSOM).

Prerequisites

If you're already managing your Office 365 / SharePoint Online tenant using PowerShell, chances are you'll have these installed, but if not you'll need:

For additional details on running PowerShell against Office 365 and Azure Active Directory, take a look at http://powershell.office.com/get-started.

Additionally, you'll need a set of credentials for both the Office 365 tenant and the Azure AD tenant. This user must be a global admin on the SharePoint User Profile Application as well as a Service Admin on the Azure tenant. Lastly, be sure that the user account is not configured for Multi-Factor Authentication, otherwise you'll be unable to connect via PowerShell.

Running the PowerShell Script

The following script will need to be modified to reflect the admin URL of your SharePoint Online tenant. Also, it'd be a good idea to implement additional error handling and perhaps log errors and/or output; it's rough and assumes a 'happy path'. Lastly, it pulls all the users in your Azure AD tenant, which may not be desirable given the number of accounts or your particular needs. If you want to reduce the scope of users, simply add some filter criteria to this line: $AzureADUsers = Get-MSolUser -All

There is a flag that controls the behaviour of the script with regards to existing values in the "Cell Phone" UPA field - by default it will not overwrite values but by setting $overwriteExistingSPOUPAValue = "True" it will do so.

Run the "Windows Azure Active Directory Module for Windows PowerShell" as an Administrator, then execute this script:


Import-Module MSOnline
Import-Module Microsoft.Online.SharePoint.PowerShell

# Load the SharePoint CSOM assemblies (Add-Type is the supported way to load plain .NET assemblies)
$csomPath = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI'
Add-Type -Path "$csomPath\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$csomPath\Microsoft.SharePoint.Client.Runtime.dll"
Add-Type -Path "$csomPath\Microsoft.SharePoint.Client.UserProfiles.dll"

# Defaults
$spoAdminUrl = "https://tenant-admin.sharepoint.com"
$overwriteExistingSPOUPAValue = "False"

# Get credentials of account that is AzureAD Admin and SharePoint Online Admin
$credential = Get-Credential

Try {
    # Connect to AzureAD
    Connect-MsolService -Credential $credential

    # Build SharePoint Online credentials; hand the SecureString over as-is rather than
    # round-tripping the admin password through plain text
    $spoCredentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($credential.UserName, $credential.Password)
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($spoAdminUrl)
    $ctx.Credentials = $spoCredentials
    $spoPeopleManager = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($ctx)

    # Get all AzureAD Users (add filter criteria here to narrow the scope)
    $AzureADUsers = Get-MsolUser -All

    ForEach ($AzureADUser in $AzureADUsers) {

        $mobilePhone = $AzureADUser.MobilePhone
        $targetUPN = $AzureADUser.UserPrincipalName.ToString()
        # Claims-encoded SharePoint Online account name for this user
        $targetSPOUserAccount = ("i:0#.f|membership|" + $targetUPN)

        # Check to see if the AzureAD User has a MobilePhone specified
        if (!([string]::IsNullOrEmpty($mobilePhone))) {
            # Get the existing value of the SPO User Profile Property CellPhone
            $targetUserCellPhone = $spoPeopleManager.GetUserProfilePropertyFor($targetSPOUserAccount, "CellPhone")
            $ctx.ExecuteQuery()

            $userCellPhone = $targetUserCellPhone.Value

            # Populate the target property if it is empty, or if we've been told to overwrite existing values
            if ([string]::IsNullOrEmpty($userCellPhone) -or ($overwriteExistingSPOUPAValue -eq "True")) {
                $spoPeopleManager.SetSingleValueProfileProperty($targetSPOUserAccount, "CellPhone", $mobilePhone)
                $ctx.ExecuteQuery()
            }
            else {
                # Not going to overwrite existing property value
                Write-Output "Target SPO UPA CellPhone is not empty for $targetUPN and we're to preserve existing properties"
            }
        }
        else {
            # AzureAD User MobilePhone is empty, nothing to do here
            Write-Output "AzureAD MobilePhone Property is Null or Empty for $targetUPN"
        }
    }
}
Catch {
    # Surface the failure; the original bare [Exception] literal reported nothing
    Write-Error $_.Exception.Message
}

Results

Once it's completed, the script does not report status; it's bare-bones (but works), and the output looks something like this:
[Image: PowerShell script output]

During the run there were a couple of accounts with no value in the AAD MobilePhone property, and one account that already had a value in the UPA CellPhone property - since the default behaviour is to preserve existing values it was not overwritten.

Checking the User Profile Details now, you can see we've successfully copied the values from Azure Active Directory to the SharePoint User Profile Service Application:
[Image: Updated User Profile Properties]

Now, once the search crawl process picks up the new values in CellPhone, they will be available for use in People Search or Employee Directory applications, and will be visible to the user on their personal User Profile page.

Lastly, note that this is not a one-time process, but rather the script will need to be run periodically to ensure the Mobile Phone property values are available as new users are added to Azure AD. In the long term, let's hope that Microsoft either automatically synchronizes the Mobile Phone to Cell Phone properties, or allows Office 365 administrators some limited ability to configure the User Profile synchronization mappings. Until that time, this PowerShell script will allow you to sync values from Azure Active Directory Mobile Phone to the SharePoint Online User Profile Application Cell Phone property.
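Since the sync has to be rerun periodically, here is an added example (not part of the original post) that wraps the same CSOM calls in a function with a scope filter for Get-MsolUser, the overwrite flag as a switch, a -WhatIf dry run, per-user error handling so one bad profile does not abort the run, and a CSV log that gives each run an audit trail. It assumes the MSOnline module and the CSOM assemblies are already loaded and Connect-MsolService has been run as in the script above; the default filter and log path are constructed placeholders.

```powershell
function Sync-MobilePhoneToSpoCellPhone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SpoAdminUrl,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # Scope filter evaluated per MsolUser; default keeps licensed, sign-in-enabled accounts only
        [scriptblock] $UserFilter = { $_.IsLicensed -and -not $_.BlockCredential },
        [switch] $OverwriteExisting,
        [string] $LogPath = '.\upa-cellphone-sync.csv'   # constructed default path
    )

    # Hand the SecureString straight to CSOM; no plain-text round trip of the admin password
    $spoCreds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Credential.UserName, $Credential.Password)
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SpoAdminUrl)
    $ctx.Credentials = $spoCreds
    $pm = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($ctx)

    $results = foreach ($u in (Get-MsolUser -All | Where-Object $UserFilter)) {
        $upn = $u.UserPrincipalName
        $account = "i:0#.f|membership|$upn"      # claims-encoded SPO account name
        $action = 'Skipped'; $detail = ''
        try {
            if ([string]::IsNullOrWhiteSpace($u.MobilePhone)) {
                $detail = 'AAD MobilePhone empty'
            }
            else {
                $current = $pm.GetUserProfilePropertyFor($account, 'CellPhone')
                $ctx.ExecuteQuery()
                if ([string]::IsNullOrEmpty($current.Value) -or $OverwriteExisting) {
                    $detail = "previous value '$($current.Value)'"
                    if ($PSCmdlet.ShouldProcess($upn, "Set CellPhone to '$($u.MobilePhone)'")) {
                        $pm.SetSingleValueProfileProperty($account, 'CellPhone', $u.MobilePhone)
                        $ctx.ExecuteQuery()
                        $action = 'Updated'
                    }
                    else { $action = 'WhatIf' }
                }
                else { $detail = 'UPA CellPhone already set; preserved' }
            }
        }
        catch {
            # One failing profile (e.g. not yet provisioned in SPO) must not abort the whole run
            $action = 'Error'; $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Time = (Get-Date).ToString('s'); UPN = $upn; Action = $action; Detail = $detail }
    }
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $results
}
```

Run it with -WhatIf first (for example `Sync-MobilePhoneToSpoCellPhone -SpoAdminUrl 'https://tenant-admin.sharepoint.com' -Credential (Get-Credential) -WhatIf`) and review the CSV before letting it write to the UPA.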
