Azure AD Connect sync: Understanding Declarative Provisioning Expressions

Azure AD Connect sync builds on declarative provisioning, first introduced in Forefront Identity Manager 2010. It allows you to implement your complete identity integration business logic without the need to write compiled code.

An essential part of declarative provisioning is the expression language used in attribute flows. The language used is a subset of Microsoft® Visual Basic® for Applications (VBA). This language is used in Microsoft Office, and users with experience of VBScript will also recognize it. The Declarative Provisioning Expression Language uses only functions and is not a structured language. There are no methods or statements. Functions are instead nested to express program flow.

For more details, see Welcome to the Visual Basic for Applications language reference for Office 2013.

The attributes are strongly typed. A function only accepts attributes of the correct type. It is also case-sensitive. Both function names and attribute names must have proper casing or an error is thrown.

Language definitions and Identifiers

  • Functions have a name followed by arguments in brackets: FunctionName(argument 1, argument N).
  • Attributes are identified by square brackets: [attributeName]
  • Parameters are identified by percent signs: %ParameterName%
  • String constants are surrounded by quotes: For example, "Contoso" (Note: must use straight quotes "" and not smart quotes “”)
  • Numeric values are expressed without quotes and expected to be decimal. Hexadecimal values are prefixed with &H. For example, 98052, &HFF
  • Boolean values are expressed with constants: True, False.
  • Built-in constants and literals are expressed with only their name: NULL, CRLF, IgnoreThisFlow


Declarative provisioning uses many functions to transform attribute values. These functions can be nested so the result from one function is passed in to another function.


The complete list of functions can be found in the function reference.


A parameter is defined either by a Connector or by an administrator using PowerShell. Parameters usually contain values that are different from system to system, for example the name of the domain the user is located in. These parameters can be used in attribute flows.

The Active Directory Connector provides the following parameters for inbound Synchronization Rules:

Parameter Name    Comment
Domain.Netbios    Netbios format of the domain currently being imported, for example FABRIKAMSALES
Domain.FQDN       FQDN format of the domain currently being imported, for example sales.fabrikam.com
Domain.LDAP       LDAP format of the domain currently being imported, for example DC=sales,DC=fabrikam,DC=com
Forest.Netbios    Netbios format of the forest name currently being imported, for example FABRIKAMCORP
Forest.FQDN       FQDN format of the forest name currently being imported, for example fabrikam.com
Forest.LDAP       LDAP format of the forest name currently being imported, for example DC=fabrikam,DC=com

The system provides the following parameter, which is used to get the identifier of the Connector currently running:

Here is an example that populates the metaverse attribute domain with the netbios name of the domain where the user is located:
domain <- %Domain.Netbios%


The following operators can be used:

  • Comparison: <, <=, <>, =, >, >=
  • Mathematics: +, -, *, -
  • String: & (concatenate)
  • Logical: && (and), || (or)
  • Evaluation order: ( )

Operators are evaluated left to right and have the same evaluation priority. That is, the * (multiplier) is not evaluated before - (subtraction). 2*(5+3) is not the same as 2*5+3. The brackets ( ) are used to change the evaluation order when left to right evaluation order isn't appropriate.
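The left-to-right rule above, modeled in Python as an added example (not code from the original page and not the sync engine's parser). The function names are hypothetical, and only the arithmetic operators, decimal and &H literals, and brackets listed on this page are covered:

```python
import operator
import re

# Tokens: &H-prefixed hex, decimal integers, arithmetic operators, brackets.
TOKEN = re.compile(r"\s*(&H[0-9A-Fa-f]+|\d+|[-+*()])")
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}

def tokenize(text):
    tokens, pos = [], 0
    text = text.rstrip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def evaluate_flat(text):
    """Evaluate with every operator at the same priority, left to right."""
    tokens = tokenize(text)
    value, used = _sequence(tokens, 0)
    if used != len(tokens):
        raise ValueError(f"unexpected token {tokens[used]!r}")
    return value

def _operand(tokens, i):
    if i >= len(tokens):
        raise ValueError("missing operand")
    tok = tokens[i]
    if tok == "(":
        # Brackets are the only way to change the evaluation order.
        value, i = _sequence(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("missing closing bracket")
        return value, i + 1
    if tok.startswith("&H"):
        return int(tok[2:], 16), i + 1
    if tok.isdigit():
        return int(tok), i + 1
    raise ValueError(f"expected a number, got {tok!r}")

def _sequence(tokens, i):
    # Fold operands into a running value strictly in the order written.
    value, i = _operand(tokens, i)
    while i < len(tokens) and tokens[i] in OPS:
        right, nxt = _operand(tokens, i + 1)
        value, i = OPS[tokens[i]](value, right), nxt
    return value, i
```

Under this rule 3+5*2 evaluates to 16, where conventional precedence would give 13, so an expression ported from VBScript needs explicit brackets, as in 3+(5*2), to keep its original meaning.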

Multi-valued attributes

The functions can operate on both single-valued and multi-valued attributes. For multi-valued attributes, the function operates over every value and applies the same function to every value.

For example:

Trim([proxyAddresses])
Do a Trim of every value in the proxyAddresses attribute.

Word([proxyAddresses],1,"@") & ""
For every value with an @-sign, replace the domain with

IIF(InStr([proxyAddresses],"SIP:")=1,NULL,[proxyAddresses])
Look for the SIP-address and remove it from the values.
