If you follow this blog regularly, you know that over the past 6 months we’ve been adding a lot of new features to Azure AD Connect Health. It is one of our more widely used Azure AD Premium features and over 10k customers use it in production.
So today, I’m excited to announce that we’re rolling out the public preview of another new enhancement Azure AD Connect Health, Sync Error Reports! This enhancement reallly rounds out the Azure AD Connect feature set, making it easy and efficient for you to monitor the health of your hybrid identity control plane.
I asked Varun Karandikar, one of the Program Managers in our team, to write a blog about Sync Error Reports. His blog is below.
But if you are the kind of person who just wants to jump in, you can get started by installing or upgrading to the latest version of Azure AD Connect. (version 1.1.281.0 or higher). That’s all it takes!
I hope you find this new capability useful and as always, we would love to receive your feedback, questions, and suggestions.
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
I’m Varun Karandikar, a Program Manager on the Azure Active Directory team. As you already know, Azure AD Connect Health, a feature of Azure AD Premium, lets you monitor and gain insights into your hybrid identity infrastructure. Today I’m excited to let you know that we’re adding a new capability within Azure AD Connect Health for Sync that makes it easy to report on any synchronization errors that might occur syncing data from on-premises AD to Azure AD using Azure AD Connect.
This preview release is available for all Azure AD Premium customers.
What we learned from you, our customers
As we worked to design this enhancement, we talked to a ton of customers to understand the kind of sync errors people were running into. We learned a lot from doing this:
- Wading through the sync logs (parse XML) or using email addresses can be super time consuming.
- It is really challenging to identify common patterns when there are a large number of errors.
- It is challenging to pinpoint specific reasons for many sync failures.
- There isn’t a lot of guidance on how to fix syncing problems.
- Trying to get to the root cause of a sync error required querying Azure AD and the underlying AD which isn’t easy to do.
- There is no easy way for a helpdesk professional to search within the error reports when trying to help a user.
With these challenges in mind, we focused on building a solution that addresses each of them by making it easy for admins easily access rich a sync reports and easily find tips and tricks for addressing them.
What the report provides
With Azure AD Connect Health for Sync you get a simple visual report of any synchronization errors that occur during an export operation to Azure AD on your active (non-staging) Azure AD Connect server. The report is available in the new Azure Portal.
A few of the key capabilities of this new feature include:
A quick count of the total number of errors are available at a glance
This gives a quick count of total number of errors.
Automatic categorization of errors based on error type and likely cause
Errors are categorized based on type and the potential root cause and include:
|Duplicate Attribute||Sync errors due to a conflict between two objects for an attribute that must be unique in Azure AD.|
|Data Mismatch||Sync errors due to data mismatches causing the soft-match mechanism to fail.|
|Data Validation Failure||Sync errors due to invalid data, including bad characters in UPN, Display Name, UPN Format, etc. that fail validation before being written in Azure AD.|
|Large Attribute||Sync errors due to attribute values or objects exceeding the allowed limits of size, length, count, etc.|
A catch-all bucket to capture errors that don’t fit in the above categories.
Easily drill down into each category for a detailed view of each error
Selecting a category shows you the list of objects in that category that have errors. You can then select a specific entry to see the details of the error, including the description, the AD object, Azure AD object, and links to relevant articles with tips on how to fix the error.
Role Based Access Control makes it easy to roll out securely
Azure AD Connect Health supports our Role Based Access Control. This means you can give users like helpdesk admins access to the report without requiring global admin privileges.
1. Install or upgrade to the latest version of Azure AD Connect. (version 1.1.281.0 or higher). That’s it!
- Note that if you have auto update enabled, you may already be running the latest version.
- Ensure that the Azure AD Connect Health Agent for sync has outbound connectivity to the Health Service. Read our installation documentation to find out more about requirements.
2. Visit the Azure AD Connect Health portal and click on the “Sync Errors” section to view the report about your existing sync errors.
We hope that with this new feature you’re able to understand and resolve Azure AD sync errors with greater efficiency and ease by having all the data in one place.
As always, we’d love to hear your feedback. If you have any feedback, questions, or issues to report, please leave a comment at the bottom of this post, send a note to the Azure AD Connect Health team, or tweet with the hashtag #AzureAD.
Varun Karandikar (@varundikar)