

User identity rules

When configuring School Data Sync (SDS), you need to define how student and staff identities from your source data (API or CSV files) map to the user object in the target directory (Microsoft Entra ID).

You select the user identity rules options by making selections for both staff and student roles.

These rules are used for matching existing users from SIS / SMS to Microsoft Entra ID.

Important

When configuring the Microsoft 365 Manage Users flow, these rules are used if the Create unmatched users option is activated. The rule configuration defines how the Microsoft Entra UserPrincipalName property is constructed and ensures that future runs match to the same user.

Note

User matching is performed with the inbound flow and doesn't write or update the user objects in Microsoft Entra ID. The matching is performed and stored in the Education data lake. For more information on how the match link is written forward with the outbound flow, see Microsoft 365 Manage Users.

  • If a user has multiple roles, the following rules determine which match rule (staff or student) is used between the user record and the Microsoft Entra user object.
    • If isPrimary is set for all student roles, even if association to a staff role exists, the match is made based on the student role.
    • If isPrimary is set for any staff role, even if association to a student role exists, the match is made based on the staff role.
    • If isPrimary is set for both staff and student roles, the match is made based on the staff role.
    • If isPrimary isn't set for any roles, especially with a mix of both staff and student roles, the match is based on the staff role.

Important

If the user is also associated with multiple organizations, the following is also used to determine the value when writing the role to the Microsoft Entra user object if the tenant has set up a "Manage Microsoft 365 Users" outbound flow.

Value from source: User value based on data that's coming from your SIS/SMS. The rule configuration uses the selected value as a simple string value, or alpha-numeric characters without spaces. The string value must match the exact value contained in the selected target to find the corresponding user.

  • Available source options are:

    • Username (v1/v2.1 CSV and OneRoster API)
    • Email (v1/v2.1 CSV and OneRoster API)
    • ActiveDirectoryMatchId (v2.1 CSV)
  • Domain (optional) selection to append the @domain value to the source option selected.

    Warning

    Selecting a domain is optional and should only be used if the incoming data, based on the selected Attribute from source, doesn't include the @domain value. SDS doesn't check each record and append the domain only where it's missing. SDS appends the selected domain to all records, which could result in @domain@domain values that don't find matches when mapping to existing users in Microsoft Entra ID.

    Caution

    If the SIS / SMS users, for example users in the staff role group, could be associated with @domain1, @domain2, or @domain3, you must have an @domain included in the source data, based on the selected Attribute from source (example: prefix@domain). This is needed so that your Attribute to match to selection (UserPrincipalName or Mail) can find the correct Microsoft Entra user to match with.

Attribute to match to: User property in Microsoft Entra ID to match to.

  • Available Microsoft Entra ID match options are:
    • UserPrincipalName
    • Mail

Tip

For your Attribute to match to selection (UserPrincipalName or Mail, for example prefix@domain), you must have an @domain value included in or appended to the source data.
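
The following pre-flight check is an added example, not Microsoft or SDS code. It models the behavior described in the Warning above (the selected domain is appended to every record) together with the exact-match requirement, so that records heading for @domain@domain or a missing @domain are caught before a sync run. The function names, users, and the contoso.example domain are constructed for illustration.

```python
# Added example: models the domain-append behavior described on this page.
# Not SDS code; function names and sample values are constructed.

def build_match_key(source_value, domain=None):
    """Form the value compared against UserPrincipalName or Mail.

    Per the Warning, the domain is appended to every record without
    checking whether the source value already contains one.
    """
    return f"{source_value}@{domain}" if domain else source_value


def preflight(source_values, directory_values, domain=None):
    """Classify each source value before a sync run.

    Returns {source_value: status} where status is one of:
      'match'          - key equals a directory value exactly
      'double-domain'  - domain selected but value already has '@'
      'missing-domain' - no domain selected and value has no '@'
      'no-match'       - well-formed key, but no directory user has it
    """
    directory = set(directory_values)
    report = {}
    for value in source_values:
        key = build_match_key(value, domain)
        if domain and "@" in value:
            report[value] = "double-domain"
        elif not domain and "@" not in value:
            report[value] = "missing-domain"
        elif key in directory:  # exact string comparison, as the page requires
            report[value] = "match"
        else:
            report[value] = "no-match"
    return report


# Constructed sample data (hypothetical users and domain).
ENTRA_UPNS = ["avery@contoso.example", "blake@contoso.example"]
SOURCE_USERNAMES = ["avery", "blake@contoso.example", "casey"]

if __name__ == "__main__":
    result = preflight(SOURCE_USERNAMES, ENTRA_UPNS, "contoso.example")
    for value, status in result.items():
        print(f"{value!r}: {status}")
```

A mixed export like the sample, where some usernames already carry the @domain and others don't, can't be fixed by the Domain selection alone; the source data has to be made consistent first.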