Azure AD Connect sync: Understanding Declarative Provisioning

This topic explains the configuration model in Azure AD Connect. The model is called Declarative Provisioning and it allows you to make a configuration change with ease. Many things described in this topic are advanced and not required for most customer scenarios.

Overview

Declarative provisioning processes objects coming in from a source connected directory and determines how the object and its attributes should be transformed from a source to a target. An object is processed in a sync pipeline, and the pipeline is the same for inbound and outbound rules. An inbound rule goes from a connector space to the metaverse, and an outbound rule goes from the metaverse to a connector space.

(Figure: Sync pipeline)

The pipeline has several different modules. Each one is responsible for one concept in object synchronization.

(Figure: Sync pipeline)

  • Source: the source object
  • Scope: finds all sync rules that are in scope
  • Join: determines the relationship between the connector space and the metaverse
  • Transform: calculates how attributes should be transformed and flow
  • Precedence: resolves conflicting attribute contributions
  • Target: the target object

Scope

The scope module evaluates an object and determines the rules that are in scope and should be included in the processing. Depending on the attribute values on the object, different sync rules are evaluated to be in scope. For example, a disabled user with no Exchange mailbox has different rules in scope than an enabled user with a mailbox.

(Figure: Scope)

The scope is defined as groups and clauses. The clauses are inside a group. A logical AND is used between all clauses in a group, for example (department = IT AND country = Denmark). A logical OR is used between groups.

(Figure: Scope)

The scope in this picture should be read as (department = IT AND country = Denmark) OR (country = Sweden). If either group 1 or group 2 evaluates to true, the rule is in scope.

The scope module supports the following operations.

| Operation | Description |
| --- | --- |
| EQUAL, NOTEQUAL | A string compare that evaluates if the value is equal to the value in the attribute. For multi-valued attributes, see ISIN and ISNOTIN. |
| LESSTHAN, LESSTHAN_OR_EQUAL | A string compare that evaluates if the value is less than the value in the attribute. |
| CONTAINS, NOTCONTAINS | A string compare that evaluates if the value can be found somewhere inside the value in the attribute. |
| STARTSWITH, NOTSTARTSWITH | A string compare that evaluates if the value is at the beginning of the value in the attribute. |
| ENDSWITH, NOTENDSWITH | A string compare that evaluates if the value is at the end of the value in the attribute. |
| GREATERTHAN, GREATERTHAN_OR_EQUAL | A string compare that evaluates if the value is greater than the value in the attribute. |
| ISNULL, ISNOTNULL | Evaluates if the attribute is absent from the object. If the attribute is not present and therefore null, the rule is in scope. |
| ISIN, ISNOTIN | Evaluates if the value is present in the defined attribute. This operation is the multi-valued variation of EQUAL and NOTEQUAL. The attribute is supposed to be a multi-valued attribute, and if the value can be found in any of the attribute values, the rule is in scope. |
| ISBITSET, ISNOTBITSET | Evaluates if a particular bit is set. For example, it can be used to evaluate the bits in userAccountControl to see if a user is enabled or disabled. |
| ISMEMBEROF, ISNOTMEMBEROF | The value should contain a DN to a group in the connector space. If the object is a member of the group specified, the rule is in scope. |
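The group/clause evaluation described above, as an added Python example that is not part of this article or of Azure AD Connect itself. The rule names, scope definitions and sample objects are constructed, and the model assumes that the group DNs an object belongs to are held in a memberOf attribute for ISMEMBEROF; the operation names follow the table.

```python
# Added example, not code from the Azure AD Connect documentation or product: a small
# Python model of the scope module. Rule names, scope definitions and sample objects
# below are constructed; the operation names follow the table above.
from typing import Any, Dict, List, Tuple

# A clause is (attribute, operation, value); a group is a list of clauses combined
# with AND; a scope is a list of groups combined with OR.
Clause = Tuple[str, str, Any]
Scope = List[List[Clause]]


def _as_list(value: Any) -> List[Any]:
    """Treat a missing attribute as no values and a scalar as a one-element list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def evaluate_clause(obj: Dict[str, Any], clause: Clause) -> bool:
    """Evaluate one scope clause against one object, using the operations above."""
    attr, op, value = clause
    raw = obj.get(attr)
    values = [str(x) for x in _as_list(raw)]
    first = values[0] if values else ""        # single-valued compares use the value
    target = "" if value is None else str(value)

    if op == "ISNULL":
        return raw is None
    if op == "ISNOTNULL":
        return raw is not None
    if op == "ISIN":                           # multi-valued variant of EQUAL
        return target in values
    if op == "ISNOTIN":
        return target not in values
    if op in ("ISBITSET", "ISNOTBITSET"):      # e.g. bit 0x2 of userAccountControl = disabled
        bit_set = bool(int(raw or 0) & int(value))
        return bit_set if op == "ISBITSET" else not bit_set
    if op in ("ISMEMBEROF", "ISNOTMEMBEROF"):
        # Assumption of this model: group DNs the object belongs to are held in memberOf.
        member = target in [str(x) for x in _as_list(obj.get("memberOf"))]
        return member if op == "ISMEMBEROF" else not member

    # The remaining operations are plain string comparisons.
    positive = {
        "EQUAL": first == target,
        "LESSTHAN": first < target,
        "LESSTHAN_OR_EQUAL": first <= target,
        "GREATERTHAN": first > target,
        "GREATERTHAN_OR_EQUAL": first >= target,
        "CONTAINS": target in first,
        "STARTSWITH": first.startswith(target),
        "ENDSWITH": first.endswith(target),
    }
    negated = {"NOTEQUAL": "EQUAL", "NOTCONTAINS": "CONTAINS",
               "NOTSTARTSWITH": "STARTSWITH", "NOTENDSWITH": "ENDSWITH"}
    if op in positive:
        return positive[op]
    if op in negated:
        return not positive[negated[op]]
    raise ValueError(f"unknown scope operation: {op}")


def in_scope(obj: Dict[str, Any], scope: Scope) -> bool:
    """OR across groups, AND within a group. A rule with no scope filter is always in scope."""
    if not scope:
        return True
    return any(all(evaluate_clause(obj, clause) for clause in group) for group in scope)


def rules_in_scope(obj: Dict[str, Any], rules: Dict[str, Scope]) -> List[str]:
    return [name for name, scope in rules.items() if in_scope(obj, scope)]


# Constructed, simplified rules: a catch-all rule, one for enabled accounts (bit 0x2 of
# userAccountControl clear), one for mailbox users, and the (department = IT AND
# country = Denmark) OR (country = Sweden) scope from the text.
SAMPLE_RULES: Dict[str, Scope] = {
    "User Common (example)": [],
    "User AccountEnabled (example)": [[("userAccountControl", "ISNOTBITSET", 2)]],
    "User Exchange (example)": [[("mailNickname", "ISNOTNULL", None)]],
    "Nordic IT (example)": [[("department", "EQUAL", "IT"), ("country", "EQUAL", "Denmark")],
                            [("country", "EQUAL", "Sweden")]],
}

# Constructed sample objects: an enabled mailbox user in Denmark, a disabled user without
# a mailbox in Sweden, and an enabled user in Norway.
BOB = {"department": "IT", "country": "Denmark", "userAccountControl": 512,
       "mailNickname": "bob", "proxyAddresses": ["SMTP:bob@contoso.com"]}
ALICE = {"department": "Sales", "country": "Sweden", "userAccountControl": 514}
CAROL = {"department": "IT", "country": "Norway", "userAccountControl": 512}

if __name__ == "__main__":
    for name, obj in (("bob", BOB), ("alice", ALICE), ("carol", CAROL)):
        print(name, "->", rules_in_scope(obj, SAMPLE_RULES))
```

Running it shows the point made in the text: the disabled user without a mailbox (alice) falls out of the AccountEnabled and Exchange rules but into the second scope group via country = Sweden, while the Norwegian user matches neither group of the Nordic IT rule.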

Join

The join module in the sync pipeline is responsible for finding the relationship between the object in the source and an object in the target. On an inbound rule, this relationship is an object in a connector space finding a relationship to an object in the metaverse.

(Figure: Join between the connector space and the metaverse)

The goal is to see if there is already an object in the metaverse, created by another Connector, that it should be associated with. For example, in an account-resource forest the user from the account forest should be joined with the user from the resource forest.

Joins are used mostly on inbound rules to join connector space objects together to the same metaverse object.

The joins are defined as one or more groups. Inside a group, you have clauses. A logical AND is used between all clauses in a group. A logical OR is used between groups. The groups are processed in order from top to bottom. When one group has found exactly one match with an object in the target, no other join rules are evaluated. If zero or more than one object is found, processing continues to the next group of rules. For this reason, the rules should be created in the order of most explicit first and more fuzzy at the end.

(Figure: Join definition)

The joins in this picture are processed from top to bottom. First the sync pipeline sees if there is a match on employeeID. If not, the second rule sees if the account name can be used to join the objects together. If that is not a match either, the third and final rule is a fuzzier match using the name of the user.

If all join rules have been evaluated and there is not exactly one match, the Link Type on the Description page is used. If this option is set to Provision, a new object is created in the target.

(Figure: Provision or join)

An object should have only one sync rule with join rules in scope. If there are multiple sync rules in scope where a join is defined, an error occurs. Precedence is not used to resolve join conflicts. An object must have a join rule in scope for attributes to flow in the same inbound/outbound direction. If you need to flow attributes both inbound and outbound to the same object, you must have both an inbound and an outbound sync rule with a join.

Outbound join has a special behavior when it tries to provision an object to a target connector space. The DN attribute is used to first try a reverse join. If there is already an object in the target connector space with the same DN, the objects are joined.

The join module is evaluated only once, when a new sync rule comes into scope. Once an object has joined, it is not disjoined even if the join criteria are no longer satisfied. If you want to disjoin an object, the sync rule that joined the objects must go out of scope.
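The top-to-bottom join processing, the "exactly one match" stop condition, the fallback to the Link Type and the error for multiple in-scope join rules, as an added Python model that is not part of this article or of Azure AD Connect. The join groups (employeeID, then account name, then display name), the metaverse contents and the rule names are constructed; the model returns status strings instead of raising so the outcomes can be inspected.

```python
# Added example, not code from the documentation or product: a model of how the join
# module walks join groups top to bottom and what happens when no group yields exactly
# one match. Attribute names, metaverse contents and rule names are constructed.
from typing import Any, Dict, List, Optional, Tuple

# A join clause pairs a connector space attribute with a metaverse attribute (EQUAL);
# clauses in a group are ANDed, groups are tried in order.
JoinClause = Tuple[str, str]
JoinGroup = List[JoinClause]
Metaverse = Dict[str, Dict[str, Any]]


def _group_matches(cs_obj: Dict[str, Any], mv_obj: Dict[str, Any], group: JoinGroup) -> bool:
    for cs_attr, mv_attr in group:
        value = cs_obj.get(cs_attr)
        if value is None or value != mv_obj.get(mv_attr):
            return False
    return True


def find_join(cs_obj: Dict[str, Any], metaverse: Metaverse,
              groups: List[JoinGroup]) -> Tuple[Optional[str], Optional[int]]:
    """Return (metaverse id, index of the group that matched) for the first group with
    exactly one hit. Zero hits or more than one hit move on to the next group."""
    for index, group in enumerate(groups):
        hits = [mv_id for mv_id, mv_obj in metaverse.items()
                if _group_matches(cs_obj, mv_obj, group)]
        if len(hits) == 1:
            return hits[0], index
    return None, None


def process_inbound(cs_obj: Dict[str, Any], metaverse: Metaverse,
                    rules_in_scope: Dict[str, Dict[str, Any]],
                    joined_to: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """rules_in_scope maps a sync rule name to {"join": [groups], "link_type": ...}.
    Returns a (status, metaverse id) pair instead of raising, so callers can log it."""
    if joined_to is not None:
        # The join module runs once; an existing join is kept even if the criteria no
        # longer match.
        return "already-joined", joined_to
    with_join = {name: rule for name, rule in rules_in_scope.items() if rule.get("join")}
    if len(with_join) > 1:
        # Precedence does not resolve this: more than one in-scope rule defines joins.
        return "error-multiple-join-rules", None
    if not with_join:
        return "no-join-rule", None
    rule = next(iter(with_join.values()))
    mv_id, _ = find_join(cs_obj, metaverse, rule["join"])
    if mv_id is not None:
        return "joined", mv_id
    if rule.get("link_type") == "Provision":
        new_id = f"mv-{len(metaverse) + 1}"
        metaverse[new_id] = dict(cs_obj)          # new target object created
        return "provisioned", new_id
    return "not-joined", None                     # Join/StickyJoin: no new object


# Constructed join definition from the text: employeeID first, then account name,
# then the fuzzier display name match.
JOIN_GROUPS: List[JoinGroup] = [
    [("employeeID", "employeeID")],
    [("sAMAccountName", "accountName")],
    [("displayName", "displayName")],
]


def sample_metaverse() -> Metaverse:
    return {
        "mv-1": {"employeeID": "1001", "accountName": "bob", "displayName": "Bob Smith"},
        "mv-2": {"employeeID": "1002", "accountName": "alice", "displayName": "Alice Jones"},
        "mv-3": {"employeeID": None, "accountName": "a.jones", "displayName": "Alice Jones"},
    }


def demo() -> List[Tuple[str, Optional[str]]]:
    mv = sample_metaverse()
    rules = {"In from AD - User (example)": {"join": JOIN_GROUPS, "link_type": "Provision"}}
    return [
        process_inbound({"employeeID": "1002", "sAMAccountName": "x"}, mv, rules),
        process_inbound({"sAMAccountName": "bob", "displayName": "Robert Smith"}, mv, rules),
        # Two metaverse objects share this displayName, so the last group is not
        # an exact match either and a new object is provisioned.
        process_inbound({"sAMAccountName": "ajones", "displayName": "Alice Jones"}, mv, rules),
        process_inbound({"employeeID": "1001"}, mv,
                        {"A (example)": {"join": JOIN_GROUPS}, "B (example)": {"join": JOIN_GROUPS}}),
    ]


if __name__ == "__main__":
    for status, mv_id in demo():
        print(status, mv_id)
```

The third case is the one worth noticing: the fuzzy display-name group finds two candidates, which is not "exactly one match", so the engine moves on, runs out of groups and falls back to the Link Type. With Provision that means a new, possibly duplicate, metaverse object rather than a join; this is why the text recommends putting the most explicit rules first.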

Metaverse delete

A metaverse object remains as long as there is one sync rule in scope with Link Type set to Provision or StickyJoin. A StickyJoin is used when a Connector is not allowed to provision a new object to the metaverse, but once it has joined, the object must be deleted in the source before the metaverse object is deleted.

When a metaverse object is deleted, all objects associated with an outbound sync rule marked for provision are marked for a delete.

Transformations

The transformations are used to define how attributes should flow from the source to the target. The flows can have one of the following flow types: Direct, Constant, or Expression. A direct flow flows an attribute value as-is with no additional transformations. A constant value sets the specified value. An expression uses the declarative provisioning expression language to express how the transformation should be done. The details of the expression language can be found in the understanding declarative provisioning expression language topic.

(Figure: Provision or join)

The Apply once checkbox defines that the attribute should be set only when the object is initially created. For example, this configuration can be used to set an initial password for a new user object.

Merging attribute values

In the attribute flows there is a setting to determine if multi-valued attributes should be merged from several different Connectors. The default value is Update, which indicates that the sync rule with the highest precedence should win.

(Figure: Merge type)

There is also Merge and MergeCaseInsensitive. These options allow you to merge values from different sources. For example, they can be used to merge the member or proxyAddresses attribute from several different forests. When you use this option, all sync rules in scope for an object must use the same merge type. You cannot define Update from one Connector and Merge from another. If you try, you receive an error.

The difference between Merge and MergeCaseInsensitive is how duplicate attribute values are processed. The sync engine makes sure duplicate values are not inserted into the target attribute. With MergeCaseInsensitive, duplicate values that differ only in case are not going to be present. For example, you should not see both "SMTP:bob@contoso.com" and "smtp:bob@contoso.com" in the target attribute. Merge only looks at the exact values, so multiple values that differ only in case might be present.

The option Replace is the same as Update, but it is not used.

Control the attribute flow process

When multiple inbound sync rules are configured to contribute to the same metaverse attribute, precedence is used to determine the winner. The sync rule with the highest precedence (lowest numeric value) contributes the value. The same happens for outbound rules. The sync rule with the highest precedence wins and contributes the value to the connected directory.

In some cases, rather than contribute a value, the sync rule should determine how other rules should behave. There are some special literals used for this case.

For inbound Synchronization Rules, the literal NULL can be used to indicate that the flow has no value to contribute. Another rule with lower precedence can contribute a value. If no rule contributed a value, the metaverse attribute is removed. For an outbound rule, if NULL is the final value after all sync rules have been processed, the value is removed in the connected directory.

The literal AuthoritativeNull is similar to NULL, but with the difference that no lower precedence rules can contribute a value.

An attribute flow can also use IgnoreThisFlow. It is similar to NULL in the sense that it indicates there is nothing to contribute. The difference is that it does not remove an already existing value in the target. It is as if the attribute flow had never been there.

Here is an example:

In Out to AD - User Exchange hybrid the following flow can be found:
IIF([cloudSOAExchMailbox] = True,[cloudMSExchSafeSendersHash],IgnoreThisFlow)
This expression should be read as: if the user mailbox is located in Azure AD, then flow the attribute from Azure AD to AD. If not, do not flow anything back to Active Directory. In this case, the existing value in AD is kept.
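How the engine turns contributions from several rules into one target value, as an added Python model that is not part of this article or of Azure AD Connect. It serves both the merge-type section above (Update, Merge, MergeCaseInsensitive, and the error for mixed merge types) and the NULL, AuthoritativeNull and IgnoreThisFlow literals just described, and it models the quoted IIF flow. Connector names, precedence numbers and attribute values are constructed; the Literal class is this model's way of representing the special literals.

```python
# Added example, not code from the documentation or product: a model of how
# contributions from several sync rules are resolved into one target value, covering
# the Update/Merge/MergeCaseInsensitive merge types and the NULL, AuthoritativeNull and
# IgnoreThisFlow literals. Connector names, precedence numbers and values are constructed.
from typing import Any, Dict, List, Tuple


class Literal:
    """Special flow literal; compared by identity, never stored as a value."""
    def __init__(self, name: str) -> None:
        self.name = name

    def __repr__(self) -> str:
        return self.name


NULL = Literal("NULL")                              # nothing to contribute; lower rules may
AUTHORITATIVE_NULL = Literal("AuthoritativeNull")   # nothing, and lower rules may not
IGNORE_THIS_FLOW = Literal("IgnoreThisFlow")        # as if the flow were not there

# (precedence, connector, merge type, contributed value)
Contribution = Tuple[int, str, str, Any]


def resolve_attribute(contributions: List[Contribution],
                      existing: Any = None) -> Tuple[Any, str]:
    """Return (value, action) where action is 'set', 'remove', 'keep' or an error text."""
    if not contributions:
        return existing, "keep"
    merge_types = {c[2] for c in contributions}
    if len(merge_types) > 1:
        return existing, "error: rules in scope use different merge types " + str(sorted(merge_types))
    merge_type = merge_types.pop()
    ordered = sorted(contributions, key=lambda c: c[0])   # lowest number wins

    if merge_type in ("Update", "Replace"):
        saw_null = False
        for _, _, _, value in ordered:
            if value is IGNORE_THIS_FLOW:
                continue
            if value is NULL:
                saw_null = True                # let a lower-precedence rule contribute
                continue
            if value is AUTHORITATIVE_NULL:
                return None, "remove"          # and block everything below it
            return value, "set"
        return (None, "remove") if saw_null else (existing, "keep")

    if merge_type in ("Merge", "MergeCaseInsensitive"):
        merged: List[str] = []
        seen = set()
        for _, _, _, value in ordered:
            if isinstance(value, Literal):
                continue
            for item in (value if isinstance(value, list) else [value]):
                key = item.lower() if merge_type == "MergeCaseInsensitive" else item
                if key not in seen:            # first occurrence (highest precedence) is kept
                    seen.add(key)
                    merged.append(item)
        return merged, "set"
    return existing, f"error: unknown merge type {merge_type}"


def iif(condition: bool, if_true: Any, if_false: Any) -> Any:
    return if_true if condition else if_false


def safe_senders_flow(mv_obj: Dict[str, Any]) -> Any:
    """Models the Out to AD - User Exchange hybrid flow quoted above:
    IIF([cloudSOAExchMailbox] = True,[cloudMSExchSafeSendersHash],IgnoreThisFlow)."""
    return iif(mv_obj.get("cloudSOAExchMailbox") is True,
               mv_obj.get("cloudMSExchSafeSendersHash"), IGNORE_THIS_FLOW)


if __name__ == "__main__":
    # Constructed: two AD forests contribute company; the higher-precedence one says NULL.
    print(resolve_attribute([(100, "contoso.com", "Update", NULL),
                             (110, "fabrikam.com", "Update", "Fabrikam")]))
    print(resolve_attribute([(100, "contoso.com", "MergeCaseInsensitive", ["SMTP:bob@contoso.com"]),
                             (110, "fabrikam.com", "MergeCaseInsensitive",
                              ["smtp:bob@contoso.com", "smtp:bob@fabrikam.com"])]))
```

The difference between the three literals is visible in the Update branch: NULL steps aside for lower rules, AuthoritativeNull ends the walk with a removal, and IgnoreThisFlow is skipped without ever forcing a removal, so a flow that evaluates to it leaves the existing target value alone.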

ImportedValue

The function ImportedValue is different from all other functions in that the attribute name must be enclosed in quotes rather than square brackets:
ImportedValue("proxyAddresses").

Usually during synchronization an attribute uses the expected value, even if it hasn't been exported yet or an error was received during export ("top of the tower"). An inbound synchronization assumes that an attribute that hasn't yet reached a connected directory eventually reaches it. In some cases, it is important to only synchronize a value that has been confirmed by the connected directory ("hologram and delta import tower").

An example of this function can be found in the out-of-box Synchronization Rule In from AD - User Common from Exchange. In Hybrid Exchange, the value added by Exchange Online should only be synchronized when it has been confirmed that the value was exported successfully:
proxyAddresses <- RemoveDuplicates(Trim(ImportedValue("proxyAddresses")))
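The expected-versus-confirmed distinction behind ImportedValue, as an added Python model that is not part of this article or of Azure AD Connect. The CsObject layout (a confirmed hologram plus values staged for export), the sample addresses, the export outcome switch and the exact-match behaviour of the RemoveDuplicates stand-in are constructed assumptions of the model; the flow function mirrors the proxyAddresses flow quoted above.

```python
# Added example, not code from the documentation or product: a model of the difference
# between the expected attribute value ("top of the tower") and the value confirmed by
# import ("hologram"), which is what ImportedValue returns. The object layout, the
# attribute values and the exact-match dedup of RemoveDuplicates are assumptions.
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


class CsObject:
    """A connector space object: the last confirmed import (hologram) plus attribute
    values staged for export that the connected directory has not confirmed yet."""

    def __init__(self, hologram: Dict[str, Any]) -> None:
        self.hologram = dict(hologram)
        self.pending_export: Dict[str, Any] = {}

    def stage_export(self, attr: str, value: Any) -> None:
        self.pending_export[attr] = value

    def expected(self, attr: str) -> Any:
        """Ordinary [attr] reference: the expected value, exported or not."""
        if attr in self.pending_export:
            return self.pending_export[attr]
        return self.hologram.get(attr)

    def imported_value(self, attr: str) -> Any:
        """ImportedValue("attr"): only what the connected directory has confirmed."""
        return self.hologram.get(attr)

    def export(self, success: bool) -> None:
        """Export to the connected directory. On success the next import confirms the
        values (hologram updated); on an error the expected value stays pending, so
        [attr] keeps returning it while ImportedValue does not."""
        if success:
            self.hologram.update(self.pending_export)
            self.pending_export.clear()


def trim(values: List[str]) -> List[str]:
    return [v.strip() for v in values]


def remove_duplicates(values: List[str]) -> List[str]:
    seen = set()
    out = []
    for v in values:
        if v not in seen:           # assumption: exact-match de-duplication
            seen.add(v)
            out.append(v)
    return out


def proxy_addresses_flow(cs: CsObject) -> List[str]:
    """proxyAddresses <- RemoveDuplicates(Trim(ImportedValue("proxyAddresses")))"""
    return remove_duplicates(trim(_as_list(cs.imported_value("proxyAddresses"))))


def demo() -> Dict[str, List[str]]:
    # Constructed: AD already holds the primary address; Exchange Online adds a routing
    # address (with stray whitespace and a duplicate) that is exported back to AD.
    cs = CsObject({"proxyAddresses": ["SMTP:bob@contoso.com"]})
    cs.stage_export("proxyAddresses", ["SMTP:bob@contoso.com",
                                       " smtp:bob@contoso.mail.onmicrosoft.com ",
                                       "smtp:bob@contoso.mail.onmicrosoft.com"])
    before = proxy_addresses_flow(cs)            # only the confirmed value flows
    expected = cs.expected("proxyAddresses")     # what [proxyAddresses] would give
    cs.export(success=True)
    after = proxy_addresses_flow(cs)             # trimmed, de-duplicated, confirmed
    return {"before": before, "expected": expected, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Before the export is confirmed the flow carries only the address AD has actually reported, while an ordinary [proxyAddresses] reference would already carry the staged values; after a failed export the two keep diverging, which is exactly the situation the out-of-box rule guards against.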

Precedence

When several sync rules try to contribute the same attribute value to the target, the precedence value is used to determine the winner. The rule with the highest precedence (lowest numeric value) contributes the attribute in a conflict.

(Figure: Merge type)

This ordering can be used to define more precise attribute flows for a small subset of objects. For example, the out-of-box rules make sure that attributes from an enabled account (User AccountEnabled) take precedence over those from other accounts.

Precedence can be defined between Connectors. That allows Connectors with better data to contribute values first.

Multiple objects from the same connector space

If you have several objects in the same connector space joined to the same metaverse object, precedence must be adjusted. If several objects are in scope of the same sync rule, the sync engine is not able to determine precedence. It is ambiguous which source object should contribute the value to the metaverse. This configuration is reported as ambiguous even if the attributes in the source have the same value.

(Figure: Multiple objects joined to the same metaverse object)

For this scenario, you need to change the scope of the sync rules so that the source objects have different sync rules in scope. That allows you to define different precedence.

(Figure: Multiple objects joined to the same metaverse object)
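The ambiguity check and its resolution through scope, as an added Python model that is not part of this article or of Azure AD Connect. The two accounts, their employeeType values, the rule names and the predicate-based scope definitions are constructed; the model deliberately reports ambiguity even when both objects carry the same attribute value, as the text states.

```python
# Added example, not code from the documentation or product: a model of why two
# connector space objects joined to the same metaverse object are reported as
# ambiguous when they share a sync rule, and how narrower scope plus different
# precedence resolves it. Rule names, scope predicates and objects are constructed.
from collections import defaultdict
from typing import Any, Callable, Dict, List, Tuple

CsObject = Dict[str, Any]
# rule name -> (precedence, scope predicate); predicates stand in for scope clauses
Rules = Dict[str, Tuple[int, Callable[[CsObject], bool]]]


def contribute(joined_objects: List[CsObject], rules: Rules, attr: str) -> Tuple[str, Any]:
    """All joined_objects come from one connector space and join the same metaverse
    object. Returns ("ambiguous", details) or ("value", winning value)."""
    by_rule: Dict[str, List[CsObject]] = defaultdict(list)
    for obj in joined_objects:
        for name, (_, predicate) in rules.items():
            if predicate(obj):
                by_rule[name].append(obj)
    # More than one object in scope of the same rule: ambiguous, even if the
    # attribute values happen to be identical.
    clashes = {name: [o["dn"] for o in objs] for name, objs in by_rule.items() if len(objs) > 1}
    if clashes:
        return "ambiguous", clashes
    candidates = [(rules[name][0], name, objs[0][attr])
                  for name, objs in by_rule.items() if objs and attr in objs[0]]
    if not candidates:
        return "value", None
    candidates.sort()                          # lowest precedence number wins
    return "value", candidates[0][2]


# Constructed: a person's primary account and a second account in the same forest,
# both joined to the same metaverse object.
PRIMARY = {"dn": "CN=bob,OU=Users,DC=contoso,DC=com", "employeeType": "Primary",
           "displayName": "Bob Smith"}
SECONDARY = {"dn": "CN=bob-second,OU=Users,DC=contoso,DC=com", "employeeType": "Secondary",
             "displayName": "Bob Smith (second)"}

# One rule in scope for both objects: the engine cannot pick a source.
BROAD_RULES: Rules = {"In from AD - User (example)": (100, lambda o: True)}

# Scope split on employeeType with different precedence: the primary account wins.
SPLIT_RULES: Rules = {
    "In from AD - User Primary (example)": (100, lambda o: o.get("employeeType") == "Primary"),
    "In from AD - User Secondary (example)": (110, lambda o: o.get("employeeType") == "Secondary"),
}

if __name__ == "__main__":
    print(contribute([PRIMARY, SECONDARY], BROAD_RULES, "displayName"))
    print(contribute([PRIMARY, SECONDARY], SPLIT_RULES, "displayName"))
```

The fix is not a precedence change on the shared rule (there is nothing for precedence to order when both objects sit under the same rule); it is the scope split that gives each source object its own rule, after which the precedence numbers decide.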

Next steps

Overview topics

Reference topics