Configure People Picker to find users from the UPA

Blog Summary

Traditionally when users are located via People Picker, an LDAP query is executed to the domain / forests configured in the People Picker configuration settings.  If customers want to query the “User Profile Service Application” (UPA) directly from People Picker, a custom claim provider is required.

In SharePoint Server Subscription Edition, People Picker is enhanced to search and pick users directly from the UPA to help you avoid creating a customized claim provider. Rather than writing a piece of C# code to implement a new claim provider, customers can simply synchronize user profiles from their identity provider to the User Profile service application to make People Picker work.

This new feature is achieved by using the “SPTrustedBackedByUPAClaimProvider”.

Official Documentation: OpenID Connect 1.0 authentication – SharePoint Server | Microsoft Docs

Enable People Picker to use the UPA Claim Provider

To enable the People with this new feature, use the “-UseUPABackedClaimProvider” switch to instruct the People Picker to search and select users and groups from the User Profile service application.

The UseUPABackedClaimProvider switch cannot be used when using OIDC switches at the same time. To enable this feature using the “Set-SPTrustedIdentityTokenIssuer” after the Trusted Identity Token Issuer was created.

Before you Begin:

After completing the steps in SharePoint SE OIDC Configuration with Azure AD – Mike Lee’s Blog (mikesblogs.net), you can complete the steps below to enable this feature.

Step 1: Set the STS with the new claim provider

This step will enable the OIDC Trusted Identity Token issuer to use the new claim provider. This command will extend the current SharePoint Trusted Identity Token Issuer to use the new “SPTrustedBackedByUPAClaimProvider”.

  1. Logon to server SPWFE as a Farm Admin
  2. Run the following PowerShell from script from an Admin Elevated PowerShell ISE.
  1. Ensure that the new Claim Provider is not used by default.

See: Unable to create new root site after enabling the “SPTrustedBackedByUPAClaimProvider”

Step 2: Make UPA Fields Searchable from People Picker

  1. Logon to server SPWFE as a Farm Admin
  2. Run the following PowerShell from script from an Admin Elevated PowerShell ISE.

Step 3: Create a Sync Connection with the new Auth Provider

In this step we will delete the current Synchronization Connection that is using Windows and create a new connection using the OIDC Authentication Provider. 

  1. From Central Administration, “Application Management” > “Manage Service Applications” and open the “User Profile Service Application”.
  2. Select on “Configure Synchronization Connections”.
  3. Remove the current connection.
  1. Select “Create New Connection
  2. Use the following properties:

    – Connection Name: contoso.local
    – Type: Active Directory Import
    – Fully Qualified Domain Name: contoso.local
    – Authentication Provider Type:  Trusted Claims Provider Authentication
    – Authentication Provider Instance: “SP to AAD TokenIssuer”
    – Account Name:  contoso\admacct
    – Password:  <Account Password>
  3. Select “Populate Containers”.
  4. Select the “SpUsers” OU and ensure all sub objects are selected.

  1. Select ok to save the changes.

Step 4: Map the SPS-ClaimID to the claim type(s) used by the Token Issuer

In this step we will map the SPS-ClaimID to the claim identifier used by the Token Issuer.

  1. From Central Administration, “Application Management” > “Manage Service Applications” and open the “User Profile Service Application”.
  2. Select “Manage User Properties”.
  1. Find and edit the “Claim User Identifier”.
  1. Remove the “samAccountName” from current mapping.
  1. Type in the “mail” attribute into the field.
  1. Select “Ok” to save the changes.

Step 5: Ensure All users have e-mail addresses

Please Note: This step is only suggested in DEV / Test environments as it will add/ change e-mail addresses for users stored in Active Directory.

Please do not run this script in production environments.

In this step we will ensure that People Picker has users to show, we must set e-mail and proxy addresses for these our users in AD.

Run the following script from the DC using an elevated PowerShell ISE session:

Note: This script above assumes you have an OU named “SPUsers” and a UPN Suffix set at the AD level when AD Connect was configured to sync on-prem users to Azure AD.

Step 6: Run a full User Profile Sync

In this step we will run a full a sync to import the users with the correct sync connection.

  1. From Central Administration, “Application Management” > “Manage Service Applications” and open the “User Profile Service Application”.
  1. Select on “Start Profile Synchronization”.
  2. Choose the “Start “Full Synchronization” option and select “Ok” to start.

Step 7: Search users from people Picker

In this step we will search for people from People Picker to and prove its coming from the UPA and using an LDAP query to the directory service.

  1. Log into a Client machine as user that has access to a SharePoint Site hosted in your OIDC zone.
  2. Launch an InPrivate browser session.
  3. Access site https://spaad.contoso.local with the AAD user that was added to the user policy when you configured OIDC AAD.
  4. Got to Settings > “Site Permissions”.
  1. Open “Advanced permissions Settings”.
  1. Select on “Grant Permissions”.
  1. Search for “User1” and hover over the results.
Note: You should see the results come from “UPA Backing” with the correct claim type for the user found.
  1. Once you found the user you would like to add, click “Share” or “Show Options” to change the default permission level.

Optional Step: Remove Enhanced People Picker Settings

If you want to remove the Enhanced People Picker Settings, you can run the following scripts.

After removing these objects, you should delete the UPA sync connection and re-add it with using the previous setting that utilizes the “Windows” authentication provider. Then perform a full synchronization.

6 Comments


  1. Thanks for the detailed article, very useful. How do you make the Groups searchable in people picker with OIDC.

    Reply

    1. Thank you for taking time to provide feedback, it’s very appreciated.

      You should be able adjust the ‘$PropertyNames = ‘FirstName’, ‘LastName’, ‘SPS-ClaimID” with whatever fields you want searchable.

      Reply

  2. Hi Mike,
    Did you manage to search groups also? because it’s not working for me… I’m not using AD import but external idp, I’m wondering if it is the same behaviour for AD import.

    Thx for your feedback, Tarik

    Reply

    1. You need to make the fields searchable. The example in this blog only uses, FirstName, LastName and SPS-ClaimID. Find the Group related fields from the UPA and make them searchable.

      Reply

  3. Hello Mike,

    I followed your very impressive guide to configure OIDC authentication with Azure AD. People Picker resolves the users and the security groups, however SharePoint SE doesn’t resolve the group memberships. Check permission is also not working for security groups. Users direct permission works properly.
    Do you have any advice to get security group resolution working SharePoint SE with OIDC? Is there any steps to must implement which not covered by this tutorial?

    Reply

    1. Thank you for the feedback and I’m happy you found it helpful. Whatever property you want to use, needs to marked as searchable. I have not tried groups, but there should be UPA field that can be used to search for groups. In this example I have only used FirstName, LastName and SPS-ClaimID.

      Reply

Leave a Reply to Chandesh GowdaCancel reply