

Howdy folks,

It’s Friday so that means it’s time for another Azure AD Mailbag. This time Mark and the crew are bringing you another set of great tips for working with sync in Azure AD Connect.

Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Identity Products and Services

—————-

Hey y’all,

Mark Morowczynski back with another mailbag post. This one focuses on syncing with Azure AD again. We covered a bunch of questions previously at https://blogs.technet.microsoft.com/ad/2015/12/18/azure-ad-mailbag-syncing-with-azure-ad-connect/. A quick reminder: you can see all mailbag posts at https://blogs.technet.microsoft.com/ad/tag/mailbag/. Don’t forget to subscribe and share with fellow admins who would find this interesting. On to the questions.

Question: I’m upgrading from DirSync to Azure AD Connect in a parallel deployment, and when I initially set up DirSync I synced all OUs. Now I want to sync only a subset of them. What is the best way to make this change while doing an upgrade?
Answer: You will want to make this change BEFORE you upgrade. The reason is that if you select only the subset of OUs, Azure AD Connect will not be aware of the OUs you have unselected, and the objects from those OUs that are already synced to Azure AD will remain in Azure AD as unmanaged objects. You’ll want to delete the unwanted objects BEFORE you start the migration.

Question: I’m running into the 5,000 error limit in Azure AD Connect and I found https://support.microsoft.com/en-us/kb/2387673. Is it a good idea to just crank this baby all the way up and forget this ever happened?
Answer: I think we all know the answer to this. No, absolutely not. You need to fix the issues. I would recommend starting with IDFix: https://www.microsoft.com/en-us/download/details.aspx?id=36832

The KB can be used as a TEMPORARY measure to allow synchronization to finish processing all the objects before the error limit is reached, and then apply a cloud filter until the objects are fixed. Moral of the story: you need to fix your objects.

Question: I have Azure AD Connect using Password Sync. There is no federation like ADFS. If a user’s on-prem AD account has a password change or is disabled, do I need to wait up to 3 hours for this to take place, or should I force a manual sync?
Answer: Password Sync takes place every 2 minutes. The disabled user would be picked up as part of the normal sync cycle. If you need to remove access more quickly, you can go to the portal, click on the user and hit Disable. For more information on Password Sync please see https://azure.microsoft.com/documentation/articles/active-directory-aadconnectsync-implement-password-synchronization/
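As an added example (not part of the original mailbag post), the same two steps from PowerShell: trigger a delta sync cycle on the Azure AD Connect server instead of waiting for the scheduler, and block the cloud sign-in immediately so access removal does not depend on sync timing. It assumes the ADSync module that ships with Azure AD Connect, the MSOnline module already connected with Connect-MsolService, and a constructed placeholder UPN.

```powershell
# Added example, not from the original post. Assumes the ADSync module (installed with
# Azure AD Connect) is available on the sync server and that Connect-MsolService has
# already been run for the MSOnline cmdlets. The UPN below is a constructed placeholder.
$upn = "jdoe@contoso.example"   # placeholder: the account disabled on-prem

# 1. Force a delta sync now rather than waiting for the next scheduled cycle.
#    Two cycles cannot overlap, so check SyncCycleInProgress first.
Import-Module ADSync
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    Write-Host "A sync cycle is already running; it will carry the disabled state. Wait for it to finish."
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 2. Cut access in the cloud right away, independent of how long the sync takes.
#    BlockCredential is cloud-managed, so it can be set on a synced user.
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true

# 3. Confirm: BlockCredential $true means the user can no longer sign in to Azure AD,
#    and LastDirSyncTime shows when the object was last updated from on-prem.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, BlockCredential, LastDirSyncTime
```

The cloud-side block is the step that actually removes access within seconds; the delta sync only shortens how long it takes the on-prem disable to arrive, and the account stays blocked until you clear BlockCredential again.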

Question: I know I need to use a Global Admin account for Azure AD Connect, but is there a way of giving more granular permissions? We guard our Global Admins very closely.
Answer: I’m glad to hear you take these accounts very seriously, as you should.

You’ll still need to use your Global Admin account during the install and configuration, but after that a dedicated service account is used. So you are NOT using your Global Admin account going forward. See https://azure.microsoft.com/documentation/articles/active-directory-aadconnect-accounts-permissions/

Question: Azure AD Connect is supported with local SQL servers, but what about using Azure SQL Database as the database?
Answer: SQL Azure is not supported. See https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/

Question: I lost all of my transformations and had to re-create them when upgrading to a newer version of the sync engine. Now I am hesitant to upgrade again. What can I do to mitigate this from re-occurring?
Answer: The AD Connect sync engine is designed to preserve any custom rules when performing an in-place upgrade. If you had a previous version of Azure AD Connect (October release) you may have had to modify the default rules directly, and edits made to a default rule are what an upgrade overwrites (we discuss a similar topic at http://blogs.technet.com/b/ad/archive/2015/12/18/azure-ad-mailbag-syncing-with-azure-ad-connect.aspx). Instead, create a copy of the default rule, edit that copy, and disable the default rule. If you are still hesitant to upgrade because of your previous experience, you can set up a separate sync engine in “Staging mode” and ensure that it is in your desired state before you start syncing. You can find the documentation on how to do this in the Azure AD Connect sync: Operational tasks and considerations article on Azure.com.
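An added example, not from the original post, of a pre-upgrade check that fits the advice above: list the non-standard (custom) rules and save a snapshot of them, flag any default rule that has been disabled (the sign that it was replaced by a copy, which is the supported pattern), and report whether the server is in staging mode. It assumes the ADSync module from Azure AD Connect, that Get-ADSyncRule objects expose the IsStandardRule, Disabled, Precedence, Direction and Connector properties, and a constructed backup folder path.

```powershell
# Added example, not from the original post. Assumes the ADSync module shipped with
# Azure AD Connect and the rule object properties named below; the backup path is
# a constructed placeholder.
Import-Module ADSync
$backupDir = "C:\ADSyncRuleBackup"   # placeholder path

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$allRules = Get-ADSyncRule

# Custom rules are the ones an upgrade should preserve; snapshot them anyway so the
# transformations can be rebuilt if something goes wrong.
$customRules = $allRules | Where-Object { -not $_.IsStandardRule }
Write-Host ("Custom (non-standard) rules: {0}" -f @($customRules).Count)
$customRules |
    Select-Object Name, Identifier, Direction, Precedence, Connector, Disabled |
    Format-Table -AutoSize
$snapshot = Join-Path $backupDir ("adsync-custom-rules-{0:yyyyMMdd-HHmm}.xml" -f (Get-Date))
$customRules | Export-Clixml -Path $snapshot
Write-Host "Snapshot written to $snapshot"

# A disabled default rule means its logic was moved into a copy, which is the
# upgrade-safe pattern. Any default rule that is enabled but whose content was edited
# in place is exactly what a newer release will overwrite.
$allRules |
    Where-Object { $_.IsStandardRule -and $_.Disabled } |
    Select-Object Name, Precedence |
    Format-Table -AutoSize

# Staging mode: a server in staging mode imports and synchronizes but never exports,
# so it can be validated before it is made active.
$scheduler = Get-ADSyncScheduler
Write-Host ("StagingModeEnabled: {0}" -f $scheduler.StagingModeEnabled)
```

Run it on the sync server before each upgrade; the snapshot gives you the rule definitions to recreate if they are lost, and the two listings tell you at a glance whether any default rule is still carrying custom edits.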

We hope you’ve found this post and this series to be helpful. For any questions you can reach us at AskAzureADBlog@microsoft.com, the Microsoft Forums, and on Twitter at @AzureAD, @MarkMorow and @Alex_A_Simons.

-Mark Morowczynski