Active Directory Attribute Reference

This reference provides a complete listing of Active Directory attributes that can be synchronized with EmpowerID Person objects, including their AD schema mappings and recommended flow configurations.

For step-by-step instructions on configuring attribute flow rules, see Configure Attribute Flow for Active Directory. For conceptual information about flow directions and authority scoring, see Configure Attribute Flow Rules.

Understanding Attribute Mappings

Each attribute mapping connects an EmpowerID Person attribute to its corresponding Active Directory schema attribute:

Person Attribute — The attribute name in EmpowerID Person objects
AD Attribute — The corresponding LDAP attribute name in Active Directory schema
Description — What the attribute stores and its purpose
Notes — Special considerations, typical sources, or security warnings

Use the Configure Attribute Flow Rules decision framework to determine appropriate flow directions for your environment based on your authoritative sources and organizational policies.

Identity Attributes

Core attributes that define user identity and naming.

Person Attribute	AD Attribute	Description	Notes
FirstName	givenName	User's first name	Typically from HR system
MiddleName	middleName	User's middle name or initial
LastName	sn	User's surname or family name	Typically from HR system
Name	name	User's full display name	Often calculated from FirstName + LastName
PersonalTitle	personalTitle	Honorific or title prefix (Mr., Ms., Dr., etc.)
GenerationalSuffix	generationQualifier	Generational suffix (Jr., Sr., III, etc.)
Initials	initials	User's name initials

Employment Attributes

Attributes related to employment, organizational structure, and job roles.

Person Attribute	AD Attribute	Description	Notes
Title	title	User's job title or position	Typically from HR system
Department	department	Department or organizational unit name	Typically from HR system
DepartmentNumber	departmentNumber	Department identifier or code
Division	division	Division or business unit name
Company	company	Company or organization name
EmployeeID	employeeID	Primary employee identifier	Set during provisioning; should not sync after creation
EmployeeIDOther	employeeNumber	Alternate employee number or identifier
EmployeeType	employeeType	Employment classification (FTE, contractor, temporary, etc.)
ManagerPersonID	manager	Distinguished name of user's manager	Typically from HR system

Critical - EmployeeID

Set EmployeeID to No Sync to prevent ongoing synchronization. While EmpowerID populates this during account creation, subsequent changes should not flow to prevent identifier conflicts.

Contact Attributes

Communication and contact information attributes.

Person Attribute	AD Attribute	Description	Notes
Email	mail	Primary email address	Flow direction depends on authoritative source
EmailAddressesJSON	proxyAddresses	Email proxy addresses for Exchange (multi-valued)	Uses custom handler for Exchange integration
Telephone	telephoneNumber	Primary telephone number
BusinessPhone	otherTelephone	Additional business telephone number
MobilePhone	mobile	Mobile or cellular phone number	Often user-updatable through self-service
HomeTelephone	homePhone	Home telephone number
Fax	facsimileTelephoneNumber	Fax number
Pager	pager	Pager or beeper number

Location Attributes

Physical location and address attributes.

Person Attribute	AD Attribute	Description	Notes
Office	physicalDeliveryOfficeName	Office location name or identifier
RoomNumber	roomNumber	Room or suite number
StreetAddress	street	Street address	Maps to both street and streetAddress AD attributes
StreetAddress	streetAddress	Street address	Maps to both street and streetAddress AD attributes
City	l	City name
State	st	State or province name
PostalCode	postalCode	Postal or ZIP code
Country	co	Country name	Uses custom handler for country name/code mapping
Location	location	General location identifier

Street Address Mapping

The StreetAddress Person attribute maps to both street and streetAddress AD attributes. Both mappings are typically configured identically to ensure consistency across directory queries.

Security and Authentication Attributes

Attributes related to authentication, authorization, and security.

Person Attribute	AD Attribute	Description	Notes
Login	samAccountName	Account login name (SAM account name)	CRITICAL: Must be set to No Sync to prevent authentication issues
ValidUntil	accountExpires	Account expiration date and time	Uses custom handler for date format conversion

Critical - Login Attribute

The Login attribute must always be set to No Sync. Allowing attribute flow to modify samAccountName after account creation causes authentication failures and security issues. While EmpowerID populates the login name during provisioning, it must remain static thereafter.

Descriptive Attributes

General descriptive and miscellaneous attributes.

Person Attribute	AD Attribute	Description	Notes
Description	description	User description or notes
Notes	info	Additional information or comments
Assistant	assistant	Name of user's assistant
BusinessCategory	businessCategory	Business category or classification
CarLicense	carLicense	License plate number	Uses encrypted handler for sensitive data
ClearanceLevelSBAPerson	ClearanceLevelSBA	Security clearance level
CustomAttribute4	type	Custom attribute field (type)
CustomAttribute27	thumbnailPhoto	User photo thumbnail	Binary data
LocaleID	localeID	Locale identifier for regional settings
PreferredLanguage	preferredLanguage	Preferred language code

Determining Flow Direction

Flow direction for each attribute depends on your organization's identity architecture and authoritative sources. Use the Configure Attribute Flow Rules decision framework to determine appropriate flow directions:

Inbound — When Active Directory is authoritative for the attribute
Outbound — When EmpowerID or another system (such as HR) is authoritative
Bidirectional — When both systems can legitimately update; last change wins
No Sync — When the attribute should not synchronize after initial provisioning

Consider your organization's source of truth for each attribute category before configuring flow rules.

Common Configuration Patterns

HR-Driven Environment

When an HR system provides authoritative employee data:

Outbound to AD: Identity attributes, employment attributes, most location attributes
Bidirectional: Contact attributes users can self-update (mobile phone, personal information)
No Sync: Login, EmployeeID (static after creation)

AD as Authoritative Source

In organizations without HR integration where AD manages identity data:

Inbound from AD: Identity attributes, employment attributes, contact attributes
No Sync: Login (critical - never synchronize)

Mixed Authority

When different systems are authoritative for different attribute categories:

Configure authority scores to define precedence
Use Bidirectional flow where both systems can legitimately update
Clearly document which system owns which attributes

Custom Flow Handlers

Some attributes use custom flow handlers for attribute-specific transformation logic:

ValidUntil — ExpirationDateAttributeHandler
Country — CountryAttributeflowHandler
CarLicense — EncyptedAttributeFlowHandler
EmailAddressesJSON — CustomPersonEmailForADAttributeFlowHandler
ManagerPersonID — ManagerAttributeFlowHandler

Custom handlers are specified in the account store configuration and typically do not require modification during normal operations.

Configure Attribute Flow for Active Directory — Step-by-step configuration procedure
Configure Attribute Flow Rules — Decision guidance and authority scoring
Connect to Active Directory — Creating the account store connection
Active Directory Connector Overview — Architecture and capabilities

Understanding Attribute Mappings​

Identity Attributes​

Employment Attributes​

Contact Attributes​

Location Attributes​

Security and Authentication Attributes​

Descriptive Attributes​

Determining Flow Direction​

Common Configuration Patterns​

HR-Driven Environment​

AD as Authoritative Source​

Mixed Authority​

Custom Flow Handlers​

Related Articles​