Searching Azure Active Directory by CN from On-Premise AD

By | September 4, 2018

I just want to share what I had done by solving the above scenario. Basically we use a lot of Active Directory Groups in the Organization I am working with, and with that Groups we use the Common Name (cn) as our Primary Identifier, now when we started to sync that into our Azure AD the Common Name attribute value is lost and we cannot perform search using them which is quite an issue with the apps we build on the cloud that will be using those groups.

Regardless whether I use Azure Portal, Powershell or .Net to search for the Group using the Common Name (cn) as my search string, it will never show any results unless you haven’t indicated the Display Name on your On-Premise Active Directory as this defaults to the Common Name on sync. This means when I search like this on my .Net Application on Azure AD

public static Group GetGroupByName(string groupName)
        var client = AuthenticationHelper.GetActiveDirectoryClient();
        var group = (Group)client.Groups.Where(u => u.DisplayName == groupName).Take(1).ExecuteSingleAsync().Result;
        return group;
    catch (Exception ex)
        return null;

public static class AuthenticationHelper
    public static string GetTenantId() => ClaimsPrincipal.Current.FindFirst(AzureActiveDirectoryConstants.TenantClaimType)?.Value;
    public static string GetUserObjectId() => ClaimsPrincipal.Current.FindFirst(AzureActiveDirectoryConstants.ObjectIdentifierClaimType)?.Value;
    public static ActiveDirectoryClient GetActiveDirectoryClient()
        var baseServiceUri = new Uri(AzureActiveDirectoryConstants.GraphResourceId);
        var activeDirectoryClient = new ActiveDirectoryClient(new Uri(baseServiceUri, AzureActiveDirectoryConstants.TenantId),
                async () => await GetTokenForApplication().ConfigureAwait(false));
        return activeDirectoryClient;
    public static async Task<string> GetTokenForApplication()
        var userIdClaim = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier);
        if (userIdClaim == null)
            throw new UnauthorizedAccessException();
        var signedInUserId = userIdClaim.Value;
        var userObjectId = ClaimsPrincipal.Current.FindFirst(AzureActiveDirectoryConstants.ObjectIdentifierClaimType).Value;
        // get a token for the Graph without triggering any user interaction (from the cache, via multi-resource refresh token, etc)
        var clientcred = new ClientCredential(AzureActiveDirectoryConstants.ClientId, AzureActiveDirectoryConstants.AppKey);
        // initialize AuthenticationContext with the token cache of the currently signed in user, as kept in the app's database
        var authenticationContext = new AuthenticationContext(AzureActiveDirectoryConstants.AadInstance + AzureActiveDirectoryConstants.TenantId, new ADALTokenCache(signedInUserId));
        var authenticationResult = await authenticationContext.AcquireTokenSilentAsync(AzureActiveDirectoryConstants.GraphResourceId, clientcred, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
        return authenticationResult.AccessToken;

Then I cannot find my Group. Now to fix my issue what I did was changed the Mapping on my AAD Connect so that the Common Name maps on the Display Name property, unless you need that Display Name this is the easiest way to resolve it and here is how I implemented it.

First log in to the server where your AAD Sync is located. Launch the Synchronization Rules Editor

Now update the synchronization rules, go to Rule Type -> Outbound -> Out to AAD – Group Identity then click Edit

Click no to edit the item

Then Go to Transformation and look for Target Attribute displayName. Change the Source from displayName to cn then click Save. Let it sync then now you can search by cn on your Active Directory.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.