

Office 365 – Azure AD Connect: Did You Know?

Azure AD Connect is the synchronization tool formerly known as “Azure AD Sync” which was formerly known as “DirSync”. Regardless of what you call it, Azure AD Connect is the tool you’ll use to synchronize your on-premises Active Directory with Azure AD.
With each name change, new features have been added to the product.
Below are 10 quick little tidbits you might not have known about Azure AD Connect.

1: Where To Download

For reasons unknown, if you follow the links in the Office 365 portal to set up Directory Synchronization, you will be sent to a download link for the old version of DirSync (the version two names ago). Download the current version of Azure AD Connect from this link: Azure AD Connect.

2: Configuration Options

During the initial configuration, you’ll be presented the option to use the “Express” or “Custom” installation. While “Express” is designed to make installation easier (and can even configure AD FS for you), I prefer to maintain control over the configuration and always select the “Custom” option.

3: Cloud Service Account

During the custom installation, you’ll be prompted for “Global Admin” cloud credentials for your tenant. If you’ve installed any of the previous versions, you might think that these are the credentials used by the synchronization engine; they are actually used by the installer to create a service account. Previously you needed to create the cloud service account yourself and set the password as non-expiring. In Azure AD Connect, the installer will create an account in the tenant called “”. The account will have a non-expiring password and have a custom role (“Directory Synchronization Accounts”) so that it’s not a “Global Admin”. Interestingly, it will also show as a synchronized account despite appearing to be a cloud account.

4: On-Premises Permissions

With the custom installation, Azure AD Connect does not configure any of the necessary permissions in the on-premises Active Directory. The permissions needed will depend on which sync scenarios you are using, such as Password Synchronization, Exchange Hybrid, Password Writeback, etc. The list of permissions can be found at: “Permissions Required for Specific Scenario”. There are a number of scripts available that can configure these permissions; Brian Reid has one of the more well-documented ones.

5: Schema

If you’re installing in a clean environment such as a lab, you’ll want to make sure that you have the Active Directory schema in place before configuring Azure AD Connect. If Azure AD Connect does not see the Exchange schema, it will not allow you to select the Exchange Hybrid write-back scenario.

6: Deleted Item Threshold

Azure AD Connect includes a feature to help prevent accidental mass deletion of cloud objects. By default, you cannot delete more than 500 objects via a sync operation. Depending on the size of your organization, you might want to lower this number or you may need to disable it temporarily when clearing out a tenant. Changes to this setting can be made via the relatively undocumented PowerShell module; run “Import-Module ADSync” from the Azure AD Connect server to access the commands. Additional information on the threshold and on how to change it can be found at: “Prevent Accidental Deletes”.
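The temporary-disable case described above, as an added example that is not part of the original post: the threshold is switched off for one controlled export and restored in a `finally` block so the protection cannot be left disabled by accident. It assumes the installed ADSync module accepts the `-AADCredential` parameter (otherwise omit it and the cmdlets prompt), and that 500 is the value to restore.

```powershell
# Added example (not from the original post).
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# Assumption: restore to the default of 500 named in the text above.
# Use a lower number if your organization has chosen a tighter limit.
$RestoreThreshold = 500

# Prompt once for tenant credentials and reuse them for every call.
$aadCred = Get-Credential -Message 'Azure AD credentials for the tenant'

# Record the current setting before changing anything, so the change
# can be reviewed afterwards.
Write-Host 'Deletion threshold before change:'
Get-ADSyncExportDeletionThreshold -AADCredential $aadCred | Format-List

try {
    # Protection is off from this point until the finally block runs.
    Disable-ADSyncExportDeletionThreshold -AADCredential $aadCred

    # Pause while the planned export is run and checked by the operator.
    Read-Host 'Threshold disabled. Run and verify the export, then press Enter'
}
finally {
    # Runs even if the step above throws or the operator interrupts it.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $RestoreThreshold `
        -AADCredential $aadCred

    Write-Host 'Deletion threshold after restore:'
    Get-ADSyncExportDeletionThreshold -AADCredential $aadCred | Format-List
}
```

To lower the limit permanently instead, run only the `Enable-ADSyncExportDeletionThreshold` line with the smaller value.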

7: Piloting

Azure AD Connect includes a nice feature that allows you to pilot the sync process before synchronizing the entire directory. Previously you would have to put filters in to select your pilot users but now you can select a group and Azure AD Connect will only sync objects in that group. Once you’re done piloting, you can run the configuration wizard again to remove the pilot group restriction.

8: Staging

The last option during the configuration is to “Enable Staging Mode”. This allows you to perform the import operations and bring the data into the metaverse but it will not export out any changes to Azure AD or your on-premises Active Directory. In the situation where you’re transitioning from an old sync installation or want to test out your filtering, this is a nice option.

9: Filtering By OU

While filtering the objects you synchronize by OU is an option, it creates some complexities. If you need to add additional OUs to the scope of objects that you want to sync, you will need to run a “full sync” in order for the new objects to sync. In large environments, a full sync can be a fairly time-consuming process. Consider using a different filter method, such as filtering by an attribute, or try to keep your OU selections to higher-level root OUs.

10: Stay Updated

While Azure AD Connect pretty much just runs and sends you an email report when there are sync issues, it’s not completely maintenance free. Six months into the product and we’re on the third version already. The updates generally contain a healthy set of fixes as well as new features. Make sure you check out the “Azure AD Connect Version History” page to see the latest updates. Fortunately, most updates can be done in-place with relatively little work.

Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.
