Product: OneSync
Audience: ClassLink Administrator
This article details how to properly format a source with values that adhere to destination field requirements, including character length and valid characters. We also provide a comprehensive dictionary of mapping terms according to source or destination type and a downloadable Mappings Template.
Overview
Mapping Template
OneSync fields are based on LDAP attributes. Thus, it is best practice to avoid using the following special characters, unless they are required to properly format the field value or path (e.g. email@domain.com; CN=ContainerName, OU=OrgUnit; /GSuiteOU).
- Forward slash (/)
- Backward slash (\)
- Left square bracket ([)
- Right square bracket (])
- Colon (:)
- Semicolon (;)
- Vertical bar (|)
- Equal sign (=)
- Plus sign (+)
- Asterisk (*)
- Question mark (?)
- Left angle bracket (<)
- Right angle bracket (>)
- Double quote (")
- At symbol (@)
The table below lists the required fields and their requirements for OneSync and each destination type, as well as the formatting for Groups. Unique fields are denoted by an asterisk (*).
| Field | Min Length | Max Length | Notes |
| Active Directory | |||
| cn | 1 | 64 | |
| displayName | 1 | 256 | |
| Organizational Unit Path | 1 | 255 |
Organization Units should be formatted from most specific to least specific (e.g. OU=Most Specific,OU=Least Specific).
|
| givenName | 1 | 64 | |
| *sAMAccountName | 1 | 20 | |
| sn | 1 | 64 | |
| *userPrincipalName | 1 | 64 | (e.g. ExampleUPN@domain.com) |
| Azure | |||
| displayName | 1 | 256 | |
| *mailNickname | 1 | 64 | Cannot begin with a period. |
| passwordProfile.password | 8 | 16 |
Requires 3 out of 4 of the following: lowercase, uppercase, digits, symbols (not including spaces).
|
| *userPrincipalName | 1 | 113 |
Up to 64 characters before the @ symbol, and 48 characters after.
|
| GSuite | |||
| name.givenName | 1 | 60 | |
| name.familyName | 1 | 60 | |
| orgUnitPath | 1 | 128 |
Must be formatted with a forward slash (e.g. /OrgUnitPathName)
|
| *primaryEmail | 1 | 64 | No more than one period in a row. |
| password | 8 | 100 |
GSuite password sensitivity and settings can be edited in the gsuite admin console.
|
Mapping Terms Dictionary
The following is a list of all the available fields, both required and optional, for sources and destinations in OneSync. Required fields are listed at the top of each table and denoted by an asterisk (*). You can read the formatting rules and requirements for each required field by clicking here.
| OneSync Fields | Description |
| A user's email address. | |
| *givenName | A user's first name. |
| *role | The user's department or title (e.g. student, teacher, administrator). |
| *surname | A user's last name. |
| *uniqueId | A unique identifer that is associated with a single user within OneSync. |
| The remaining default OneSync fields are based off of LDAP/Active Directory Fields and definitions. | |
| Active Directory Fields | Description |
| *cn | This attribute specifies the name that represents an object. This attribute is used to perform searches. |
| *displayName | This attribute specifies the display name for an object. This attribute is usually the combination of the user's first name, middle initial, and last name. |
| *givenName | This attribute contains the given name (first name) of the user. |
| *Organizational Unit Path | The OU path, relative to the distinguished name (DN), without the domain components (DC) or the container names (CN). |
| *sAMAccountName | The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. |
| *sn | This attribute contains the family or last name for a user. |
| *userPrincipalName | This attribute contains the UPN that is an Internet-style logon name for a user, as specified in [RFC822]. The UPN is shorter than the DN and easier to remember. By convention, this attribute maps to the user email name. The value set for this attribute is equal to the length of the user's ID and the domain name. |
| accountExpires | This attribute specifies the date when an account exThis attribute specifies the date when an account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601, Coordinated Universal Time (Greenwich Mean Time). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.pires. This value represents the number of 100-nanosecond intervals since January 1, 1601, Coordinated Universal Time (Greenwich Mean Time). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires. |
| accountNameHistory | The length of time that the account has been active. |
| aCSPolicyName | String name of an ACS policy that applies to this user. |
| adminCount | Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). |
| adminDescription | This attribute specifies the description displayed on administration screens. |
| adminDisplayName | This attribute specifies the name displayed on administration screens. |
| allowedAttributes | This attribute specifies attributes that are permitted to be assigned to a class. |
| allowedAttributesEffective | This attribute specifies a list of attributes that can be modified on the object. |
| allowedChildClasses | This attribute specifies classes that can be contained by a class. |
| allowedChildClassesEffective | This attribute specifies a list of classes that can be modified. |
| altSecurityIdentities | Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication. |
| assistant | This attribute specifies the distinguished name (DN) of a user's administrative assistant. |
| badPasswordTime | This attribute specifies the last time and date that an attempt to log on to this account was made using an invalid password. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last "bad password time" is unknown. |
| badPwdCount | This attribute specifies the number of times the user tried to log on to the account by using an incorrect password. A value of 0 indicates that the value is unknown. |
| bridgeheadServerListBL | This attribute is the back link attribute of bridgeheadServerList and contains the list of servers that are bridgeheads for replication. |
| c | This attribute specifies the country/region in the address of the user. The country/region is represented as the two-character country code based on ISO-3166. |
| canonicalName | This attribute specifies the name of the object in canonical format. "myserver2.fabrikam.com/users/jeffsmith" is an example of a DN in canonical format. |
| co | This attribute specifies the country/region in which the user is located. |
| codePage | Specifies the code page for the user's language of choice. This value is not used by Windows 2000. |
| comment | This attribute specifies the user's comments. |
| company | This attribute specifies the user's company name. |
| controlAccessRights | Used by DS Security to determine which users can perform specific operations on the host object. |
| countryCode | This attribute specifies the country code for the user's language of choice. |
| createTimeStamp | This attribute specifies the date when this object was created. This value is replicated. |
| dBCSPwd | The account's LAN Manager password. |
| defaultClassStore | This attribute specifies the default class store for a given user. |
| department | This attribute contains the name for the department in which the user works. |
| description | This attribute contains the description to display for an object. This value is treated as single-valued by the Active Directory system. |
| desktopProfile | This attribute specifies the location of the desktop profile for a user or group of users. |
| destinationIndicator | This attribute is part of the X.500 specification [X500]. |
| directReports | This attribute contains the list of users that directly report to the user. The users that are listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user. |
| displayNamePrintable | This attribute specifies the printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name. |
| division | This attribute specifies the user's division. |
| dSASignature | This attribute specifies the DSA-Signature of an object, which is the Invocation-ID of the last directory to modify the object. |
| dSCorePropagationData | This attribute is for internal use only. |
| dynamicLDAPServer | This attribute specifies the fully qualified domain name (FQDN) (1) ([MS-ADTS] section 1.1) of the server handling dynamic properties for this account. |
| employeeID | This attribute specifies the ID of an employee. |
| extensionName | This attribute specifies the name of a property page that is used to extend the UI of a directory object. |
| facsimileTelephoneNumber | This attribute contains the telephone number of the user's business fax machine. |
| flags | This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only; for example, a global catalog (GC) replica instance. |
| fromEntry | This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only; for example, a global catalog (GC) replica instance. |
| frsComputerReferenceBL | Reference to replica sets to which this computer belongs. |
| fRSMemberReferenceBL | Reference to subscriber objects for this member. |
| fSMORoleOwner | The fSMORoleOwner attribute stores the distinguished name of a DSA object as described in [MS-ADTS] section 3.1.1.1.11 (FSMO Roles). |
| garbageCollPeriod | This attribute is located on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... object. It represents the period of time, in hours, between directory service (DS) garbage collection runs. |
| generationQualifier | This attribute indicates a person's generation; for example, "Jr." or "II". |
| groupMembershipSAM | Windows NT Security. Down level Windows NT support. |
| groupPriority | The Group-Priority attribute is not currently used. |
| groupsToIgnore | The Groups-to-Ignore attribute is not currently used. |
| homeDirectory | The home directory for the account. If homeDrive is set and specifies a drive letter, homeDirectory must be a UNC path. Otherwise, homeDirectory is a fully qualified local path including the drive letter (for example, DriveLetter:\Directory\Folder). This value can be a null string. |
| homeDrive | Specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form DriveLetter: where DriveLetter is the letter of the drive to map. The DriveLetter must be a single, uppercase letter and the colon (:) is required. |
| homePhone | The user's main home phone number. |
| homePostalAddress | This attribute specifies the user's home address. |
| info | Additional user info. |
| initials | This attribute contains the initials for parts of the user's full name. It can be used as the middle initial in the Windows Address Book. |
| instanceType | This attribute specifies a bit field that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas, even if the replicas are in sync. |
| internationalISDNNumber | This attribute specifies an international ISDN number associated with an object. |
| ipPhone | This attribute specifies the TCP/IP address for the phone. Used by telephony. |
| isCriticalSystemObject | If TRUE, the object hosting this attribute has to be replicated during installation of a new replica. |
| isDeleted | If TRUE, this object has been marked for deletion and will be removed from the Active Directory system. |
| isPrivilegeHolder | Backward link to privileges held by a given principal. |
| City | This attribute represents the name of a locality, such as a town or city. |
| lastKnownParent | This attribute specifies the DN of the last known parent of an orphaned or deleted object. |
| lastLogoff | This attribute is not used. |
| lastLogon | This attribute specifies the time at which the user last logged on to the domain. This value is only updated if the user logs on after a week has passed since the last update. This value is replicated. |
| legacyExchangeDN | The distinguished name previously used by Exchange. |
| lmPwdHistory | The password history of the user in LAN Manager (LM) one-way format (OWF). The LM OWF is used for compatibility with LAN Manager 2.x clients, Windows 95, and Windows 98. |
| localeID | This attribute contains a list of locale IDs supported by this application. A locale ID represents a geographic location, such as a country/region, city, county, and so on. |
| lockoutTime | This attribute specifies the date and time (in UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out. |
| logonCount | The number of times the account has successfully logged on. A value of 0 indicates that the value is unknown. |
| logonHours | The hours that the user is allowed to logon to the domain. |
| logonWorkstation | This attribute is not used. See the User-Workstations attribute. |
| This attribute specifies the list of email addresses for a contact. | |
| managedObjects | This attribute contains the list of objects that are managed by the user. The objects listed are those that have the managedBy property set to this user. Each item in the list is a linked reference to the managed object. |
| manager | This attribute contains the DN of the user who is the user's manager. The manager's user object contains a directReports property that contains references to all user objects that have their manager properties set to this DN. |
| masteredBy | This attribute specifies the DN of the object that is assigned to manage this object. |
| maxStorage | The maximum amount of disk space the user can use. Use the value specified in USER_MAXSTORAGE_UNLIMITED to use all available disk space. |
| memberOf | This attribute specifies the DN of the groups to which this object belongs. |
| mhsORAddress | X.400 address. |
| middleName | This attribute specifies additional names for a user; for example, middle name, patronymic, matronymic, or others. |
| mobile | This attribute specifies the primary cellular phone number for a user. |
| modifyTimeStamp | This attribute specifies the date when this object was last changed. This value is replicated. |
| mS-DS-ConsistencyChildCount | This attribute is not necessary for Active Directory to function. The protocol does not define a format beyond that required by the schema. |
| mS-DS-ConsistencyGuid | This attribute is not necessary for Active Directory to function. The protocol does not define a format beyond that required by the schema. |
| mS-DS-CreatorSID | The security ID of the creator of the object that contains this attribute. |
| mSMQDigests | An array of digests of the corresponding certificates in attribute mSMQ-Sign-Certificates. They are used for mapping a digest into a certificate. |
| mSMQDigestsMig | In MSMQ mixed-mode, contains the previous value of mSMQDigests. |
| mSMQSignCertificates | This attribute contains a number of certificates. A user can generate a certificate per computer. For each certificate we also keep a digest. |
| mSMQSignCertificatesMig | In MSMQ mixed-mode, the attribute contains the previous value of mSMQSignCertificates. MSMQ supports migration from the MSMQ 1.0 DS to the Windows 2000 DS, and mixed mode specifies a state in which some of the DS severs were not upgraded to Windows 2000. |
| msNPAllowDialin | Indicates whether the account has permission to dial in to the RAS server. Do not modify this value directly. Use the appropriate RAS administration function to modify this value. |
| msNPCallingStationID | The msNPCallingStationID attribute is used internally. Do not modify this value directly. |
| msNPSavedCallingStationID | The msNPSavedCallingStationID attribute is used internally. Do not modify this value directly. |
| msRADIUSCallbackNumber | The msRADIUSCallbackNumber attribute is used internally. Do not modify this value directly. |
| msRADIUSFramedIPAddress | The msRADIUSFramedIPAddress attribute is used internally. Do not modify this value directly. |
| msRADIUSFramedRoute | The msRADIUSFramedRoute attribute is used internally. Do not modify this value directly. |
| msRADIUSServiceType | The msRADIUSServiceType attribute is used internally. Do not modify this value directly. |
| msRASSavedCallbackNumber | The msRASSavedCallbackNumber attribute is used internally. Do not modify this value directly. |
| msRASSavedFramedIPAddress | The msRASSavedFramedIPAddress attribute is used internally. Do not modify this value directly. |
| msRASSavedFramedRoute | The msRASSavedFramedRoute attribute is used internally. Do not modify this value directly. |
| name | This attribute specifies the relative distinguished name of an object. |
| netbootSCPBL | A list of service connection points that reference this NetBoot server. |
| networkAddress | This attribute specifies the TCP/IP address for a network segment. Also called the subnet address. |
| nonSecurityMemberBL | List of nonsecurity-members for an Exchange distribution list. |
| ntPwdHistory | This attribute specifies the password history of the user in Windows NT operating system one-way format (OWF). Windows 2000 operating system uses the Windows NT OWF. |
| nTSecurityDescriptor | This attribute specifies the Windows NT operating system security descriptor for an object. |
| o | This attribute specifies the name of the company or organization. |
| objectCategory | This attribute specifies an object class name used to group objects of this or derived classes. |
| objectClass | This attribute specifies the list of classes of which this object is an instance. |
| objectGUID | This attribute specifies the unique identifier for an object. |
| objectSid | This attribute contains a binary value that specifies the security identifier (SID) of a security principal object. The SID is a unique value used to identify security principal objects. |
| objectVersion | This attribute can be used to store a version number for the object. |
| operatorCount | Operator count. |
| otherFacsimileTelephoneNumber | This attribute specifies a list of alternate facsimile numbers. |
| otherHomePhone | This attribute specifies a list of alternate home phone numbers. |
| otherIpPhone | This attribute specifies the list of alternate TCP/IP addresses for the phone. Used by telephony. |
| otherLoginWorkstations | Non–Windows NT or LAN Manager workstations from which a user can log on. Active Directory does not use or populate this field. |
| otherMailbox | Contains other additional mail addresses in a form such as CCMAIL: BruceKeever. |
| otherMobile | This attribute specifies a list of alternate cell phone numbers. |
| otherPager | This attribute specifies a list of alternate pager numbers. |
| otherTelephone | This attribute specifies a list of alternate office phone numbers. |
| otherWellKnownObjects | This attribute contains a list of containers by GUID and distinguished name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the Active Directory system will automatically update the distinguished name. |
| ou | This attribute specifies the name of the organizational unit. |
| pager | This attribute specifies the primary pager number. |
| partialAttributeDeletionList | This attribute tacks the internal replication state of partial replicas (that is, on GCs). It is an attribute of the partial replica NC object, and is used when the GC is in the process of removing attributes from the objects in its partial replica NCs. |
| partialAttributeSet | This attribute tracks the internal replication state of partial replicas (that is, on GCs). It is an attribute of the partial replica NC object, and defines the set of attributes present on a particular partial replica NC. |
| personalTitle | This attribute specifies the user's title. |
| physicalDeliveryOfficeName | This attribute contains the office location in the user's place of business. |
| possibleInferiors | This attribute specifies the list of objects that this object can contain. |
| postalAddress | This attribute specifies the mailing address for the object. |
| postalCode | This attribute specifies the postal or ZIP code for mail delivery. |
| postOfficeBox | This attribute specifies the P.O. box number for this object. |
| preferredDeliveryMethod | This attribute specifies the X.500–preferred way [X500] to deliver to the addressee. |
| preferredOU | This attribute specifies the organizational unit to show by default on the user's desktop. |
| primaryGroupID | Contains the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group. |
| primaryInternationalISDNNumber | This attribute specifies the primary ISDN number. |
| primaryTelexNumber | This attribute specifies the primary telex number. |
| profilePath | Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path. |
| proxiedObjectName | This attribute is used internally by Active Directory to help track interdomain moves. |
| proxyAddresses | This attribute specifies proxy addresses. A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists. |
| pwdLastSet | This attribute specifies the date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). |
| queryPolicyBL | This attribute is the back link attribute of queryPolicy and lists all objects holding references to a given Query-Policy. |
| registeredAddress | This attribute specifies a mnemonic for an address associated with an object at a particular city location. The mnemonic is registered in the country/region in which the city is located and is used in the provision of the Public Telegram Service. |
| replPropertyMetaData | This attribute tracks internal replication state information for DS objects. Information here can be extracted in public form through the public DsReplicaGetInfo() API. This attribute is present on all DS objects. |
| replUpToDateVector | This attribute tracks internal replication state information for an entire NC. Information here can be extracted in public form through the DsReplicaGetInfo() API. Present on all NC root objects. |
| repsFrom | This attribute lists the servers from which the directory will accept changes for the defined naming context (NC). |
| repsTo | This attribute lists the servers that the directory will notify of changes and the servers that the directory will send changes to, upon request for the defined NC. |
| revision | This attribute specifies the revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects. |
| rid | The relative Identifier of an object. |
| sAMAccountType | The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. |
| scriptPath | This attribute specifies the path for the user's logon script. The string can be null. |
| sDRightsEffective | This constructed attribute returns a single DWORD value that can have up to three bits set: OWNER_SECURITY_INFORMATION, DACL_SECURITY_INFORMATION, and SACL_SECURITY_INFORMATION. If a bit is set, then the user has write access to the corresponding part of the security descriptor. |
| securityIdentifier | A unique value of variable length used to identify a user account, group account, or logon session to which an ACE applies. |
| seeAlso | This attribute specifies the list of DNs related to an object. |
| serverReferenceBL | This attribute is the backlink attribute of serverReference, and it contains the DN of a server object under the sites folder. This attribute is not necessary for Active Directory Lightweight Directory Services to function. The protocol does not define a format beyond that required by the schema. |
| servicePrincipalName | List of principal names used for mutual authentication with an instance of a service on this computer. |
| showInAddressBook | This attribute is used to indicate in which MAPI address books an object will appear. It is usually maintained by the Exchange Recipient Update Service. |
| showInAdvancedViewOnly | This attribute is TRUE if the corresponding attribute is to be visible in the advanced mode of the UI. |
| sIDHistory | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property. |
| siteObjectBL | This attribute is the backlink attribute of siteObject and contains the list of subnet objects that belong to a site. |
| st | This attribute specifies the name of a user's state or province. |
| street | This attribute specifies the user's street address. |
| streetAddress | This attribute specifies the user's address. |
| subRefs | This attribute specifies a list of subordinate references of a naming context. |
| subSchemaSubEntry | This attribute specifies the DN for the location of the subschema object where a class or attribute is defined. |
| supplementalCredentials | This attribute specifies stored credentials for use in authenticating. It provides the encrypted version of the user's password. This attribute is neither readable nor writable. |
| systemFlags | This attribute specifies an integer value that contains flags that define additional properties of the class. |
| telephoneNumber | This attribute specifies the primary telephone number. |
| teletexTerminalIdentifier | This attribute specifies the Teletex terminal identifier, and optionally parameters, for a Teletex terminal associated with an object. |
| telexNumber | This attribute specifies a list of alternate telex numbers. |
| terminalServer | Opaque data used by the Windows NT terminal server. |
| textEncodedORAddress | This attribute is used to support X.400 addresses in a text format. |
| thumbnailLogo | This attribute specifies a BLOB containing a logo for this object. |
| thumbnailPhoto | This attribute specifies a small picture for this object. |
| title | This attribute contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as "Esq." or "DDS". |
| tokenGroups | This computed attribute contains the list of SIDs due to a transitive group membership expansion operation on a given user or computer. Token groups cannot be retrieved if no global catalog is present to retrieve the transitive reverse memberships. |
| tokenGroupsGlobalAndUniversal | Token groups for Exchange. |
| tokenGroupsNoGCAcceptable | This attribute contains the list of SIDs due to a transitive group membership expansion operation on a given user or computer. Token groups cannot be retrieved if a Global Catalog is not present to retrieve the transitive reverse memberships. |
| unicodePwd | The password of the user in Windows NT operating system one-way format (OWF). Windows 2000 operating system uses the Windows NT OWF. This property is used only by the operating system. Note The clear password cannot be derived back from the OWF form of the password. |
| url | This attribute specifies a list of alternate webpages. |
| userAccountControl | Flags that control the behavior of the user account. |
| userCert | Nortel v1 or DMS certificates. |
| userCertificate | This attribute contains the DER-encoded X509v3 certificates issued to the user ([RFC3280]). |
| userParameters | This attribute specifies the user's parameters and is set aside for use by applications. Microsoft products use this member to store user data that is specific to the individual program. |
| userPassword | This attribute specifies the user's password in UTF-8 format. This is a write-only attribute. |
| userSharedFolder | Specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \\Server\Share\Directory. This value can be a null string. |
| userSharedFolderOther | Specifies a UNC path to the user's additional shared documents folder. The path must be a network UNC path of the form \\Server\Share\Directory. This value can be a null string. |
| userSMIMECertificate | This attribute specifies a certificate distribution object or tagged certificates. |
| street | This attribute specifies the user's street address. |
| uSNChanged | This attribute specifies an update sequence number (USN) value assigned by the local directory for the latest change, including creation. |
| uSNCreated | This attribute specifies a USN-Changed value that is assigned at object creation. |
| USNIntersite | This attribute specifies the USN for intersite replication. |
| uSNLastObjRem | This attribute contains the USN for the last non-system object that was removed from a server. |
| uSNSource | This attribute specifies the value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server. |
| wbemPath | This attribute specifies references to objects in other ADSI namespaces. |
| wellKnownObjects | This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the Active Directory system will automatically update the distinguished name portion of the Well-Known-Objects values that referred to the object. |
| whenChanged | This attribute specifies the date when this object was last changed. This value is not replicated and exists in the global catalog. |
| whenCreated | This attribute specifies the date when this object was created. This value is replicated and is in the global catalog. |
| wWWHomePage | This attribute specifies the primary web page. |
| x121Address | This attribute specifies the X.121 address for an object, as specified in [X121]. |
| GSuite Fields | Description |
| *name.familyName | The user's last name. Required when creating a user account. |
| *name.givenName | The user's first name. Required when creating a user account. |
| *orgUnitPath | The full path of the parent organization associated with the user. If the parent organization is the top-level, it is represented as a forward slash (/). |
| *password | Stores the password for the user account. The user's password value is required when creating a user account. It is optional when updating a user and should only be provided if the user is updating their account password. A password can contain any combination of ASCII characters. A minimum of 8 characters is required. The maximum length is 100 characters. We recommend sending the password property value as a base 16 bit, hexidecimal-encoded hash value. If a hashFunction is specified, the password must be a valid hash key. The password value is never returned in the API's response body. |
| *primaryEmail | The user's primary email address. This property is required in a request to create a user account. The primaryEmail must be unique and cannot be an alias of another user. |
| addresses[0].country | Country. |
| addresses[0].countryCode | The country code. Uses the ISO 3166-1 standard. |
| addresses[0].customType | If the address type is custom, this property contains the custom value. |
| addresses[0].extendedAddress | For extended addresses, such as an address that includes a sub-region. |
| addresses[0].formatted | A full and unstructured postal address. This is not synced with the structured address fields. |
| addresses[0].poBox | The post office box, if present. |
| addresses[0].postalCode | The ZIP or postal code, if applicable. |
| addresses[0].primary | If this is the user's primary address. The addresses list may contain only one primary address. |
| addresses[0].region | The abbreviated province or state. |
| addresses[0].sourceIsStructured | Indicates if the user-supplied address was formatted. Formatted addresses are not currently supported. |
| addresses[0].streetAddress | The street address, such as 1600 Amphitheatre Parkway. Whitespace within the string is ignored; however, newlines are significant. |
| addresses[0].type | The address type. Acceptable values are: "custom", "home", "other", "work". |
| changePasswordAtNextLogin | Indicates if the user is forced to change their password at next login. This setting doesn't apply when SSO is configured with a third party identity provider. |
| creationTime | The time the user's account was created. The value is in ISO 8601 date and time format. The time is the complete date plus hours, minutes, and seconds in the form YYYY-MM-DDThh:mm:ssTZD. For example, 2010-04-05T17:30:04+01:00. |
| deletionTime | The time the user's account was deleted. The value is in ISO 8601 date and time format. The time is the complete date plus hours, minutes, and seconds in the form YYYY-MM-DDThh:mm:ssTZD. For example 2010-04-05T17:30:04+01:00. |
| emails[0].address | The user's email address. Also serves as the email ID. This value can be the user's primary email address or an alias. |
| emails[0].customType | If the value of type is custom, this property contains the custom type string. |
| emails[0].primary | Indicates if this is the user's primary email. Only one entry can be marked as primary. |
| emails[0].type | The type of the email account. Acceptable values are: "custom", "home", "other", "work". |
| externalIds[0].customType | If the external ID type is custom, this property holds the custom type. |
| externalIds[0].type | The type of the ID. Acceptable values are: "account", "custom", "customer", "login_id", "network", "organization". |
| externalIds[0].value | The value of the ID. |
| gender.addressMeAs | AddressMeAs. A human-readable string containing the proper way to refer to the profile owner by humans, for example "he/him/his" or "they/them/their". |
| gender.customGender | Custom gender. |
| gender.type | Gender. Acceptable values are: "female", "male", "other", "unknown". |
| hashFunction | Stores the hash format of the password property. We recommend sending the password property value as a base 16 bit hexadecimal-encoded hash value. Set the hashFunction values as either the SHA-1, MD5, or crypt hash format. |
| ims[0].customProtocol | If the protocol value is custom_protocol, this property holds the custom protocol's string. |
| ims[0].customType | If the IM type is custom, this property holds the custom type string. |
| ims[0].im | The user's IM network ID. |
| ims[0].primary | If this is the user's primary IM. Only one entry in the IM list can have a value of true. |
| ims[0].protocol | An IM protocol identifies the IM network. The value can be a custom network or the standard network. Acceptable values are: "aim": AOL Instant Messenger protocol; "custom_protocol": A custom IM network protocol; "gtalk": Google Talk protocol; "icq": ICQ protocol; "jabber": Jabber protocol; "msn": MSN Messenger protocol; "net_meeting": Net Meeting protocol; "qq": QQ protocol; "skype": Skype protocol; "yahoo": Yahoo Messenger protocol. |
| ims[0].type | Acceptable values are: "custom", "home", "other", "work". |
| includeInGlobalAddressList | Indicates if the user's profile is visible in the G Suite global address list when the contact sharing feature is enabled for the domain. For more information about excluding user profiles, see the administration help center. |
| ipWhitelisted | If true, the user's IP address is white listed. |
| languages[0].customLanguage | Other language. A user can provide their own language name if there is no corresponding Google III language code. If this is set, LanguageCode can't be set |
| languages[0].languageCode | Language Code. Should be used for storing Google III LanguageCode string representation for language. Illegal values cause SchemaException. |
| locations[0].area | Textual location. This is most useful for display purposes to concisely describe the location. For example, "Mountain View, CA", "Near Seattle". |
| locations[0].buildingId | Building identifier. |
| locations[0].customType | If the location type is custom, this property contains the custom value. |
| locations[0].deskCode | Most specific textual code of individual desk location. |
| locations[0].floorName | Floor name/number. |
| locations[0].floorSection | Floor section. More specific location within the floor. For example, if a floor is divided into sections "A", "B", and "C", this field would identify one of those values. |
| locations[0].type | The location type. |
| notes.contentType | Content type of note, either plain text or HTML. Default is plain text. Possible values are: |
| notes.value | Contents of notes. |
| suspended | Indicates if the user is suspended. |
| Azure Fields | Description |
| *displayName | The display name for an object, usually the combination of the person's first name, middle initial, and last name. |
| *mailNickname | The user's email address without the domain, the value of which represents the alias of a user in an Exchange organization. |
| *passwordProfile.password | The user's email account password. |
| *userPrincipalName | The user principal name (UPN) that is an Internet-style logon name for a user, as specified in RFC 822. |
| accountEnabled | Defines if an account is enabled. |
| assistant | The name of the assistant for an account. |
| altRecipient | Property of the user specifying the DN of the contact to forward to. |
| authOrig | Relationship that indicates that the mailbox for the target object is authorized to send mail to the source object. |
| c | Two-letter ISO 3166 [ISO3166] country code. |
| cn | The common name of the object. |
| co | The country/region in which the person (user or contact) or company is located. |
| company | The person's (user or contact) company name. |
| countryCode | The country code for person's (user or contact) language of choice. |
| department | The name of the person's (user or contact) department. |
| description | Human-readable descriptive phrases about the object. |
| dLMemRejectPerms | Relationship that indicates that members of the target object are not authorized to send mail to the source object. |
| dLMemSubmitPerms | Relationship that indicates that members of the target object are authorized to send mail to the source object. |
| extensionAttribute1 | Custom attribute that is defined in the customer on-premises directory. |
| facsimiletelephonenumber | Telephone numbers (and, optionally, the parameters) for facsimile terminals. |
| givenName | Name strings that are the part of a person's (user or contact) name that is not their surname. |
| homePhone | The person's (user or contact) main home telephone number. |
| info | Notes field on "Telephone" tab of ADUC. |
| initials | Strings of initials of some or all of an individual's names, except the surname(s). |
| ipPhone | The TCP/IP address for the telephone. |
| l | Names of a locality or place, such as a city, county, or other geographic region. |
| legacyExchangeDN | The distinguished name previously used by Exchange. |
| The list of email addresses for a person (user or contact). | |
| managedBy | Resource/owner relationship, where the source object (a group) is the resource, and the target object is the owner. |
| manager | Manager/direct report relationship between two individuals, where the source object is the direct report, and the target object is the manager. |
| member | Membership of the target object (of class User, Contact, or Group) in the group that is identified as the source object. |
| middleName | Additional names for a person (user or contact), for example, middle name, patronymic, matronymic, or other names. |
| mobile | The primary mobile phone number for a person (user or contact). |
| objectSID | A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. |
| otherFacsimileTelephone | A list of alternative facsimile numbers. |
| otherHomePhone | A list of alternative home telephone numbers. |
| otherIpPhone | A list of alternative TCP/IP addresses for the telephone. |
| otherMobile | A list of alternative mobile phone numbers. |
| otherPager | A list of alternative pager numbers. |
| otherTelephone | A list of alternative office telephone numbers. |
| pager | The primary pager number. |
| physicalDeliveryOfficeName | Names that a postal service uses to identify a post office. |
| postalCode | Codes that a postal service uses to identify postal service zones. |
| postOfficeBox | Postal box identifiers that a postal service uses when a customer arranges to receive mail at a box on the premises of the postal service. |
| preferredLanguage | The preferred written or spoken language for a user. |
| proxyAddresses | The address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. |
| publicDelegates | Cross-premises public delegation: allows users to specify delegates for their mailbox. |
| pwdLastSet | The date and time that the password for this account was last changed |
| reportToOriginator | Governs whether to send delivery reports to the message originator when a message that is sent to a group is not delivered. The delivery report lets the group owner know that the message was not delivered. |
| reportToOwner | A boolean specifying whether or not to report to owner of a group. |
| securityEnabled | Defines a security group when equal to true and a distribution group when equal to false. |
| sn | Name strings for the family names of a person (user or contact). |
| sourceAnchor | Mechanical property. Immutable identifier to maintain relationship between ADDS and Azure AD. |
| st | The full names of states or provinces. |
| streetAddress | The person's (user or contact) address. |
| targetAddress | The destination address for the person (user or contact). |
| telephoneAssistant | Specifies the telephone number of the contact's assistant. |
| telephoneNumber | Telephone numbers that comply with the ITU Recommendation E.123. |
| thumbnailphoto | Persons Photo - 10kb maximum size limit |
| title | The title of a person (user or contact) in the person's organizational context. |
| unauthOrig | Relationship that indicates that the mailbox for the target object is not authorized to send mail to the source object. |
| url | The list of alternative web pages. |
| usageLocation | Determines what features are available to your users. |
| userCertificate | Contains certificates used as part of the Exchange SMIME feature set. |
| userSMIMECertificates | Contains certificates used as part of the Exchange SMIME feature set. |
| wWWHomePage | The primary web page. |
Formatting a CSV file
Comma-separated value (CSV) files are text files that store tabular data and use commas as delimiters. You can manually edit CSV files in a text editor, but it is recommended that you edit them via Excel for visual ease. You can click here for details on how to open CSVs in Excel without losing data, or you can download the attached Mappings Template.
Note: When using Microsoft Excel to edit and format your CSV data, you must save your file as type CSV (Comma delimited).
Updated: Jan 2019