Mapping Group distinguished name to a directory extension attribute

Article ID: 390649


Updated On: 03-12-2025

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

A DLP policy that matches on a user-based directory server group requires the DLP agent to obtain the directory groups of the logged-in user from Active Directory. The match is evaluated against the distinguished name (DN) attribute of the directory group. Microsoft does not synchronize the DN of directory groups to Azure AD (Azure Active Directory) automatically, but it offers two methods to set up that synchronization. This document provides a step-by-step guide for configuring it with Azure AD.

Resolution

Approach

The two possible ways to map the group distinguished name to an Azure AD attribute (a predefined or a custom directory extension) are:

  • Using Azure AD Connect Sync - Directory Extension
  • Using Azure AD Connect Cloud Sync - Directory Extension

The sub-sections below detail the steps required for each approach.

A) Using Azure AD Connect Sync - Directory Extension

Steps:

  1. Launch Azure AD Connect on your domain-joined machine and start the configuration.
  2. Select "Customize synchronization options" to modify the existing configuration.


  3. Provide Azure AD administrator credentials to connect to Azure AD.


  4. Select the on-premises Active Directory domain that needs to sync with Azure AD.


  5. Add domain and OU filtering if desired; otherwise select all domains and OUs to sync.


  6. Under "Optional Features", select "Directory extension attribute sync".


  7. Choose which attribute to synchronize with Azure AD. The on-premises AD schema provides twenty predefined group extension attributes (msDS-cloudExtensionAttribute1 through msDS-cloudExtensionAttribute20) that can be mapped to an Azure AD attribute.

    Select any unused extension attribute and make it available to cloud-based applications by moving it to the selected attributes list.
     

  8. Complete the wizard and reconfigure so that the changes take effect.

    Once configuration and the synchronization that follows complete successfully, the newly selected extension attribute is available in the Synchronization Rules Editor.

  9. Launch the "Synchronization Rules Editor".

  10. Create a new inbound synchronization rule for group objects that maps the distinguished name to the added extension attribute. Give the custom rule a precedence lower than the built-in rules (a value below 100) so it is not overridden by them.

  11. Under Transformations, map the source AD attribute to the target Azure AD attribute: in this case a Direct flow from dn to extension_msDS-cloudExtensionAttribute5.

  12. Upon successful creation, the new rule is listed in the Synchronization Rules Editor.


  13. Run a synchronization cycle so the change reaches Azure AD, using the following PowerShell command (ADSync module):

    Start-ADSyncSyncCycle -PolicyType Initial


  14. In the Azure portal an application is registered automatically by Azure AD Connect. Its name is "Tenant Schema Extension App".


  15. Take note of the "Application ID" of that app. When you query for the group DN, the extension attribute appears in the following format (the Application ID is embedded with its hyphens removed):
    extension_<Application ID>_<predefined AD group attribute mapped earlier>

  16. Query the group attribute (using any supported application) and you will get the group DN in the new extension attribute. A Microsoft Graph query for the group, for example, returns the DN in the extension attribute configured above.
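The following script is an added example and is not part of the original article. It performs the check of steps 15 and 16 with the Microsoft Graph PowerShell SDK: it locates the Tenant Schema Extension App, derives the extension attribute name from its Application ID (hyphens stripped), reads the group back and validates that the value looks like a DN. The group name and the msDS-cloudExtensionAttribute5 attribute are placeholders; it assumes the Microsoft.Graph module is installed and the signed-in account can read applications and groups. The same check works for approach B by substituting the CloudSyncCustomExtensionsApp and your custom attribute name.

```powershell
# Added example, not from the article. Verifies that a group's on-premises DN
# has arrived in the directory extension attribute after the sync cycle.
# Placeholders: $groupName and $adAttribute. Assumes the Microsoft.Graph SDK.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Application.Read.All', 'Group.Read.All' -NoWelcome

$graph       = 'https://graph.microsoft.com/v1.0'
$groupName   = 'DLP-Finance-Users'               # placeholder group name
$adAttribute = 'msDS-cloudExtensionAttribute5'   # attribute chosen in step 7

# Step 15: find the app Azure AD Connect registers for schema extensions
$appUri = "$graph/applications?`$filter=displayName eq 'Tenant Schema Extension App'"
$app = (Invoke-MgGraphRequest -Method GET -Uri $appUri).value | Select-Object -First 1
if (-not $app) { throw 'Tenant Schema Extension App not found; has the sync cycle run?' }

# Directory extension names embed the Application ID with hyphens removed
$extName = "extension_$($app.appId -replace '-', '')_$adAttribute"

# Step 16: resolve the group, then read the object (v1.0 returns directory
# extension values by default, so no $select is needed)
$listUri = "$graph/groups?`$filter=displayName eq '$groupName'"
$hit = (Invoke-MgGraphRequest -Method GET -Uri $listUri).value | Select-Object -First 1
if (-not $hit) { throw "Group '$groupName' not found in Azure AD" }
$group = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$($hit.id)"

$dn = $group[$extName]
if ([string]::IsNullOrEmpty($dn)) {
    Write-Warning "$extName is empty on '$groupName'; check the inbound rule and re-run Start-ADSyncSyncCycle"
} elseif ($dn -notmatch '^CN=') {
    Write-Warning "Unexpected value in ${extName}: $dn"
} else {
    Write-Output "$($group.displayName) -> $dn"
}
```

The script deliberately looks the application up rather than hard-coding the Application ID, because the ID differs per tenant and a typo in it produces an attribute name that silently returns nothing.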

B) Using Azure AD Connect Cloud Sync - Directory Extension

Directory extension attributes synchronized by Azure AD Connect are not available to Azure AD Connect Cloud Sync. So we create a custom extension attribute in Azure AD and map the group DN to it.

Steps:

  1. Create the CloudSyncCustomExtensionsApp application.
  2. First check whether the application already exists:

       GET https://graph.microsoft.com/v1.0/applications?$filter=identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')

  3. If it does not exist, create the app:

       POST https://graph.microsoft.com/v1.0/applications
       Content-type: application/json

       {
         "displayName": "CloudSyncCustomExtensionsApp",
         "identifierUris": ["api://<tenantId>/CloudSyncCustomExtensionsApp"]
       }

  4. The app then appears in the Azure portal.

  5. Check whether a service principal exists for the CloudSyncCustomExtensionsApp application:

       GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=(appId eq '<appId>')

  6. If the service principal does not exist, create it for the CloudSyncCustomExtensionsApp application as follows:

       POST https://graph.microsoft.com/v1.0/servicePrincipals
       Content-type: application/json

       {
         "appId": "<appId>"
       }

  7. Get the object ID of the app you are working on, in this case CloudSyncCustomExtensionsApp:

       GET https://graph.microsoft.com/v1.0/applications

     Example output (the entry for the app):

       "id": "<id>",
       "displayName": "CloudSyncCustomExtensionsApp",

     (Note: In the next step use this "id" property, the object ID, and not the "appId".)

  8. Create a new directory extension definition, represented by an extensionProperty object, as follows:

       POST https://graph.microsoft.com/v1.0/applications/<id>/extensionProperties
       Content-type: application/json

       {
         "name": "<userDefinedName>",
         "dataType": "String",
         "targetObjects": ["Group"]
       }

     Example:

       POST https://graph.microsoft.com/v1.0/applications/<id>/extensionProperties

       {
         "name": "CustomeExtensionAttributeDN",
         "dataType": "String",
         "targetObjects": ["Group"]
       }

     Response (the "name" embeds the appId with its hyphens removed; the "id" is the extension property's own ID):

       {
         "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications('<id>')/extensionProperties/$entity",
         "id": "<extensionProperty id>",
         "deletedDateTime": null,
         "appDisplayName": "CloudSyncCustomExtensionsApp",
         "dataType": "String",
         "isSyncedFromOnPremises": false,
         "name": "extension_<appId without hyphens>_CustomeExtensionAttributeDN",
         "targetObjects": [
           "Group"
         ]
       }

  9. In the Azure portal, navigate to "Azure AD Connect Cloud Sync → Attribute mapping" and create the mapping from the group distinguished name to the extension attribute created above.

  10. Once the Azure AD Connect Cloud Sync cycle has run, the new custom attribute holds the group distinguished name.
   (To verify, follow step 16 of the previous sub-section.)
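The following script is an added example and is not part of the original article. It carries out steps 2 through 8 of this approach in one idempotent pass with the Microsoft Graph PowerShell SDK, so it can be re-run safely: the application, its service principal and the extension property are each looked up first and only created when missing. It assumes the Microsoft.Graph module is installed and the signed-in account holds the Application.ReadWrite.All permission; the attribute name CustomExtensionAttributeDN is a placeholder you may rename.

```powershell
# Added example, not from the article. Idempotent provisioning of the
# CloudSyncCustomExtensionsApp and its Group-targeted extension property.
# Assumes the Microsoft.Graph SDK and Application.ReadWrite.All.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$graph    = 'https://graph.microsoft.com/v1.0'
$tenantId = (Get-MgContext).TenantId
$appName  = 'CloudSyncCustomExtensionsApp'
$idUri    = "api://$tenantId/$appName"
$attrName = 'CustomExtensionAttributeDN'          # placeholder attribute name

# Steps 2-3: reuse the application if it exists, otherwise register it
$appQuery = "$graph/applications?`$filter=identifierUris/any(uri:uri eq '$idUri')"
$app = (Invoke-MgGraphRequest -Method GET -Uri $appQuery).value | Select-Object -First 1
if (-not $app) {
    $app = Invoke-MgGraphRequest -Method POST -Uri "$graph/applications" `
        -Body @{ displayName = $appName; identifierUris = @($idUri) }
}

# Steps 5-6: service principal, created only when missing
$spQuery = "$graph/servicePrincipals?`$filter=appId eq '$($app.appId)'"
$sp = (Invoke-MgGraphRequest -Method GET -Uri $spQuery).value | Select-Object -First 1
if (-not $sp) {
    $sp = Invoke-MgGraphRequest -Method POST -Uri "$graph/servicePrincipals" `
        -Body @{ appId = $app.appId }
}

# Steps 7-8: extension properties hang off the object id ($app.id), not the
# appId. The final name embeds the appId without hyphens; creating the same
# name twice fails, so look it up before posting.
$extUri   = "$graph/applications/$($app.id)/extensionProperties"
$wantName = "extension_$($app.appId -replace '-', '')_$attrName"
$ext = (Invoke-MgGraphRequest -Method GET -Uri $extUri).value |
    Where-Object { $_.name -eq $wantName } | Select-Object -First 1
if (-not $ext) {
    $ext = Invoke-MgGraphRequest -Method POST -Uri $extUri `
        -Body @{ name = $attrName; dataType = 'String'; targetObjects = @('Group') }
}

# Sanity checks before creating the mapping in the Cloud Sync portal page
if ($ext.targetObjects -notcontains 'Group') { throw "$($ext.name) does not target Group objects" }
if ($ext.dataType -ne 'String')             { throw "$($ext.name) is not a String attribute" }
Write-Output "Map the group distinguished name to: $($ext.name)"
```

The name printed at the end is the exact attribute to pick in step 9; the DN lands in that attribute only after the next Cloud Sync cycle, so run the verification from step 16 of approach A afterwards rather than immediately.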
