Professional Documents
Culture Documents
Hybrid Identity Documentation
Hybrid Identity Documentation
Today, businesses, and corporations are becoming more and more a mixture of on-premises and cloud
applications. Users require access to those applications both on-premises and in the cloud. Managing
users both on-premises and in the cloud poses challenging scenarios.
Microsoft’s identity solutions span on-premises and cloud-based capabilities. These solutions create a
common user identity for authentication and authorization to all resources, regardless of location. We
call this hybrid identity .
With hybrid identity to Azure AD and hybrid identity management these scenarios become possible.
To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending
on your scenarios. The three methods are:
Password hash synchronization (PHS)
Pass-through authentication (PTA)
Federation (AD FS)
These authentication methods also provide single-sign on capabilities. Single-sign on automatically
signs your users in when they are on their corporate devices, connected to your corporate network.
For additional information, see Choose the right authentication method for your Azure Active Directory
hybrid identity solution.
Ensure no password
hashes are stored in the
cloud.
Enable cloud-based
multi-factor
authentication solutions.
Enable on-premises
multi-factor
authentication solutions.
Support smartcard
authentication for my
users.4
4 AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These
certificates can be soft-certificates deployed via trusted provisioning channels such as MDM or
GPO or smartcard certificates (including PIV/CAC cards) or Hello for Business (cert-trust). For more
information about smartcard authentication support, see this blog.
Next Steps
What is Azure AD Connect and Connect Health?
What is password hash synchronization (PHS)?
What is pass-through authentication (PTA)?
What is federation?
What is single-sign on?
Tutorial: Integrate a single AD forest using password
hash sync (PHS)
9/7/2020 • 6 minutes to read • Edit Online
The following tutorial will walk you through creating a hybrid identity environment using password hash sync. This
environment can then be used for testing or for getting more familiar with how a hybrid identity works.
Prerequisites
The following are prerequisites required for completing this tutorial
A computer with Hyper-V installed. It is suggested to do this on either a Windows 10 or a Windows Server 2016
computer.
An external network adapter to allow the virtual machine to communicate with the internet.
An Azure subscription
A copy of Windows Server 2016
NOTE
This tutorial uses PowerShell scripts so that you can create the tutorial environment in the quickest amount of time. Each of
the scripts uses variables that are declared at the beginning of the scripts. You can and should change the variables to reflect
your environment.
The scripts used create a general Active Directory environment prior to installing Azure AD Connect. They are relevant for all
of the tutorials.
Copies of the PowerShell scripts that are used in this tutorial are available on GitHub here.
#Declare variables
$VMName = 'DC1'
$Switch = 'External'
$InstallMedia = 'D:\ISO\en_windows_server_2016_updated_feb_2018_x64_dvd_11636692.iso'
$Path = 'D:\VM'
$VHDPath = 'D:\VM\DC1\DC1.vhdx'
$VHDSize = '64424509440'
#Install features
New-Item $featureLogPath -ItemType file -Force
Add-WindowsFeature $addsTools
Get-WindowsFeature | Where installed >>$featureLogPath
#Declare variables
$DatabasePath = "c:\windows\NTDS"
$DomainMode = "WinThreshold"
$DomainName = "contoso.com"
$DomaninNetBIOSName = "CONTOSO"
$ForestMode = "WinThreshold"
$LogPath = "c:\windows\NTDS"
$SysVolPath = "c:\windows\SYSVOL"
$featureLogPath = "c:\poshlog\featurelog.txt"
$Password = "Pass1w0rd"
$SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
#Declare variables
$Givenname = "Allie"
$Surname = "McCray"
$Displayname = "Allie McCray"
$Name = "amccray"
$Password = "Pass1w0rd"
$Identity = "CN=ammccray,CN=Users,DC=contoso,DC=com"
$SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
Next Steps
Hardware and prerequisites
Express settings
Password hash synchronization|
Tutorial: Integrate a single AD forest using pass-
through authentication (PTA)
9/7/2020 • 8 minutes to read • Edit Online
The following tutorial will walk you through creating a hybrid identity environment using pass-through
authentication. This environment can then be used for testing or for getting more familiar with how a hybrid
identity works.
Prerequisites
The following are prerequisites required for completing this tutorial
A computer with Hyper-V installed. It is suggested to do this on either a Windows 10 or a Windows Server 2016
computer.
An Azure subscription
An external network adapter to allow the virtual machine to communicate with the internet.
A copy of Windows Server 2016
A custom domain that can be verified
NOTE
This tutorial uses PowerShell scripts so that you can create the tutorial environment in the quickest amount of time. Each of
the scripts uses variables that are declared at the beginning of the scripts. You can and should change the variables to reflect
your environment.
The scripts used create a general Active Directory environment prior to installing Azure AD Connect. They are relevant for all
of the tutorials.
Copies of the PowerShell scripts that are used in this tutorial are available on GitHub here.
NOTE
If you have never run a script in PowerShell on your host machine you will need to run Set-ExecutionPolicy remotesigned
and say yes in PowerShell, prior to running scripts.
Do the following:
1. Open up the PowerShell ISE as Administrator.
2. Run the following script.
#Declare variables
$VMName = 'DC1'
$Switch = 'External'
$InstallMedia = 'D:\ISO\en_windows_server_2016_updated_feb_2018_x64_dvd_11636692.iso'
$Path = 'D:\VM'
$VHDPath = 'D:\VM\DC1\DC1.vhdx'
$VHDSize = '64424509440'
#Declare variables
$ipaddress = "10.0.1.117"
$ipprefix = "24"
$ipgw = "10.0.1.1"
$ipdns = "10.0.1.117"
$ipdns2 = "8.8.8.8"
$ipif = (Get-NetAdapter).ifIndex
$featureLogPath = "c:\poshlog\featurelog.txt"
$newname = "DC1"
$addsTools = "RSAT-AD-Tools"
#Install features
New-Item $featureLogPath -ItemType file -Force
Add-WindowsFeature $addsTools
Get-WindowsFeature | Where installed >>$featureLogPath
#Declare variables
$Givenname = "Allie"
$Surname = "McCray"
$Displayname = "Allie McCray"
$Name = "amccray"
$Password = "Pass1w0rd"
$Identity = "CN=ammccray,CN=Users,DC=contoso,DC=com"
$SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
7. On the Connect to Azure AD screen, enter the username and password of the global admin we created above
and click Next .
8. On the Connect your directories screen, click Add Director y . Then select Create new AD account and enter
the contoso\Administrator username and password and click OK .
9. Click Next .
10. On the Azure AD sign-in configuration screen, select Continue without matching all UPN suffixes to
verified domains and click Next.
11. On the Domain and OU filtering screen, click Next .
12. On the Uniquely identifying your users screen, click Next .
13. On the Filter users and devices screen, click Next .
14. On the Optional features screen, click Next .
15. On the Enable single sign-n credentials page, enter the contoso\Administrator username and password and click
Next.
16. On the Ready to configure screen, click Install .
17. When the installation completes, click Exit .
18. After the installation has completed, sign out and sign in again before you use the Synchronization Service
Manager or Synchronization Rule Editor.
You have now successfully setup a hybrid identity environment that you can use to test and familiarize yourself
with what Azure has to offer.
Next Steps
Hardware and prerequisites
Customized settings
Pass-through authentication
Tutorial: Federate a single AD forest environment to
the cloud
9/7/2020 • 9 minutes to read • Edit Online
The following tutorial will walk you through creating a hybrid identity environment using federation. This
environment can then be used for testing or for getting more familiar with how a hybrid identity works.
Prerequisites
The following are prerequisites required for completing this tutorial
A computer with Hyper-V installed. It is suggested to do this on either a Windows 10 or a Windows Server 2016
computer.
An Azure subscription
An external network adapter to allow the virtual machine to communicate with the internet.
A copy of Windows Server 2016
A custom domain that can be verified
NOTE
This tutorial uses PowerShell scripts so that you can create the tutorial environment in the quickest amount of time. Each of
the scripts uses variables that are declared at the beginning of the scripts. You can and should change the variables to reflect
your environment.
The scripts used create a general Active Directory environment prior to installing Azure AD Connect. They are relevant for all
of the tutorials.
Copies of the PowerShell scripts that are used in this tutorial are available on GitHub here.
NOTE
If you have never run a script in PowerShell on your host machine you will need to run
Set-ExecutionPolicy remotesigned and say yes in PowerShell, prior to running scripts.
Do the following:
1. Open up the PowerShell ISE as Administrator.
2. Run the following script.
#Declare variables
$VMName = 'DC1'
$Switch = 'External'
$InstallMedia = 'D:\ISO\en_windows_server_2016_updated_feb_2018_x64_dvd_11636692.iso'
$Path = 'D:\VM'
$VHDPath = 'D:\VM\DC1\DC1.vhdx'
$VHDSize = '64424509440'
#Declare variables
$ipaddress = "10.0.1.117"
$ipprefix = "24"
$ipgw = "10.0.1.1"
$ipdns = "10.0.1.117"
$ipdns2 = "8.8.8.8"
$ipif = (Get-NetAdapter).ifIndex
$featureLogPath = "c:\poshlog\featurelog.txt"
$newname = "DC1"
$addsTools = "RSAT-AD-Tools"
#Install features
New-Item $featureLogPath -ItemType file -Force
Add-WindowsFeature $addsTools
Get-WindowsFeature | Where installed >>$featureLogPath
#Declare variables
$Givenname = "Allie"
$Surname = "McCray"
$Displayname = "Allie McCray"
$Name = "amccray"
$Password = "Pass1w0rd"
$Identity = "CN=ammccray,CN=Users,DC=contoso,DC=com"
$SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
#Create certificate
New-SelfSignedCertificate -DnsName $DNSname -CertStoreLocation $Location
5. Provide a name for the organization along with the initial domain name . Then select Create . This will
create your directory.
6. Once this has completed, click the here link, to manage the directory.
7. On the Connect to Azure AD screen, enter the username and password of the global admin we created
above and click Next .
8. On the Connect your directories screen, click Add Director y . Then select Create new AD account and
enter the contoso\Administrator username and password and click OK .
9. Click Next .
10. On the Azure AD sign-in configuration screen, select Continue without matching all UPN suffixes to
verified domains and click Next.
11. On the Domain and OU filtering screen, click Next .
12. On the Uniquely identifying your users screen, click Next .
13. On the Filter users and devices screen, click Next .
14. On the Optional features screen, click Next .
15. On the Domain Administrator credentials page, enter the contoso\Administrator username and password
and click Next.
16. On the AD FS farm screen, make sure Configure a new AD FS farm is selected.
17. Select Use a cer tificate installed on the federation ser vers and click Browse .
18. Enter DC1 in the search box and select it when it is found. Click Ok .
19. From the Cer tificate File drop-down, select adfs.contoso.com the certificate we created above. Click
Next .
20. On the AD FS server screen, click Browse and enter DC1 in the search box and select it when it is found.
Click Ok . Click Next .
You have now successfully setup a hybrid identity environment that you can use to test and familiarize yourself
with what Azure has to offer.
Next Steps
Hardware and prerequisites
Customized settings
Azure AD Connect and federation
Tutorial: Setting up PHS as backup for AD FS in Azure
AD Connect
9/7/2020 • 4 minutes to read • Edit Online
The following tutorial will walk you through setting up password hash sync as a backup and fail-over for AD FS.
This document will also demonstrate how to enable password hash sync as the primary authentication method, if
AD FS has failed or become unavailable.
NOTE
Although these steps are usually performed during emergency or outage situations, it is recommended that you test these
steps and verify your procedures before an outage occurs.
NOTE
In the event that you do not have access to Azure AD Connect server or the server does not have access to the internet, you
can contact Microsoft Support to assist with the changes to the Azure AD side.
Prerequisites
This tutorial builds upon the Tutorial: Federate a single AD forest environment to the cloud and is a per-requisite
before attempting this tutorial. If you have not completed this tutorial, do so before attempting the steps in this
document.
IMPORTANT
Prior to switching to PHS you should create a backup of your AD FS environment. This can be done using the AD FS Rapid
Restore Tool.
IMPORTANT
Be aware that it will take some time for the password hashes to synchronize to Azure AD. This means that it may take up 3
hours for the synchronizations to complete and before you can start authenticating using the password hashes.
1. Double-click the Azure AD Connect icon that was created on the desktop
2. Click Configure .
3. Select Change user sign-in and click Next .
4. Enter the username and password for your global administrator. This account was created here in the previous
tutorial.
5. On the User sign-in screen, select Password Hash Synchronization and place a check in the Do not
conver t user accounts box.
6. Leave the default Enable single sign-on selected and click Next .
7. On the Enable single sign-on screen click Next .
8. On the Ready to configure screen, click Configure .
9. Once configuration is complete, click Exit .
10. Users can now use their passwords to sign in to Azure and Azure services.
11. On the Verify federation connectivity screen, click Verify . You may need to configure DNS records (add A
and AAAA records) for this to complete successfully.
12. Click Exit .
You have now successfully setup a hybrid identity environment that you can use to test and familiarize yourself
with what Azure has to offer.
Next steps
Hardware and prerequisites
Express settings
Password hash synchronization
How Azure AD Delivers Cloud Governed
Management for On-Premises Workloads
9/7/2020 • 11 minutes to read • Edit Online
Azure Active Directory (Azure AD) is a comprehensive identity as a service (IDaaS) solution used by millions of
organizations that span all aspects of identity, access management, and security. Azure AD holds more than a billion
user identities and helps users sign in and securely access both:
External resources, such as Microsoft Office 365, the Azure portal, and thousands of other Software-as-a-Service
(SaaS) applications.
Internal resources, such as applications on an organization's corporate network and intranet, along with any
cloud applications developed by that organization.
Organizations can use Azure AD if they are 'pure cloud,' or as a 'hybrid' deployment if they have on-premises
workloads. A hybrid deployment of Azure AD can be part of a strategy for an organization to migrate its IT assets to
the cloud, or to continue to integrate existing on-premises infrastructure alongside new cloud services.
Historically, 'hybrid' organizations have seen Azure AD as an extension of their existing on-premises infrastructure.
In these deployments, the on-premises identity governance administration, Windows Server Active Directory or
other in-house directory systems, are the control points, and users and groups are synced from those systems to a
cloud directory such as Azure AD. Once those identities are in the cloud, they can be made available to Office 365,
Azure, and other applications.
As organizations move more of their IT infrastructure along with their applications to the cloud, many are looking
for the improved security and simplified management capabilities of identity management as a service. The cloud-
delivered IDaaS features in Azure AD accelerate the transition to cloud governed management by providing the
solutions and capabilities that allow organizations to quickly adopt and move more of their identity management
from traditional on-premises systems to Azure AD, while continuing to support existing as well as new applications.
This paper outlines Microsoft's strategy for hybrid IDaaS and describes how organizations can use Azure AD for
their existing applications.
Finally, for organizations that permit users to change their passwords in AD, AD can be configured to use the same
password policy as the organization is using in Azure AD through the Azure AD password protection feature,
currently in public preview.
When an organization is ready to move an AD-integrated application to the cloud by moving the operating system
hosting the application to Azure, Azure AD Domain Services provides AD-compatible domain services (such as
domain join, group policy, LDAP, and Kerberos/NTLM authentication). Azure AD Domain Services integrates with
the organization's existing Azure AD tenant, making it possible for users to sign in using their corporate credentials.
Additionally, existing groups and user accounts can be used to secure access to resources, ensuring a smoother 'lift-
and-shift' of on-premises resources to Azure infrastructure services.
Future directions
In hybrid environments, Microsoft's strategy is to enable deployments where the cloud is the control plane for
identity , and on-premises directories and other identity systems, such as Active Directory and other on-premises
applications, are the target for provisioning users with access. This strategy will continue to ensure the rights,
identities, and access in those applications and workloads that rely upon them. At this end state, organizations will
be able to drive end-user productivity entirely from the cloud.
Next steps
For more information on how to get started on this journey, see the Azure AD deployment plans, located at
https://aka.ms/deploymentplans . They provide end-to-end guidance about how to deploy Azure Active Directory
(Azure AD) capabilities. Each plan explains the business value, planning considerations, design, and operational
procedures needed to successfully roll out common Azure AD capabilities. Microsoft continually updates the
deployment plans with best practices learned from customer deployments and other feedback when we add new
capabilities to managing from the cloud with Azure AD.
Four steps to a strong identity foundation with Azure
Active Directory
9/7/2020 • 17 minutes to read • Edit Online
Managing access to apps and data can no longer rely on the traditional network security boundary strategies such
as perimeter networks and firewalls because of the rapid movement of apps to the cloud. Now organizations must
trust their identity solution to control who and what has access to the organization's apps and data. More
organizations are allowing employees to bring their own devices to work and use their devices from anywhere they
can connect to the Internet. Ensuring those devices are compliant and secure has become an important
consideration in the identity solution an organization chooses to implement. In today's digital workplace, identity is
the primary control plane of any organization moving to the cloud.
In adopting an Azure Active Directory (Azure AD) hybrid identity solution, organizations gain access to premium
features that unlock productivity through automation, delegation, self-service, and single sign-on capabilities. It
allows your workers to access company resources from wherever they need to do their work while allowing your IT
team to govern that access by ensuring that the right people have the right access to the right resources to
establish secure productivity.
Based on our learnings, this checklist of best practices will help you quickly deploy recommended actions to build a
strong identity foundation in your organization:
Connect to apps easily
Establish one identity for every user automatically
Empower your users securely
Operationalize your insights
NOTE
If you want to learn more about Azure AD Connect, see What is Azure AD Connect Sync?
Set up a staging server for Azure AD Connect and keep it up-to -date
Azure AD Connect plays a key role in the provisioning process. If the Sync Server goes offline for any reason,
changes to on-premises won't be updated in the cloud and cause access issues to users. It's important to define a
failover strategy that allows administrators to quickly resume synchronization after the sync server goes offline.
To provide high availability in the event your primary Azure AD Connect server goes offline, it's recommended that
you deploy a separate staging server for Azure AD Connect. Deploying a server allows the administrator to
"promote" the staging server to production by a simple configuration switch. Having a standby server configured in
staging mode also allows you to test and deploy new configuration changes and introduce a new server if
decommissioning the old one.
TIP
Azure AD Connect is updated on a regular basis. Therefore, it's strongly recommended that you keep the staging server
current in order to take advantage of the performance improvements, bug fixes, and new capabilities that each new version
provides.
Create custom dashboards for your leadership and your day to day
Organizations that don't have a SIEM solution can download the Power BI Content Pack for Azure AD. The Power BI
content pack contains pre-built reports to help you understand how your users adopt and use Azure AD features,
which allows you to gain insights into all the activities within your directory. You can also create your own custom
dashboard and share with your leadership team to report on day-to-day activities. Dashboards are a great way to
monitor your business and see all of your most important metrics at a glance. The visualizations on a dashboard
may come from one underlying dataset or many, and from one underlying report or many. A dashboard combines
on-premises and cloud data, providing a consolidated view regardless of where the data lives.
Summary
There are many aspects to implementing a hybrid Identity solution, but this four-step checklist will help you quickly
accomplish an identity infrastructure that will enable users to be more productive and secure.
Connect to apps easily
Establish one identity for every user automatically
Empower your users securely
Operationalize your insights
We hope this document is a useful roadmap to establishing a strong identity foundation for your organization.
Identity checklist
We recommend that you print the following checklist for reference as you begin your journey to a more solid
identity foundation in your organization.
Today
DO N E? IT EM
Next month
DO N E? IT EM
Next steps
Learn how you can increase your secure posture using the capabilities of Azure Active Directory and this five-step
checklist - Five steps to securing your identity infrastructure.
Learn how the identity features in Azure AD can help you accelerate your transition to cloud governed
management by providing the solutions and capabilities that allow organizations to quickly adopt and move more
of their identity management from traditional on-premises systems to Azure AD - How Azure AD Delivers Cloud
Governed Management for On-Premises Workloads.
Choose the right authentication method for your
Azure Active Directory hybrid identity solution
9/7/2020 • 15 minutes to read • Edit Online
Choosing the correct authentication method is the first concern for organizations wanting to move their apps to the
cloud. Don't take this decision lightly, for the following reasons:
1. It's the first decision for an organization that wants to move to the cloud.
2. The authentication method is a critical component of an organization’s presence in the cloud. It controls
access to all cloud data and resources.
3. It's the foundation of all the other advanced security and user experience features in Azure AD.
Identity is the new control plane of IT security, so authentication is an organization’s access guard to the new cloud
world. Organizations need an identity control plane that strengthens their security and keeps their cloud apps safe
from intruders.
NOTE
Changing your authentication method requires planning, testing, and potentially downtime. Staged rollout is a great way to
test users migration from federation to cloud authentication.
Out of scope
Organizations that don't have an existing on-premises directory footprint aren't the focus of this article. Typically,
those businesses create identities only in the cloud, which doesn’t require a hybrid identity solution. Cloud-only
identities exist solely in the cloud and aren't associated with corresponding on-premises identities.
Authentication methods
When the Azure AD hybrid identity solution is your new control plane, authentication is the foundation of cloud
access. Choosing the correct authentication method is a crucial first decision in setting up an Azure AD hybrid
identity solution. Implement the authentication method that is configured by using Azure AD Connect, which also
provisions users in the cloud.
To choose an authentication method, you need to consider the time, existing infrastructure, complexity, and cost of
implementing your choice. These factors are different for every organization and might change over time.
Azure AD supports the following authentication methods for hybrid identity solutions.
Cloud authentication
When you choose this authentication method, Azure AD handles users' sign-in process. Coupled with seamless
single sign-on (SSO), users can sign in to cloud apps without having to reenter their credentials. With cloud
authentication, you can choose from two options:
Azure AD password hash synchronization . The simplest way to enable authentication for on-premises
directory objects in Azure AD. Users can use the same username and password that they use on-premises without
having to deploy any additional infrastructure. Some premium features of Azure AD, like Identity Protection and
Azure AD Domain Services, require password hash synchronization, no matter which authentication method you
choose.
NOTE
Passwords are never stored in clear text or encrypted with a reversible algorithm in Azure AD. For more information on the
actual process of password hash synchronization, see Implement password hash synchronization with Azure AD Connect
sync.
Azure AD Pass-through Authentication . Provides a simple password validation for Azure AD authentication
services by using a software agent that runs on one or more on-premises servers. The servers validate the users
directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the
cloud.
Companies with a security requirement to immediately enforce on-premises user account states, password policies,
and sign-in hours might use this authentication method. For more information on the actual pass-through
authentication process, see User sign-in with Azure AD pass-through authentication.
Federated authentication
When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted
authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s
password.
The authentication system can provide additional advanced authentication requirements. Examples are smartcard-
based authentication or third-party multifactor authentication. For more information, see Deploying Active
Directory Federation Services.
The following section helps you decide which authentication method is right for you by using a decision tree. It
helps you determine whether to deploy cloud or federated authentication for your Azure AD hybrid identity
solution.
Decision tree
Details on decision questions:
1. Azure AD can handle sign-in for users without relying on on-premises components to verify passwords.
2. Azure AD can hand off user sign-in to a trusted authentication provider such as Microsoft’s AD FS.
3. If you need to apply, user-level Active Directory security policies such as account expired, disabled account,
password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-
premises components.
4. Sign-in features not natively supported by Azure AD:
Sign-in using smartcards or certificates.
Sign-in using on-premises MFA Server.
Sign-in using third-party authentication solution.
Multi-site on-premises authentication solution.
5. Azure AD Identity Protection requires Password Hash Sync regardless of which sign-in method you choose, to
provide the Users with leaked credentials report. Organizations can fail over to Password Hash Sync if their
primary sign-in method fails and it was configured before the failure event.
NOTE
Azure AD Identity Protection require Azure AD Premium P2 licenses.
Detailed considerations
Cloud authentication: Password hash synchronization
Effor t . Password hash synchronization requires the least effort regarding deployment, maintenance, and
infrastructure. This level of effort typically applies to organizations that only need their users to sign in to
Office 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash
synchronization is part of the Azure AD Connect sync process and runs every two minutes.
User experience . To improve users' sign-in experience, deploy seamless SSO with password hash
synchronization. Seamless SSO eliminates unnecessary prompts when users are signed in.
Advanced scenarios . If organizations choose to, it's possible to use insights from identities with Azure AD
Identity Protection reports with Azure AD Premium P2. An example is the leaked credentials report. Windows
Hello for Business has specific requirements when you use password hash synchronization. Azure AD
Domain Services requires password hash synchronization to provision users with their corporate credentials
in the managed domain.
Organizations that require multifactor authentication with password hash synchronization must use Azure
Multi-Factor Authentication or Conditional Access custom controls. Those organizations can't use third-party
or on-premises multifactor authentication methods that rely on federation.
NOTE
Azure AD Conditional Access require Azure AD Premium P1 licenses.
Business continuity . Using password hash synchronization with cloud authentication is highly available as
a cloud service that scales to all Microsoft datacenters. To make sure password hash synchronization does
not go down for extended periods, deploy a second Azure AD Connect server in staging mode in a standby
configuration.
Considerations . Currently, password hash synchronization doesn't immediately enforce changes in on-
premises account states. In this situation, a user has access to cloud apps until the user account state is
synchronized to Azure AD. Organizations might want to overcome this limitation by running a new
synchronization cycle after administrators do bulk updates to on-premises user account states. An example is
disabling accounts.
NOTE
The password expired and account locked-out states aren't currently synced to Azure AD with Azure AD Connect. When you
change a user's password and set the user must change password at next logon flag, the password hash will not be synced to
Azure AD with Azure AD Connect until the user changes their password.
NOTE
When you deploy your Azure AD hybrid identity solution, you must implement one of the supported topologies of Azure AD
Connect. Learn more about supported and unsupported configurations at Topologies for Azure AD Connect.
Architecture diagrams
The following diagrams outline the high-level architecture components required for each authentication method
you can use with your Azure AD hybrid identity solution. They provide an overview to help you compare the
differences between the solutions.
Simplicity of a password hash synchronization solution:
Components required for federation in your perimeter and internal network of your organization:
Comparing methods
PA SSW O RD H A SH PA SS- T H RO UGH
SY N C H RO N IZ AT IO N + A UT H EN T IC AT IO N +
C O N SIDERAT IO N SEA M L ESS SSO SEA M L ESS SSO F EDERAT IO N W IT H A D F S
Where does authentication In the cloud In the cloud after a secure On-premises
happen? password verification
exchange with the on-
premises authentication
agent
What are the on-premises None One server for each Two or more AD FS servers
server requirements beyond additional authentication
the provisioning system: agent Two or more WAP servers in
Azure AD Connect? the perimeter/DMZ network
What are the requirements None Outbound Internet access Inbound Internet access to
for on-premises Internet and from the servers running WAP servers in the
networking beyond the authentication agents perimeter
provisioning system?
Inbound network access to
AD FS servers from WAP
servers in the perimeter
Is there a health monitoring Not required Agent status provided by Azure AD Connect Health
solution? Azure Active Directory
admin center
Do users get single sign-on Yes with Seamless SSO Yes with Seamless SSO Yes
to cloud resources from
domain-joined devices within
the company network?
PA SSW O RD H A SH PA SS- T H RO UGH
SY N C H RO N IZ AT IO N + A UT H EN T IC AT IO N +
C O N SIDERAT IO N SEA M L ESS SSO SEA M L ESS SSO F EDERAT IO N W IT H A D F S
Alternate login ID
Is Windows Hello for Key trust model Key trust model Key trust model
Business supported? Requires Windows Server
2016 Domain functional Certificate trust model
level
What are the multifactor Azure MFA Azure MFA Azure MFA
authentication options?
Custom Controls with Custom Controls with Azure MFA server
Conditional Access* Conditional Access*
Third-party MFA
What user account states are Disabled accounts Disabled accounts Disabled accounts
supported? (up to 30-minute delay)
Account locked out Account locked out
What are the Conditional Azure AD Conditional Azure AD Conditional Azure AD Conditional
Access options? Access, with Azure AD Access, with Azure AD Access, with Azure AD
Premium Premium Premium
AD FS claim rules
Can you customize the logo, Yes, with Azure AD Premium Yes, with Azure AD Premium Yes
image, and description on
the sign-in pages?
PA SSW O RD H A SH PA SS- T H RO UGH
SY N C H RO N IZ AT IO N + A UT H EN T IC AT IO N +
C O N SIDERAT IO N SEA M L ESS SSO SEA M L ESS SSO F EDERAT IO N W IT H A D F S
What advanced scenarios are Smart password lockout Smart password lockout Multisite low-latency
supported? authentication system
Leaked credentials reports,
with Azure AD Premium P2 AD FS extranet lockout
NOTE
Custom controls in Azure AD Conditional Access do not currently support device registration.
Recommendations
Your identity system ensures your users' access to cloud apps and the line-of-business apps that you migrate and
make available in the cloud. To keep authorized users productive and bad actors out of your organization’s sensitive
data, authentication controls access to apps.
Use or enable password hash synchronization for whichever authentication method you choose, for the following
reasons:
1. High availability and disaster recover y . Pass-through Authentication and federation rely on on-
premises infrastructure. For pass-through authentication, the on-premises footprint includes the server
hardware and networking the Pass-through Authentication agents require. For federation, the on-premises
footprint is even larger. It requires servers in your perimeter network to proxy authentication requests and
the internal federation servers.
To avoid single points of failure, deploy redundant servers. Then authentication requests will always be
serviced if any component fails. Both pass-through authentication and federation also rely on domain
controllers to respond to authentication requests, which can also fail. Many of these components need
maintenance to stay healthy. Outages are more likely when maintenance isn't planned and implemented
correctly. Avoid outages by using password hash synchronization because the Microsoft Azure AD cloud
authentication service scales globally and is always available.
2. On-premises outage sur vival . The consequences of an on-premises outage due to a cyber-attack or
disaster can be substantial, ranging from reputational brand damage to a paralyzed organization unable to
deal with the attack. Recently, many organizations were victims of malware attacks, including targeted
ransomware, which caused their on-premises servers to go down. When Microsoft helps customers deal
with these kinds of attacks, it sees two categories of organizations:
Organizations that previously also turned on password hash synchronization on top of federated or
pass-through authentication changed their primary authentication method to then use password hash
synchronization. They were back online in a matter of hours. By using access to email via Office 365,
they worked to resolve issues and access other cloud-based workloads.
Organizations that didn’t previously enable password hash synchronization had to resort to untrusted
external consumer email systems for communications to resolve issues. In those cases, it took them
weeks to restore their on-premises identity infrastructure, before users were able to sign in to cloud-
based apps again.
3. Identity protection . One of the best ways to protect users in the cloud is Azure AD Identity Protection with
Azure AD Premium P2. Microsoft continually scans the Internet for user and password lists that bad actors
sell and make available on the dark web. Azure AD can use this information to verify if any of the usernames
and passwords in your organization are compromised. Therefore, it's critical to enable password hash
synchronization no matter which authentication method you use, whether it's federated or pass-through
authentication. Leaked credentials are presented as a report. Use this information to block or force users to
change their passwords when they try to sign in with leaked passwords.
Conclusion
This article outlines various authentication options that organizations can configure and deploy to support access to
cloud apps. To meet various business, security, and technical requirements, organizations can choose between
password hash synchronization, Pass-through Authentication, and federation.
Consider each authentication method. Does the effort to deploy the solution, and the user's experience of the sign-
in process address your business requirements? Evaluate whether your organization needs the advanced scenarios
and business continuity features of each authentication method. Finally, evaluate the considerations of each
authentication method. Do any of them prevent you from implementing your choice?
Next steps
In today’s world, threats are present 24 hours a day and come from everywhere. Implement the correct
authentication method, and it will mitigate your security risks and protect your identities.
Get started with Azure AD and deploy the right authentication solution for your organization.
If you're thinking about migrating from federated to cloud authentication, learn more about changing the sign-in
method. To help you plan and implement the migration, use these project deployment plans or consider using the
new Staged Rollout feature to migrate federated users to using cloud authentication in a staged approach.
What is Azure AD Connect?
9/7/2020 • 3 minutes to read • Edit Online
Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides
the following features:
Password hash synchronization - A sign-in method that synchronizes a hash of a users on-premises AD
password with Azure AD.
Pass-through authentication - A sign-in method that allows users to use the same password on-premises and
in the cloud, but doesn't require the additional infrastructure of a federated environment.
Federation integration - Federation is an optional part of Azure AD Connect and can be used to configure a
hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management
capabilities such as certificate renewal and additional AD FS server deployments.
Synchronization - Responsible for creating users, groups, and other objects. As well as, making sure identity
information for your on-premises users and groups is matching the cloud. This synchronization also includes
password hashes.
- Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal
Healt h Monit oring
Get alerted on all critical ADFS system issues Server configuration and availability
Performance and connectivity
Regular maintenance
Next steps
Hardware and prerequisites
Express settings
Customized settings
Install Azure AD Connect Health agents
Choose the right authentication method for your
Azure Active Directory hybrid identity solution
9/7/2020 • 15 minutes to read • Edit Online
Choosing the correct authentication method is the first concern for organizations wanting to move their apps to
the cloud. Don't take this decision lightly, for the following reasons:
1. It's the first decision for an organization that wants to move to the cloud.
2. The authentication method is a critical component of an organization’s presence in the cloud. It controls
access to all cloud data and resources.
3. It's the foundation of all the other advanced security and user experience features in Azure AD.
Identity is the new control plane of IT security, so authentication is an organization’s access guard to the new cloud
world. Organizations need an identity control plane that strengthens their security and keeps their cloud apps safe
from intruders.
NOTE
Changing your authentication method requires planning, testing, and potentially downtime. Staged rollout is a great way to
test users migration from federation to cloud authentication.
Out of scope
Organizations that don't have an existing on-premises directory footprint aren't the focus of this article. Typically,
those businesses create identities only in the cloud, which doesn’t require a hybrid identity solution. Cloud-only
identities exist solely in the cloud and aren't associated with corresponding on-premises identities.
Authentication methods
When the Azure AD hybrid identity solution is your new control plane, authentication is the foundation of cloud
access. Choosing the correct authentication method is a crucial first decision in setting up an Azure AD hybrid
identity solution. Implement the authentication method that is configured by using Azure AD Connect, which also
provisions users in the cloud.
To choose an authentication method, you need to consider the time, existing infrastructure, complexity, and cost of
implementing your choice. These factors are different for every organization and might change over time.
Azure AD supports the following authentication methods for hybrid identity solutions.
Cloud authentication
When you choose this authentication method, Azure AD handles users' sign-in process. Coupled with seamless
single sign-on (SSO), users can sign in to cloud apps without having to reenter their credentials. With cloud
authentication, you can choose from two options:
Azure AD password hash synchronization . The simplest way to enable authentication for on-premises
directory objects in Azure AD. Users can use the same username and password that they use on-premises without
having to deploy any additional infrastructure. Some premium features of Azure AD, like Identity Protection and
Azure AD Domain Services, require password hash synchronization, no matter which authentication method you
choose.
NOTE
Passwords are never stored in clear text or encrypted with a reversible algorithm in Azure AD. For more information on the
actual process of password hash synchronization, see Implement password hash synchronization with Azure AD Connect
sync.
Azure AD Pass-through Authentication . Provides a simple password validation for Azure AD authentication
services by using a software agent that runs on one or more on-premises servers. The servers validate the users
directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the
cloud.
Companies with a security requirement to immediately enforce on-premises user account states, password
policies, and sign-in hours might use this authentication method. For more information on the actual pass-
through authentication process, see User sign-in with Azure AD pass-through authentication.
Federated authentication
When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted
authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s
password.
The authentication system can provide additional advanced authentication requirements. Examples are
smartcard-based authentication or third-party multifactor authentication. For more information, see Deploying
Active Directory Federation Services.
The following section helps you decide which authentication method is right for you by using a decision tree. It
helps you determine whether to deploy cloud or federated authentication for your Azure AD hybrid identity
solution.
Decision tree
Details on decision questions:
1. Azure AD can handle sign-in for users without relying on on-premises components to verify passwords.
2. Azure AD can hand off user sign-in to a trusted authentication provider such as Microsoft’s AD FS.
3. If you need to apply, user-level Active Directory security policies such as account expired, disabled account,
password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-
premises components.
4. Sign-in features not natively supported by Azure AD:
Sign-in using smartcards or certificates.
Sign-in using on-premises MFA Server.
Sign-in using third-party authentication solution.
Multi-site on-premises authentication solution.
5. Azure AD Identity Protection requires Password Hash Sync regardless of which sign-in method you choose, to
provide the Users with leaked credentials report. Organizations can fail over to Password Hash Sync if their
primary sign-in method fails and it was configured before the failure event.
NOTE
Azure AD Identity Protection require Azure AD Premium P2 licenses.
Detailed considerations
Cloud authentication: Password hash synchronization
Effor t . Password hash synchronization requires the least effort regarding deployment, maintenance, and
infrastructure. This level of effort typically applies to organizations that only need their users to sign in to
Office 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash
synchronization is part of the Azure AD Connect sync process and runs every two minutes.
User experience . To improve users' sign-in experience, deploy seamless SSO with password hash
synchronization. Seamless SSO eliminates unnecessary prompts when users are signed in.
Advanced scenarios . If organizations choose to, it's possible to use insights from identities with Azure AD
Identity Protection reports with Azure AD Premium P2. An example is the leaked credentials report.
Windows Hello for Business has specific requirements when you use password hash synchronization.
Azure AD Domain Services requires password hash synchronization to provision users with their corporate
credentials in the managed domain.
Organizations that require multifactor authentication with password hash synchronization must use Azure
Multi-Factor Authentication or Conditional Access custom controls. Those organizations can't use third-
party or on-premises multifactor authentication methods that rely on federation.
NOTE
Azure AD Conditional Access require Azure AD Premium P1 licenses.
Business continuity . Using password hash synchronization with cloud authentication is highly available
as a cloud service that scales to all Microsoft datacenters. To make sure password hash synchronization
does not go down for extended periods, deploy a second Azure AD Connect server in staging mode in a
standby configuration.
Considerations . Currently, password hash synchronization doesn't immediately enforce changes in on-
premises account states. In this situation, a user has access to cloud apps until the user account state is
synchronized to Azure AD. Organizations might want to overcome this limitation by running a new
synchronization cycle after administrators do bulk updates to on-premises user account states. An example
is disabling accounts.
NOTE
The password expired and account locked-out states aren't currently synced to Azure AD with Azure AD Connect. When
you change a user's password and set the user must change password at next logon flag, the password hash will not be
synced to Azure AD with Azure AD Connect until the user changes their password.
NOTE
When you deploy your Azure AD hybrid identity solution, you must implement one of the supported topologies of Azure
AD Connect. Learn more about supported and unsupported configurations at Topologies for Azure AD Connect.
Architecture diagrams
The following diagrams outline the high-level architecture components required for each authentication method
you can use with your Azure AD hybrid identity solution. They provide an overview to help you compare the
differences between the solutions.
Simplicity of a password hash synchronization solution:
Components required for federation in your perimeter and internal network of your organization:
Comparing methods
PA SSW O RD H A SH PA SS- T H RO UGH
SY N C H RO N IZ AT IO N + A UT H EN T IC AT IO N +
C O N SIDERAT IO N SEA M L ESS SSO SEA M L ESS SSO F EDERAT IO N W IT H A D F S
Where does authentication In the cloud In the cloud after a secure On-premises
happen? password verification
exchange with the on-
premises authentication
agent
What are the on-premises None One server for each Two or more AD FS servers
server requirements beyond additional authentication
the provisioning system: agent Two or more WAP servers in
Azure AD Connect? the perimeter/DMZ network
What are the requirements None Outbound Internet access Inbound Internet access to
for on-premises Internet from the servers running WAP servers in the
and networking beyond the authentication agents perimeter
provisioning system?
Inbound network access to
AD FS servers from WAP
servers in the perimeter
Is there a health monitoring Not required Agent status provided by Azure AD Connect Health
solution? Azure Active Directory
admin center
Do users get single sign-on Yes with Seamless SSO Yes with Seamless SSO Yes
to cloud resources from
domain-joined devices
within the company
network?
PA SSW O RD H A SH PA SS- T H RO UGH
SY N C H RO N IZ AT IO N + A UT H EN T IC AT IO N +
C O N SIDERAT IO N SEA M L ESS SSO SEA M L ESS SSO F EDERAT IO N W IT H A D F S
Alternate login ID
Is Windows Hello for Key trust model Key trust model Key trust model
Business supported? Requires Windows Server
2016 Domain functional Certificate trust model
level
What are the multifactor Azure MFA Azure MFA Azure MFA
authentication options?
Custom Controls with Custom Controls with Azure MFA server
Conditional Access* Conditional Access*
Third-party MFA
What user account states Disabled accounts Disabled accounts Disabled accounts
are supported? (up to 30-minute delay)
Account locked out Account locked out
What are the Conditional Azure AD Conditional Azure AD Conditional Azure AD Conditional
Access options? Access, with Azure AD Access, with Azure AD Access, with Azure AD
Premium Premium Premium
AD FS claim rules
Can you customize the logo, Yes, with Azure AD Premium Yes, with Azure AD Premium Yes
image, and description on
the sign-in pages?
PA SSW O RD H A SH PA SS- T H RO UGH
SY N C H RO N IZ AT IO N + A UT H EN T IC AT IO N +
C O N SIDERAT IO N SEA M L ESS SSO SEA M L ESS SSO F EDERAT IO N W IT H A D F S
What advanced scenarios Smart password lockout Smart password lockout Multisite low-latency
are supported? authentication system
Leaked credentials reports,
with Azure AD Premium P2 AD FS extranet lockout
NOTE
Custom controls in Azure AD Conditional Access do not currently support device registration.
Recommendations
Your identity system ensures your users' access to cloud apps and the line-of-business apps that you migrate and
make available in the cloud. To keep authorized users productive and bad actors out of your organization’s
sensitive data, authentication controls access to apps.
Use or enable password hash synchronization for whichever authentication method you choose, for the following
reasons:
1. High availability and disaster recover y . Pass-through Authentication and federation rely on on-
premises infrastructure. For pass-through authentication, the on-premises footprint includes the server
hardware and networking the Pass-through Authentication agents require. For federation, the on-premises
footprint is even larger. It requires servers in your perimeter network to proxy authentication requests and
the internal federation servers.
To avoid single points of failure, deploy redundant servers. Then authentication requests will always be
serviced if any component fails. Both pass-through authentication and federation also rely on domain
controllers to respond to authentication requests, which can also fail. Many of these components need
maintenance to stay healthy. Outages are more likely when maintenance isn't planned and implemented
correctly. Avoid outages by using password hash synchronization because the Microsoft Azure AD cloud
authentication service scales globally and is always available.
2. On-premises outage sur vival . The consequences of an on-premises outage due to a cyber-attack or
disaster can be substantial, ranging from reputational brand damage to a paralyzed organization unable to
deal with the attack. Recently, many organizations were victims of malware attacks, including targeted
ransomware, which caused their on-premises servers to go down. When Microsoft helps customers deal
with these kinds of attacks, it sees two categories of organizations:
Organizations that previously also turned on password hash synchronization on top of federated or
pass-through authentication changed their primary authentication method to then use password
hash synchronization. They were back online in a matter of hours. By using access to email via Office
365, they worked to resolve issues and access other cloud-based workloads.
Organizations that didn’t previously enable password hash synchronization had to resort to
untrusted external consumer email systems for communications to resolve issues. In those cases, it
took them weeks to restore their on-premises identity infrastructure, before users were able to sign
in to cloud-based apps again.
3. Identity protection . One of the best ways to protect users in the cloud is Azure AD Identity Protection
with Azure AD Premium P2. Microsoft continually scans the Internet for user and password lists that bad
actors sell and make available on the dark web. Azure AD can use this information to verify if any of the
usernames and passwords in your organization are compromised. Therefore, it's critical to enable
password hash synchronization no matter which authentication method you use, whether it's federated or
pass-through authentication. Leaked credentials are presented as a report. Use this information to block or
force users to change their passwords when they try to sign in with leaked passwords.
Conclusion
This article outlines various authentication options that organizations can configure and deploy to support access
to cloud apps. To meet various business, security, and technical requirements, organizations can choose between
password hash synchronization, Pass-through Authentication, and federation.
Consider each authentication method. Does the effort to deploy the solution, and the user's experience of the
sign-in process address your business requirements? Evaluate whether your organization needs the advanced
scenarios and business continuity features of each authentication method. Finally, evaluate the considerations of
each authentication method. Do any of them prevent you from implementing your choice?
Next steps
In today’s world, threats are present 24 hours a day and come from everywhere. Implement the correct
authentication method, and it will mitigate your security risks and protect your identities.
Get started with Azure AD and deploy the right authentication solution for your organization.
If you're thinking about migrating from federated to cloud authentication, learn more about changing the sign-in
method. To help you plan and implement the migration, use these project deployment plans or consider using the
new Staged Rollout feature to migrate federated users to using cloud authentication in a staged approach.
Identity synchronization and duplicate attribute
resiliency
9/7/2020 • 7 minutes to read • Edit Online
Duplicate Attribute Resiliency is a feature in Azure Active Directory that will eliminate friction caused by
UserPrincipalName and SMTP ProxyAddress conflicts when running one of Microsoft’s synchronization tools.
These two attributes are generally required to be unique across all User , Group , or Contact objects in a given
Azure Active Directory tenant.
NOTE
Only Users can have UPNs.
The new behavior that this feature enables is in the cloud portion of the sync pipeline, therefore it is client agnostic
and relevant for any Microsoft synchronization product including Azure AD Connect, DirSync and MIM +
Connector. The generic term “sync client” is used in this document to represent any one of these products.
Current behavior
If there is an attempt to provision a new object with a UPN or ProxyAddress value that violates this uniqueness
constraint, Azure Active Directory blocks that object from being created. Similarly, if an object is updated with a
non-unique UPN or ProxyAddress, the update fails. The provisioning attempt or update is retried by the sync client
upon each export cycle, and continues to fail until the conflict is resolved. An error report email is generated upon
each attempt and an error is logged by the sync client.
NOTE
Once Duplicate Attribute Resiliency has been turned on it cannot be disabled.
To check if the feature is enabled for your tenant, you can do so by downloading the latest version of the Azure
Active Directory PowerShell module and running:
Get-MsolDirSyncFeatures -Feature DuplicateUPNResiliency
NOTE
You can no longer use Set-MsolDirSyncFeature cmdlet to proactively enable the Duplicate Attribute Resiliency feature before
it is turned on for your tenant. To be able to test the feature, you will need to create a new Azure Active Directory tenant.
Or
Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyName ProxyAddresses
By conflicting value
To see errors relating to a specific property add the -Proper tyValue flag (-Proper tyName must be used as well
when adding this flag):
Get-MsolDirSyncProvisioningError -ErrorCategory PropertyConflict -PropertyValue User@domain.com -PropertyName
UserPrincipalName
Resolving conflicts
Troubleshooting strategy and resolution tactics for these errors should not differ from the way duplicate attribute
errors were handled in the past. The only difference is that the timer task sweeps through the tenant on the
service-side to automatically add the attribute in question to the proper object once the conflict is resolved.
The following article outlines various troubleshooting and resolution strategies: Duplicate or invalid attributes
prevent directory synchronization in Office 365.
Known issues
None of these known issues causes data loss or service degradation. Several of them are aesthetic, others cause
standard “pre-resiliency” duplicate attribute errors to be thrown instead of quarantining the conflict attribute, and
another causes certain errors to require extra manual fix-up.
Core behavior :
1. Objects with specific attribute configurations continue to receive export errors as opposed to the duplicate
attribute(s) being quarantined.
For example:
a. New user is created in AD with a UPN of Joe@contoso.com and ProxyAddress
smtp:Joe@contoso.com
b. The properties of this object conflict with an existing Group, where ProxyAddress is
SMTP:Joe@contoso.com .
c. Upon export, a ProxyAddress conflict error is thrown instead of having the conflict attributes
quarantined. The operation is retried upon each subsequent sync cycle, as it would have been before the
resiliency feature was enabled.
2. If two Groups are created on-premises with the same SMTP address, one fails to provision on the first
attempt with a standard duplicate ProxyAddress error. However, the duplicate value is properly
quarantined upon the next sync cycle.
Office Por tal Repor t :
1. The detailed error message for two objects in a UPN conflict set is the same. This indicates that they have
both had their UPN changed / quarantined, when in fact only a one of them had any data changed.
2. The detailed error message for a UPN conflict shows the wrong displayName for a user who has had their
UPN changed/quarantined. For example:
a. User A syncs up first with UPN = User@contoso.com .
b. User B is attempted to be synced up next with UPN = User@contoso.com .
c. User B’s UPN is changed to User1234@contoso.onmicrosoft.com and User@contoso.com is
added to DirSyncProvisioningErrors .
d. The error message for User B should indicate that User A already has User@contoso.com as a UPN,
but it shows User B’s own displayName.
Identity synchronization error repor t :
The link for steps on how to resolve this issue is incorrect:
See also
Azure AD Connect sync
Integrating your on-premises identities with Azure Active Directory
Identify directory synchronization errors in Office 365
What is password hash synchronization with Azure
AD?
9/7/2020 • 2 minutes to read • Edit Online
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD
Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a
cloud-based Azure AD instance.
Password hash synchronization is an extension to the directory synchronization feature implemented by Azure AD
Connect sync. You can use this feature to sign in to Azure AD services like Office 365. You sign in to the service by
using the same password you use to sign in to your on-premises Active Directory instance.
Password hash synchronization helps by reducing the number of passwords, your users need to maintain to just
one. Password hash synchronization can:
Improve the productivity of your users.
Reduce your helpdesk costs.
Password Hash Sync also enables leaked credential detection for your hybrid accounts. Microsoft works alongside
dark web researchers and law enforcement agencies to find publicly available username/password pairs. If any of
these pairs match those of our users, the associated account is moved to high risk.
NOTE
Only new leaked credentials found after you enable PHS will be processed against your tenant. Verifying against previously
found credential pairs is not performed.
Optionally, you can set up password hash synchronization as a backup if you decide to use Federation with Active
Directory Federation Services (AD FS) as your sign-in method.
To use password hash synchronization in your environment, you need to:
Install Azure AD Connect.
Configure directory synchronization between your on-premises Active Directory instance and your Azure
Active Directory instance.
Enable password hash synchronization.
For more information, see What is hybrid identity?.
Next Steps
What is hybrid identity?
What is Azure AD Connect and Connect Health?
What is pass-through authentication (PTA)?
What is federation?
What is single-sign on?
How Password hash synchronization works
Implement password hash synchronization with
Azure AD Connect sync
9/7/2020 • 14 minutes to read • Edit Online
This article provides information that you need to synchronize your user passwords from an on-premises
Active Directory instance to a cloud-based Azure Active Directory (Azure AD) instance.
NOTE
Password sync is only supported for the object type user in Active Directory. It is not supported for the iNetOrgPerson
object type.
Detailed description of how password hash synchronization works
The following section describes, in-depth, how password hash synchronization works between Active Directory
and Azure AD.
1. Every two minutes, the password hash synchronization agent on the AD Connect server requests stored
password hashes (the unicodePwd attribute) from a DC. This request is via the standard MS-DRSR
replication protocol used to synchronize data between DCs. The service account must have Replicate
Directory Changes and Replicate Directory Changes All AD permissions (granted by default on installation)
to obtain the password hashes.
2. Before sending, the DC encrypts the MD4 password hash by using a key that is a MD5 hash of the RPC
session key and a salt. It then sends the result to the password hash synchronization agent over RPC. The
DC also passes the salt to the synchronization agent by using the DC replication protocol, so the agent will
be able to decrypt the envelope.
3. After the password hash synchronization agent has the encrypted envelope, it uses
MD5CryptoServiceProvider and the salt to generate a key to decrypt the received data back to its original
MD4 format. The password hash synchronization agent never has access to the clear text password. The
password hash synchronization agent’s use of MD5 is strictly for replication protocol compatibility with the
DC, and it is only used on premises between the DC and the password hash synchronization agent.
4. The password hash synchronization agent expands the 16-byte binary password hash to 64 bytes by first
converting the hash to a 32-byte hexadecimal string, then converting this string back into binary with UTF-
16 encoding.
5. The password hash synchronization agent adds a per user salt, consisting of a 10-byte length salt, to the 64-
byte binary to further protect the original hash.
6. The password hash synchronization agent then combines the MD4 hash plus the per user salt, and inputs it
into the PBKDF2 function. 1000 iterations of the HMAC-SHA256 keyed hashing algorithm are used.
7. The password hash synchronization agent takes the resulting 32-byte hash, concatenates both the per user
salt and the number of SHA256 iterations to it (for use by Azure AD), then transmits the string from Azure
AD Connect to Azure AD over TLS.
8. When a user attempts to sign in to Azure AD and enters their password, the password is run through the
same MD4+salt+PBKDF2+HMAC-SHA256 process. If the resulting hash matches the hash stored in Azure
AD, the user has entered the correct password and is authenticated.
NOTE
The original MD4 hash is not transmitted to Azure AD. Instead, the SHA256 hash of the original MD4 hash is
transmitted. As a result, if the hash stored in Azure AD is obtained, it cannot be used in an on-premises pass-the-hash
attack.
Security considerations
When synchronizing passwords, the plain-text version of your password is not exposed to the password hash
synchronization feature, to Azure AD, or any of the associated services.
User authentication takes place against Azure AD rather than against the organization's own Active Directory
instance. The SHA256 password data stored in Azure AD--a hash of the original MD4 hash--is more secure
than what is stored in Active Directory. Further, because this SHA256 hash cannot be decrypted, it cannot be
brought back to the organization's Active Directory environment and presented as a valid user password in a
pass-the-hash attack.
Password policy considerations
There are two types of password policies that are affected by enabling password hash synchronization:
Password complexity policy
Password expiration policy
Password complexity policy
When password hash synchronization is enabled, the password complexity policies in your on-premises Active
Directory instance override complexity policies in the cloud for synchronized users. You can use all of the valid
passwords from your on-premises Active Directory instance to access Azure AD services.
NOTE
Passwords for users that are created directly in the cloud are still subject to password policies as defined in the cloud.
If there are synchronized users that only interact with Azure AD integrated services and must also comply with
a password expiration policy, you can force them to comply with your Azure AD password expiration policy by
enabling the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature.
When EnforceCloudPasswordPolicyForPasswordSyncedUsers is disabled (which is the default setting), Azure
AD Connect sets thePasswordPoliciesattribute of synchronized users to "DisablePasswordExpiration". This is
done every time a user's password is synchronized and instructs Azure AD to ignore the cloud password
expiration policy for that user. You can check the value of the attribute using theAzure ADPowerShell module
with the following command:
(Get-AzureADUser -objectID <User Object ID>).passwordpolicies
Once enabled, Azure AD does not go to each synchronized user to remove the DisablePasswordExpiration
value from thePasswordPoliciesattribute. Instead, the value is set to None during thenext password syncfor
each user when they next change their password in on-premises AD.
It is recommended to enable EnforceCloudPasswordPolicyForPasswordSyncedUsers, prior to enabling
password hash sync, so that the initial sync of password hashes does not add the DisablePasswordExpiration
value to the PasswordPolicies attribute for the users.
The default Azure AD password policy requires users to change their passwords every 90 days. Ifyour policy in
AD is also 90 days, the two policies should match. However, if the AD policy is not 90 days, you can update the
Azure AD password policy to match by using the Set-MsolPasswordPolicyPowerShell command.
Azure AD supports a separate password expiration policy per registered domain.
Caveat: If there are synchronized accounts that need to have non-expiring passwords in Azure AD, you must
explicitly add the DisablePasswordExpiration value to the PasswordPolicies attribute of the user object in Azure
AD. You can do this by running the following command.
Set-AzureADUser -ObjectID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"
NOTE
The Set-MsolPasswordPolicy PowerShell command will not work on federated domains.
NOTE
Forcing a user to change their password on next logon requires a password change at the same time. Azure AD Connect
will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs
during password hash sync.
Cau t i on
You should only use this feature when SSPR and Password Writeback are enabled on the tenant. This is so that
if a user changes their password via SSPR, it will be synchronized to Active Directory.
Account expiration
If your organization uses the accountExpires attribute as part of user account management, this attribute is not
synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for
password hash synchronization will still be active in Azure AD. We recommend that if the account is expired, a
workflow action should trigger a PowerShell script that disables the user's Azure AD account (use the Set-
AzureADUser cmdlet). Conversely, when the account is turned on, the Azure AD instance should be turned on.
Overwrite synchronized passwords
An administrator can manually reset your password by using Windows PowerShell.
In this case, the new password overrides your synchronized password, and all password policies defined in the
cloud are applied to the new password.
If you change your on-premises password again, the new password is synchronized to the cloud, and it
overrides the manually updated password.
The synchronization of a password has no impact on the Azure user who is signed in. Your current cloud
service session is not immediately affected by a synchronized password change that occurs while you're signed
in to a cloud service. KMSI extends the duration of this difference. When the cloud service requires you to
authenticate again, you need to provide your new password.
Additional advantages
Generally, password hash synchronization is simpler to implement than a federation service. It doesn't
require any additional servers, and eliminates dependence on a highly available federation service to
authenticate users.
Password hash synchronization can also be enabled in addition to federation. It may be used as a fallback if
your federation service experiences an outage.
IMPORTANT
Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments.
It's not supported to install Azure AD Connect in an Azure AD DS managed domain to synchronize objects back to
Azure AD.
Azure AD Connect only synchronizes legacy password hashes when you enable Azure AD DS for your Azure AD tenant.
The following steps aren't used if you only use Azure AD Connect to synchronize an on-premises AD DS environment
with Azure AD.
If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM
password hash synchronization for Azure AD DS. For more information, see Disable weak cipher suites and NTLM
credential hash synchronization.
1. Azure AD Connect retrieves the public key for the tenant's instance of Azure AD Domain Services.
2. When a user changes their password, the on-premises domain controller stores the result of the password
change (hashes) in two attributes:
unicodePwd for the NTLM password hash.
supplementalCredentials for the Kerberos password hash.
3. Azure AD Connect detects password changes through the directory replication channel (attribute changes
needing to replicate to other domain controllers).
4. For each user whose password has changed, Azure AD Connect performs the following steps:
Generates a random AES 256-bit symmetric key.
Generates a random initialization vector needed for the first round of encryption.
Extracts Kerberos password hashes from the supplementalCredentials attributes.
Checks the Azure AD Domain Services security configuration SyncNtlmPasswords setting.
If this setting is disabled, generates a random, high-entropy NTLM hash (different from the
user's password). This hash is then combined with the exacted Kerberos password hashes
from the supplementalCrendetials attribute into one data structure.
If enabled, combines the value of the unicodePwd attribute with the extracted Kerberos
password hashes from the supplementalCredentials attribute into one data structure.
Encrypts the single data structure using the AES symmetric key.
Encrypts the AES symmetric key using the tenant's Azure AD Domain Services public key.
5. Azure AD Connect transmits the encrypted AES symmetric key, the encrypted data structure containing the
password hashes, and the initialization vector to Azure AD.
6. Azure AD stores the encrypted AES symmetric key, the encrypted data structure, and the initialization vector
for the user.
7. Azure AD pushes the encrypted AES symmetric key, the encrypted data structure, and the initialization
vector using an internal synchronization mechanism over an encrypted HTTP session to Azure AD Domain
Services.
8. Azure AD Domain Services retrieves the private key for the tenant's instance from Azure Key vault.
9. For each encrypted set of data (representing a single user's password change), Azure AD Domain Services
then performs the following steps:
Uses its private key to decrypt the AES symmetric key.
Uses the AES symmetric key with the initialization vector to decrypt the encrypted data structure that
contains the password hashes.
Writes the Kerberos password hashes it receives to the Azure AD Domain Services domain controller.
The hashes are saved into the user object's supplementalCredentials attribute that is encrypted to the
Azure AD Domain Services domain controller's public key.
Azure AD Domain Services writes the NTLM password hash it received to the Azure AD Domain
Services domain controller. The hash is saved into the user object's unicodePwd attribute that is
encrypted to the Azure AD Domain Services domain controller's public key.
When you install Azure AD Connect by using the Express Settings option, password hash synchronization is
automatically enabled. For more information, see Getting started with Azure AD Connect using express
settings.
If you use custom settings when you install Azure AD Connect, password hash synchronization is available on
the user sign-in page. For more information, see Custom installation of Azure AD Connect.
Password hash synchronization and FIPS
If your server has been locked down according to Federal Information Processing Standard (FIPS), then MD5 is
disabled.
To enable MD5 for password hash synchronization, perform the following steps:
1. Go to %programfiles%\Azure AD Sync\Bin.
2. Open miiserver.exe.config.
3. Go to the configuration/runtime node at the end of the file.
4. Add the following node: <enforceFIPSPolicy enabled="false"/>
5. Save your changes.
For reference, this snippet is what it should look like:
<configuration>
<runtime>
<enforceFIPSPolicy enabled="false"/>
</runtime>
</configuration>
For information about security and FIPS, see Azure AD password hash sync, encryption, and FIPS compliance.
Next steps
Azure AD Connect sync: Customizing synchronization options
Integrating your on-premises identities with Azure Active Directory
Get a step-by-step deployment plan for migrating from ADFS to Password Hash Synchronization
User sign-in with Azure Active Directory Pass-
through Authentication
9/7/2020 • 3 minutes to read • Edit Online
This feature is an alternative to Azure AD Password Hash Synchronization, which provides the same benefit of
cloud authentication to organizations. However, certain organizations wanting to enforce their on-premises
Active Directory security and password policies, can choose to use Pass-through Authentication instead. Review
this guide for a comparison of the various Azure AD sign-in methods and how to choose the right sign-in
method for your organization.
You can combine Pass-through Authentication with the Seamless Single Sign-On feature. This way, when your
users are accessing applications on their corporate machines inside your corporate network, they don't need to
type in their passwords to sign in.
Feature highlights
Supports user sign-in into all web browser-based applications and into Microsoft Office client applications
that use modern authentication.
Sign-in usernames can be either the on-premises default username ( userPrincipalName ) or another
attribute configured in Azure AD Connect (known as Alternate ID ).
The feature works seamlessly with Conditional Access features such as Multi-Factor Authentication (MFA) to
help secure your users.
Integrated with cloud-based self-service password management, including password writeback to on-
premises Active Directory and password protection by banning commonly used passwords.
Multi-forest environments are supported if there are forest trusts between your AD forests and if name
suffix routing is correctly configured.
It is a free feature, and you don't need any paid editions of Azure AD to use it.
It can be enabled via Azure AD Connect.
It uses a lightweight on-premises agent that listens for and responds to password validation requests.
Installing multiple agents provides high availability of sign-in requests.
It protects your on-premises accounts against brute force password attacks in the cloud.
Next steps
Quickstart - Get up and running Azure AD Pass-through Authentication.
Migrate from AD FS to Pass-through Authentication - A detailed guide to migrate from AD FS (or other
federation technologies) to Pass-through Authentication.
Smart Lockout - Configure Smart Lockout capability on your tenant to protect user accounts.
Current limitations - Learn which scenarios are supported and which ones are not.
Technical Deep Dive - Understand how this feature works.
Frequently Asked Questions - Answers to frequently asked questions.
Troubleshoot - Learn how to resolve common issues with the feature.
Security Deep Dive - Additional deep technical information on the feature.
Azure AD Seamless SSO - Learn more about this complementary feature.
UserVoice - For filing new feature requests.
Azure Active Directory Pass-through Authentication:
Technical deep dive
9/7/2020 • 2 minutes to read • Edit Online
This article is an overview of how Azure Active directory (Azure AD) Pass-through Authentication works. For deep
technical and security information, see the Security deep dive article.
When a user tries to sign in to an application secured by Azure AD, and if Pass-through Authentication is enabled
on the tenant, the following steps occur:
1. The user tries to access an application, for example, Outlook Web App.
2. If the user is not already signed in, the user is redirected to the Azure AD User Sign-in page.
3. The user enters their username into the Azure AD sign in page, and then selects the Next button.
4. The user enters their password into the Azure AD sign in page, and then selects the Sign in button.
5. Azure AD, on receiving the request to sign in, places the username and password (encrypted by using the
public key of the Authentication Agents) in a queue.
6. An on-premises Authentication Agent retrieves the username and encrypted password from the queue. Note
that the Agent doesn't frequently poll for requests from the queue, but retrieves requests over a pre-
established persistent connection.
7. The agent decrypts the password by using its private key.
8. The agent validates the username and password against Active Directory by using standard Windows APIs,
which is a similar mechanism to what Active Directory Federation Services (AD FS) uses. The username can be
either the on-premises default username, usually userPrincipalName , or another attribute configured in Azure
AD Connect (known as Alternate ID ).
9. The on-premises Active Directory domain controller (DC) evaluates the request and returns the appropriate
response (success, failure, password expired, or user locked out) to the agent.
10. The Authentication Agent, in turn, returns this response back to Azure AD.
11. Azure AD evaluates the response and responds to the user as appropriate. For example, Azure AD either signs
the user in immediately or requests for Azure Multi-Factor Authentication.
12. If the user sign-in is successful, the user can access the application.
The following diagram illustrates all the components and the steps involved:
Next steps
Current limitations: Learn which scenarios are supported and which ones are not.
Quick Start: Get up and running on Azure AD Pass-through Authentication.
Migrate from AD FS to Pass-through Authentication - A detailed guide to migrate from AD FS (or other
federation technologies) to Pass-through Authentication.
Smart Lockout: Configure the Smart Lockout capability on your tenant to protect user accounts.
Frequently Asked Questions: Find answers to frequently asked questions.
Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
Security Deep Dive: Get deep technical information on the Pass-through Authentication feature.
Azure AD Seamless SSO: Learn more about this complementary feature.
UserVoice: Use the Azure Active Directory Forum to file new feature requests.
Azure Active Directory Pass-through Authentication:
Current limitations
9/7/2020 • 2 minutes to read • Edit Online
IMPORTANT
Azure Active Directory (Azure AD) Pass-through Authentication is a free feature, and you don't need any paid editions of
Azure AD to use it. Pass-through Authentication is only available in the world-wide instance of Azure AD, and not on the
Microsoft Azure Germany cloud or the Microsoft Azure Government cloud.
Supported scenarios
The following scenarios are supported:
User sign-ins to web browser-based applications.
User sign-ins to Outlook clients using legacy protocols such as Exchange ActiveSync, EAS, SMTP, POP and IMAP.
User sign-ins to legacy Office client applications and Office applications that support modern authentication:
Office 2013 and 2016 versions.
User sign-ins to legacy protocol applications such as PowerShell version 1.0 and others.
Azure AD joins for Windows 10 devices.
App passwords for Multi-Factor Authentication.
Unsupported scenarios
The following scenarios are not supported:
Detection of users with leaked credentials.
Azure AD Domain Services needs Password Hash Synchronization to be enabled on the tenant. Therefore
tenants that use Pass-through Authentication only don't work for scenarios that need Azure AD Domain
Services.
Pass-through Authentication is not integrated with Azure AD Connect Health.
IMPORTANT
As a workaround for unsupported scenarios only (except Azure AD Connect Health integration), enable Password Hash
Synchronization on the Optional features page in the Azure AD Connect wizard.
NOTE
Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is
disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to
switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll
require help from Microsoft Support to turn off Pass-through Authentication.
Next steps
Quick start: Get up and running with Azure AD Pass-through Authentication.
Migrate from AD FS to Pass-through Authentication - A detailed guide to migrate from AD FS (or other
federation technologies) to Pass-through Authentication.
Smart Lockout: Learn how to configure the Smart Lockout capability on your tenant to protect user accounts.
Technical deep dive: Understand how the Pass-through Authentication feature works.
Frequently asked questions: Find answers to frequently asked questions about the Pass-through Authentication
feature.
Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
Security deep dive: Get deep technical information on the Pass-through Authentication feature.
Azure AD Seamless SSO: Learn more about this complementary feature.
UserVoice: Use the Azure Active Directory Forum to file new feature requests.
Azure Active Directory Pass-through Authentication
security deep dive
9/7/2020 • 12 minutes to read • Edit Online
This article provides a more detailed description of how Azure Active Directory (Azure AD) Pass-through
Authentication works. It focuses on the security aspects of the feature. This article is for security and IT
administrators, chief compliance and security officers, and other IT professionals who are responsible for IT
security and compliance at small-to-medium sized organizations or large enterprises.
The topics addressed include:
Detailed technical information about how to install and register the Authentication Agents.
Detailed technical information about the encryption of passwords during user sign-in.
The security of the channels between on-premises Authentication Agents and Azure AD.
Detailed technical information about how to keep the Authentication Agents operationally secure.
Other security-related topics.
Components involved
For general details about Azure AD operational, service, and data security, see the Trust Center. The following
components are involved when you use Pass-through Authentication for user sign-in:
Azure AD STS : A stateless security token service (STS) that processes sign-in requests and issues security
tokens to users' browsers, clients, or services as required.
Azure Ser vice Bus : Provides cloud-enabled communication with enterprise messaging and relays
communication that helps you connect on-premises solutions with the cloud.
Azure AD Connect Authentication Agent : An on-premises component that listens for and responds to
password validation requests.
Azure SQL Database : Holds information about your tenant's Authentication Agents, including their
metadata and encryption keys.
Active Director y : On-premises Active Directory, where your user accounts and their passwords are stored.
IMPORTANT
From a security standpoint, administrators should treat the server running the PTA agent as if it were a domain controller.
The PTA agent servers should be hardened along the same lines as outlined in Securing Domain Controllers Against Attack
NOTE
This CA is not in the Windows Trusted Root Certificate Authorities store.
The CA is used only by the Pass-through Authentication feature. The CA is used only to sign CSRs
during the Authentication Agent registration.
None of the other Azure AD services use this CA.
The certificate’s subject (Distinguished Name or DN) is set to your tenant ID. This DN is a GUID that
uniquely identifies your tenant. This DN scopes the certificate for use only with your tenant.
6. Azure AD stores the public key of the Authentication Agent in a database in Azure SQL Database, which only
Azure AD has access to.
7. The certificate (issued in step 5) is stored on the on-premises server in the Windows certificate store
(specifically in the CERT_SYSTEM_STORE_LOCAL_MACHINE location). It is used by both the Authentication
Agent and the Updater applications.
Authentication Agent initialization
When the Authentication Agent starts, either for the first time after registration or after a server restart, it needs a
way to communicate securely with the Azure AD service and start accepting password validation requests.
NOTE
If the Authentication Agent fails during the sign-in process, the whole sign-in request is dropped. There is no hand-off of
sign-in requests from one Authentication Agent to another Authentication Agent on-premises. These agents only
communicate with the cloud, and not with each other.
13. The Authentication Agent forwards the result back to Azure AD STS over an outbound mutually authenticated
HTTPS channel over port 443. Mutual authentication uses the certificate previously issued to the
Authentication Agent during registration.
14. Azure AD STS verifies that this result correlates with the specific sign-in request on your tenant.
15. Azure AD STS continues with the sign-in procedure as configured. For example, if the password validation was
successful, the user might be challenged for Multi-Factor Authentication or redirected back to the application.
NOTE
This procedure does not remove the certificate itself from the CERT_SYSTEM_STORE_LOCAL_MACHINE location.
9. The new certificate is used for authentication from this point on. Every subsequent renewal of the
certificate replaces the certificate in the CERT_SYSTEM_STORE_LOCAL_MACHINE location.
NOTE
The Updater runs with Local System privileges.
Stops the Authentication Agent service
Installs the new version of the Authentication Agent on the server
Restarts the Authentication Agent service
NOTE
If you have multiple Authentication Agents registered on your tenant, Azure AD does not renew their certificates or update
them at the same time. Instead, Azure AD does so one at a time to ensure the high availability of sign-in requests.
Next steps
Current limitations: Learn which scenarios are supported and which ones are not.
Quickstart: Get up and running on Azure AD Pass-through Authentication.
Migrate from AD FS to Pass-through Authentication - A detailed guide to migrate from AD FS (or other
federation technologies) to Pass-through Authentication.
Smart Lockout: Configure the Smart Lockout capability on your tenant to protect user accounts.
How it works: Learn the basics of how Azure AD Pass-through Authentication works.
Frequently asked questions: Find answers to frequently asked questions.
Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
Azure AD Seamless SSO: Learn more about this complementary feature.
User Privacy and Azure Active Directory Pass-
through Authentication
9/7/2020 • 3 minutes to read • Edit Online
NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
Overview
Azure AD Pass-through Authentication creates the following log type, which can contain Personal Data:
Azure AD Connect trace log files.
Authentication Agent trace log files.
Windows Event log files.
Improve user privacy for Pass-through Authentication in two ways:
1. Upon request, extract data for a person and remove data from that person from the installations.
2. Ensure no data is retained beyond 48 hours.
We strongly recommend the second option as it is easier to implement and maintain. Following are the instructions
for each log type:
Delete Azure AD Connect trace log files
Check the contents of %ProgramData%\AADConnect folder and delete the trace log contents (trace-*.log files)
of this folder within 48 hours of installing or upgrading Azure AD Connect or modifying Pass-through
Authentication configuration, as this action may create data covered by GDPR.
IMPORTANT
Don’t delete the PersistedState.xml file in this folder, as this file is used to maintain the state of the previous installation of
Azure AD Connect and is used when an upgrade installation is done. This file will never contain any data about a person and
should never be deleted.
You can either review and delete these trace log files using Windows Explorer or you can use the following
PowerShell script to perform the necessary actions:
Save the script in a file with the ".PS1" extension. Run this script as needed.
To learn more about related Azure AD Connect GDPR requirements, see this article.
Delete Authentication Agent event logs
This product may also create Windows Event Logs . To learn more, please read this article.
To view logs related to the Pass-through Authentication Agent, open the Event Viewer application on the server
and check under Application and Ser vice Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin .
Delete Authentication Agent trace log files
You should regularly check the contents of %ProgramData%\Microsoft\Azure AD Connect Authentication
Agent\Trace and delete the contents of this folder every 48 hours.
IMPORTANT
If the Authentication Agent service is running, you'll not be able to delete the current log file in the folder. Stop the service
before trying again. To avoid user sign-in failures, you should have already configured Pass-through Authentication for high
availability.
You can either review and delete these files using Windows Explorer or you can use the following script to perform
the necessary actions:
Next steps
Review the Microsoft Privacy policy on Trust Center
Troubleshoot - Learn how to resolve common issues with the feature.
What is federation with Azure AD?
9/7/2020 • 2 minutes to read • Edit Online
Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes
authentication and almost always includes authorization. A typical federation might include a number of
organizations that have established trust for shared access to a set of resources.
You can federate your on-premises environment with Azure AD and use this federation for authentication and
authorization. This sign-in method ensures that all user authentication occurs on-premises. This method allows
administrators to implement more rigorous levels of access control. Federation with AD FS and PingFederate is
available.
TIP
If you decide to use Federation with Active Directory Federation Services (AD FS), you can optionally set up password hash
synchronization as a backup in case your AD FS infrastructure fails.
Next Steps
What is hybrid identity?
What is Azure AD Connect and Connect Health?
What is password hash synchronization?
What is federation?
What is single-sign on?
How federation works
Federation with PingFederate
Azure AD Connect and federation
9/7/2020 • 2 minutes to read • Edit Online
Azure Active Directory (Azure AD) Connect lets you configure federation with on-premises Active Directory
Federation Services (AD FS) and Azure AD. With federation sign-in, you can enable users to sign in to Azure AD-
based services with their on-premises passwords--and, while on the corporate network, without having to enter
their passwords again. By using the federation option with AD FS, you can deploy a new installation of AD FS, or
you can specify an existing installation in a Windows Server 2012 R2 farm.
This topic is the home for information on federation-related functionalities for Azure AD Connect. It lists links to
all related topics. For links to Azure AD Connect, see Integrating your on-premises identities with Azure Active
Directory.
Understand user sign-in options Learn about various user sign-in options and how they affect
the Azure sign-in user experience.
Federate with Azure AD using alternate login ID Configure federation using alternate login ID
Repair the trust Repair the current trust between on-premises AD FS and
Office 365/Azure.
Add a new AD FS WAP server Expand an AD FS farm with an additional Web Application
Proxy (WAP) server after initial installation.
Add a new federated domain Add another domain to be federated with Azure AD.
Update the TLS/SSL certificate Update the TLS/SSL certificate for an AD FS farm.
Renew federation certificates for Office 365 and Azure AD Renew your O365 certificate with Azure AD.
Federate multiple instances of Azure AD with single instance Federate multiple Azure AD with single AD FS farm
of AD FS
Add a custom company logo/illustration Modify the sign-in experience by specifying the custom logo
that is shown on the AD FS sign-in page.
Add a sign-in description Change the sign-in description on the AD FS sign-in page.
Modify AD FS claim rules Modify or add claim rules in AD FS that correspond to Azure
AD Connect sync configuration.
Additional resources
Federating two Azure AD with single AD FS
AD FS deployment in Azure
High-availability cross-geographic AD FS deployment in Azure with Azure Traffic Manager
Azure AD federation compatibility list
9/7/2020 • 2 minutes to read • Edit Online
Azure Active Directory provides single-sign on and enhanced application access security for Office 365 and other
Microsoft Online services for hybrid and cloud-only implementations without requiring any third party solution.
Office 365, like most of Microsoft’s Online services, is integrated with Azure Active Directory for directory services,
authentication, and authorization. Azure Active Directory also provides single sign-on to thousands of SaaS
applications and on-premises web applications. See the Azure Active Directory application gallery for supported
SaaS applications.
IDP Validation
If your organization uses a third-party federation solution, you can configure single sign-on for your on-premises
Active Directory users with Microsoft Online services, such as Office 365, provided the third-party federation
solution is compatible with Azure Active Directory. For questions regarding compatibility, please contact your
identity provider. If you would like to see a list of identity providers who have previously been tested for
compatibility with Azure AD, by Microsoft, click here.
NOTE
Microsoft no longer provides validation testing to independent identity providers for compatibility with Azure Active
Directory. If you would like to test your product for interoperability please refer to these guidelines.
Next Steps
Integrate your on-premises directories with Azure Active Directory
Azure AD Connect and federation
Azure Active Directory Seamless Single Sign-On
9/7/2020 • 3 minutes to read • Edit Online
Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through
Authentication sign-in methods. Seamless SSO is not applicable to Active Directory Federation Services
(ADFS).
IMPORTANT
Seamless SSO needs the user's device to be domain-joined only, but it is not used on Azure AD Joined or Hybrid
Azure AD joined devices. SSO on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices works
based on the primary refresh token.
Key benefits
Great user experience
Users are automatically signed into both on-premises and cloud-based applications.
Users don't have to enter their passwords repeatedly.
Easy to deploy & administer
No additional components needed on-premises to make this work.
Works with any method of cloud authentication - Password Hash Synchronization or Pass-through
Authentication.
Can be rolled out to some or all your users using Group Policy.
Register non-Windows 10 devices with Azure AD without the need for any AD FS infrastructure.
This capability needs you to use version 2.1 or later of the workplace-join client.
Feature highlights
Sign-in username can be either the on-premises default username ( userPrincipalName ) or another
attribute configured in Azure AD Connect ( Alternate ID ). Both use cases work because Seamless SSO
uses the securityIdentifier claim in the Kerberos ticket to look up the corresponding user object in
Azure AD.
Seamless SSO is an opportunistic feature. If it fails for any reason, the user sign-in experience goes back
to its regular behavior - i.e, the user needs to enter their password on the sign-in page.
If an application (for example, https://myapps.microsoft.com/contoso.com ) forwards a domain_hint
(OpenID Connect) or whr (SAML) parameter - identifying your tenant, or login_hint parameter -
identifying the user, in its Azure AD sign-in request, users are automatically signed in without them
entering usernames or passwords.
Users also get a silent sign-on experience if an application (for example, https://contoso.sharepoint.com )
sends sign-in requests to Azure AD's endpoints set up as tenants - that is,
https://login.microsoftonline.com/contoso.com/<..> or
https://login.microsoftonline.com/<tenant_ID>/<..> - instead of Azure AD's common endpoint - that is,
https://login.microsoftonline.com/common/<...> .
Sign out is supported. This allows users to choose another Azure AD account to sign in with, instead of
being automatically signed in using Seamless SSO automatically.
Office 365 Win32 clients (Outlook, Word, Excel, and others) with versions 16.0.8730.xxxx and above are
supported using a non-interactive flow. For OneDrive, you will have to activate the OneDrive silent config
feature for a silent sign-on experience.
It can be enabled via Azure AD Connect.
It is a free feature, and you don't need any paid editions of Azure AD to use it.
It is supported on web browser-based clients and Office clients that support modern authentication on
platforms and browsers capable of Kerberos authentication:
IN T ERN ET M IC RO SO F T GO O GL E M O Z IL L A
O S\ B RO W SER EXP LO RER EDGE C H RO M E F IREF O X SA FA RI
Next steps
Quick Star t - Get up and running Azure AD Seamless SSO.
Deployment Plan - Step-by-step deployment plan.
Technical Deep Dive - Understand how this feature works.
Frequently Asked Questions - Answers to frequently asked questions.
Troubleshoot - Learn how to resolve common issues with the feature.
UserVoice - For filing new feature requests.
Azure Active Directory Seamless Single Sign-On:
Technical deep dive
9/7/2020 • 4 minutes to read • Edit Online
This article gives you technical details into how the Azure Active Directory Seamless Single Sign-On (Seamless
SSO) feature works.
IMPORTANT
The AZUREADSSOACC computer account needs to be strongly protected for security reasons. Only Domain Admins should be
able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled, and that no
other account in Active Directory has delegation permissions on the AZUREADSSOACC computer account.. Store the
computer account in an Organization Unit (OU) where they are safe from accidental deletions and where only Domain
Admins have access. The Kerberos decryption key on the computer account should also be treated as sensitive. We highly
recommend that you roll over the Kerberos decryption key of the AZUREADSSOACC computer account at least every 30
days.
IMPORTANT
Seamless SSO supports the AES256_HMAC_SHA1, AES128_HMAC_SHA1 and RC4_HMAC_MD5 encryption types for
Kerberos. It is recommended that the encryption type for the AzureADSSOAcc$ account is set to AES256_HMAC_SHA1, or
one of the AES types vs. RC4 for added security. The encryption type is stored on the msDS-SupportedEncryptionTypes
attribute of the account in your Active Directory. If the AzureADSSOAcc$ account encryption type is set to
RC4_HMAC_MD5, and you want to change it to one of the AES encryption types, please make sure that you first roll over
the Kerberos decryption key of the AzureADSSOAcc$ account as explained in the FAQ document under the relevant
question, otherwise Seamless SSO will not happen.
Once the set-up is complete, Seamless SSO works the same way as any other sign-in that uses Integrated
Windows Authentication (IWA).
How does sign-in on a web browser with Seamless SSO work?
The sign-in flow on a web browser is as follows:
1. The user tries to access a web application (for example, the Outlook Web App -
https://outlook.office365.com/owa/) from a domain-joined corporate device inside your corporate network.
2. If the user is not already signed in, the user is redirected to the Azure AD sign-in page.
3. The user types in their user name into the Azure AD sign-in page.
NOTE
For certain applications, steps 2 & 3 are skipped.
4. Using JavaScript in the background, Azure AD challenges the browser, via a 401 Unauthorized response, to
provide a Kerberos ticket.
5. The browser, in turn, requests a ticket from Active Directory for the AZUREADSSOACC computer account (which
represents Azure AD).
6. Active Directory locates the computer account and returns a Kerberos ticket to the browser encrypted with
the computer account's secret.
7. The browser forwards the Kerberos ticket it acquired from Active Directory to Azure AD.
8. Azure AD decrypts the Kerberos ticket, which includes the identity of the user signed into the corporate
device, using the previously shared key.
9. After evaluation, Azure AD either returns a token back to the application or asks the user to perform
additional proofs, such as Multi-Factor Authentication.
10. If the user sign-in is successful, the user is able to access the application.
The following diagram illustrates all the components and the steps involved.
Seamless SSO is opportunistic, which means if it fails, the sign-in experience falls back to its regular behavior - i.e,
the user needs to enter their password to sign in.
How does sign-in on a native client with Seamless SSO work?
The sign-in flow on a native client is as follows:
1. The user tries to access a native application (for example, the Outlook client) from a domain-joined corporate
device inside your corporate network.
2. If the user is not already signed in, the native application retrieves the username of the user from the device's
Windows session.
3. The app sends the username to Azure AD, and retrieves your tenant's WS-Trust MEX endpoint. This WS-Trust
endpoint is used exclusively by the Seamless SSO feature, and is not a general implementation of the WS-Trust
protocol on Azure AD.
4. The app then queries the WS-Trust MEX endpoint to see if integrated authentication endpoint is available. The
integrated authentication endpoint is used exclusively by the Seamless SSO feature.
5. If step 4 succeeds, a Kerberos challenge is issued.
6. If the app is able to retrieve the Kerberos ticket, it forwards it up to Azure AD's integrated authentication
endpoint.
7. Azure AD decrypts the Kerberos ticket and validates it.
8. Azure AD signs the user in, and issues a SAML token to the app.
9. The app then submits the SAML token to Azure AD's OAuth2 token endpoint.
10. Azure AD validates the SAML token, and issues to the app an access token and a refresh token for the specified
resource, and an id token.
11. The user gets access to the app's resource.
The following diagram illustrates all the components and the steps involved.
Next steps
Quick Star t - Get up and running Azure AD Seamless SSO.
Frequently Asked Questions - Answers to frequently asked questions.
Troubleshoot - Learn how to resolve common issues with the feature.
UserVoice - For filing new feature requests.
User Privacy and Azure AD Seamless Single Sign-On
9/7/2020 • 2 minutes to read • Edit Online
NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
Overview
Azure AD Seamless SSO creates the following log type, which can contain Personal Data:
Azure AD Connect trace log files.
Improve user privacy for Seamless SSO in two ways:
1. Upon request, extract data for a person and remove data from that person from the installations.
2. Ensure no data is retained beyond 48 hours.
We strongly recommend the second option as it is easier to implement and maintain. See following instructions for
each log type:
Delete Azure AD Connect trace log files
Check the contents of %ProgramData%\AADConnect folder and delete the trace log contents (trace-*.log files)
of this folder within 48 hours of installing or upgrading Azure AD Connect or modifying Seamless SSO
configuration, as this action may create data covered by GDPR.
IMPORTANT
Don’t delete the PersistedState.xml file in this folder, as this file is used to maintain the state of the previous installation of
Azure AD Connect and is used when an upgrade installation is done. This file will never contain any data about a person and
should never be deleted.
You can either review and delete these trace log files using Windows Explorer or you can use the following
PowerShell script to perform the necessary actions:
Save the script in a file with the ".PS1" extension. Run this script as needed.
To learn more about related Azure AD Connect GDPR requirements, see this article.
Note about Domain controller logs
If audit logging is enabled, this product may generate security logs for your Domain Controllers. To learn more
about configuring audit policies, read this article.
Next steps
Review the Microsoft Privacy policy on Trust Center
Troubleshoot - Learn how to resolve common issues with the feature.
UserVoice - For filing new feature requests.
Azure AD Connect sync: Understand and
customize synchronization
9/7/2020 • 3 minutes to read • Edit Online
The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component
of Azure AD Connect. It takes care of all the operations that are related to synchronize identity data between
your on-premises environment and Azure AD. Azure AD Connect sync is the successor of DirSync, Azure AD
Sync, and Forefront Identity Manager with the Azure Active Directory Connector configured.
This topic is the home for Azure AD Connect sync (also called sync engine ) and lists links to all other
topics related to it. For links to Azure AD Connect, see Integrating your on-premises identities with Azure
Active Directory.
The sync service consists of two components, the on-premises Azure AD Connect sync component and
the service side in Azure AD called Azure AD Connect sync ser vice .
Understanding the architecture For those of you who are new to the sync engine and want
to learn about the architecture and the terms used.
Topologies for Azure AD Connect Describes the different topologies and scenarios the sync
engine supports.
Custom configuration
Running the installation wizard again Explains what options you have available when you run the
Azure AD Connect installation wizard again.
Understanding Declarative Provisioning Expressions Describes the syntax for the expression language used in
declarative provisioning.
Understanding the default configuration Describes the out-of-box rules and the default
configuration. Also describes how the rules work together
for the out-of-box scenarios to work.
Understanding Users and Contacts Continues on the previous topic and describes how the
configuration for users and contacts works together, in
particular in a multi-forest environment.
TO P IC W H AT IT C O VERS A N D W H EN TO REA D
How to make a change to the default configuration Walks you through how to make a common configuration
change to attribute flows.
Best practices for changing the default configuration Support limitations and for making changes to the out-of-
box configuration.
Configure Filtering Describes the different options for how to limit which
objects are being synchronized to Azure AD and step-by-
step how to configure these options.
Prevent accidental deletes Describes the prevent accidental deletes feature and how
to configure it.
Implement password hash synchronization Describes how password synchronization works, how to
implement, and how to operate and troubleshoot.
Directory extensions Describes how to extend the Azure AD schema with your
own custom attributes.
Office 365 PreferredDataLocation Describes how to put the user's Office 365 resources in the
same region as the user.
Azure AD Connect sync service features Describes the sync service side and how to change sync
settings in Azure AD.
Duplicate attribute resiliency Describes how to enable and use userPrincipalName and
proxyAddresses duplicate attribute values resiliency.
Operations and UI
Operational tasks and considerations Describes operational concerns, such as disaster recovery.
How To...
Reset the Azure AD account How to reset the credentials of the service account used to
connect from Azure AD Connect sync to Azure AD.
Ports Lists which ports you need to open between the sync
engine and your on-premises directories and Azure AD.
Attributes synchronized to Azure Active Directory Lists all attributes being synchronized between on-
premises AD and Azure AD.
Additional Resources
Integrating your on-premises identities with Azure Active Directory
ADSync service account
9/7/2020 • 3 minutes to read • Edit Online
Azure AD Connect installs an on-premises service which orchestrates synchronization between Active Directory
and Azure Active Directory. The Microsoft Azure AD Sync synchronization service (ADSync) runs on a server in your
on-premises environment. The credentials for the service are set by default in the Express installations but may be
customized to meet your organizational security requirements. These credentials are not used to connect to your
on-premises forests or Azure Active Directory.
Choosing the ADSync service account is an important planning decision to make prior to installing Azure AD
Connect. Any attempt to change the credentials after installation will result in the service failing to start, losing
access to the synchronization database, and failing to authenticate with your connected directories (Azure and AD
DS). No synchronization will occur until the original credentials are restored.
NOTE
The default service account when installed on a domain controller is of the form Domain\AAD_InstallationIdentifier. The
password for this account is randomly generated and presents significant challenges for recovery and password rotation.
Microsoft recommends customizing the service account during initial installation on a domain controller to use either a
standalone or group Managed Service Account (sMSA / gMSA)
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect sync service features
9/7/2020 • 3 minutes to read • Edit Online
NOTE
From August 24, 2016 the feature Duplicate attribute resiliency is enabled by default for new Azure AD directories. This
feature will also be rolled out and enabled on directories created before this date. You will receive an email notification when
your directory is about to get this feature enabled.
The following settings are configured by Azure AD Connect and cannot be modified by Set-MsolDirSyncFeature :
If this feature is not enabled for your Azure AD directory, then you can enable it by running:
Enabling this feature allows the sync engine to update the userPrincipalName when it is changed on-premises and
you use password hash sync or pass-through authentication.
This feature is on by default for newly created Azure AD directories. You can see if this feature is enabled for you
by running:
If this feature is not enabled for your Azure AD directory, then you can enable it by running:
After enabling this feature, existing userPrincipalName values will remain as-is. On next change of the
userPrincipalName attribute on-premises, the normal delta sync on users will update the UPN.
See also
Azure AD Connect sync
Integrating your on-premises identities with Azure Active Directory.
Introduction to the Azure AD Connect
Synchronization Service Manager UI
9/7/2020 • 2 minutes to read • Edit Online
The Synchronization Ser vice Manager UI is used to configure more advanced aspects of the sync engine and
to see the operational aspects of the service.
You start the Synchronization Ser vice Manager UI from the start menu. It is named Synchronization
Ser vice and can be found in the Azure AD Connect group.
Next steps
Learn more about the Synchronization Service Manager UI, including Operations, Connectors, Metaverse
Designer, and Metaverse Search tabs.
Learn more about the Azure AD Connect sync configuration.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect sync: Technical Concepts
9/7/2020 • 4 minutes to read • Edit Online
The following sections provide more details about the following aspects of the FIM Synchronization Service:
Connector
Attribute flow
Connector space
Metaverse
Provisioning
Connector
The code modules that are used to communicate with a connected directory are called connectors (formerly
known as management agents (MAs)).
These are installed on the computer running Azure AD Connect sync. The connectors provide the agentless ability
to converse by using remote system protocols instead of relying on the deployment of specialized agents. This
means decreased risk and deployment times, especially when dealing with critical applications and systems.
In the picture above, the connector is synonymous with the connector space but encompasses all communication
with the external system.
The connector is responsible for all import and export functionality to the system and frees developers from
needing to understand how to connect to each system natively when using declarative provisioning to customize
data transformations.
Imports and exports only occur when scheduled, allowing for further insulation from changes occurring within the
system, since changes do not automatically propagate to the connected data source. In addition, developers may
also create their own connectors for connecting to virtually any data source.
Attribute flow
The metaverse is the consolidated view of all joined identities from neighboring connector spaces. In the figure
above, attribute flow is depicted by lines with arrowheads for both inbound and outbound flow. Attribute flow is
the process of copying or transforming data from one system to another and all attribute flows (inbound or
outbound).
Attribute flow occurs between the connector space and the metaverse bi-directionally when synchronization (full
or delta) operations are scheduled to run.
Attribute flow only occurs when these synchronizations are run. Attribute flows are defined in Synchronization
Rules. These can be inbound (ISR in the picture above) or outbound (OSR in the picture above).
Connected system
Connected system (aka connected directory) is referring to the remote system Azure AD Connect sync has
connected to and reading and writing identity data to and from.
Connector space
Each connected data source is represented as a filtered subset of the objects and attributes in the connector space.
This allows the sync service to operate locally without the need to contact the remote system when synchronizing
the objects and restricts interaction to imports and exports only.
When the data source and the connector have the ability to provide a list of changes (a delta import), then the
operational efficiency increases dramatically as only changes since the last polling cycle are exchanged. The
connector space insulates the connected data source from changes propagating automatically by requiring that
the connector schedule imports and exports. This added insurance grants you peace of mind while testing,
previewing, or confirming the next update.
Metaverse
The metaverse is the consolidated view of all joined identities from neighboring connector spaces.
As identities are linked together and authority is assigned for various attributes through import flow mappings,
the central metaverse object begins to aggregate information from multiple systems. From this object attribute
flow, mappings carry information to outbound systems.
Objects are created when an authoritative system projects them into the metaverse. As soon as all connections are
removed, the metaverse object is deleted.
Objects in the metaverse cannot be edited directly. All data in the object must be contributed through attribute
flow. The metaverse maintains persistent connectors with each connector space. These connectors do not require
reevaluation for each synchronization run. This means that Azure AD Connect sync does not have to locate the
matching remote object each time. This avoids the need for costly agents to prevent changes to attributes that
would normally be responsible for correlating the objects.
When discovering new data sources that may have preexisting objects that need to be managed, Azure AD
Connect sync uses a process called a join rule to evaluate potential candidates with which to establish a link. Once
the link is established, this evaluation does not reoccur and normal attribute flow can occur between the remote
connected data source and the metaverse.
Provisioning
When an authoritative source projects a new object into the metaverse a new connector space object can be
created in another Connector representing a downstream connected data source.
This inherently establishes a link, and attribute flow can proceed bi-directionally.
Whenever a rule determines that a new connector space object needs to be created, it is called provisioning.
However, because this operation only takes place within the connector space, it does not carry over into the
connected data source until an export is performed.
Additional Resources
Azure AD Connect Sync: Customizing Synchronization options
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect sync: Understanding the
architecture
5/6/2019 • 21 minutes to read • Edit Online
This topic covers the basic architecture for Azure AD Connect sync. In many aspects, it is similar to its predecessors
MIIS 2003, ILM 2007, and FIM 2010. Azure AD Connect sync is the evolution of these technologies. If you are
familiar with any of these earlier technologies, the content of this topic will be familiar to you as well. If you are
new to synchronization, then this topic is for you. It is however not a requirement to know the details of this topic
to be successful in making customizations to Azure AD Connect sync (called sync engine in this topic).
Architecture
The sync engine creates an integrated view of objects that are stored in multiple connected data sources and
manages identity information in those data sources. This integrated view is determined by the identity information
retrieved from connected data sources and a set of rules that determine how to process this information.
Connected Data Sources and Connectors
The sync engine processes identity information from different data repositories, such as Active Directory or a SQL
Server database. Every data repository that organizes its data in a database-like format and that provides standard
data-access methods is a potential data source candidate for the sync engine. The data repositories that are
synchronized by sync engine are called connected data sources or connected directories (CD).
The sync engine encapsulates interaction with a connected data source within a module called a Connector . Each
type of connected data source has a specific Connector. The Connector translates a required operation into the
format that the connected data source understands.
Connectors make API calls to exchange identity information (both read and write) with a connected data source. It
is also possible to add a custom Connector using the extensible connectivity framework. The following illustration
shows how a Connector connects a connected data source to the sync engine.
Data can flow in either direction, but it cannot flow in both directions simultaneously. In other words, a Connector
can be configured to allow data to flow from the connected data source to sync engine or from sync engine to the
connected data source, but only one of those operations can occur at any one time for one object and attribute.
The direction can be different for different objects and for different attributes.
To configure a Connector, you specify the object types that you want to synchronize. Specifying the object types
defines the scope of objects that are included in the synchronization process. The next step is to select the
attributes to synchronize, which is known as an attribute inclusion list. These settings can be changed any time in
response to changes to your business rules. When you use the Azure AD Connect installation wizard, these settings
are configured for you.
To export objects to a connected data source, the attribute inclusion list must include at least the minimum
attributes required to create a specific object type in a connected data source. For example, the
sAMAccountName attribute must be included in the attribute inclusion list to export a user object to Active
Directory because all user objects in Active Directory must have a sAMAccountName attribute defined. Again,
the installation wizard does this configuration for you.
If the connected data source uses structural components, such as partitions or containers to organize objects, you
can limit the areas in the connected data source that are used for a given solution.
Internal structure of the sync engine namespace
The entire sync engine namespace consists of two namespaces that store the identity information. The two
namespaces are:
The connector space (CS)
The metaverse (MV)
The connector space is a staging area that contains representations of the designated objects from a connected
data source and the attributes specified in the attribute inclusion list. The sync engine uses the connector space to
determine what has changed in the connected data source and to stage incoming changes. The sync engine also
uses the connector space to stage outgoing changes for export to the connected data source. The sync engine
maintains a distinct connector space as a staging area for each Connector.
By using a staging area, the sync engine remains independent of the connected data sources and is not affected by
their availability and accessibility. As a result, you can process identity information at any time by using the data in
the staging area. The sync engine can request only the changes made inside the connected data source since the
last communication session terminated or push out only the changes to identity information that the connected
data source has not yet received, which reduces the network traffic between the sync engine and the connected
data source.
In addition, sync engine stores status information about all objects that it stages in the connector space. When new
data is received, sync engine always evaluates whether the data has already been synchronized.
The metaverse is a storage area that contains the aggregated identity information from multiple connected data
sources, providing a single global, integrated view of all combined objects. Metaverse objects are created based on
the identity information that is retrieved from the connected data sources and a set of rules that allow you to
customize the synchronization process.
The following illustration shows the connector space namespace and the metaverse namespace within the sync
engine.
The sync engine confirms the export of the object by reimporting the object from the connected data source.
Export objects become import objects when sync engine receives them during the next import from that
connected data source.
Placeholders
The sync engine uses a flat namespace to store objects. However, some connected data sources such as Active
Directory use a hierarchical namespace. To transform information from a hierarchical namespace into a flat
namespace, sync engine uses placeholders to preserve the hierarchy.
Each placeholder represents a component (for example, an organizational unit) of an object's hierarchical name
that has not been imported into sync engine but is required to construct the hierarchical name. They fill gaps
created by references in the connected data source to objects that are not staging objects in the connector space.
The sync engine also uses placeholders to store referenced objects that have not yet been imported. For example,
if sync is configured to include the manager attribute for the Abbie Spencer object and the received value is an
object that has not been imported yet, such as CN=Lee Sperry,CN=Users,DC=fabrikam,DC=com, the manager
information is stored as placeholders in the connector space. If the manager object is later imported, the
placeholder object is overwritten by the staging object that represents the manager.
Metaverse objects
A metaverse object contains the aggregated view that sync engine has of the staging objects in the connector
space. Sync engine creates metaverse objects by using the information in import objects. Several connector space
objects can be linked to a single metaverse object, but a connector space object cannot be linked to more than one
metaverse object.
Metaverse objects cannot be manually created or deleted. The sync engine automatically deletes metaverse objects
that do not have a link to any connector space object in the connector space.
To map objects within a connected data source to a corresponding object type within the metaverse, sync engine
provides an extensible schema with a predefined set of object types and associated attributes. You can create new
object types and attributes for metaverse objects. Attributes can be single-valued or multivalued, and the attribute
types can be strings, references, numbers, and Boolean values.
Relationships between staging objects and metaverse objects
Within the sync engine namespace, the data flow is enabled by the link relationship between staging objects and
metaverse objects. A staging object that is linked to a metaverse object is called a joined object (or connector
object ). A staging object that is not linked to a metaverse object is called a disjoined object (or disconnector
object ). The terms joined and disjoined are preferred to not confuse with the Connectors responsible for
importing and exporting data from a connected directory.
Placeholders are never linked to a metaverse object
A joined object comprises a staging object and its linked relationship to a single metaverse object. Joined objects
are used to synchronize attribute values between a connector space object and a metaverse object.
When a staging object becomes a joined object during synchronization, attributes can flow between the staging
object and the metaverse object. Attribute flow is bidirectional and is configured by using import attribute rules
and export attribute rules.
A single connector space object can be linked to only one metaverse object. However, each metaverse object can
be linked to multiple connector space objects in the same or in different connector spaces, as shown in the
following illustration.
The linked relationship between the staging object and a metaverse object is persistent and can be removed only
by rules that you specify.
A disjoined object is a staging object that is not linked to any metaverse object. The attribute values of a disjoined
object are not processed any further within the metaverse. The attribute values of the corresponding object in the
connected data source are not updated by sync engine.
By using disjoined objects, you can store identity information in sync engine and process it later. Keeping a staging
object as a disjoined object in the connector space has many advantages. Because the system has already staged
the required information about this object, it is not necessary to create a representation of this object again during
the next import from the connected data source. This way, sync engine always has a complete snapshot of the
connected data source, even if there is no current connection to the connected data source. Disjoined objects can
be converted into joined objects, and vice versa, depending on the rules that you specify.
An import object is created as a disjoined object. An export object must be a joined object. The system logic
enforces this rule and deletes every export object that is not a joined object.
Import process
During the import process, sync engine evaluates updates to identity information. Sync engine compares the
identity information received from the connected data source with the identity information about a staging object
and determines whether the staging object requires updates. If it is necessary to update the staging object with
new data, the staging object is flagged as pending import.
By staging objects in the connector space before synchronization, sync engine can process only the identity
information that has changed. This process provides the following benefits:
Efficient synchronization . The amount of data processed during synchronization is minimized.
Efficient resynchronization . You can change how sync engine processes identity information without
reconnecting the sync engine to the data source.
Oppor tunity to preview synchronization . You can preview synchronization to verify that your assumptions
about the identity management process are correct.
For each object specified in the Connector, the sync engine first tries to locate a representation of the object in the
connector space of the Connector. Sync engine examines all staging objects in the connector space and tries to find
a corresponding staging object that has a matching anchor attribute. If no existing staging object has a matching
anchor attribute, sync engine tries to find a corresponding staging object with the same distinguished name.
When sync engine finds a staging object that matches by distinguished name but not by anchor, the following
special behavior occurs:
If the object located in the connector space has no anchor, then sync engine removes this object from the
connector space and marks the metaverse object it is linked to as retr y provisioning on next
synchronization run . Then it creates the new import object.
If the object located in the connector space has an anchor, then sync engine assumes that this object has either
been renamed or deleted in the connected directory. It assigns a temporary, new distinguished name for the
connector space object so that it can stage the incoming object. The old object then becomes transient , waiting
for the Connector to import the rename or deletion to resolve the situation.
If sync engine locates a staging object that corresponds to the object specified in the Connector, it determines what
kind of changes to apply. For example, sync engine might rename or delete the object in the connected data
source, or it might only update the object’s attribute values.
Staging objects with updated data are marked as pending import. Different types of pending imports are available.
Depending on the result of the import process, a staging object in the connector space has one of the following
pending import types:
None . No changes to any of the attributes of the staging object are available. Sync engine does not flag this
type as pending import.
Add . The staging object is a new import object in the connector space. Sync engine flags this type as pending
import for additional processing in the metaverse.
Update . Sync engine finds a corresponding staging object in the connector space and flags this type as
pending import so that updates to the attributes can be processed in the metaverse. Updates include object
renaming.
Delete . Sync engine finds a corresponding staging object in the connector space and flags this type as pending
import so that the joined object can be deleted.
Delete/Add . Sync engine finds a corresponding staging object in the connector space, but the object types do
not match. In this case, a delete-add modification is staged. A delete-add modification indicates to the sync
engine that a complete resynchronization of this object must occur because different sets of rules apply to this
object when the object type changes.
By setting the pending import status of a staging object, it is possible to reduce significantly the amount of data
processed during synchronization because doing so allows the system to process only those objects that have
updated data.
Synchronization process
Synchronization consists of two related processes:
Inbound synchronization, when the content of the metaverse is updated by using the data in the connector
space.
Outbound synchronization, when the content of the connector space is updated by using data in the metaverse.
By using the information staged in the connector space, the inbound synchronization process creates in the
metaverse the integrated view of the data that is stored in the connected data sources. Either all staging objects or
only those with a pending import information are aggregated, depending on how the rules are configured.
The outbound synchronization process updates export objects when metaverse objects change.
Inbound synchronization creates the integrated view in the metaverse of the identity information that is received
from the connected data sources. Sync engine can process identity information at any time by using the latest
identity information that it has from the connected data source.
Inbound synchronization
Inbound synchronization includes the following processes:
Provision (also called Projection if it is important to distinguish this process from outbound synchronization
provisioning). The Sync engine creates a new metaverse object based on a staging object and links them.
Provision is an object-level operation.
Join . The Sync engine links a staging object to an existing metaverse object. A join is an object-level operation.
Impor t attribute flow . Sync engine updates the attribute values, called attribute flow, of the object in the
metaverse. Import attribute flow is an attribute-level operation that requires a link between a staging object
and a metaverse object.
Provision is the only process that creates objects in the metaverse. Provision affects only import objects that are
disjoined objects. During provision, sync engine creates a metaverse object that corresponds to the object type of
the import object and establishes a link between both objects, thus creating a joined object.
The join process also establishes a link between import objects and a metaverse object. The difference between
join and provision is that the join process requires that the import object are linked to an existing metaverse
object, where the provision process creates a new metaverse object.
Sync engine tries to join an import object to a metaverse object by using criteria that is specified in the
Synchronization Rule configuration.
During the provision and join processes, sync engine links a disjoined object to a metaverse object, making them
joined. After these object-level operations are completed, sync engine can update the attribute values of the
associated metaverse object. This process is called import attribute flow.
Import attribute flow occurs on all import objects that carry new data and are linked to a metaverse object.
Outbound synchronization
Outbound synchronization updates export objects when a metaverse object change but is not deleted. The
objective of outbound synchronization is to evaluate whether changes to metaverse objects require updates to
staging objects in the connector spaces. In some cases, the changes can require that staging objects in all
connector spaces be updated. Staging objects that are changed are flagged as pending export, making them export
objects. These export objects are later pushed out to the connected data source during the export process.
Outbound synchronization has three processes:
Provisioning
Deprovisioning
Expor t attribute flow
Provisioning and deprovisioning are both object-level operations. Deprovisioning depends on provisioning
because only provisioning can initiate it. Deprovisioning is triggered when provisioning removes the link between
a metaverse object and an export object.
Provisioning is always triggered when changes are applied to objects in the metaverse. When changes are made to
metaverse objects, sync engine can perform any of the following tasks as part of the provisioning process:
Create joined objects, where a metaverse object is linked to a newly created export object.
Rename a joined object.
Disjoin links between a metaverse object and staging objects, creating a disjoined object.
If provisioning requires sync engine to create a new connector object, the staging object to which the metaverse
object is linked is always an export object, because the object does not yet exist in the connected data source.
If provisioning requires sync engine to disjoin a joined object, creating a disjoined object, deprovisioning is
triggered. The deprovisioning process deletes the object.
During deprovisioning, deleting an export object does not physically delete the object. The object is flagged as
deleted , which means that the delete operation is staged on the object.
Export attribute flow also occurs during the outbound synchronization process, similar to the way that import
attribute flow occurs during inbound synchronization. Export attribute flow occurs only between metaverse and
export objects that are joined.
Export process
During the export process, sync engine examines all export objects that are flagged as pending export in the
connector space, and then sends updates to the connected data source.
The sync engine can determine the success of an export but it cannot sufficiently determine that the identity
management process is complete. Objects in the connected data source can always be changed by other
processes. Because sync engine does not have a persistent connection to the connected data source, it is not
sufficient to make assumptions about the properties of an object in the connected data source based only on a
successful export notification.
For example, a process in the connected data source could change the object’s attributes back to their original
values (that is, the connected data source could overwrite the values immediately after the data is pushed out by
sync engine and successfully applied in the connected data source).
The sync engine stores export and import status information about each staging object. If values of the attributes
that are specified in the attribute inclusion list have changed since the last export, the storage of import and export
status enables sync engine to react appropriately. Sync engine uses the import process to confirm attribute values
that have been exported to the connected data source. A comparison between the imported and exported
information, as shown in the following illustration, enables sync engine to determine whether the export was
successful or if it needs to be repeated.
For example, if sync engine exports attribute C, which has a value of 5, to a connected data source, it stores C=5 in
its export status memory. Each additional export on this object results in an attempt to export C=5 to the
connected data source again because sync engine assumes that this value has not been persistently applied to the
object (that is, unless a different value was imported recently from the connected data source). The export memory
is cleared when C=5 is received during an import operation on the object.
Next steps
Learn more about the Azure AD Connect sync configuration.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect sync: Understanding Declarative
Provisioning
2/12/2019 • 10 minutes to read • Edit Online
This topic explains the configuration model in Azure AD Connect. The model is called Declarative Provisioning and
it allows you to make a configuration change with ease. Many things described in this topic are advanced and not
required for most customer scenarios.
Overview
Declarative provisioning is processing objects coming in from a source connected directory and determines how
the object and attributes should be transformed from a source to a target. An object is processed in a sync
pipeline and the pipeline is the same for inbound and outbound rules. An inbound rule is from a connector space
to the metaverse and an outbound rule is from the metaverse to a connector space.
The pipeline has several different modules. Each one is responsible for one concept in object synchronization.
Scope
The scope module is evaluating an object and determines the rules that are in scope and should be included in the
processing. Depending on the attributes values on the object, different sync rules are evaluated to be in scope. For
example, a disabled user with no Exchange mailbox does have different rules than an enabled user with a mailbox.
The scope is defined as groups and clauses. The clauses are inside a group. A logical AND is used between all
clauses in a group. For example, (department =IT AND country = Denmark). A logical OR is used between groups.
The scope in this picture should be read as (department = IT AND country = Denmark) OR (country=Sweden). If
either group 1 or group 2 is evaluated to true, then the rule is in scope.
The scope module supports the following operations.
O P ERAT IO N DESC RIP T IO N
EQUAL, NOTEQUAL A string compare that evaluates if value is equal to the value
in the attribute. For multi-valued attributes, see ISIN and
ISNOTIN.
LESSTHAN, LESSTHAN_OR_EQUAL A string compare that evaluates if value is less than of the
value in the attribute.
ENDSWITH, NOTENDSWITH A string compare that evaluates if value is in the end of the
value in the attribute.
GREATERTHAN, GREATERTHAN_OR_EQUAL A string compare that evaluates if value is greater than of the
value in the attribute.
ISNULL, ISNOTNULL Evaluates if the attribute is absent from the object. If the
attribute is not present and therefore null, then the rule is in
scope.
ISIN, ISNOTIN Evaluates if the value is present in the defined attribute. This
operation is the multi-valued variation of EQUAL and
NOTEQUAL. The attribute is supposed to be a multi-valued
attribute and if the value can be found in any of the attribute
values, then the rule is in scope.
ISBITSET, ISNOTBITSET Evaluates if a particular bit is set. For example, can be used to
evaluate the bits in userAccountControl to see if a user is
enabled or disabled.
Join
The join module in the sync pipeline is responsible for finding the relationship between the object in the source
and an object in the target. On an inbound rule, this relationship would be an object in a connector space finding a
relationship to an object in the metaverse.
The goal is to see if there is an object already in the metaverse, created by another Connector, it should be
associated with. For example, in an account-resource forest the user from the account forest should be joined with
the user from the resource forest.
Joins are used mostly on inbound rules to join connector space objects together to the same metaverse object.
The joins are defined as one or more groups. Inside a group, you have clauses. A logical AND is used between all
clauses in a group. A logical OR is used between groups. The groups are processed in order from top to bottom.
When one group has found exactly one match with an object in the target, then no other join rules are evaluated.
If zero or more than one object is found, processing continues to the next group of rules. For this reason, the rules
should be created in the order of most explicit first and more fuzzy at the end.
The joins in this picture are processed from top to bottom. First the sync pipeline sees if there is a match on
employeeID. If not, the second rule sees if the account name can be used to join the objects together. If that is not a
match either, the third and final rule is a more fuzzy match by using the name of user.
If all join rules have been evaluated and there is not exactly one match, the Link Type on the Description page is
used. If this option is set to Provision , then a new object in the target is created.
An object should only have one single sync rule with join rules in scope. If there are multiple sync rules where join
is defined, an error occurs. Precedence is not used to resolve join conflicts. An object must have a join rule in
scope for attributes to flow with the same inbound/outbound direction. If you need to flow attributes both
inbound and outbound to the same object, you must have both an inbound and an outbound sync rule with join.
Outbound join has a special behavior when it tries to provision an object to a target connector space. The DN
attribute is used to first try a reverse-join. If there is already an object in the target connector space with the same
DN, the objects are joined.
The join module is only evaluated once when a new sync rule comes into scope. When an object has joined, it is
not disjoining even if the join criteria is no longer satisfied. If you want to disjoin an object, the sync rule that
joined the objects must go out of scope.
Metaverse delete
A metaverse object remains as long as there is one sync rule in scope with Link Type set to Provision or
StickyJoin . A StickyJoin is used when a Connector is not allowed to provision a new object to the metaverse, but
when it has joined, it must be deleted in the source before the metaverse object is deleted.
When a metaverse object is deleted, all objects associated with an outbound sync rule marked for provision are
marked for a delete.
Transformations
The transformations are used to define how attributes should flow from the source to the target. The flows can
have one of the following flow types : Direct, Constant, or Expression. A direct flow, flows an attribute value as-is
with no additional transformations. A constant value sets the specified value. An expression uses the declarative
provisioning expression language to express how the transformation should be. The details for the expression
language can be found in the understanding declarative provisioning expression language topic.
The Apply once checkbox defines that the attribute should only be set when the object is initially created. For
example, this configuration can be used to set an initial password for a new user object.
Merging attribute values
In the attribute flows there is a setting to determine if multi-valued attributes should be merged from several
different Connectors. The default value is Update , which indicates that the sync rule with highest precedence
should win.
There is also Merge and MergeCaseInsensitive . These options allow you to merge values from different
sources. For example, it can be used to merge the member or proxyAddresses attribute from several different
forests. When you use this option, all sync rules in scope for an object must use the same merge type. You cannot
define Update from one Connector and Merge from another. If you try, you receive an error.
The difference between Merge and MergeCaseInsensitive is how to process duplicate attribute values. The
sync engine makes sure duplicate values are not inserted into the target attribute. With MergeCaseInsensitive ,
duplicate values with only a difference in case are not going to be present. For example, you should not see both
"SMTP:bob@contoso.com" and "smtp:bob@contoso.com" in the target attribute. Merge is only looking at the
exact values and multiple values where there only is a difference in case might be present.
The option Replace is the same as Update , but it is not used.
Control the attribute flow process
When multiple inbound sync rules are configured to contribute to the same metaverse attribute, then precedence
is used to determine the winner. The sync rule with highest precedence (lowest numeric value) is going to
contribute the value. The same happens for outbound rules. The sync rule with highest precedence wins and
contribute the value to the connected directory.
In some cases, rather than contribute a value, the sync rule should determine how other rules should behave.
There are some special literals used for this case.
For inbound Synchronization Rules, the literal NULL can be used to indicate that the flow has no value to
contribute. Another rule with lower precedence can contribute a value. If no rule contributed a value, then the
metaverse attribute is removed. For an outbound rule, if NULL is the final value after all sync rules have been
processed, then the value is removed in the connected directory.
The literal AuthoritativeNull is similar to NULL but with the difference that no lower precedence rules can
contribute a value.
An attribute flow can also use IgnoreThisFlow . It is similar to NULL in the sense that it indicates there is nothing
to contribute. The difference is that it does not remove an already existing value in the target. It is like the attribute
flow has never been there.
Here is an example:
In Out to AD - User Exchange hybrid the following flow can be found:
IIF([cloudSOAExchMailbox] = True,[cloudMSExchSafeSendersHash],IgnoreThisFlow)
This expression should be read as: if the user mailbox is located in Azure AD, then flow the attribute from Azure
AD to AD. If not, do not flow anything back to Active Directory. In this case, it would keep the existing value in AD.
ImportedValue
The function ImportedValue is different than all other functions since the attribute name must be enclosed in
quotes rather than square brackets:
ImportedValue("proxyAddresses") .
Usually during synchronization an attribute uses the expected value, even if it hasn’t been exported yet or an error
was received during export (“top of the tower”). An inbound synchronization assumes that an attribute that hasn’t
yet reached a connected directory eventually reaches it. In some cases, it is important to only synchronize a value
that has been confirmed by the connected directory (“hologram and delta import tower”).
An example of this function can be found in the out-of-box Synchronization Rule In from AD – User Common
from Exchange. In Hybrid Exchange, the value added by Exchange online should only be synchronized when it has
been confirmed that the value was exported successfully:
proxyAddresses <- RemoveDuplicates(Trim(ImportedValue("proxyAddresses")))
Precedence
When several sync rules try to contribute the same attribute value to the target, the precedence value is used to
determine the winner. The rule with highest precedence, lowest numeric value, is going to contribute the attribute
in a conflict.
This ordering can be used to define more precise attribute flows for a small subset of objects. For example, the
out-of-box-rules make sure that attributes from an enabled account (User AccountEnabled ) have precedence
from other accounts.
Precedence can be defined between Connectors. That allows Connectors with better data to contribute values first.
Multiple objects from the same connector space
If you have several objects in the same connector space joined to the same metaverse object, precedence must be
adjusted. If several objects are in scope of the same sync rule, then the sync engine is not able to determine
precedence. It is ambiguous which source object should contribute the value to the metaverse. This configuration
is reported as ambiguous even if the attributes in the source have the same value.
For this scenario, you need to change the scope of the sync rules so the source objects have different sync rules in
scope. That allows you to define different precedence.
Next steps
Read more about the expression language in Understanding Declarative Provisioning Expressions.
See how declarative provisioning is used out-of-box in Understanding the default configuration.
See how to make a practical change using declarative provisioning in How to make a change to the default
configuration.
Continue to read how users and contacts work together in Understanding Users and Contacts.
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Reference topics
Azure AD Connect sync: Functions Reference
Azure AD Connect sync: Understanding Declarative
Provisioning Expressions
9/7/2020 • 3 minutes to read • Edit Online
Azure AD Connect sync builds on declarative provisioning first introduced in Forefront Identity Manager 2010. It
allows you to implement your complete identity integration business logic without the need to write compiled
code.
An essential part of declarative provisioning is the expression language used in attribute flows. The language
used is a subset of Microsoft® Visual Basic® for Applications (VBA). This language is used in Microsoft Office
and users with experience of VBScript will also recognize it. The Declarative Provisioning Expression Language is
only using functions and is not a structured language. There are no methods or statements. Functions are instead
nested to express program flow.
For more details, see Welcome to the Visual Basic for Applications language reference for Office 2013.
The attributes are strongly typed. A function only accepts attributes of the correct type. It is also case-sensitive.
Both function names and attribute names must have proper casing or an error is thrown.
PA RA M ET ER N A M E C O M M EN T
The system provides the following parameter, which is used to get the identifier of the Connector currently
running:
Connector.ID
Here is an example that populates the metaverse attribute domain with the netbios name of the domain where
the user is located:
domain <- %Domain.Netbios%
Operators
The following operators can be used:
Comparison : <, <=, <>, =, >, >=
Mathematics : +, -, *, -
String : & (concatenate)
Logical : && (and), || (or)
Evaluation order : ( )
Operators are evaluated left to right and have the same evaluation priority. That is, the * (multiplier) is not
evaluated before - (subtraction). 2*(5+3) is not the same as 2*5+3. The brackets ( ) are used to change the
evaluation order when left to right evaluation order isn't appropriate.
Multi-valued attributes
The functions can operate on both single-valued and multi-valued attributes. For multi-valued attributes, the
function operates over every value and applies the same function to every value.
For example:
Trim([proxyAddresses]) Do a Trim of every value in the proxyAddress attribute.
Word([proxyAddresses],1,"@") & "@contoso.com" For every value with an @-sign, replace the domain with
@contoso.com.
IIF(InStr([proxyAddresses],"SIP:")=1,NULL,[proxyAddresses]) Look for the SIP-address and remove it from the
values.
Next steps
Read more about the configuration model in Understanding Declarative Provisioning.
See how declarative provisioning is used out-of-box in Understanding the default configuration.
See how to make a practical change using declarative provisioning in How to make a change to the default
configuration.
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Reference topics
Azure AD Connect sync: Functions Reference
Azure AD Connect sync: Understanding the default
configuration
1/23/2020 • 15 minutes to read • Edit Online
This article explains the out-of-box configuration rules. It documents the rules and how these rules impact the
configuration. It also walks you through the default configuration of Azure AD Connect sync. The goal is that the
reader understands how the configuration model, named declarative provisioning, is working in a real-world
example. This article assumes that you have already installed and configure Azure AD Connect sync using the
installation wizard.
To understand the details of the configuration model, read Understanding Declarative Provisioning.
In this configuration, it is assumed there is an enabled account in the account forest and a disabled account in the
resource forest with a linked mailbox.
Our goal with the default configuration is:
Attributes related to sign-in are synchronized from the forest with the enabled account.
Attributes that can be found in the GAL (Global Address List) are synchronized from the forest with the
mailbox. If no mailbox can be found, any other forest is used.
If a linked mailbox is found, the linked enabled account must be found for the object to be exported to Azure
AD.
Synchronization Rule Editor
The configuration can be viewed and changed with the tool Synchronization Rules Editor (SRE) and a shortcut to
it can be found in the start menu.
The SRE is a resource kit tool and it is installed with Azure AD Connect sync. To be able to start it, you must be a
member of the ADSyncAdmins group. When it starts, you see something like this:
In this pane, you see all Synchronization Rules created for your configuration. Each line in the table is one
Synchronization Rule. To the left under Rule Types, the two different types are listed: Inbound and Outbound.
Inbound and Outbound is from the view of the metaverse. You are mainly going to focus on the inbound rules in
this overview. The actual list of Synchronization Rules depends on the detected schema in AD. In the picture
above, the account forest (fabrikamonline.com) does not have any services, such as Exchange and Lync, and no
Synchronization Rules have been created for these services. However, in the resource forest
(res.fabrikamonline.com) you find Synchronization Rules for these services. The content of the rules is different
depending on the version detected. For example, in a deployment with Exchange 2013 there are more attribute
flows configured than in Exchange 2010/2007.
Synchronization Rule
A Synchronization Rule is a configuration object with a set of attributes flowing when a condition is satisfied. It is
also used to describe how an object in a connector space is related to an object in the metaverse, known as join
or match . The Synchronization Rules have a precedence value indicating how they relate to each other. A
Synchronization Rule with a lower numeric value has a higher precedence and in an attribute flow conflict, higher
precedence wins the conflict resolution.
As an example, look at the Synchronization Rule In from AD – User AccountEnabled . Mark this line in the SRE
and select Edit .
Since this rule is an out-of-box rule, you receive a warning when you open the rule. You should not make any
changes to out-of-box rules, so you are asked what your intentions are. In this case, you only want to view the
rule. Select No .
A Synchronization Rule has four configuration sections: Description, Scoping filter, Join rules, and
Transformations.
Description
The first section provides basic information such as a name and description.
You also find information about which connected system this rule is related to, which object type in the connected
system it applies to, and the metaverse object type. The metaverse object type is always person regardless when
the source object type is a user, iNetOrgPerson, or contact. The metaverse object type should never change so it is
created as a generic type. The Link Type can be set to Join, StickyJoin, or Provision. This setting works together
with the Join Rules section and is covered later.
You can also see that this sync rule is used for password sync. If a user is in scope for this sync rule, the password
is synchronized from on-premises to cloud (assuming you have enabled the password sync feature).
Scoping filter
The Scoping Filter section is used to configure when a Synchronization Rule should apply. Since the name of the
Synchronization Rule you are looking at indicates it should only be applied for enabled users, the scope is
configured so the AD attribute userAccountControl must not have the bit 2 set. When the sync engine finds a
user in AD, it applies this sync rule when userAccountControl is set to the decimal value 512 (enabled normal
user). It does not apply the rule when the user has userAccountControl set to 514 (disabled normal user).
The scoping filter has Groups and Clauses that can be nested. All clauses inside a group must be satisfied for a
Synchronization Rule to apply. When multiple groups are defined, then at least one group must be satisfied for
the rule to apply. That is, a logical OR is evaluated between groups and a logical AND is evaluated inside a group.
An example of this configuration can be found in the outbound Synchronization Rule Out to AAD – Group Join .
There are several synchronization filter groups, for example one for security groups ( securityEnabled EQUAL True )
and one for distribution groups ( securityEnabled EQUAL False ).
This rule is used to define which Groups should be provisioned to Azure AD. Distribution Groups must be mail
enabled to be synchronized with Azure AD, but for security groups an email is not required.
Join rules
The third section is used to configure how objects in the connector space relate to objects in the metaverse. The
rule you have looked at earlier does not have any configuration for Join Rules, so instead you are going to look at
In from AD – User Join .
The content of the join rule depends on the matching option selected in the installation wizard. For an inbound
rule, the evaluation starts with an object in the source connector space and each group in the join rules is
evaluated in sequence. If a source object is evaluated to match exactly one object in the metaverse using one of
the join rules, the objects are joined. If all rules have been evaluated and there is no match, then the Link Type on
the description page is used. If this configuration is set to Provision , then a new object is created in the target, the
metaverse, if at least one attribute in the join criteria is present (has a value). To provision a new object to the
metaverse is also known as to project an object to the metaverse.
The join rules are only evaluated once. When a connector space object and a metaverse object are joined, they
remain joined as long as the scope of the Synchronization Rule is still satisfied.
When evaluating Synchronization Rules, only one Synchronization Rule with join rules defined must be in scope.
If multiple Synchronization Rules with join rules are found for one object, an error is thrown. For this reason, the
best practice is to have only one Synchronization Rule with join defined when multiple Synchronization Rules are
in scope for an object. In the out-of-box configuration for Azure AD Connect sync, these rules can be found by
looking at the name and find those with the word Join at the end of the name. A Synchronization Rule without
any join rules defined applies the attribute flows when another Synchronization Rule joined the objects together
or provisioned a new object in the target.
If you look at the picture above, you can see that the rule is trying to join objectSID with
msExchMasterAccountSid (Exchange) and msRTCSIP-OriginatorSid (Lync), which is what we expect in an
account-resource forest topology. You find the same rule on all forests. The assumption is that every forest could
be either an account or resource forest. This configuration also works if you have accounts that live in a single
forest and do not have to be joined.
Transformations
The transformation section defines all attribute flows that apply to the target object when the objects are joined
and the scope filter is satisfied. Going back to the In from AD – User AccountEnabled Synchronization Rule,
you find the following transformations:
To put this configuration in context, in an Account-Resource forest deployment, it is expected to find an enabled
account in the account forest and a disabled account in the resource forest with Exchange and Lync settings. The
Synchronization Rule you are looking at contains the attributes required for sign-in and these attributes should
flow from the forest where there is an enabled account. All these attribute flows are put together in one
Synchronization Rule.
A transformation can have different types: Constant, Direct, and Expression.
A constant flow always flows a hardcoded value. In the case above, it always sets the value True in the
metaverse attribute named accountEnabled .
A direct flow always flows the value of the attribute in the source to the target attribute as-is.
The third flow type is Expression and it allows for more advanced configurations.
The expression language is VBA (Visual Basic for Applications), so people with experience of Microsoft Office or
VBScript will recognize the format. Attributes are enclosed in square brackets, [attributeName]. Attribute names
and function names are case-sensitive, but the Synchronization Rules Editor evaluates the expressions and
provide a warning if the expression is not valid. All expressions are expressed on a single line with nested
functions. To show the power of the configuration language, here is the flow for pwdLastSet, but with additional
comments inserted:
// If-then-else
IIF(
// (The evaluation for IIF) Is the attribute pwdLastSet present in AD?
IsPresent([pwdLastSet]),
// (The True part of IIF) If it is, then from right to left, convert the AD time format to a .NET datetime,
change it to the time format used by Azure AD, and finally convert it to a string.
CStr(FormatDateTime(DateFromNum([pwdLastSet]),"yyyyMMddHHmmss.0Z")),
// (The False part of IIF) Nothing to contribute
NULL
)
See Understanding Declarative Provisioning Expressions for more information on the expression language for
attribute flows.
Precedence
You have now looked at some individual Synchronization Rules, but the rules work together in the configuration.
In some cases, an attribute value is contributed from multiple synchronization rules to the same target attribute.
In this case, attribute precedence is used to determine which attribute wins. As an example, look at the attribute
sourceAnchor. This attribute is an important attribute to be able to sign in to Azure AD. You can find an attribute
flow for this attribute in two different Synchronization Rules, In from AD – User AccountEnabled and In from
AD – User Common . Due to Synchronization Rule precedence, the sourceAnchor attribute is contributed from
the forest with an enabled account first when there are several objects joined to the metaverse object. If there are
no enabled accounts, then the sync engine uses the catch-all Synchronization Rule In from AD – User
Common . This configuration ensures that even for accounts that are disabled, there is still a sourceAnchor.
The precedence for Synchronization Rules is set in groups by the installation wizard. All rules in a group have the
same name, but they are connected to different connected directories. The installation wizard gives the rule In
from AD – User Join highest precedence and it iterates over all connected AD directories. It then continues with
the next groups of rules in a predefined order. Inside a group, the rules are added in the order the Connectors
were added in the wizard. If another Connector is added through the wizard, the Synchronization Rules are
reordered and the new Connector’s rules are inserted last in each group.
Putting it all together
We now know enough about Synchronization Rules to be able to understand how the configuration works with
the different Synchronization Rules. If you look at a user and the attributes that are contributed to the metaverse,
the rules are applied in the following order:
NAME C O M M EN T
In from AD – User Join Rule for joining connector space objects with metaverse.
In from AD – UserAccount Enabled Attributes required for sign-in to Azure AD and Office 365.
We want these attributes from the enabled account.
NAME C O M M EN T
In from AD – User Common from Exchange Attributes found in the Global Address List. We assume the
data quality is best in the forest where we have found the
user’s mailbox.
In from AD – User Common Attributes found in the Global Address List. In case we didn’t
find a mailbox, any other joined object can contribute the
attribute value.
In from AD – User Exchange Only exists if Exchange has been detected. It flows all
infrastructure Exchange attributes.
In from AD – User Lync Only exists if Lync has been detected. It flows all infrastructure
Lync attributes.
Next steps
Read more about the configuration model in Understanding Declarative Provisioning.
Read more about the expression language in Understanding Declarative Provisioning Expressions.
Continue reading how the out-of-box configuration works in Understanding Users and Contacts
See how to make a practical change using declarative provisioning in How to make a change to the default
configuration.
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect sync: Understanding Users,
Groups, and Contacts
9/7/2020 • 5 minutes to read • Edit Online
There are several different reasons why you would have multiple Active Directory forests and there are several
different deployment topologies. Common models include an account-resource deployment and GAL sync’ed
forests after a merger & acquisition. But even if there are pure models, hybrid models are common as well. The
default configuration in Azure AD Connect sync does not assume any particular model but depending on how
user matching was selected in the installation guide, different behaviors can be observed.
In this topic, we will go through how the default configuration behaves in certain topologies. We will go through
the configuration and the Synchronization Rules Editor can be used to look at the configuration.
There are a few general rules the configuration assumes:
Regardless of which order we import from the source Active Directories, the end result should always be the
same.
An active account will always contribute sign-in information, including userPrincipalName and
sourceAnchor .
A disabled account will contribute userPrincipalName and sourceAnchor, unless it is a linked mailbox, if there is
no active account to be found.
An account with a linked mailbox will never be used for userPrincipalName and sourceAnchor. It is assumed
that an active account will be found later.
A contact object might be provisioned to Azure AD as a contact or as a user. You don’t really know until all
source Active Directory forests have been processed.
Groups
Important points to be aware of when synchronizing groups from Active Directory to Azure AD:
Azure AD Connect excludes built-in security groups from directory synchronization.
Azure AD Connect does not support synchronizing Primary Group memberships to Azure AD.
Azure AD Connect does not support synchronizing Dynamic Distribution Group memberships to Azure AD.
To synchronize an Active Directory group to Azure AD as a mail-enabled group:
If the group's proxyAddress attribute is empty, its mail attribute must have a value
If the group's proxyAddress attribute is non-empty, it must contain at least one SMTP proxy address
value. Here are some examples:
An Active Directory group whose proxyAddress attribute has value
{"X500:/0=contoso.com/ou=users/cn=testgroup"} will not be mail-enabled in Azure AD. It
does not have an SMTP address.
An Active Directory group whose proxyAddress attribute has values
{"X500:/0=contoso.com/ou=users/cn=testgroup","SMTP:johndoe@contoso.com"} will be
mail-enabled in Azure AD.
An Active Directory group whose proxyAddress attribute has values
{"X500:/0=contoso.com/ou=users/cn=testgroup", "smtp:johndoe@contoso.com"} will also be
mail-enabled in Azure AD.
Contacts
Having contacts representing a user in a different forest is common after a merger & acquisition where a
GALSync solution is bridging two or more Exchange forests. The contact object is always joining from the
connector space to the metaverse using the mail attribute. If there is already a contact object or user object with
the same mail address, the objects are joined together. This is configured in the rule In from AD – Contact Join .
There is also a rule named In from AD – Contact Common with an attribute flow to the metaverse attribute
sourceObjectType with the constant Contact . This rule has very low precedence so if any user object is joined
to the same metaverse object, then the rule In from AD – User Common will contribute the value User to this
attribute. With this rule, this attribute will have the value Contact if no user has been joined and the value User if at
least one user has been found.
For provisioning an object to Azure AD, the outbound rule Out to AAD – Contact Join will create a contact
object if the metaverse attribute sourceObjectType is set to Contact . If this attribute is set to User , then the rule
Out to AAD – User Join will create a user object instead. It is possible that an object is promoted from Contact
to User when more source Active Directories are imported and synchronized.
For example, in a GALSync topology we will find contact objects for everyone in the second forest when we
import the first forest. This will stage new contact objects in the AAD Connector. When we later import and
synchronize the second forest, we will find the real users and join them to the existing metaverse objects. We will
then delete the contact object in AAD and create a new user object instead.
If you have a topology where users are represented as contacts, make sure you select to match users on the mail
attribute in the installation guide. If you select another option, then you will have an order-dependent
configuration. Contact objects will always join on the mail attribute, but user objects will only join on the mail
attribute if this option was selected in the installation guide. You could then end up with two different objects in
the metaverse with the same mail attribute if the contact object was imported before the user object. During
export to Azure AD, an error will be thrown. This behavior is by design and would indicate bad data or that the
topology was not correctly identified during the installation.
Disabled accounts
Disabled accounts are synchronized as well to Azure AD. Disabled accounts are common to represent resources in
Exchange, for example conference rooms. The exception is users with a linked mailbox; as previously mentioned,
these will never provision an account to Azure AD.
The assumption is that if a disabled user account is found, then we will not find another active account later and
the object is provisioned to Azure AD with the userPrincipalName and sourceAnchor found. In case another active
account will join to the same metaverse object, then its userPrincipalName and sourceAnchor will be used.
Changing sourceAnchor
When an object has been exported to Azure AD then it is not allowed to change the sourceAnchor anymore. When
the object has been exported the metaverse attribute cloudSourceAnchor is set with the sourceAnchor value
accepted by Azure AD. If sourceAnchor is changed and not match cloudSourceAnchor , the rule Out to AAD –
User Join will throw the error sourceAnchor attribute has changed . In this case, the configuration or data
must be corrected so the same sourceAnchor is present in the metaverse again before the object can be
synchronized again.
Additional Resources
Azure AD Connect Sync: Customizing Synchronization options
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect sync service shadow attributes
9/7/2020 • 2 minutes to read • Edit Online
Most attributes are represented the same way in Azure AD as they are in your on-premises Active Directory. But
some attributes have some special handling and the attribute value in Azure AD might be different than what Azure
AD Connect synchronizes.
They have multiple UPN suffixes in their on-premises Active Directory, but they have only verified one.
userPrincipalName
A user has the following attribute values in a non-verified domain:
AT T RIB UT E VA L UE
The userPrincipalName attribute is the value you see when using PowerShell.
Since the real on-premises attribute value is stored in Azure AD, when you verify the fabrikam.com domain, Azure
AD updates the userPrincipalName attribute with the value from the shadowUserPrincipalName. You do not have
to synchronize any changes from Azure AD Connect for these values to be updated.
proxyAddresses
The same process for only including verified domains also occurs for proxyAddresses, but with some additional
logic. The check for verified domains only happens for mailbox users. A mail-enabled user or contact represent a
user in another Exchange organization and you can add any values in proxyAddresses to these objects.
For a mailbox user, either on-premises or in Exchange Online, only values for verified domains appear. It could look
like this:
AT T RIB UT E VA L UE
In this case smtp:abbie.spencer@fabrikam.com was removed since that domain has not been verified. But
Exchange also added SIP:abbie.spencer@fabrikamonline.com . Fabrikam has not used Lync/Skype on-
premises, but Azure AD and Exchange Online prepare for it.
This logic for proxyAddresses is referred to as ProxyCalc . ProxyCalc is invoked with every change on a user when:
The user has been assigned a service plan that includes Exchange Online even if the user was not licensed for
Exchange. For example, if the user is assigned the Office E3 SKU, but only was assigned SharePoint Online. This
is true even if your mailbox is still on-premises.
The attribute msExchRecipientTypeDetails has a value.
You make a change to proxyAddresses or userPrincipalName.
ProxyCalc might take some time to process a change on a user and is not synchronous with the Azure AD Connect
export process.
NOTE
The ProxyCalc logic has some additional behaviors for advanced scenarios not documented in this topic. This topic is
provided for you to understand the behavior and not document all internal logic.
See also
Azure AD Connect sync
Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect and Azure AD Connect Health
installation roadmap
9/7/2020 • 8 minutes to read • Edit Online
You can find the download for Azure AD Connect on Microsoft Download Center.
SO L UT IO N SC EN A RIO
Before you start - Hardware and prerequisites Steps to complete before you start to install Azure AD
Connect.
Express settings If you have a single forest AD then this is the recommended
option to use.
User sign in with the same password using password
synchronization.
Customized settings Used when you have multiple forests. Supports many on-
premises topologies.
Customize your sign-in option, such as pass-through
authentication, ADFS for federation or use a 3rd party identity
provider.
Customize synchronization features, such as filtering and
writeback.
Upgrade from DirSync Used when you have an existing DirSync server already
running.
Upgrade from Azure AD Sync or Azure AD Connect There are several different methods depending on your
preference.
After installation you should verify it is working as expected and assign licenses to the users.
Next steps to Install Azure AD Connect
TO P IC L IN K
TO P IC L IN K
Accounts used for installation More about Azure AD Connect credentials and permissions
Understanding the default configuration Azure AD Connect sync: Understanding the default
configuration
Understanding users and contacts Azure AD Connect sync: Understanding Users and Contacts
Change the default configuration Best practices for changing the default configuration
Configure ADFS with subdomains Multiple Domain Support for Federating with Azure AD
Manually updating federation certificates Renewing Federation Certificates for Office 365 and Azure AD
NOTE
Remember that before you see data in your Azure AD Connect Health dashboard, you need to install the Azure AD Connect
Health Agents on your targeted servers.
NOTE
For licensing information, see the Azure AD Connect Health FAQ or the Azure AD Pricing page.
Quick Star t : When you select this option, the Quick Star t blade opens. You can download the Azure AD
Connect Health Agent by selecting Get Tools . You can also access documentation and provide feedback.
Azure Active Director y Connect (sync) : This option shows your Azure AD Connect servers that Azure
AD Connect Health is currently monitoring. Sync errors entry will show basic sync errors of your first
onboarded sync service by categories. When you select the Sync ser vices entry, the blade that opens
shows information about your Azure AD Connect servers. Read more about the capabilities at Using Azure
AD Connect Health for sync.
Active Director y Federation Ser vices : This option shows all the AD FS services that Azure AD Connect
Health is currently monitoring. When you select an instance, the blade that opens shows information about
that service instance. This information includes an overview, properties, alerts, monitoring, and usage
analytics. Read more about the capabilities at Using Azure AD Connect Health with AD FS.
Active Director y Domain Ser vices : This option shows all the AD DS forests that Azure AD Connect
Health is currently monitoring. When you select a forest, the blade that opens shows information about that
forest. This information includes an overview of essential information, the Domain Controllers dashboard,
the Replication Status dashboard, alerts, and monitoring. Read more about the capabilities at Using Azure
AD Connect Health with AD DS.
Configure : This section includes options to turn the following on or off:
The automatic update of the Azure AD Connect Health agent to the latest version: the Azure AD
Connect Health agent is automatically updated whenever new versions are available. This option is
enabled by default.
Access to data from the Azure AD directory integrity by Microsoft only for troubleshooting purposes: if
this option is enabled, Microsoft can access the same data viewed by the user. This information can be
useful for troubleshooting and to provide the necessary assistance. This option is disabled by default
Role based access control (IAM) is the section to manage the access to Connect Health data in role base.
Next Steps
Hardware and prerequisites
Express settings
Customized settings
Password hash synchronization|
Pass-through authentication
Azure AD Connect and federation
Install Azure AD Connect Health agents
Azure AD Connect sync
Prerequisites for Azure AD Connect
9/7/2020 • 13 minutes to read • Edit Online
This article describes the prerequisites and the hardware requirements for Azure Active Directory (Azure AD)
Connect.
<system.net>
<defaultProxy>
<proxy
usesystemdefault="true"
proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
bypassonlocal="true"
/>
</defaultProxy>
</system.net>
If your proxy server requires authentication, the service account must be located in the domain. Use the
customized settings installation path to specify a custom service account. You also need a different
change to machine.config. With this change in machine.config, the installation wizard and sync engine
respond to authentication requests from the proxy server. In all installation wizard pages, excluding the
Configure page, the signed-in user's credentials are used. On the Configure page at the end of the
installation wizard, the context is switched to the service account that you created. The machine.config
section should look like this:
<system.net>
<defaultProxy enabled="true" useDefaultCredentials="true">
<proxy
usesystemdefault="true"
proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
bypassonlocal="true"
/>
</defaultProxy>
</system.net>
If the proxy configuration is being done in an existing setup, the Microsoft Azure AD Sync ser vice
needs to be restarted once for the Azure AD Connect to read the proxy configuration and update the
behviour.
When Azure AD Connect sends a web request to Azure AD as part of directory synchronization, Azure AD
can take up to 5 minutes to respond. It's common for proxy servers to have connection idle timeout
configuration. Ensure the configuration is set to at least 6 minutes or more.
For more information, see MSDN about the default proxy element. For more information when you have
problems with connectivity, see Troubleshoot connectivity problems.
Other
Optional: Use a test user account to verify synchronization.
Component prerequisites
PowerShell and .NET Framework
Azure AD Connect depends on Microsoft PowerShell and .NET Framework 4.5.1. You need this version or a later
version installed on your server. Depending on your Windows Server version, take the following actions:
Windows Server 2012 R2
Microsoft PowerShell is installed by default. No action is required.
.NET Framework 4.5.1 and later releases are offered through Windows Update. Make sure you've
installed the latest updates to Windows Server in Control Panel.
Windows Server 2012
The latest version of Microsoft PowerShell is available in Windows Management Framework 4.0,
available on the Microsoft Download Center.
.NET Framework 4.5.1 and later releases are available on the Microsoft Download Center.
Enable TLS 1.2 for Azure AD Connect
Prior to version 1.1.614.0, Azure AD Connect by default uses TLS 1.0 for encrypting the communication between
the sync engine server and Azure AD. You can configure .NET applications to use TLS 1.2 by default on the
server. For more information about TLS 1.2, see Microsoft Security Advisory 2960358.
1. Make sure you have the .NET 4.5.1 hotfix installed for your operating system. For more information, see
Microsoft Security Advisory 2960358. You might have this hotfix or a later release installed on your
server already.
2. For all operating systems, set this registry key and restart the server.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
"SchUseStrongCrypto"=dword:00000001
3. If you also want to enable TLS 1.2 between the sync engine server and a remote SQL Server, make sure
you have the required versions installed for TLS 1.2 support for Microsoft SQL Server.
N UM B ER O F O B JEC T S IN
A C T IVE DIREC TO RY CPU M EM O RY H A RD DRIVE SIZ E
The minimum requirements for computers running AD FS or Web Application Proxy servers are:
CPU: Dual core 1.6 GHz or higher
Memory: 2 GB or higher
Azure VM: A2 configuration or higher
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Select which installation type to use for Azure AD
Connect
9/7/2020 • 2 minutes to read • Edit Online
Azure AD Connect has two installation types for new installation: Express and customized. This topic helps you to
decide which option to use during installation.
Express
Express is the most common option and is used by about 90% of all new installations. It was designed to provide a
configuration that works for the most common customer scenarios.
It assumes:
You have a single Active Directory forest on-premises.
You have an enterprise administrator account you can use for the installation.
You have less than 100,000 objects in your on-premises Active Directory.
You get:
Password hash synchronization from on-premises to Azure AD for single sign-on.
A configuration that synchronizes users, groups, contacts, and Windows 10 computers.
Synchronization of all eligible objects in all domains and all OUs.
Automatic upgrade is enabled to make sure you always use the latest available version.
Options where you can still use Express:
If you do not want to synchronize all OUs, you can still use Express and on the last page, unselect Star t the
synchronization process...*. Then run the installation wizard again and change the OUs in configuration
options and enable scheduled sync.
You want to enable one of the features in Azure AD Premium, such as Password writeback. First go through
express to get the initial installation completed. Then run the installation wizard again and change the
configuration options.
Custom
The customized path allows many more options than express. It should be used in all cases where the configuration
described in previous section for express is not representative for your organization.
Use when:
You do not have access to an enterprise admin account in Active Directory.
You have more than one forest or you plan to synchronize more than one forest in the future.
You have domains in your forest not reachable from the Connect server.
You plan to use federation or pass-through authentication for user sign-in.
You have more than 100,000 objects and need to use a full SQL Server.
You plan to use group-based filtering and not only domain or OU-based filtering.
Next steps
Depending on the option you have selected to use, use the table of content to the left to find your article with the
detailed steps.
Getting started with Azure AD Connect using
express settings
9/7/2020 • 2 minutes to read • Edit Online
Azure AD Connect Express Settings is used when you have a single-forest topology and password hash
synchronization for authentication. Express Settings is the default option and is used for the most commonly
deployed scenario. You are only a few short clicks away to extend your on-premises directory to the cloud.
Before you start installing Azure AD Connect, make sure to download Azure AD Connect and complete the pre-
requisite steps in Azure AD Connect: Hardware and prerequisites.
If express settings does not match your topology, see related documentation for other scenarios.
5. On the Connect to Azure AD screen, enter the username and password of a global administrator for your
Azure AD. Click Next .
If you receive an error and have problems with connectivity, then see Troubleshoot connectivity problems.
6. On the Connect to AD DS screen, enter the username and password for an enterprise admin account. You can
enter the domain part in either NetBios or FQDN format, that is, FABRIKAM\administrator or
fabrikam.com\administrator. Click Next .
7. The Azure AD sign-in configuration page only shows if you did not complete verify your domains in the
prerequisites.
If you see this page, then review every domain marked Not Added and Not Verified . Make sure those
domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your
domains.
8. On the Ready to configure screen, click Install .
Optionally on the Ready to configure page, you can unselect the Star t the synchronization
process as soon as configuration completes checkbox. You should unselect this checkbox if you
want to do additional configuration, such as filtering. If you unselect this option, the wizard configures
sync but leaves the scheduler disabled. It does not run until you enable it manually by rerunning the
installation wizard.
Leaving the Star t the synchronization process as soon as configuration completes checkbox
enabled will immediately trigger a full synchronization to Azure AD of all users, groups, and contacts.
If you have Exchange in your on-premises Active Directory, then you also have an option to enable
Exchange Hybrid deployment . Enable this option if you plan to have Exchange mailboxes both in
the cloud and on-premises at the same time.
9. When the installation completes, click Exit .
10. After the installation has completed, sign off and sign in again before you use Synchronization Service
Manager or Synchronization Rule Editor.
Videos
For a video on using the express installation, see:
Next steps
Now that you have Azure AD Connect installed you can verify the installation and assign licenses.
Learn more about these features, which were enabled with the installation: Automatic upgrade, Prevent
accidental deletes, and Azure AD Connect Health.
Learn more about these common topics: scheduler and how to trigger sync.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Related documentation
TO P IC L IN K
Azure AD Connect overview Integrate your on-premises directories with Azure Active
Directory
Accounts used for installation More about Azure AD Connect credentials and permissions
Custom installation of Azure AD Connect
9/7/2020 • 26 minutes to read • Edit Online
Azure AD Connect Custom settings is used when you want more options for the installation. It is used if you
have multiple forests or if you want to configure optional features not covered in the express installation. It is
used in all cases where the express installation option does not satisfy your deployment or topology.
Before you start installing Azure AD Connect, make sure to download Azure AD Connect and complete the
pre-requisite steps in Azure AD Connect: Hardware and prerequisites. Also make sure you have required
accounts available as described in Azure AD Connect accounts and permissions.
If customized settings does not match your topology, for example to upgrade DirSync, see related
documentation for other scenarios.
Use an existing SQL Server Allows you to specify the SQL Server name and the
instance name. Choose this option if you already have a
database server that you would like to use. Enter the
instance name followed by a comma and port number in
Instance Name if your SQL Server does not have
browsing enabled. Then specify the name of the Azure AD
Connect database. Your SQL privileges determine whether a
new database will be created or your SQL administrator
must create the database in advance. If you have SQL SA
permissions see How to install using an existing database. If
you have been delegated permissions (DBO) see Install
Azure AD Connect with SQL delegated administrator
permissions.
Use an existing service account By default Azure AD Connect uses a virtual service account
for the synchronization services to use. If you use a remote
SQL server or use a proxy that requires authentication, you
need to use a managed ser vice account or use a service
account in the domain and know the password. In those
cases, enter the account to use. Make sure the user
running the installation is an SA in SQL so a login for the
service account can be created. See Azure AD Connect
accounts and permissions.
With the latest build, provisioning the database can now be
performed out of band by the SQL administrator and then
installed by the Azure AD Connect administrator with
database owner rights. For more information see Install
Azure AD Connect using SQL delegated administrator
permissions.
Specify custom sync groups By default Azure AD Connect creates four groups local to
the server when the synchronization services are installed.
These groups are: Administrators group, Operators group,
Browse group, and the Password Reset Group. You can
specify your own groups here. The groups must be local on
the server and cannot be located in the domain.
User sign-in
After installing the required components, you are asked to select your users single sign-on method. The
following table provides a brief description of the available options. For a full description of the sign-in
methods, see User sign-in.
SIN GL E SIGN O N O P T IO N DESC RIP T IO N
Password Hash Sync Users are able to sign in to Microsoft cloud services, such
as Office 365, using the same password they use in their
on-premises network. The users passwords are
synchronized to Azure AD as a password hash and
authentication occurs in the cloud. See Password hash
synchronization for more information.
Pass-through Authentication Users are able to sign in to Microsoft cloud services, such
as Office 365, using the same password they use in their
on-premises network. The users password is passed
through to the on-premises Active Directory domain
controller to be validated.
Federation with AD FS Users are able to sign in to Microsoft cloud services, such
as Office 365, using the same password they use in their
on-premises network. The users are redirected to their on-
premises AD FS instance to sign in and authentication
occurs on-premises.
Federation with PingFederate Users are able to sign in to Microsoft cloud services, such
as Office 365, using the same password they use in their
on-premises network. The users are redirected to their on-
premises PingFederate instance to sign in and
authentication occurs on-premises.
Enable Single Sign on This options is available with both password hash sync and
pass-through authentication and provides a single sign on
experience for desktop users on the corporate network. See
Single sign-on for more information.
Note for AD FS customers this option is not available
because AD FS already offers the same level of single sign
on.
Connect to Azure AD
On the Connect to Azure AD screen, enter a global admin account and password. If you selected Federation
with AD FS on the previous page, do not sign in with an account in a domain you plan to enable for
federation. A recommendation is to use an account in the default onmicrosoft.com domain, which comes
with your Azure AD tenant.
This account is only used to create a service account in Azure AD and is not used after the wizard has
completed.
If your global admin account has MFA enabled, then you need to provide the password again in the sign-in
popup and complete the MFA challenge. The challenge could be a providing a verification code or a phone call.
The global admin account can also have Privileged Identity Management enabled.
If you receive an error and have problems with connectivity, then see Troubleshoot connectivity problems.
O P T IO N DESC RIP T IO N
Create new account Select this option if you want Azure AD Connect wizard to
create the AD DS account required by Azure AD Connect
for connecting to the AD forest during directory
synchronization. When this option is selected, enter the
username and password for an enterprise admin account.
The enterprise admin account provided will be used by
Azure AD Connect wizard to create the required AD DS
account. You can enter the domain part in either NetBios or
FQDN format, that is, FABRIKAM\administrator or
fabrikam.com\administrator.
Use existing account Select this option if you want to provide an existing AD DS
account to be used Azure AD Connect for connecting to
the AD forest during directory synchronization. You can
enter the domain part in either NetBios or FQDN format,
that is, FABRIKAM\syncuser or fabrikam.com\syncuser. This
account can be a regular user account because it only
needs the default read permissions. However, depending on
your scenario, you may need more permissions. For more
information, see Azure AD Connect Accounts and
permissions.
Enterprise Admin and Domain Admin accounts not supported
As of build 1.4.18.0 it is no longer supported to use an Enterprise Admin or a Domain Admin account as the
AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin
when specifying use existing account , you will receive the following error:
“Using an Enterprise or Domain administrator account for your AD forest account is not allowed.
Let Azure AD Connect create the account for you or specify a synchronization account with the
correct permissions. <Learn More>”
Azure AD sign-in configuration
This page allows you to review the UPN domains present in on-premises AD DS and which have been verified
in Azure AD. This page also allows you to configure the attribute to use for the userPrincipalName.
Review every domain marked Not Added and Not Verified . Make sure those domains you use have been
verified in Azure AD. Click the Refresh symbol when you have verified your domains. For more information,
see add and verify the domain
UserPrincipalName - The attribute userPrincipalName is the attribute users use when they sign in to Azure
AD and Office 365. The domains used, also known as the UPN-suffix, should be verified in Azure AD before
the users are synchronized. Microsoft recommends to keep the default attribute userPrincipalName. If this
attribute is non-routable and cannot be verified, then it is possible to select another attribute. You can for
example select email as the attribute holding the sign-in ID. Using another attribute than userPrincipalName is
known as Alternate ID . The Alternate ID attribute value must follow the RFC822 standard. An Alternate ID
can be used with password hash sync, pass-through authentication, and federation. The attribute must not be
defined in Active Directory as multi-valued, even if it only has a single value. For more information on the
Alternate ID, see the Frequently asked questions topic.
NOTE
When you enable Pass-through Authentication you must have at least one verified domain in order to continue
through the wizard.
WARNING
Using an Alternate ID is not compatible with all Office 365 workloads. For more information, refer to Configuring
Alternate Login ID.
If you see this warning, make sure that these domains are indeed unreachable and the warning is expected.
Uniquely identifying your users
Select how users should be identified in your on-premises directories
The Matching across forests feature allows you to define how users from your AD DS forests are represented
in Azure AD. A user might either be represented only once across all forests or have a combination of enabled
and disabled accounts. The user might also be represented as a contact in some forests.
SET T IN G DESC RIP T IO N
Users are only represented once across all forests All users are created as individual objects in Azure AD. The
objects are not joined in the metaverse.
Mail attribute This option joins users and contacts if the mail attribute has
the same value in different forests. Use this option when
your contacts have been created using GALSync. If this
option is chosen, User objects whose Mail attribute aren't
populated will not be synchronized to Azure AD.
ObjectSID and msExchangeMasterAccountSID/ msRTCSIP- This option joins an enabled user in an account forest with
OriginatorSid a disabled user in a resource forest. In Exchange, this
configuration is known as a linked mailbox. This option can
also be used if you only use Lync and Exchange is not
present in the resource forest.
sAMAccountName and MailNickName This option joins on attributes where it is expected the
sign-in ID for the user can be found.
A specific attribute This option allows you to select your own attribute. If this
option is chosen, User objects whose (selected) attribute
aren't populated will not be synchronized to Azure AD.
Limitation: Only attributes that can already be found in
the metaverse are available for this option.".
Let Azure manage the source anchor for me Select this option if you want Azure AD to pick the attribute
for you. If you select this option, Azure AD Connect wizard
applies the sourceAnchor attribute selection logic described
in article section Azure AD Connect: Design concepts -
Using ms-DS-ConsistencyGuid as sourceAnchor. The wizard
informs you which attribute has been picked as the Source
Anchor attribute after Custom installation completes.
Since the attribute cannot be changed, you must plan for a good attribute to use. A good candidate is
objectGUID. This attribute is not changed, unless the user account is moved between forests/domains. Avoid
attributes that would change when a person marries or change assignments. You cannot use attributes with an
@-sign, so email and userPrincipalName cannot be used. The attribute is also case-sensitive so when you
move an object between forests, make sure to preserve the upper/lower case. Binary attributes are base64-
encoded, but other attribute types remain in its unencoded state. In federation scenarios and some Azure AD
interfaces, this attribute is also known as immutableID. More information about the source anchor can be
found in the design concepts.
Sync filtering based on groups
The filtering on groups feature allows you to sync only a small subset of objects for a pilot. To use this feature,
create a group for this purpose in your on-premises Active Directory. Then add users and groups that should
be synchronized to Azure AD as direct members. You can later add and remove users to this group to maintain
the list of objects that should be present in Azure AD. All objects you want to synchronize must be a direct
member of the group. Users, groups, contacts, and computers/devices must all be direct members. Nested
group membership is not resolved. When you add a group as a member, only the group itself is added and
not its members.
WARNING
This feature is only intended to support a pilot deployment. Do not use it in a full-blown production deployment.
In a full-blown production deployment, it is going to be hard to maintain a single group with all objects to
synchronize. Instead you should use one of the methods in Configure filtering.
Optional Features
This screen allows you to select the optional features for your specific scenarios.
WARNING
Azure AD Connect versions 1.0.8641.0 and older rely on the Azure Access Control service for password writeback.
This service will be retired on November 7th 2018 . If you are using any of these versions of Azure AD Connect and
have enabled password writeback, users may lose the ability to change or reset their passwords once the service is
retired. Password writeback with these versions of Azure AD Connect will not be supported.
For more information on the Azure Access Control service see How to: Migrate from the Azure Access Control service
To download the latest version of Azure AD Connect click here.
WARNING
If you currently have DirSync or Azure AD Sync active, do not activate any of the writeback features in Azure AD
Connect.
Exchange Hybrid Deployment The Exchange Hybrid Deployment feature allows for the co-
existence of Exchange mailboxes both on-premises and in
Office 365. Azure AD Connect is synchronizing a specific set
of attributes from Azure AD back into your on-premises
directory.
Exchange Mail Public Folders The Exchange Mail Public Folders feature allows you to
synchronize mail-enabled Public Folder objects from your
on-premises Active Directory to Azure AD.
Azure AD app and attribute filtering By enabling Azure AD app and attribute filtering, the set of
synchronized attributes can be tailored. This option adds
two more configuration pages to the wizard. For more
information, see Azure AD app and attribute filtering.
Password hash synchronization If you selected federation as the sign-in solution, then you
can enable this option. Password hash synchronization can
then be used as a backup option. For additional
information, see Password hash synchronization.
If you selected Pass-through Authentication this option can
also be enabled to ensure support for legacy clients and as
a backup option. For additional information, see Password
hash synchronization.
Group writeback If you use the Office 365 Groups feature, then you can
have these groups represented in your on-premises Active
Directory. This option is only available if you have Exchange
present in your on-premises Active Directory. For more
information see Azure AD Connect group writeback
Directory extension attribute sync By enabling directory extensions attribute sync, attributes
specified are synced to Azure AD. For more information, see
Directory extensions.
WARNING
Removing attributes can impact functionality. For best practices and recommendations, see attributes synchronized.
Directory Extension attribute sync
You can extend the schema in Azure AD with custom attributes added by your organization or other attributes
in Active Directory. To use this feature, select Director y Extension attribute sync on the Optional
Features page. You can select more attributes to sync on this page.
NOTE
The Available attributes box is case sensitive.
NOTE
You can update a TLS/SSL certificate for your AD FS farm using Azure AD Connect even if you do not use it to manage
your federation trust.
NOTE
Azure AD Connect can be used to manage only one AD FS farm. If you have existing federation trust with Azure AD
configured on the selected AD FS farm, the trust will be re-created again from scratch by Azure AD Connect.
NOTE
Ensure that all your servers are joined to an AD domain before you do this configuration.
Specify the Web Application Proxy servers
Enter the servers that you want as your Web Application proxy servers. The web application proxy server is
deployed in your DMZ (extranet facing) and supports authentication requests from the extranet. You can add
one or more servers based on your capacity planning needs. Microsoft recommends installing a single Web
application proxy server for test and pilot deployments. Then add and deploy more servers to meet your
scaling needs by running Azure AD Connect again after initial configuration. We recommend having an
equivalent number of proxy servers to satisfy authentication from the intranet.
NOTE
If the account you use is not a local admin on the WAP servers, then you are prompted for admin credentials.
Ensure that there is HTTP/HTTPS connectivity between the Azure AD Connect server and the Web Application Proxy
server before you run this step.
Ensure that there is HTTP/HTTPS connectivity between the Web Application Server and the AD FS server to allow
authentication requests to flow through.
You are prompted to enter credentials so that the web application server can establish a secure connection to
the AD FS server. These credentials need to be a local administrator on the AD FS server.
NOTE
Azure AD Connect performs a check to detect if the AD FS service is already registered as a SPN in the domain. AD DS
will not allow duplicate SPN’s to be registered at once. If a duplicate SPN is found, you will not be able to proceed
further until the SPN is removed.
NOTE
Before you continue installation and if you configured federation, make sure that you have configured Name resolution
for federation servers.
Staging mode
It is possible to setup a new sync server in parallel with staging mode. It is only supported to have one sync
server exporting to one directory in the cloud. But if you want to move from another server, for example one
running DirSync, then you can enable Azure AD Connect in staging mode. When enabled, the sync engine
import and synchronize data as normal, but it does not export anything to Azure AD or AD. The features
password sync and password writeback are disabled while in staging mode.
While in staging mode, it is possible to make required changes to the sync engine and review what is about to
be exported. When the configuration looks good, run the installation wizard again and disable staging mode.
Data is now exported to Azure AD from this server. Make sure to disable the other server at the same time so
only one server is actively exporting.
For more information, see Staging mode.
Verify your federation configuration
Azure AD Connect verifies the DNS settings for you when you click the Verify button.
Intranet connectivity checks
Resolve federation FQDN: Azure AD Connect checks if the federation FQDN can be resolved by DNS to
ensure connectivity. If Azure AD Connect cannot resolve the FQDN, the verification will fail. Ensure that a
DNS record is present for the federation service FQDN in order to successfully complete the verification.
DNS A record: Azure AD Connect checks if there is an A record for your federation service. In the absence
of an A record, the verification will fail. Create an A record and not CNAME record for your federation
FQDN in order to successfully complete the verification.
Extranet connectivity checks
Resolve federation FQDN: Azure AD Connect checks if the federation FQDN can be resolved by DNS to
ensure connectivity.
To validate end-to-end authentication is successful you should manually perform one or more the following
tests:
Once synchronization in complete, use the Verify federated login additional task in Azure AD Connect to
verify authentication for an on-premises user account of your choice.
Validate that you can sign in from a browser from a domain joined machine on the intranet: Connect to
https://myapps.microsoft.com and verify the sign-in with your logged in account. The built-in AD DS
administrator account is not synchronized and cannot be used for verification.
Validate that you can sign in from a device from the extranet. On a home machine or a mobile device,
connect to https://myapps.microsoft.com and supply your credentials.
Validate rich client sign-in. Connect to https://testconnectivity.microsoft.com, choose the Office 365 tab
and chose the Office 365 Single Sign-On Test .
Troubleshooting
The following section contains troubleshooting and information that you can use if you encounter an issue
installing Azure AD Connect.
“The ADSync database already contains data and cannot be overwritten”
When you custom install Azure AD Connect and select the option Use an existing SQL ser ver on the
Install required components page, you might encounter an error that states The ADSync database
already contains data and cannot be over written. Please remove the existing database and tr y
again.
This is because there is already an existing database named ADSync on the SQL instance of the SQL server,
which you specified in the above textboxes.
This typically occurs after you have uninstalled Azure AD Connect. The database will not be deleted from the
SQL Server when you uninstall.
To fix this issue, first verify that the ADSync database that was used by Azure AD Connect prior to being
uninstalled, is no longer being used.
Next, it is recommended that you backup the database prior to deleting it.
Finally, you need to delete the database. You can do this by using Microsoft SQL Ser ver Management
Studio and connect to the SQL instance. Find the ADSync database, right click on it, and select Delete from
the context menu. Then click OK button to delete it.
After you delete the ADSync database, you can click the install button, to retry installation.
Next steps
After the installation has completed, sign out and sign in again to Windows before you use Synchronization
Service Manager or Synchronization Rule Editor.
Now that you have Azure AD Connect installed you can verify the installation and assign licenses.
Learn more about these features, which were enabled with the installation: Prevent accidental deletes and
Azure AD Connect Health.
Learn more about these common topics: scheduler and how to trigger sync.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Import and export Azure AD Connect configuration
settings (public preview)
9/7/2020 • 6 minutes to read • Edit Online
Azure Active Directory (Azure AD) Connect deployments vary from a single forest Express mode installation to
complex deployments that synchronize across multiple forests by using custom synchronization rules. Because of
the large number of configuration options and mechanisms, it's essential to understand what settings are in effect
and be able to quickly deploy a server with an identical configuration. This feature introduces the ability to catalog
the configuration of a given synchronization server and import the settings into a new deployment. Different
synchronization settings snapshots can be compared to easily visualize the differences between two servers, or the
same server over time.
Each time the configuration is changed from the Azure AD Connect wizard, a new time-stamped JSON settings file
is automatically exported to%ProgramData%\AADConnect . The settings file name is of the form Applied-
SynchronizationPolicy-*.JSON , where the last part of the file name is a time stamp.
IMPORTANT
Only changes made by Azure AD Connect are automatically exported. Any changes made by using PowerShell, the
Synchronization Service Manager, or the Synchronization Rules Editor must be exported on demand as needed to maintain
an up-to-date copy. Export on demand can also be used to place a copy of the settings in a secure location for disaster
recovery purposes.
3. Run the script as shown here, and save the entire down-level server configuration directory. Copy this
directory to the new staging server. You must copy the entire Expor ted-Ser verConfiguration- * folder to
the new server.
4. Start Azure AD Connect by double-clicking the icon on the desktop. Accept the Microsoft Software License
Terms, and on the next page, select Customize .
5. Select the Impor t synchronization settings check box. Select Browse to browse the copied-over
Exported-ServerConfiguration-* folder. Select the MigratedPolicy.json to import the migrated settings.
Post-installation verification
Comparing the originally imported settings file with the exported settings file of the newly deployed server is an
essential step in understanding any differences between the intended versus the resulting deployment. Using your
favorite side-by-side text comparison application yields an instant visualization that quickly highlights any desired
or accidental changes.
While many formerly manual configuration steps are now eliminated, you should still follow your organization's
certification process to ensure no additional configuration is required. This configuration might occur if you use
advanced settings, which aren't currently captured in the public preview release of settings management.
Here are known limitations:
Synchronization rules : The precedence for a custom rule must be in the reserved range of 0 to 99 to avoid
conflicts with Microsoft's standard rules. Placing a custom rule outside the reserved range might result in your
custom rule being shifted around as standard rules are added to the configuration. A similar issue will occur if
your configuration contains modified standard rules. Modifying a standard rule is discouraged, and rule
placement is likely to be incorrect.
Device writeback : These settings are cataloged. They aren't currently applied during configuration. If device
writeback was enabled for your original server, you must manually configure the feature on the newly deployed
server.
Synchronized object types : Although it's possible to constrain the list of synchronized object types (such as
users, contacts, and groups) by using the Synchronization Service Manager, this feature isn't currently
supported via synchronization settings. After you finish the installation, you must manually reapply the
advanced configuration.
Custom run profiles : Although it's possible to modify the default set of run profiles by using the
Synchronization Service Manager, this feature isn't currently supported via synchronization settings. After you
finish the installation, you must manually reapply the advanced configuration.
Configuring the provisioning hierarchy : This advanced feature of the Synchronization Service Manager
isn't supported via synchronization settings. It must be manually reconfigured after you finish the initial
deployment.
Active Director y Federation Ser vices (AD FS) and PingFederate authentication : The sign-on methods
associated with these authentication features are automatically preselected. You must interactively supply all
other required configuration parameters.
A disabled custom synchronization rule will be impor ted as enabled : A disabled custom
synchronization rule is imported as enabled. Make sure to disable it on the new server too.
Next steps
Hardware and prerequisites
Express settings
Customized settings
Install Azure AD Connect Health agents
Azure Active Directory Pass-through Authentication:
Quickstart
9/7/2020 • 9 minutes to read • Edit Online
IMPORTANT
If you are migrating from AD FS (or other federation technologies) to Pass-through Authentication, we highly recommend
that you follow our detailed deployment guide published here.
NOTE
If you deploying Pass Through Authentication with the Azure Government cloud, view Hybrid Identity Considerations for
Azure Government.
IMPORTANT
From a security standpoint, administrators should treat the server running the PTA agent as if it were a domain controller. The
PTA agent servers should be hardened along the same lines as outlined in Securing Domain Controllers Against Attack
3. Identify one or more additional servers (running Windows Server 2012 R2 or later, with TLS 1.2 enabled)
where you can run standalone Authentication Agents. These additional servers are needed to ensure the high
availability of requests to sign in. Add the servers to the same Active Directory forest as the users whose
passwords you need to validate.
IMPORTANT
In production environments, we recommend that you have a minimum of 3 Authentication Agents running on your
tenant. There is a system limit of 40 Authentication Agents per tenant. And as best practice, treat all servers running
Authentication Agents as Tier 0 systems (see reference).
4. If there is a firewall between your servers and Azure AD, configure the following items:
Ensure that Authentication Agents can make outbound requests to Azure AD over the following ports:
P O RT N UM B ER H O W IT 'S USED
If your firewall enforces rules according to the originating users, open these ports for traffic from
Windows services that run as a network service.
If your firewall or proxy allows DNS whitelisting, add connections to *.msappproxy.net and
*.ser vicebus.windows.net . If not, allow access to the Azure datacenter IP ranges, which are updated
weekly.
Your Authentication Agents need access to login.windows.net and login.microsoftonline.com for
initial registration. Open your firewall for those URLs as well.
For certificate validation, unblock the following URLs: mscrl.microsoft.com:80 ,
crl.microsoft.com:80 , ocsp.msocsp.com:80 , and www.microsoft.com:80 . Since these URLs are
used for certificate validation with other Microsoft products you may already have these URLs
unblocked.
Azure Government cloud prerequisite
Prior to enabling Pass-through Authentication through Azure AD Connect with Step 2, download the latest release
of the PTA agent from the Azure portal. You need to ensure that your agent is versions 1.5.1742.0. or later. To verify
your agent see Upgrade authentication agents
After downloading the latest release of the agent, proceed with the below instructions to configure Pass-Through
Authentication through Azure AD Connect.
Step 2: Enable the feature
Enable Pass-through Authentication through Azure AD Connect.
IMPORTANT
You can enable Pass-through Authentication on the Azure AD Connect primary or staging server. It is highly recommended
that you enable it from the primary server. If you are setting up an Azure AD Connect staging server in the future, you must
continue to choose Pass-through Authentication as the sign-in option; choosing another option will disable Pass-through
Authentication on the tenant and override the setting in the primary server.
If you're installing Azure AD Connect for the first time, choose the custom installation path. At the User sign-in
page, choose Pass-through Authentication as the Sign On method . On successful completion, a Pass-through
Authentication Agent is installed on the same server as Azure AD Connect. In addition, the Pass-through
Authentication feature is enabled on your tenant.
If you have already installed Azure AD Connect by using the express installation or the custom installation path,
select the Change user sign-in task on Azure AD Connect, and then select Next . Then select Pass-through
Authentication as the sign-in method. On successful completion, a Pass-through Authentication Agent is installed
on the same server as Azure AD Connect and the feature is enabled on your tenant.
IMPORTANT
Pass-through Authentication is a tenant-level feature. Turning it on affects the sign-in for users across all the managed
domains in your tenant. If you're switching from Active Directory Federation Services (AD FS) to Pass-through Authentication,
you should wait at least 12 hours before shutting down your AD FS infrastructure. This wait time is to ensure that users can
keep signing in to Exchange ActiveSync during the transition. For more help on migrating from AD FS to Pass-through
Authentication, check out our detailed deployment plan published here.
IMPORTANT
In production environments, we recommend that you have a minimum of 3 Authentication Agents running on your tenant.
There is a system limit of 40 Authentication Agents per tenant. And as best practice, treat all servers running Authentication
Agents as Tier 0 systems (see reference).
Installing multiple Pass-through Authentication Agents ensures high availability, but not deterministic load
balancing between the Authentication Agents. To determine how many Authentication Agents you need for your
tenant, consider the peak and average load of sign-in requests that you expect to see on your tenant. As a
benchmark, a single Authentication Agent can handle 300 to 400 authentications per second on a standard 4-core
CPU, 16-GB RAM server.
To estimate network traffic, use the following sizing guidance:
Each request has a payload size of (0.5K + 1K * num_of_agents) bytes, that is, data from Azure AD to the
Authentication Agent. Here, "num_of_agents" indicates the number of Authentication Agents registered on your
tenant.
Each response has a payload size of 1K bytes, that is, data from the Authentication Agent to Azure AD.
For most customers, three Authentication Agents in total are sufficient for high availability and capacity. You should
install Authentication Agents close to your domain controllers to improve sign-in latency.
To begin, follow these instructions to download the Authentication Agent software:
1. To download the latest version of the Authentication Agent (version 1.5.193.0 or later), sign in to the Azure Active
Directory admin center with your tenant's global administrator credentials.
2. Select Azure Active Director y in the left pane.
3. Select Azure AD Connect , select Pass-through authentication , and then select Download Agent .
4. Select the Accept terms & download button.
NOTE
You can also directly download the Authentication Agent software. Review and accept the Authentication Agent's Terms of
Service before installing it.
There are two ways to deploy a standalone Authentication Agent:
First, you can do it interactively by just running the downloaded Authentication Agent executable and providing
your tenant's global administrator credentials when prompted.
Second, you can create and run an unattended deployment script. This is useful when you want to deploy multiple
Authentication Agents at once, or install Authentication Agents on Windows servers that don't have user interface
enabled, or that you can't access with Remote Desktop. Here are the instructions on how to use this approach:
1. Run the following command to install an Authentication Agent:
AADConnectAuthAgentSetup.exe REGISTERCONNECTOR="false" /q .
2. You can register the Authentication Agent with our service using Windows PowerShell. Create a PowerShell
Credentials object $cred that contains a global administrator username and password for your tenant. Run the
following command, replacing <username> and <password>:
$User = "<username>"
$PlainPassword = '<password>'
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword
3. Go to C:\Program Files\Microsoft Azure AD Connect Authentication Agent and run the following script
using the $cred object that you created:
IMPORTANT
If an Authentication Agent is installed on a Virtual Machine, you can't clone the Virtual Machine to setup another
Authentication Agent. This method is unsuppor ted .
Next steps
Migrate from AD FS to Pass-through Authentication - A detailed guide to migrate from AD FS (or other
federation technologies) to Pass-through Authentication.
Smart Lockout: Learn how to configure the Smart Lockout capability on your tenant to protect user accounts.
Current limitations: Learn which scenarios are supported with the Pass-through Authentication and which ones
are not.
Technical deep dive: Understand how the Pass-through Authentication feature works.
Frequently asked questions: Find answers to frequently asked questions.
Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
Security deep dive: Get technical information on the Pass-through Authentication feature.
Azure AD Seamless SSO: Learn more about this complementary feature.
UserVoice: Use the Azure Active Directory Forum to file new feature requests.
Azure AD Connect Health Agent Installation
9/7/2020 • 16 minutes to read • Edit Online
This document walks you through installing and configuring the Azure AD Connect Health Agents. You can
download the agents from here.
Requirements
The following table is a list of requirements for using Azure AD Connect Health.
You must be a global administrator of your Azure AD to get By default, only the global administrators can install and
started with Azure AD Connect Health configure the health agents to get started, access the portal,
and perform any operations within Azure AD Connect
Health. For more information, see Administering your Azure
AD directory.
Azure AD Connect Health Agent is installed on each targeted Azure AD Connect Health requires the Health Agents to be
server installed and configured on targeted servers to receive the
data and provide the Monitoring and Analytics capabilities.
Outbound connectivity to the Azure service endpoints During installation and runtime, the agent requires
connectivity to Azure AD Connect Health service endpoints.
If outbound connectivity is blocked using Firewalls, ensure
that the following endpoints are added to the allowed list.
See outbound connectivity endpoints
Outbound connectivity based on IP Addresses For IP address based filtering on firewalls, refer to the Azure
IP Ranges.
REQ UIREM EN T DESC RIP T IO N
TLS Inspection for outbound traffic is filtered or disabled The agent registration step or data upload operations may
fail if there is TLS inspection or termination for outbound
traffic at the network layer. Read more about how to setup
TLS inspection
Firewall ports on the server running the agent The agent requires the following firewall ports to be open in
order for the agent to communicate with the Azure AD
Health service endpoints.
Allow the following websites if IE Enhanced Security is If IE Enhanced Security is enabled, then the following
enabled websites must be allowed on the server that is going to have
the agent installed.
https://login.microsoftonline.com
https://secure.aadcdn.microsoftonline-p.com
https://login.windows.net
https://aadcdn.msftauth.net
The federation server for your organization trusted by
Azure Active Directory. For example: https://sts.contoso.com
Read more about how to configure IE. In case you have a
proxy within your network , please see note below.
Ensure PowerShell v4.0 or newer is installed Windows Server 2008 R2 ships with PowerShell v2.0,
which is insufficient for the agent. Update PowerShell as
explained below under Agent installation on Windows Server
2008 R2 Servers.
Windows Server 2012 ships with PowerShell v3.0, which is
insufficient for the agent.
Windows Server 2012 R2 and later ship with a sufficiently
recent version of PowerShell.
NOTE
If you have a highly locked-down and extremely restricted environment, you would require to add the URLs mentioned in
the Service endpoint lists below in addition to the ones listed in the Allowed IE enhanced Security configuration above.
Before installation, make sure your AD FS server host name is unique and not present in the AD FS service. To
start the agent installation, double-click the .exe file that you downloaded. On the first screen, click Install.
Once the installation is finished, click Configure Now.
This launches a PowerShell window to initiate the agent registration process. When prompted, sign in with an
Azure AD account that has access to perform agent registration. By default the Global Admin account has access.
After signing in, PowerShell will continue. Once it completes, you can close PowerShell and the configuration is
complete.
At this point, the agent services should be started automatically allowing the agent upload the required data to
the cloud service in a secure manner.
If you have not met all the pre-requisites outlined in the previous sections, warnings appear in the PowerShell
window. Be sure to complete the requirements before installing the agent. The following screenshot is an
example of these errors.
To verify the agent has been installed, look for the following services on the server. If you completed the
configuration, they should already be running. Otherwise, they are stopped until the configuration is complete.
Azure AD Connect Health AD FS Diagnostics Service
Azure AD Connect Health AD FS Insights Service
Azure AD Connect Health AD FS Monitoring Service
Agent installation on Windows Server 2008 R2 Servers
Steps for Windows Server 2008 R2 servers:
1. Ensure that the server is running at Service Pack 1 or higher.
2. Turn off IE ESC for agent installation:
3. Install Windows PowerShell 4.0 on each of the servers ahead of installing the AD Health agent. To install
Windows PowerShell 4.0:
Install Microsoft .NET Framework 4.5 using the following link to download the offline installer.
Install PowerShell ISE (From Windows Features)
Install Internet Explorer version 10 or above on the server. (Required by the Health Service to
authenticate, using your Azure Admin credentials.)
4. For more information on installing Windows PowerShell 4.0 on Windows Server 2008 R2, see the wiki article
here.
Enable Auditing for AD FS
NOTE
This section only applies to AD FS servers. You do not have to follow these steps on the Web Application Proxy Servers.
In order for the Usage Analytics feature to gather and analyze data, the Azure AD Connect Health agent needs the
information in the AD FS Audit Logs. These logs are not enabled by default. Use the following procedures to
enable AD FS auditing and to locate the AD FS audit logs, on your AD FS servers.
To enable auditing for AD FS on Windows Server 2008 R2
1. Click Star t , point to Programs , point to Administrative Tools , and then click Local Security Policy .
2. Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click
Generate security audits .
3. On the Local Security Setting tab, verify that the AD FS 2.0 service account is listed. If it is not present, click
Add User or Group and add it to the list, and then click OK .
4. To enable auditing, open a Command Prompt with elevated privileges and run the following command:
auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable
5. Close Local Security Policy .
-- The following steps are only required for primar y AD FS ser vers. --
6. Open the AD FS Management snap-in. To open the AD FS Management snap-in, click Star t , point to
Programs , point to Administrative Tools , and then click AD FS 2.0 Management .
7. In the Actions pane, click Edit Federation Ser vice Proper ties .
8. In the Federation Ser vice Proper ties dialog box, click the Events tab.
9. Select the Success audits and Failure audits check boxes.
10. Click OK .
To enable auditing for AD FS on Windows Server 2012 R2
1. Open Local Security Policy by opening Ser ver Manager on the Start screen, or Server Manager in the
taskbar on the desktop, then click Tools/Local Security Policy .
2. Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click
Generate security audits .
3. On the Local Security Setting tab, verify that the AD FS service account is listed. If it is not present, click
Add User or Group and add it to the list, and then click OK .
4. To enable auditing, open a command prompt with elevated privileges and run the following command:
auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable
5. Close Local Security Policy .
-- The following steps are only required for primar y AD FS ser vers. --
6. Open the AD FS Management snap-in (in Server Manager, click Tools, and then select AD FS Management).
7. In the Actions pane, click Edit Federation Ser vice Proper ties .
8. In the Federation Ser vice Proper ties dialog box, click the Events tab.
9. Select the Success audits and Failure audits check boxes and then click OK .
10. Verbose logging can be enabled through powershell using the command:
Set-AdfsProperties -LOGLevel Verbose .
Note that "basic" audit level is enabled by default. Read more about the AD FS Audit enhancement in Windows
Server 2016
To locate the AD FS audit logs
1. Open Event Viewer .
2. Go to Windows Logs and select Security .
3. On the right, click Filter Current Logs .
4. Under Event Source, select AD FS Auditing .
And quick FAQ note for Audit logs.
WARNING
A group policy can disable AD FS auditing. If AD FS auditing is disabled, usage analytics about login activities are not
available. Ensure that you don’t have a group policy that disables AD FS auditing.>
IMPORTANT
Using this PowerShell command is only required if the agent registration fails after installing Azure AD Connect.
The following PowerShell command is required ONLY when the health agent registration fails even after a
successful installation and configuration of Azure AD Connect. The Azure AD Connect Health services will start
after the agent has been successfully registered.
You can manually register the Azure AD Connect Health agent for sync using the following PowerShell command:
Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false
After signing in, PowerShell will continue. Once it completes, you can close PowerShell and the configuration is
complete.
At this point, the services should be started automatically allowing the agent to monitor and gather data. If you
have not met all the pre-requisites outlined in the previous sections, warnings appear in the PowerShell window.
Be sure to complete the requirements before installing the agent. The following screenshot is an example of
these errors.
To verify the agent has been installed, look for the following services on the domain controller.
Azure AD Connect Health AD DS Insights Service
Azure AD Connect Health AD DS Monitoring Service
If you completed the configuration, these services should already be running. Otherwise, they are stopped until
the configuration is complete.
1. Once you are done, you can remove access for the local account by doing one or more of the following:
Remove the role assignment for the local account for AAD Connect Health
Rotate the password for the local account.
Disable the AAD local account
Delete the AAD local account
Register-AzureADConnectHealthADFSAgent
Register-AzureADConnectHealthADDSAgent
Register-AzureADConnectHealthSyncAgent
These commands accept "Credential" as a parameter to complete the registration in a non-interactive manner or
on a Server-Core machine.
The Credential can be captured in a PowerShell variable that is passed as a parameter.
You can provide any Azure AD Identity that has access to register the agents and does NOT have MFA enabled.
By default Global Admins have access to perform agent registration. You can also allow other less privileged
identities to perform this step. Read more about Azure role-based access control (Azure RBAC).
$cred = Get-Credential
Register-AzureADConnectHealthADFSAgent -Credential $cred
NOTE
Using “Netsh WinHttp set ProxyServerAddress” is not supported as the agent uses System.Net to make web requests
instead of Microsoft Windows HTTP Services.
The configured Http Proxy address is used to pass-through encrypted Https messages.
Authenticated proxies (using HTTPBasic) are not supported.
Internet Explorer HTTP proxy settings can be imported, to be used by the Azure AD Connect Health Agents. On
each of the servers running the Health agent, execute the following PowerShell command:
Set-AzureAdConnectHealthProxySettings -ImportFromInternetSettings
I m p o r t fr o m W i n H T T P
WinHTTP proxy settings can be imported, to be used by the Azure AD Connect Health Agents. On each of the
servers running the Health agent, execute the following PowerShell command:
Set-AzureAdConnectHealthProxySettings -ImportFromWinHttp
Set-AzureAdConnectHealthProxySettings -NoProxy
Get-AzureAdConnectHealthProxySettings
NOTE
To use the connectivity tool, you must first complete the agent registration. If you are not able to complete the agent
registration, make sure that you have met all the requirements for Azure AD Connect Health. This connectivity test is
performed by default during agent registration.
Related links
Azure AD Connect Health
Azure AD Connect Health Operations
Using Azure AD Connect Health with AD FS
Using Azure AD Connect Health for sync
Using Azure AD Connect Health with AD DS
Azure AD Connect Health FAQ
Azure AD Connect Health Version History
Azure AD Connect: Automatic upgrade
9/7/2020 • 4 minutes to read • Edit Online
This feature was introduced with build 1.1.105.0 (released February 2016). This feature was updated in build
1.1.561 and now supports additional scenarios that were previously not supported.
Overview
Making sure your Azure AD Connect installation is always up to date has never been easier with the automatic
upgrade feature. This feature is enabled by default for express installations and DirSync upgrades. When a new
version is released, your installation is automatically upgraded. Automatic upgrade is enabled by default for the
following:
Express settings installation and DirSync upgrades.
Using SQL Express LocalDB, which is what Express settings always use. DirSync with SQL Express also use
LocalDB.
The AD account is the default MSOL_ account created by Express settings and DirSync.
Have less than 100,000 objects in the metaverse.
The current state of automatic upgrade can be viewed with the PowerShell cmdlet Get-ADSyncAutoUpgrade . It has
the following states:
STAT E C O M M EN T
Suspended Set by the system only. The system is not currently eligible
to receive automatic upgrades.
You can change between Enabled and Disabled with Set-ADSyncAutoUpgrade . Only the system should set the
state Suspended . Prior to 1.1.750.0 the Set-ADSyncAutoUpgrade cmdlet would block Autoupgrade if the auto-
upgrade state was set to Suspended. This functionality has now changed so it does not block AutoUpgrade.
Automatic upgrade is using Azure AD Connect Health for the upgrade infrastructure. For automatic upgrade to
work, make sure you have opened the URLs in your proxy server for Azure AD Connect Health as
documented in Office 365 URLs and IP address ranges.
If the Synchronization Ser vice Manager UI is running on the server, then the upgrade is suspended until the
UI is closed.
Troubleshooting
If your Connect installation does not upgrade itself as expected, then follow these steps to find out what could be
wrong.
First, you should not expect the automatic upgrade to be attempted the first day a new version is released. There
is an intentional randomness before an upgrade is attempted so don't be alarmed if your installation isn't
upgraded immediately.
If you think something is not right, then first run Get-ADSyncAutoUpgrade to ensure automatic upgrade is enabled.
If the state is suspended, you can use the Get-ADSyncAutoUpgrade -Detail to view the reason. The suspension
reason can contain any string value but will usually contain the string value of the UpgradeResult, that is,
UpgradeNotSupportedNonLocalDbInstall or UpgradeAbortedAdSyncExeInUse . A compound value may also be
returned, such as UpgradeFailedRollbackSuccess-GetPasswordHashSyncStateFailed .
It is also possible to get a result that is not an UpgradeResult i.e. 'AADHealthEndpointNotDefined' or
'DirSyncInPlaceUpgradeNonLocalDb'.
Then, make sure you have opened the required URLs in your proxy or firewall. Automatic update is using Azure
AD Connect Health as described in the overview. If you use a proxy, make sure Health has been configured to use
a proxy server. Also test the Health connectivity to Azure AD.
With the connectivity to Azure AD verified, it is time to look into the eventlogs. Start the event viewer and look in
the Application eventlog. Add an eventlog filter for the source Azure AD Connect Upgrade and the event id
range 300-399 .
You can now see the eventlogs associated with the status for automatic upgrade.
UpgradeAbor ted
UpgradeAbortedSecurityGroupsNotPresent Could not find and resolve all security groups used by the
sync engine.
UpgradeNotSuppor ted
UpgradeNotSupportedCustomizedSyncRules You have added your own custom rules to the configuration.
UpgradeNotSupportedNonLocalDbInstall You are not using a SQL Server Express LocalDB database.
UpgradeNotSupportedAADHealthUploadDisabled Health data uploads have been disabled from the portal
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect sync: Running the installation
wizard a second time
9/7/2020 • 2 minutes to read • Edit Online
The first time you run the Azure AD Connect installation wizard, it walks you through how to configure your
installation. If you run the installation wizard again, it offers options for maintenance.
IMPORTANT
Be aware that you cannot run the installation wizard while a synchronization is in progress. Please verify that a
synchronization is not running before launching the wizard.
You can find the installation wizard in the start menu named Azure AD Connect .
When you start the installation wizard, you see a page with these options:
If you have installed ADFS with Azure AD Connect, you have even more options. The additional options you have
for ADFS are documented in ADFS management.
Select one of the tasks and click Next to continue.
IMPORTANT
While you have the installation wizard open, all operations in the sync engine are suspended. Make sure you close the
installation wizard as soon as you have completed your configuration changes.
Click Previous to go back. If you select Exit , you close the installation wizard.
To change the state, select this option and select or unselect the checkbox.
Next steps
Learn more about the configuration model used by Azure AD Connect sync in Understanding Declarative
Provisioning.
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect: Upgrade from a previous version
to the latest
9/7/2020 • 10 minutes to read • Edit Online
This topic describes the different methods that you can use to upgrade your Azure Active Directory (Azure AD)
Connect installation to the latest release. We recommend that you keep yourself current with the releases of
Azure AD Connect. You also use the steps in the Swing migration section when you make a substantial
configuration change.
NOTE
It is currently supported to upgrade from any version of Azure AD Connect to the current version. In-place upgrades of
DirSync or ADSync are not supported and a swing migration is required. If you want to upgrade from DirSync, see Upgrade
from Azure AD sync tool (DirSync) or the Swing migration section.
In practice, customers on extremely old versions may encounter problems not directly related to Azure AD Connect. Servers
that have been in production for several years, typically have had several patches applied to them and not all of these can
be accounted for. Generally, customers who have not upgraded in 12-18 months should consider a swing upgrade instead
as this is the most conservative and least risky option.
If you want to upgrade from DirSync, see Upgrade from Azure AD sync tool (DirSync) instead.
There are a few different strategies that you can use to upgrade Azure AD Connect.
M ET H O D DESC RIP T IO N
Automatic upgrade This is the easiest method for customers with an express
installation.
In-place upgrade If you have a single server, you can upgrade the installation
in-place on the same server.
Swing migration With two servers, you can prepare one of the servers with
the new release or configuration, and change the active
server when you're ready.
NOTE
After you've enabled your new Azure AD Connect server to start synchronizing changes to Azure AD, you must not roll
back to using DirSync or Azure AD Sync. Downgrading from Azure AD Connect to legacy clients, including DirSync and
Azure AD Sync, isn't supported and can lead to issues such as data loss in Azure AD.
In-place upgrade
An in-place upgrade works for moving from Azure AD Sync or Azure AD Connect. It doesn't work for moving
from DirSync or for a solution with Forefront Identity Manager (FIM) + Azure AD Connector.
This method is preferred when you have a single server and less than about 100,000 objects. If there are any
changes to the out-of-box sync rules, a full import and full synchronization occur after the upgrade. This method
ensures that the new configuration is applied to all existing objects in the system. This run might take a few hours,
depending on the number of objects that are in scope of the sync engine. The normal delta synchronization
scheduler (which synchronizes every 30 minutes by default) is suspended, but password synchronization
continues. You might consider doing the in-place upgrade during a weekend. If there are no changes to the out-
of-box configuration with the new Azure AD Connect release, then a normal delta import/sync starts instead.
If you've made changes to the out-of-box synchronization rules, then these rules are set back to the default
configuration on upgrade. To make sure that your configuration is kept between upgrades, make sure that you
make changes as they're described in Best practices for changing the default configuration.
During in-place upgrade, there may be changes introduced that require specific synchronization activities
(including Full Import step and Full Synchronization step) to be executed after upgrade completes. To defer such
activities, refer to section How to defer full synchronization after upgrade.
If you are using Azure AD Connect with non-standard connector (for example, Generic LDAP Connector and
Generic SQL Connector), you must refresh the corresponding connector configuration in the Synchronization
Service Manager after in-place upgrade. For details on how to refresh the connector configuration, refer to article
section Connector Version Release History - Troubleshooting. If you do not refresh the configuration, import and
export run steps will not work correctly for the connector. You will receive the following error in the application
event log with message "Assembly version in AAD Connector configuration ("X.X.XXX.X") is earlier than the actual
version ("X.X.XXX.X") of "C:\Program Files\Microsoft Azure AD
Sync\Extensions\Microsoft.IAM.Connector.GenericLdap.dll".
Swing migration
If you have a complex deployment or many objects, it might be impractical to do an in-place upgrade on the live
system. For some customers, this process might take multiple days--and during this time, no delta changes are
processed. You can also use this method when you plan to make substantial changes to your configuration and
you want to try them out before they're pushed to the cloud.
The recommended method for these scenarios is to use a swing migration. You need (at least) two servers--one
active server and one staging server. The active server (shown with solid blue lines in the following picture) is
responsible for the active production load. The staging server (shown with dashed purple lines) is prepared with
the new release or configuration. When it's fully ready, this server is made active. The previous active server,
which now has the old version or configuration installed, is made into the staging server and is upgraded.
The two servers can use different versions. For example, the active server that you plan to decommission can use
Azure AD Sync, and the new staging server can use Azure AD Connect. If you use swing migration to develop a
new configuration, it's a good idea to have the same versions on the two servers.
NOTE
Some customers prefer to have three or four servers for this scenario. When the staging server is upgraded, you don't have
a backup server for disaster recovery. With three or four servers, you can prepare one set of primary/standby servers with
the new version, which ensures that there is always a staging server that's ready to take over.
These steps also work to move from Azure AD Sync or a solution with FIM + Azure AD Connector. These steps
don't work for DirSync, but the same swing migration method (also called parallel deployment) with steps for
DirSync is in Upgrade Azure Active Directory sync (DirSync).
Use a swing migration to upgrade
1. If you use Azure AD Connect on both servers and plan to only make a configuration change, make sure that
your active server and staging server are both using the same version. That makes it easier to compare
differences later. If you're upgrading from Azure AD Sync, then these servers have different versions. If you're
upgrading from an older version of Azure AD Connect, it's a good idea to start with the two servers that are
using the same version, but it's not required.
2. If you've made a custom configuration and your staging server doesn't have it, follow the steps under Move a
custom configuration from the active server to the staging server.
3. If you're upgrading from an earlier release of Azure AD Connect, upgrade the staging server to the latest
version. If you're moving from Azure AD Sync, then install Azure AD Connect on your staging server.
4. Let the sync engine run full import and full synchronization on your staging server.
5. Verify that the new configuration didn't cause any unexpected changes by using the steps under "Verify" in
Verify the configuration of a server. If something isn't as expected, correct it, run the import and sync, and
verify the data until it looks good, by following the steps.
6. Switch the staging server to be the active server. This is the final step "Switch active server" in Verify the
configuration of a server.
7. If you're upgrading Azure AD Connect, upgrade the server that's now in staging mode to the latest release.
Follow the same steps as before to get the data and configuration upgraded. If you upgraded from Azure AD
Sync, you can now turn off and decommission your old server.
Move a custom configuration from the active server to the staging server
If you've made configuration changes to the active server, you need to make sure that the same changes are
applied to the staging server. To help with this move, you can use the Azure AD Connect configuration
documenter.
You can move the custom sync rules that you've created by using PowerShell. You must apply other changes the
same way on both systems, and you can't migrate the changes. The configuration documenter can help you
comparing the two systems to make sure they are identical. The tool can also help in automating the steps found
in this section.
You need to configure the following things the same way on both servers:
Connection to the same forests
Any domain and OU filtering
The same optional features, such as password sync and password writeback
Move custom synchronization rules
To move custom synchronization rules, do the following:
1. Open Synchronization Rules Editor on your active server.
2. Select a custom rule. Click Expor t . This brings up a Notepad window. Save the temporary file with a PS1
extension. This makes it a PowerShell script. Copy the PS1 file to the staging server.
3. The Connector GUID is different on the staging server, and you must change it. To get the GUID, start
Synchronization Rules Editor , select one of the out-of-box rules that represent the same connected system,
and click Expor t . Replace the GUID in your PS1 file with the GUID from the staging server.
4. In a PowerShell prompt, run the PS1 file. This creates the custom synchronization rule on the staging server.
5. Repeat this for all your custom rules.
2. After upgrade completes, run the following cmdlet to find out what overrides have been added:
Get-ADSyncSchedulerConnectorOverride | fl
NOTE
The overrides are connector-specific. In the following example, Full Import step and Full Synchronization step have
been added to both the on-premises AD Connector and Azure AD Connector.
5. To resume the scheduler, run the following cmdlet: Set-ADSyncScheduler -SyncCycleEnabled $true
IMPORTANT
Remember to execute the required synchronization steps at your earliest convenience. You can either manually
execute these steps using the Synchronization Service Manager or add the overrides back using the Set-
ADSyncSchedulerConnectorOverride cmdlet.
To add the overrides for both full import and full synchronization on an arbitrary connector, run the following
cmdlet:
Set-ADSyncSchedulerConnectorOverride -ConnectorIdentifier <Guid> -FullImportRequired $true -FullSyncRequired
$true
Troubleshooting
The following section contains troubleshooting and information that you can use if you encounter an issue
upgrading Azure AD Connect.
Azure Active Directory connector missing error during Azure AD Connect upgrade
When you upgrade Azure AD Connect from a previous version, you might hit following error at the beginning of
the upgrade
This error happens because the Azure Active Directory connector with identifier, b891884f-051e-4a83-95af-
2544101c9083, does not exist in the current Azure AD Connect configuration. To verify this is the case, open a
PowerShell window, run Cmdlet Get-ADSyncConnector -Identifier b891884f-051e-4a83-95af-2544101c9083
PS C:\> Get-ADSyncConnector -Identifier b891884f-051e-4a83-95af-2544101c9083
Get-ADSyncConnector : Operation failed because the specified MA could not be found.
At line:1 char:1
+ Get-ADSyncConnector -Identifier b891884f-051e-4a83-95af-2544101c9083
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (Microsoft.Ident...ConnectorCmdlet:GetADSyncConnectorCmdlet) [Get-
ADSyncConne
ctor], ConnectorNotFoundException
+ FullyQualifiedErrorId : Operation failed because the specified MA could not be
found.,Microsoft.IdentityManageme
nt.PowerShell.Cmdlet.GetADSyncConnectorCmdlet
The PowerShell Cmdlet reports the error the specified MA could not be found .
The reason that this occurs is because the current Azure AD Connect configuration is not supported for upgrade.
If you want to install a newer version of Azure AD Connect: close the Azure AD Connect wizard, uninstall the
existing Azure AD Connect, and perform a clean install of the newer Azure AD Connect.
Next steps
Learn more about integrating your on-premises identities with Azure Active Directory.
Azure AD Connect: Upgrade from DirSync
9/7/2020 • 10 minutes to read • Edit Online
Azure AD Connect is the successor to DirSync. You find the ways you can upgrade from DirSync in this topic.
These steps do not work for upgrading from another release of Azure AD Connect or from Azure AD Sync.
Before you start installing Azure AD Connect, make sure to download Azure AD Connect and complete the pre-
requisite steps in Azure AD Connect: Hardware and prerequisites. In particular, you want to read about the
following, since these areas are different from DirSync:
The required version of .NET and PowerShell. Newer versions are required to be on the server than what
DirSync needed.
The proxy server configuration. If you use a proxy server to reach the internet, this setting must be configured
before you upgrade. DirSync always used the proxy server configured for the user installing it, but Azure AD
Connect uses machine settings instead.
The URLs required to be open in the proxy server. For basic scenarios, those scenarios also supported by
DirSync, the requirements are the same. If you want to use any of the new features included with Azure AD
Connect, some new URLs must be opened.
NOTE
Once you have enabled your new Azure AD Connect server to start synchronizing changes to Azure AD, you must not roll
back to using DirSync or Azure AD Sync. Downgrading from Azure AD Connect to legacy clients including DirSync and
Azure AD Sync is not supported and can lead to issues such as data loss in Azure AD.
If you are not upgrading from DirSync, see related documentation for other scenarios.
SC EN A RIO
In-place upgrade
Parallel deployment
NOTE
When you plan to upgrade from DirSync to Azure AD Connect, do not uninstall DirSync yourself before the upgrade. Azure
AD Connect will read and migrate the configuration from DirSync and uninstall after inspecting the server.
In-place upgrade
The expected time to complete the upgrade is displayed by the wizard. This estimate is based on the assumption
that it takes three hours to complete an upgrade for a database with 50,000 objects (users, contacts, and groups).
If the number of objects in your database is less than 50,000, then Azure AD Connect recommends an in-place
upgrade. If you decide to continue, your current settings are automatically applied during upgrade and your
server automatically resumes active synchronization.
If you want to do a configuration migration and do a parallel deployment, then you can override the in-place
upgrade recommendation. You might for example take the opportunity to refresh the hardware and operating
system. For more information, see the parallel deployment section.
Parallel deployment
If you have more than 50,000 objects, then a parallel deployment is recommended. This deployment avoids any
operational delays experienced by your users. The Azure AD Connect installation attempts to estimate the
downtime for the upgrade, but if you've upgraded DirSync in the past, your own experience is likely to be the
best guide.
Supported DirSync configurations to be upgraded
The following configuration changes are supported with upgraded DirSync:
Domain and OU filtering
Alternate ID (UPN)
Password sync and Exchange hybrid settings
Your forest/domain and Azure AD settings
Filtering based on user attributes
The following change cannot be upgraded. If you have this configuration, the upgrade is blocked:
Unsupported DirSync changes, for example removed attributes and using a custom extension DLL
In those cases, the recommendation is to install a new Azure AD Connect server in staging mode and verify the
old DirSync and new Azure AD Connect configuration. Reapply any changes using custom configuration, as
described in Azure AD Connect Sync custom configuration.
The passwords used by DirSync for the service accounts cannot be retrieved and are not migrated. These
passwords are reset during the upgrade.
High-level steps for upgrading from DirSync to Azure AD Connect
1. Welcome to Azure AD Connect
2. Analysis of current DirSync configuration
3. Collect Azure AD global admin password
4. Collect credentials for an enterprise admin account (only used during the installation of Azure AD Connect)
5. Installation of Azure AD Connect
Uninstall DirSync (or temporarily disable it)
Install Azure AD Connect
Optionally begin synchronization
Additional steps are required when:
You're currently using Full SQL Server - local or remote
You have more than 50,000 objects in scope for synchronization
In-place upgrade
1. Launch the Azure AD Connect installer (MSI).
2. Review and agree to license terms and privacy notice.
If you use a full SQL Server for DirSync, you see this page instead:
The information regarding the existing SQL Server database server being used by DirSync is displayed.
Make appropriate adjustments if needed. Click Next to continue the installation.
If you have more than 50,000 objects, you see this screen instead:
To proceed with an in-place upgrade, click the checkbox next to this message: Continue upgrading
DirSync on this computer. To do a parallel deployment instead, you export the DirSync
configuration settings and move the configuration to the new server.
5. Provide the password for the account you currently use to connect to Azure AD. This must be the account
currently used by DirSync.
If you receive an error and have problems with connectivity, see Troubleshoot connectivity problems.
6. Provide an enterprise admin account for Active Directory.
7. You're now ready to configure. When you click Upgrade , DirSync is uninstalled and Azure AD Connect is
configured and begins synchronizing.
8. After the installation has completed, sign out and sign in again to Windows before you use Synchronization
Service Manager, Synchronization Rule Editor, or try to make any other configuration changes.
Parallel deployment
Export the DirSync configuration
Parallel deployment with more than 50,000 objects
If you have more than 50,000 objects, then the Azure AD Connect installation recommends a parallel
deployment.
A screen similar to the following is displayed:
If you want to proceed with parallel deployment, you need to perform the following steps:
Click the Expor t settings button. When you install Azure AD Connect on a separate server, these settings are
migrated from your current DirSync to your new Azure AD Connect installation.
Once your settings have been successfully exported, you can exit the Azure AD Connect wizard on the DirSync
server. Continue with the next step to install Azure AD Connect on a separate server
Parallel deployment with less than 50,000 objects
If you have less than 50,000 objects but still want to do a parallel deployment, then do the following:
1. Run the Azure AD Connect installer (MSI).
2. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking the "X" in
the top right corner of the window.
3. Open a command prompt.
4. From the install location of Azure AD Connect (Default: C:\Program Files\Microsoft Azure Active Directory
Connect) execute the following command: AzureADConnect.exe /ForceExport .
5. Click the Expor t settings button. When you install Azure AD Connect on a separate server, these settings are
migrated from your current DirSync to your new Azure AD Connect installation.
Once your settings have been successfully exported, you can exit the Azure AD Connect wizard on the DirSync
server. Continue with the next step to install Azure AD Connect on a separate server.
Install Azure AD Connect on separate server
When you install Azure AD Connect on a new server, the assumption is that you want to perform a clean install of
Azure AD Connect. Since you want to use the DirSync configuration, there are some extra steps to take:
1. Run the Azure AD Connect installer (MSI).
2. When you see the Welcome to Azure AD Connect screen, exit the installation wizard by clicking the "X" in
the top right corner of the window.
3. Open a command prompt.
4. From the install location of Azure AD Connect (Default: C:\Program Files\Microsoft Azure Active Directory
Connect) execute the following command: AzureADConnect.exe /migrate . The Azure AD Connect installation
wizard starts and presents you with the following screen:
5. Select the settings file that exported from your DirSync installation.
6. Configure any advanced options including:
A custom installation location for Azure AD Connect.
An existing instance of SQL Server (Default: Azure AD Connect installs SQL Server 2012 Express). Do
not use the same database instance as your DirSync server.
A service account used to connect to SQL Server (If your SQL Server database is remote then this
account must be a domain service account). These options can be seen on this screen:
7. Click Next .
8. On the Ready to configure page, leave the Star t the synchronization process as soon as the
configuration completes checked. The server is now in staging mode so changes are not exported to Azure
AD.
9. Click Install .
10. After the installation has completed, sign out and sign in again to Windows before you use Synchronization
Service Manager, Synchronization Rule Editor, or try to make any other configuration changes.
NOTE
Synchronization between Windows Server Active Directory and Azure Active Directory begins, but no changes are
exported to Azure AD. Only one synchronization tool can be actively exporting changes at a time. This state is called
staging mode.
Review the result from these operations and ensure there are no errors.
If you want to see and inspect the changes that are about to be exported to Azure AD, then read how to verify the
configuration under staging mode. Make required configuration changes until you do not see anything
unexpected.
You are ready to switch from DirSync to Azure AD when you have completed these steps and are happy with the
result.
Uninstall DirSync (old server)
In Programs and features find Windows Azure Active Director y sync tool
Uninstall Windows Azure Active Director y sync tool
The uninstallation might take up to 15 minutes to complete.
If you prefer to uninstall DirSync later, you can also temporarily shut down the server or disable the service. If
something goes wrong, this method allows you to re-enable it. However, it is not expected that the next step will
fail so this should not be needed.
With DirSync uninstalled or disabled, there is no active server exporting to Azure AD. The next step to enable
Azure AD Connect must be completed before any changes in your on-premises Active Directory will continue to
be synchronized to Azure AD.
Enable Azure AD Connect (new server)
After installation, reopening Azure AD connect will allow you to make additional configuration changes. Start
Azure AD Connect from the start menu or from the shortcut on the desktop. Make sure you do not try to run
the installation MSI again.
You should see the following:
Next steps
Now that you have Azure AD Connect installed you can verify the installation and assign licenses.
Learn more about these new features, which were enabled with the installation: Automatic upgrade, Prevent
accidental deletes, and Azure AD Connect Health.
Learn more about these common topics: scheduler and how to trigger sync.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Install Azure AD Connect using an existing ADSync
database
9/7/2020 • 8 minutes to read • Edit Online
Azure AD Connect requires a SQL Server database to store data. You can either use the default SQL Server 2012
Express LocalDB installed with Azure AD Connect or use your own full version of SQL. Previously, when you
installed Azure AD Connect, a new database named ADSync was always created. With Azure AD Connect version
1.1.613.0 (or after), you have the option to install Azure AD Connect by pointing it to an existing ADSync database.
Prerequisite information
Important notes to take note of before you proceed:
Make sure to review the pre-requisites for installing Azure AD Connect at Hardware and prerequisites, and
account and permissions required for installing Azure AD Connect. The permissions required for installing
Azure AD Connect using “use existing database” mode is the same as “custom” installation.
Deploying Azure AD Connect against an existing ADSync database is only supported with full SQL. It is not
supported with SQL Express LocalDB. If you have an existing ADSync database in LocalDB that you wish to use,
you must first backup the ADSync database (LocalDB) and restore it to full SQL. After which, you can deploy
Azure AD Connect against the restored database using this method.
The version of the Azure AD Connect used for installation must satisfy the following criteria:
1.1.613.0 or above, AND
Same or higher than the version of the Azure AD Connect last used with the ADSync database. If the
Azure AD Connect version used for installation is higher than the version last used with the ADSync
database, then a full sync may be required. Full sync is required if there are schema or sync rule changes
between the two versions.
The ADSync database used should contain a synchronization state that is relatively recent. The last
synchronization activity with the existing ADSync database should be within the last three weeks.
When installing Azure AD Connect using “use existing database” method, sign-in method configured on the
previous Azure AD Connect server is not preserved. Further, you cannot configure sign-in method during
installation. You can only configure sign-in method after installation is complete.
You cannot have multiple Azure AD Connect servers share the same ADSync database. The “use existing
database” method allows you to reuse an existing ADSync database with a new Azure AD Connect server. It
does not support sharing.
3. Start a new command prompt or PowerShell session. Navigate to folder "C:\Program Files\Microsoft Azure
Active Directory Connect". Run command .\AzureADConnect.exe /useexistingdatabase to start the Azure AD
Connect wizard in “Use existing database” setup mode.
NOTE
Use the switch /UseExistingDatabase only when the database already contains data from an earlier Azure AD Connect
installation. For instance, when you are moving from a local database to a full SQL Server database or when the Azure AD
Connect server was rebuilt and you restored a SQL backup of the ADSync database from an earlier installation of Azure AD
Connect. If the database is empty, that is, it doesn't contain any data from a previous Azure AD Connect installation, skip
this step.
1. You are greeted with the Welcome to Azure AD Connect screen. Once you agree to the license terms and
privacy notice, click Continue .
2. On the Install required components screen, the Use an existing SQL Ser ver option is enabled.
Specify the name of the SQL server that is hosting the ADSync database. If the SQL engine instance used to
host the ADSync database is not the default instance on the SQL server, you must specify the SQL engine
instance name. Further, if SQL browsing is not enabled, you must also specify the SQL engine instance port
number. For example:
3. On the Connect to Azure AD screen, you must provide the credentials of a global admin of your Azure
AD directory. The recommendation is to use an account in the default onmicrosoft.com domain. This
account is only used to create a service account in Azure AD and is not used after the wizard has completed.
4. On the Connect your directories screen, the existing AD forest configured for directory synchronization
is listed with a red cross icon beside it. To synchronize changes from an on-premises AD forest, an AD DS
account is required. The Azure AD Connect wizard is unable to retrieve the credentials of the AD DS account
stored in the ADSync database because the credentials are encrypted and can only be decrypted by the
previous Azure AD Connect server. Click Change Credentials to specify the AD DS account for the AD
forest.
5. In the pop-up dialog, you can either (i) provide an Enterprise Admin credential and let Azure AD Connect
create the AD DS account for you, or (ii) create the AD DS account yourself and provide its credential to
Azure AD Connect. Once you have selected an option and provide the necessary credentials, click OK to
close the pop-up dialog.
6. Once the credentials are provided, the red cross icon is replaced with a green tick icon. Click Next .
7. On the Ready to configure screen, click Install .
8. Once installation completes, the Azure AD Connect server is automatically enabled for Staging Mode. It is
recommended that you review the server configuration and pending exports for unexpected changes
before disabling Staging Mode.
F EAT URE ST EP S
Password Hash Synchronization the Password Hash Synchronization and Password writeback
settings are fully restored for versions of Azure AD Connect
starting with 1.2.65.0. If restoring using an older version of
Azure AD Connect, review the synchronization option settings
for these features to ensure they match your active
synchronization server. No other configuration steps should
be necessary.
Pass-through authentication and Desktop Single Sign-On Update the sign in method to match the configuration on
your active synchronization server. If this is not followed
before promoting the server to primary, pass-through
authentication along with Seamless Single Sign on will be
disabled and your tenant might be locked out if you don’t
have password hash sync as back-up sign in option. Also note
that when you enable pass-through authentication in staging
mode, a new authentication agent will be installed, registered
and will run as a high-availability agent which will accept sign
in requests.
Federation with PingFederate Azure authentications will continue to use the PingFederate
policy configured for your active synchronization server. You
may optionally change the sign-in method to PingFederate in
preparation for your standby server becoming the active
synchronization instance. This step may be deferred until you
need to federate additional domains with PingFederate.
Next steps
Now that you have Azure AD Connect installed you can verify the installation and assign licenses.
Learn more about these features, which were enabled with the installation: Prevent accidental deletes and
Azure AD Connect Health.
Learn more about these common topics: scheduler and how to trigger sync.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Install Azure AD Connect using SQL delegated
administrator permissions
9/7/2020 • 2 minutes to read • Edit Online
Prior to the latest Azure AD Connect build, administrative delegation, when deploying configurations that required
SQL, was not supported. Users who wanted to install Azure AD Connect needed to have server administrator (SA)
permissions on the SQL server.
With the latest release of Azure AD Connect, provisioning the database can now be performed out of band by the
SQL administrator and then installed by the Azure AD Connect administrator with database owner rights.
RO L E DESC RIP T IO N
Domain or Forest AD administrator Creates the domain level service account that is used by
Azure AD Connect to run the sync service. For more
information on service accounts, see Accounts and
permissions.
SQL administrator Creates the ADSync database and grants login + dbo access
to the Azure AD Connect administrator and the service
account created by the domain/forest admin.
Azure AD Connect administrator Installs Azure AD Connect and specifies the service account
during custom installation.
NOTE
Although it is not required, it is highly recommended that the Latin1_General_CI_AS collation is selected when creating
the database.
1. Have the SQL Administrator create the ADSync database with a case insensitive collation sequence
(Latin1_General_CI_AS) . The database must be named ADSync . The recovery model, compatibility level,
and containment type are updated to the correct values when Azure AD Connect is installed. However the
collation sequence must be set correctly by the SQL administrator otherwise Azure AD Connect will block
the installation. To recover the SA must delete and recreate the database.
2. Grant the Azure AD Connect administrator and the domain service account the following permissions:
SQL Login
database owner(dbo) rights.
NOTE
Azure AD Connect does not support logins with a nested membership. This means your Azure AD Connect
administrator account and domain service account must be linked to a login that is granted dbo rights. It cannot
simply be the member of a group that is assigned to a login with dbo rights.
3. Send an email to the Azure AD Connect administrator indicating the SQL server and instance name that
should be used when installing Azure AD Connect.
Additional information
Once the database is provisioned, the Azure AD Connect administrator can install and configure on-premises
synchronization at their convenience.
In case the SQL Administrator has restored ADSync database from a previous Azure AD Connect backup, you will
need to install the new Azure AD Connect server by using an existing database. For more information on installing
Azure AD Connect with an existing database, see Install Azure AD Connect using an existing ADSync database.
Next steps
Getting started with Azure AD Connect using express settings
Custom installation of Azure AD Connect
Install Azure AD Connect using an existing ADSync database
Azure Active Directory Pass-through Authentication:
Upgrade preview Authentication Agents
9/7/2020 • 4 minutes to read • Edit Online
Overview
This article is for customers using Azure AD Pass-through Authentication through preview. We recently upgraded
(and rebranded) the Authentication Agent software. You need to manually upgrade preview Authentication Agents
installed on your on-premises servers. This manual upgrade is a one-time action only. All future updates to
Authentication Agents are automatic. The reasons to upgrade are as follows:
The preview versions of Authentication Agents will not receive any further security or bug fixes.
The preview versions of Authentication Agents can't be installed on additional servers, for high availability.
NOTE
If you check the Pass-through Authentication blade on the Azure Active Directory admin center after completing the
preceding steps, you'll see two Authentication Agent entries per server - one entry showing the Authentication Agent as
Active and the other as Inactive . This is expected. The Inactive entry is automatically dropped after a few days.
NOTE
If you check the Pass-through Authentication blade on the Azure Active Directory admin center after completing the
preceding steps, you'll see two Authentication Agent entries per server - one entry showing the Authentication Agent as
Active and the other as Inactive . This is expected. The Inactive entry is automatically dropped after a few days.
Next steps
Troubleshoot - Learn how to resolve common issues with the feature.
Move Azure AD Connect database from SQL Server
Express to SQL Server
9/7/2020 • 3 minutes to read • Edit Online
This document describes how to move the Azure AD Connect database from the local SQL Server Express server to
a remote SQL Server. You can use the following procedures below to accomplish this task.
8. Once the database is attached, go back to the Azure AD Connect server and install Azure AD Connect.
9. Once the MSI installation completes, the Azure AD Connect wizard starts with the Express mode setup. Close
the screen by clicking the Exit icon.
10. Start a new command prompt or PowerShell session. Navigate to folder <drive>\program files\Microsoft
Azure AD Connect. Run command .\AzureADConnect.exe /useexistingdatabase to start the Azure AD
Connect wizard in “Use existing database” setup mode.
11. You are greeted with the Welcome to Azure AD Connect screen. Once you agree to the license terms and
privacy notice, click Continue .
12. On the Install required components screen, the Use an existing SQL Ser ver option is enabled. Specify
the name of the SQL server that is hosting the ADSync database. If the SQL engine instance used to host the
ADSync database is not the default instance on the SQL server, you must specify the SQL engine instance
name. Further, if SQL browsing is not enabled, you must also specify the SQL engine instance port number.
For example:
13. On the Connect to Azure AD screen, you must provide the credentials of a global admin of your Azure AD
directory. The recommendation is to use an account in the default onmicrosoft.com domain. This account is
only used to create a service account in Azure AD and is not used after the wizard has completed.
14. On the Connect your directories screen, the existing AD forest configured for directory synchronization is
listed with a red cross icon beside it. To synchronize changes from an on-premises AD forest, an AD DS
account is required. The Azure AD Connect wizard is unable to retrieve the credentials of the AD DS account
stored in the ADSync database because the credentials are encrypted and can only be decrypted by the
previous Azure AD Connect server. Click Change Credentials to specify the AD DS account for the AD
forest.
15. In the pop-up dialog, you can either (i) provide an Enterprise Admin credential and let Azure AD Connect
create the AD DS account for you, or (ii) create the AD DS account yourself and provide its credential to
Azure AD Connect. Once you have selected an option and provide the necessary credentials, click OK to
close the pop-up dialog.
16. Once the credentials are provided, the red cross icon is replaced with a green tick icon. Click Next .
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Install Azure AD Connect using an existing ADSync database
Install Azure AD Connect using SQL delegated administrator permissions
Azure AD Connect: When you have an existing
tenant
9/7/2020 • 4 minutes to read • Edit Online
Most of the topics for how to use Azure AD Connect assumes you start with a new Azure AD tenant and that there
are no users or other objects there. But if you have started with an Azure AD tenant, populated it with users and
other objects, and now want to use Connect, then this topic is for you.
The basics
An object in Azure AD is either mastered in the cloud (Azure AD) or on-premises. For one single object, you cannot
manage some attributes on-premises and some other attributes in Azure AD. Each object has a flag indicating
where the object is managed.
You can manage some users on-premises and other in the cloud. A common scenario for this configuration is an
organization with a mix of accounting workers and sales workers. The accounting workers have an on-premises AD
account, but the sales workers do not, they have an account in Azure AD. You would manage some users on-
premises and some in Azure AD.
If you started to manage users in Azure AD that are also in on-premises AD and later want to use Connect, then
there are some additional concerns you need to consider.
WARNING
Since all attributes in Azure AD are going to be overwritten by the on-premises value, make sure you have good data on-
premises. For example, if you only have managed email address in Office 365 and not kept it updated in on-premises AD DS,
then you lose any values in Azure AD/Office 365 not present in AD DS.
IMPORTANT
If you use password sync, which is always used by express settings, then the password in Azure AD is overwritten with the
password in on-premises AD. If your users are used to manage different passwords, then you need to inform them that they
should use the on-premises password when you have installed Connect.
The previous section and warning must be considered in your planning. If you have made many changes in Azure
AD not reflected in on-premises AD DS, then you need to plan for how to populate AD DS with the updated values
before you sync your objects with Azure AD Connect.
If you matched your objects with a soft-match, then the sourceAnchor is added to the object in Azure AD so a
hard match can be used later.
IMPORTANT
Microsoft strongly recommends against synchronizing on-premises accounts with pre-existing administrative accounts in
Azure Active Directory.
Hard-match vs Soft-match
For a new installation of Connect, there is no practical difference between a soft- and a hard-match. The difference
is in a disaster recovery situation. If you have lost your server with Azure AD Connect, you can reinstall a new
instance without losing any data. An object with a sourceAnchor is sent to Connect during initial install. The match
can then be evaluated by the client (Azure AD Connect), which is a lot faster than doing the same in Azure AD. A
hard match is evaluated both by Connect and by Azure AD. A soft match is only evaluated by Azure AD.
Other objects than users
For mail-enabled groups and contacts, you can soft-match based on proxyAddresses. Hard-match is not applicable
since you can only update the sourceAnchor/immutableID (using PowerShell) on Users only. For groups that aren't
mail-enabled, there is currently no support for soft-match or hard-match.
Admin role considerations
To prevent untrusted on-premises users from matching with a cloud user that has any admin role, Azure AD
Connect will not match on-premises user objects with objects that have an admin role. This is by default. To
workaround this behavior you can do the following:
1. Remove the directory roles from the cloud-only user object.
2. If there was a failed user sync attempt, hard delete the Quarantined object in the cloud.
3. Trigger a sync.
4. Optionally add the directory roles back to the user object in cloud once the matching has occurred.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Next steps and how to manage Azure AD Connect
9/7/2020 • 2 minutes to read • Edit Online
Use the operational procedures in this article to customize Azure Active Directory (Azure AD) Connect to meet
your organization's needs and requirements.
Privacy Settings View what telemetry data is being shared with Microsoft.
View current configuration View your current Azure AD Connect solution. This includes
general settings, synchronized directories, and sync settings.
Customize synchronization options Change the current configuration like adding additional
Active Directory forests to the configuration, or enabling sync
options such as user, group, device, or password write-back.
Refresh director y schema Allows you to add new on-premises directory objects for
synchronization
Configure Staging Mode Stage information that is not immediately synchronized and is
not exported to Azure AD or on-premises Active Directory.
With this feature, you can preview the synchronizations
before they occur.
Change user sign-in Change the authentication method users are using to sign-in
Next steps
Learn more about integrating your on-premises identities with Azure Active Directory.
Azure AD Connect: Design concepts
9/7/2020 • 12 minutes to read • Edit Online
The purpose of this document is to describe areas that must be thought through during the implementation
design of Azure AD Connect. This document is a deep dive on certain areas and these concepts are briefly
described in other documents as well.
sourceAnchor
The sourceAnchor attribute is defined as an attribute immutable during the lifetime of an object. It uniquely
identifies an object as being the same object on-premises and in Azure AD. The attribute is also called
immutableId and the two names are used interchangeable.
The word immutable, that is "cannot be changed", is important to this document. Since this attribute’s value
cannot be changed after it has been set, it is important to pick a design that supports your scenario.
The attribute is used for the following scenarios:
When a new sync engine server is built, or rebuilt after a disaster recovery scenario, this attribute links existing
objects in Azure AD with objects on-premises.
If you move from a cloud-only identity to a synchronized identity model, then this attribute allows objects to
"hard match" existing objects in Azure AD with on-premises objects.
If you use federation, then this attribute together with the userPrincipalName is used in the claim to uniquely
identify a user.
This topic only talks about sourceAnchor as it relates to users. The same rules apply to all object types, but it is
only for users this problem usually is a concern.
Selecting a good sourceAnchor attribute
The attribute value must follow the following rules:
Fewer than 60 characters in length
Characters not being a-z, A-Z, or 0-9 are encoded and counted as 3 characters
Not contain a special character: \ ! # $ % & * + / = ? ^ ` { } | ~ < > ( ) ' ; : , [ ] " @ _
Must be globally unique
Must be either a string, integer, or binary
Should not be based on user's name because these can change
Should not be case-sensitive and avoid values that may vary by case
Should be assigned when the object is created
If the selected sourceAnchor is not of type string, then Azure AD Connect Base64Encode the attribute value to
ensure no special characters appear. If you use another federation server than ADFS, make sure your server can
also Base64Encode the attribute.
The sourceAnchor attribute is case-sensitive. A value of “JohnDoe” is not the same as “johndoe”. But you should
not have two different objects with only a difference in case.
If you have a single forest on-premises, then the attribute you should use is objectGUID . This is also the attribute
used when you use express settings in Azure AD Connect and also the attribute used by DirSync.
If you have multiple forests and do not move users between forests and domains, then objectGUID is a good
attribute to use even in this case.
If you move users between forests and domains, then you must find an attribute that does not change or can be
moved with the users during the move. A recommended approach is to introduce a synthetic attribute. An
attribute that could hold something that looks like a GUID would be suitable. During object creation, a new GUID is
created and stamped on the user. A custom sync rule can be created in the sync engine server to create this value
based on the objectGUID and update the selected attribute in ADDS. When you move the object, make sure to
also copy the content of this value.
Another solution is to pick an existing attribute you know does not change. Commonly used attributes include
employeeID . If you consider an attribute that contains letters, make sure there is no chance the case (upper case
vs. lower case) can change for the attribute's value. Bad attributes that should not be used include those attributes
with the name of the user. In a marriage or divorce, the name is expected to change, which is not allowed for this
attribute. This is also one reason why attributes such as userPrincipalName , mail , and targetAddress are not
even possible to select in the Azure AD Connect installation wizard. Those attributes also contain the "@" character,
which is not allowed in the sourceAnchor.
Changing the sourceAnchor attribute
The sourceAnchor attribute value cannot be changed after the object has been created in Azure AD and the
identity is synchronized.
For this reason, the following restrictions apply to Azure AD Connect:
The sourceAnchor attribute can only be set during initial installation. If you rerun the installation wizard, this
option is read-only. If you need to change this setting, then you must uninstall and reinstall.
If you install another Azure AD Connect server, then you must select the same sourceAnchor attribute as
previously used. If you have earlier been using DirSync and move to Azure AD Connect, then you must use
objectGUID since that is the attribute used by DirSync.
If the value for sourceAnchor is changed after the object has been exported to Azure AD, then Azure AD
Connect sync throws an error and does not allow any more changes on that object before the issue has been
fixed and the sourceAnchor is changed back in the source directory.
Permission required
For this feature to work, the AD DS account used to synchronize with on-premises Active Directory must be
granted write permission to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory.
How to enable the ConsistencyGuid feature - New installation
You can enable the use of ConsistencyGuid as sourceAnchor during new installation. This section covers both
Express and Custom installation in details.
NOTE
Only newer versions of Azure AD Connect (1.1.524.0 and after) support the use of ConsistencyGuid as sourceAnchor during
new installation.
NOTE
Only newer versions of Azure AD Connect (1.1.524.0 and after) store information in your Azure AD tenant about the
sourceAnchor attribute used during installation. Older versions of Azure AD Connect do not.
If information about the sourceAnchor attribute used isn't available, the wizard checks the state of the ms-
DS-ConsistencyGuid attribute in your on-premises Active Directory. If the attribute isn't configured on any
object in the directory, the wizard uses the ms-DS-ConsistencyGuid as the sourceAnchor attribute. If the
attribute is configured on one or more objects in the directory, the wizard concludes the attribute is being
used by other applications and is not suitable as sourceAnchor attribute...
In which case, the wizard falls back to using objectGUID as the sourceAnchor attribute.
Once the sourceAnchor attribute is decided, the wizard stores the information in your Azure AD tenant. The
information will be used by future installation of Azure AD Connect.
Once Express installation completes, the wizard informs you which attribute has been picked as the Source Anchor
attribute.
Custom installation
When installing Azure AD Connect with Custom mode, the Azure AD Connect wizard provides two options when
configuring sourceAnchor attribute:
Let Azure manage the source anchor for me Select this option if you want Azure AD to pick the attribute
for you. If you select this option, Azure AD Connect wizard
applies the same sourceAnchor attribute selection logic used
during Express installation. Similar to Express installation, the
wizard informs you which attribute has been picked as the
Source Anchor attribute after Custom installation completes.
NOTE
Only newer versions of Azure AD Connect (1.1.552.0 and after) support switching from ObjectGuid to ConsistencyGuid as
the Source Anchor attribute.
6. Once the configuration completes, the wizard indicates that ms-DS-ConsistencyGuid is now being used as
the Source Anchor attribute.
During the analysis (step 4), if the attribute is configured on one or more objects in the directory, the wizard
concludes the attribute is being used by another application and returns an error as illustrated in the diagram
below. This error can also occur if you have previously enabled the ConsistencyGuid feature on your primary
Azure AD Connect server and you are trying to do the same on your staging server.
If you are certain that the attribute isn't used by other existing applications, you can suppress the error by
restarting the Azure AD Connect wizard with the /SkipLdapSearch switch specified. To do so, run the following
command in command prompt:
"c:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe" /SkipLdapSearch
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Topologies for Azure AD Connect
9/7/2020 • 10 minutes to read • Edit Online
This article describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD
Connect sync as the key integration solution. This article includes both supported and unsupported
configurations.
Here's the legend for pictures in the article:
DESC RIP T IO N SY M B O L
Azure AD
Unsupported scenario
IMPORTANT
Microsoft doesn't support modifying or operating Azure AD Connect sync outside of the configurations or actions that are
formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Azure
AD Connect sync. As a result, Microsoft can't provide technical support for such deployments.
The most common topology is a single on-premises forest, with one or multiple domains, and a single Azure AD
tenant. For Azure AD authentication, password hash synchronization is used. The express installation of Azure AD
Connect supports only this topology.
Single forest, multiple sync servers to one Azure AD tenant
Having multiple Azure AD Connect sync servers connected to the same Azure AD tenant is not supported, except
for a staging server. It's unsupported even if these servers are configured to synchronize with a mutually
exclusive set of objects. You might have considered this topology if you can't reach all domains in the forest from
a single server, or if you want to distribute load across several servers.
Many organizations have environments with multiple on-premises Active Directory forests. There are various
reasons for having more than one on-premises Active Directory forest. Typical examples are designs with
account-resource forests and the result of a merger or acquisition.
When you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server. The
server must be joined to a domain. If necessary to reach all forests, you can place the server in a perimeter
network (also known as DMZ, demilitarized zone, and screened subnet).
The Azure AD Connect installation wizard offers several options to consolidate users who are represented in
multiple forests. The goal is that a user is represented only once in Azure AD. There are some common topologies
that you can configure in the custom installation path in the installation wizard. On the Uniquely identifying
your users page, select the corresponding option that represents your topology. The consolidation is configured
only for users. Duplicated groups are not consolidated with the default configuration.
Common topologies are discussed in the sections about separate topologies, full mesh, and the account-resource
topology.
The default configuration in Azure AD Connect sync assumes:
Each user has only one enabled account, and the forest where this account is located is used to authenticate
the user. This assumption is for password hash sync, pass-through authentication and federation.
UserPrincipalName and sourceAnchor/immutableID come from this forest.
Each user has only one mailbox.
The forest that hosts the mailbox for a user has the best data quality for attributes visible in the Exchange
Global Address List (GAL). If there's no mailbox for the user, any forest can be used to contribute these attribute
values.
If you have a linked mailbox, there's also an account in a different forest used for sign-in.
If your environment does not match these assumptions, the following things happen:
If you have more than one active account or more than one mailbox, the sync engine picks one and ignores
the other.
A linked mailbox with no other active account is not exported to Azure AD. The user account is not represented
as a member in any group. A linked mailbox in DirSync is always represented as a normal mailbox. This
change is intentionally a different behavior to better support multiple-forest scenarios.
You can find more details in Understanding the default configuration.
Multiple forests, multiple sync servers to one Azure AD tenant
Having more than one Azure AD Connect sync server connected to a single Azure AD tenant is not supported. The
exception is the use of a staging server.
This topology differs from the one below in that multiple sync ser vers connected to a single Azure AD tenant is
not supported.
Multiple forests, single sync server, users are represented in only one directory
In this environment, all on-premises forests are treated as separate entities. No user is present in any other forest.
Each forest has its own Exchange organization, and there's no GALSync between the forests. This topology might
be the situation after a merger/acquisition or in an organization where each business unit operates
independently. These forests are in the same organization in Azure AD and appear with a unified GAL. In the
preceding picture, each object in every forest is represented once in the metaverse and aggregated in the target
Azure AD tenant.
Multiple forests: match users
Common to all these scenarios is that distribution and security groups can contain a mix of users, contacts, and
Foreign Security Principals (FSPs). FSPs are used in Active Directory Domain Services (AD DS) to represent
members from other forests in a security group. All FSPs are resolved to the real object in Azure AD.
Multiple forests: full mesh with optional GALSync
A full mesh topology allows users and resources to be located in any forest. Commonly, there are two-way trusts
between the forests.
If Exchange is present in more than one forest, there might be (optionally) an on-premises GALSync solution.
Every user is then represented as a contact in all other forests. GALSync is commonly implemented through FIM
2010 or MIM 2016. Azure AD Connect cannot be used for on-premises GALSync.
In this scenario, identity objects are joined via the mail attribute. A user who has a mailbox in one forest is joined
with the contacts in the other forests.
Multiple forests: account-resource forest
In an account-resource forest topology, you have one or more account forests with active user accounts. You also
have one or more resource forests with disabled accounts.
In this scenario, one (or more) resource forest trusts all account forests. The resource forest typically has an
extended Active Directory schema with Exchange and Lync. All Exchange and Lync services, along with other
shared services, are located in this forest. Users have a disabled user account in this forest, and the mailbox is
linked to the account forest.
W O RK LO A D REST RIC T IO N S
Skype for Business When you're using multiple on-premises forests, only the
account-resource forest topology is supported. For more
information, see Environmental requirements for Skype for
Business Server 2015.
If you are a larger organization, then you should consider to use the Office 365 PreferredDataLocation feature. It
allows you to define in which datacenter region the user's resources are located.
Staging server
Azure AD Connect supports installing a second server in staging mode. A server in this mode reads data from all
connected directories but does not write anything to connected directories. It uses the normal synchronization
cycle and therefore has an updated copy of the identity data.
In a disaster where the primary server fails, you can fail over to the staging server. You do this in the Azure AD
Connect wizard. This second server can be located in a different datacenter because no infrastructure is shared
with the primary server. You must manually copy any configuration change made on the primary server to the
second server.
You can use a staging server to test a new custom configuration and the effect that it has on your data. You can
preview the changes and adjust the configuration. When you're happy with the new configuration, you can make
the staging server the active server and set the old active server to staging mode.
You can also use this method to replace the active sync server. Prepare the new server and set it to staging mode.
Make sure it's in a good state, disable staging mode (making it active), and shut down the currently active server.
It's possible to have more than one staging server when you want to have multiple backups in different
datacenters.
In this topology, one Azure AD Connect sync server is connected to each Azure AD tenant. The Azure AD Connect
sync servers must be configured for filtering so that each has a mutually exclusive set of objects to operate on.
You can, for example, scope each server to a particular domain or organizational unit.
A DNS domain can be registered in only a single Azure AD tenant. The UPNs of the users in the on-premises
Active Directory instance must also use separate namespaces. For example, in the preceding picture, three
separate UPN suffixes are registered in the on-premises Active Directory instance: contoso.com, fabrikam.com,
and wingtiptoys.com. The users in each on-premises Active Directory domain use a different namespace.
NOTE
Global Address List Synchronization (GalSync) is not done automatically in this topology and requires an additional custom
MIM implementation to ensure each tenant has a complete Global Address List (GAL) in Exchange Online and Skype for
Business Online.
You can use FIM 2010 or MIM 2016 on-premises to sync users (via GALSync) between two Exchange
organizations. The users in one organization appear as foreign users/contacts in the other organization. These
different on-premises Active Directory instances can then be synchronized with their own Azure AD tenants.
Using unauthorized clients to access the Azure AD Connect backend
The Azure Active Directory Connect server communicates with Azure Active Directory through the Azure Active
Directory Connect backend. The only software that can be used to communicate with this backend is Azure Active
Directory Connect. It is not supported to communicate with the Azure Active Directory Connect backend using
any other software or method.
Next steps
To learn how to install Azure AD Connect for these scenarios, see Custom installation of Azure AD Connect.
Learn more about the Azure AD Connect sync configuration.
Learn more about integrating your on-premises identities with Azure Active Directory.
Factors influencing the performance of Azure AD
Connect
9/7/2020 • 11 minutes to read • Edit Online
Azure AD Connect syncs your Active Directory to Azure AD. This server is a critical component of moving your user
identities to the cloud. The primary factors that affect the performance of an Azure AD Connect are:
DESIGN FA C TO R DEF IN IT IO N
Scale The number of objects like the users, groups, and OUs, to be
managed by Azure AD Connect.
The purpose of this document is to describe the factors influencing the performance of the Azure AD Connect
provisioning engine. Large or complex organizations (organizations provisioning more than 100,000 objects) can
use the recommendations to optimize their Azure AD Connect implementation, if they experience any performance
issues outlined here. The other components of Azure AD Connect, such as Azure AD Connect health and agents
aren't covered here.
IMPORTANT
Microsoft doesn't support modifying or operating Azure AD Connect outside of the actions that are formally documented.
Any of these actions might result in an inconsistent or unsupported state of Azure AD Connect sync. As a result, Microsoft
can't provide technical support for such deployments.
NOTE
Careful planning is required when doing bulk updates to many objects in your Active Directory or Azure AD. Bulk updates will
cause the delta sync process to take longer when importing, since a lot of objects have changed. Long imports can happen
even if the bulk update doesn't influence the sync process. For example, assigning licenses to many users in Azure AD will
cause a long import cycle from Azure AD, but will not result in any attribute changes in Active Directory.
Synchronization
The sync process runtime has the following performance characteristics:
Sync is single threaded, meaning the provisioning engine doesn't do any parallel processing of run profiles of
connected directories, objects, or attributes.
Import time grows linearly with the number of objects being synced. For example, if 10,000 objects take 10
minutes to import, then 20,000 objects will take approximately 20 minutes on the same server.
Export is also linear.
The sync will grow exponentially based on the number of objects with references to other objects. Group
memberships and nested groups have the main performance impact, because their members refer to user
objects or other groups. These references must be found and referenced to actual objects in the MV to complete
the sync cycle.
Filtering
The size of the Active Directory topology you want to import is the number one factor influencing the performance
and overall time the internal components of the provisioning engine will take.
Filtering should be used to reduce the objects to the synced. It will prevent unnecessary objects from being
processed and exported to Azure AD. In order of preference, the following techniques of filtering are available:
Domain-based filtering – use this option to select specific domains to sync to Azure AD. You must add and
remove domains from the sync engine configuration when you make changes to your on-premises
infrastructure after you install Azure AD Connect sync.
Organization Unit (OU) filtering - uses OUs to target specific objects in Active Directory domains for
provisioning to Azure AD. OU filtering is the second recommended filtering mechanism, because it uses simple
LDAP scope queries to import a smaller subset of objects from Active Directory.
Attribute filtering per object - uses the attribute values on objects to decide whether specific object in Active
Directory is provisioned in Azure AD. Attribute filtering is great for fine-tuning your filters, when domain and OU
filtering doesn't meet the specific filtering requirements. Attribute filtering doesn't reduce the import time but
can reduce sync and export times.
Group-based filtering - uses group membership to decide whether objects should be provisioned in Azure
AD. Group-based filtering is only suited for testing situations and not recommended for production, because of
the extra overhead required to check group membership during the sync cycle.
Many persistent disconnector objects in your Active Directory CS can cause longer sync times, because the
provisioning engine must reevaluate each disconnector object for possible connection in the sync cycle. To
overcome this issue, consider one of the following recommendations:
Place the disconnector objects out of scope for import using domain or OU filtering.
Project/join the objects to the MV and set the cloudFiltered attribute equal to True, to prevent provisioning of
these objects in the Azure AD CS.
NOTE
Users can get confused or application permissions issues can occur, when too many objects are filtered. For example, in a
hybrid Exchange online implementation, users with on-premises mailboxes will see more users in their global address list than
users with mailboxes in Exchange online. In other cases, a user may want to grant access in a cloud app to another user which
is not part of the scope of the filtered set of objects.
Attribute flows
Attribute flows is the process for copying or transforming the attribute values of objects from one connected
directory to another connected directory. They're defined as part of the sync rules. For example, when the
telephone number of a user is changed in your Active Directory, the telephone number in Azure AD will be updated.
Organizations can modify the attribute flows to suite various requirements. It's recommended you copy the existing
attribute flows before changing them.
Simple redirects, like flowing an attribute value to a different attribute doesn't have material performance impact.
An example of a redirect is flowing a mobile number in Active Directory to the office phone number in Azure AD.
Transforming attribute values can have a performance impact on the sync process. Transforming attribute values
includes modifying, reformatting, concatenating, or subtracting values of attributes.
Organizations can prevent certain attributes to flow to Azure AD, but it won't influence the performance of the
provisioning engine.
NOTE
Don’t delete unwanted attribute flows in your sync rules. It is recommended you rather disable them, because deleted rules
are recreated during Azure AD Connect upgrades.
Conclusion
To optimize the performance of your Azure AD Connect implementation, consider the following recommendations:
Use the recommended hardware configuration based on your implementation size for the Azure AD Connect
server.
When upgrading Azure AD Connect in large-scale deployments, consider using swing migration method, to
make sure you have the least downtime and best reliability.
Use SSD for the SQL database for best writing performance.
Filter the Active Directory scope to only include objects that need to be provisioned in Azure AD, using domain,
OU, or attribute filtering.
If you require to change the default attribute flow rules, first copy the rule, then change the copy and disable the
original rule. Remember to rerun a full sync.
Plan adequate time for the initial full sync run profile.
Strive to complete the delta sync cycle in 30 minutes. If the delta sync profile doesn’t complete in 30 minutes,
modify the default sync frequency to include a complete delta sync cycle.
Monitor your Azure AD Connect sync health in Azure AD.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect user sign-in options
9/7/2020 • 12 minutes to read • Edit Online
Azure Active Directory (Azure AD) Connect allows your users to sign in to both cloud and on-premises resources
by using the same passwords. This article describes key concepts for each identity model to help you choose the
identity that you want to use for signing in to Azure AD.
If you’re already familiar with the Azure AD identity model and want to learn more about a specific method, see
the appropriate link:
Password hash synchronization with Seamless Single Sign-on (SSO)
Pass-through authentication with Seamless Single Sign-on (SSO)
Federated SSO (with Active Directory Federation Services (AD FS))
Federation with PingFederate
NOTE
It is important to remember that by configuring federation for Azure AD, you establish trust between your Azure AD tenant
and your federated domains. With this trust federated domain users will have access to Azure AD cloud resources within the
tenant.
Not verified Azure AD Connect found a matching Verify the custom domain in Azure AD.
custom domain in Azure AD, but it isn't
verified. The UPN suffix of the users of
this domain will be changed to the
default .onmicrosoft.com suffix after
synchronization if the domain isn't
verified.
Not added Azure AD Connect didn't find a custom Add and verify a custom domain that
domain that corresponded to the UPN corresponds to the UPN suffix.
suffix. The UPN suffix of the users of
this domain will be changed to the
default .onmicrosoft.com suffix if the
domain isn't added and verified in
Azure.
The Azure AD sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and the
corresponding custom domain in Azure AD with the current verification status. In a custom installation, you can
now select the attribute for the user principal name on the Azure AD sign-in page.
You can click the refresh button to re-fetch the latest status of the custom domains from Azure AD.
Selecting the attribute for the user principal name in Azure AD
The attribute userPrincipalName is the attribute that users use when they sign in to Azure AD and Office 365. You
should verify the domains (also known as UPN suffixes) that are used in Azure AD before the users are
synchronized.
We strongly recommend that you keep the default attribute userPrincipalName. If this attribute is nonroutable
and can't be verified, then it's possible to select another attribute (email, for example) as the attribute that holds
the sign-in ID. This is known as the Alternate ID. The Alternate ID attribute value must follow the RFC 822
standard. You can use an Alternate ID with both password SSO and federation SSO as the sign-in solution.
NOTE
Using an Alternate ID isn't compatible with all Office 365 workloads. For more information, see Configuring Alternate Login
ID.
Different custom domain states and their effect on the Azure sign-in experience
It's very important to understand the relationship between the custom domain states in your Azure AD directory
and the UPN suffixes that are defined on-premises. Let's go through the different possible Azure sign-in
experiences when you're setting up synchronization by using Azure AD Connect.
For the following information, let's assume that we're concerned with the UPN suffix contoso.com, which is used
in the on-premises directory as part of UPN--for example user@contoso.com.
E x p re s s s e t t i n g s /P a s s w o rd h a s h s y n c h ro n i z a t i o n
Not added In this case, no custom domain for contoso.com has been
added in the Azure AD directory. Users who have UPN on-
premises with the suffix @contoso.com won't be able to use
their on-premises UPN to sign in to Azure. They'll instead
have to use a new UPN that's provided to them by Azure AD
by adding the suffix for the default Azure AD directory. For
example, if you're syncing users to the Azure AD directory
azurecontoso.onmicrosoft.com, then the on-premises user
user@contoso.com will be given a UPN of
user@azurecontoso.onmicrosoft.com.
You can't create a federation with the default .onmicrosoft.com domain in Azure AD or an unverified custom
domain in Azure AD. When you're running the Azure AD Connect wizard, if you select an unverified domain to
create a federation with, then Azure AD Connect prompts you with the necessary records to be created where
your DNS is hosted for the domain. For more information, see Verify the Azure AD domain selected for federation.
If you selected the user sign-in option Federation with AD FS , then you must have a custom domain to
continue creating a federation in Azure AD. For our discussion, this means that we should have a custom domain
contoso.com added in the Azure AD directory.
Not added In this case, Azure AD Connect didn't find a matching custom
domain for the UPN suffix contoso.com in the Azure AD
directory. You need to add a custom domain contoso.com if
you need users to sign in by using AD FS with their on-
premises UPN (like user@contoso.com).
Not verified In this case, Azure AD Connect prompts you with appropriate
details on how you can verify your domain at a later stage.
Verified In this case, you can go ahead with the configuration without
any further action.
Next steps
Learn more about integrating your on-premises identities with Azure Active Directory.
Learn more about Azure AD Connect design concepts.
Azure AD UserPrincipalName population
9/7/2020 • 5 minutes to read • Edit Online
This article describes how the UserPrincipalName attribute is populated in Azure Active Directory (Azure AD). The
UserPrincipalName attribute value is the Azure AD username for the user accounts.
UPN terminology
The following terminology is used in this article:
Microsoft Online Email Routing Address (MOERA) Azure AD calculates the MOERA from Azure AD
MailNickName attribute and Azure AD initial domain as
<MailNickName>@<initial domain>.
On-premises mailNickName attribute An attribute in Active Directory, the value of which represents
the alias of a user in an Exchange organization.
On-premises mail attribute An attribute in Active Directory, the value of which represents
the email address of a user
Primary SMTP Address The primary email address of an Exchange recipient object. For
example, SMTP:user@contoso.com.
What is UserPrincipalName?
UserPrincipalName is an attribute that is an Internet-style login name for a user based on the Internet standard RFC
822.
UPN format
A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). The prefix is
joined with the suffix using the "@" symbol. For example, "someone@example.com". A UPN must be unique
among all security principal objects within a directory forest.
UPN in Azure AD
The UPN is used by Azure AD to allow users to sign-in. The UPN that a user can use, depends on whether or not the
domain has been verified. If the domain has been verified, then a user with that suffix will be allowed to sign-in to
Azure AD.
The attribute is synchronized by Azure AD Connect. During installation, you can view the domains that have been
verified and the ones that have not.
Alternate login ID
In some environments, end users may only be aware of their email address and not their UPN. The use of email
address may be due to a corporate policy or an on-premises line-of-business application dependency.
Alternate login ID allows you to configure a sign-in experience where users can sign-in with an attribute other than
their UPN, such as mail.
To enable Alternate login ID with Azure AD, no additional configurations steps are needed when using Azure AD
Connect. Alternate ID can be configured directly from the wizard. See Azure AD sign-in configuration for your users
under the section Sync. Under the User Principal Name drop-down, select the attribute for Alternate login ID.
For more information, see Configure Alternate login ID and Azure AD sign-in configuration
UPN scenarios
The following are example scenarios of how the UPN is calculated based on the given scenario.
Scenario 1: Non-verified UPN suffix – initial synchronization
Next Steps
Integrate your on-premises directories with Azure Active Directory
Custom installation of Azure AD Connect
Azure AD Connect: Special considerations for
instances
5/28/2019 • 2 minutes to read • Edit Online
Azure AD Connect is most commonly used with the world-wide instance of Azure AD and Office 365. But there are
also other instances and these have different requirements for URLs and other special considerations.
URL S TO O P EN IN P RO XY SERVER
*.microsoftonline.de
*.windows.net
When you sign in to your Azure AD tenant, you must use an account in the onmicrosoft.de domain.
Features currently not present in the Microsoft Cloud Germany:
Password writeback is available for preview with Azure AD Connect version 1.1.570.0 and after.
Other Azure AD Premium services are not available.
URL S TO O P EN IN P RO XY SERVER
*.microsoftonline.com
*.microsoftonline.us
*.gov.us.microsoftonline.com
Manual Configuration
The following manual configuration steps are used to ensure Azure AD Connect uses Azure Government
synchronization endpoints.
1. Start the Azure AD Connect installation.
2. When you see the first page where you are supposed to accept the EULA, do not continue but leave the
installation wizard running.
3. Start regedit and change the registry key HKLM\SOFTWARE\Microsoft\Azure AD Connect\AzureInstance to the value
4 .
4. Go back to the Azure AD Connect installation wizard, accept the EULA, and continue. During installation, make
sure to use the custom configuration installation path (and not Express installation), then continue the
installation as usual.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Migrate from federation to password hash
synchronization for Azure Active Directory
9/7/2020 • 23 minutes to read • Edit Online
This article describes how to move your organization domains from Active Directory Federation Services (AD FS)
to password hash synchronization.
NOTE
Changing your authentication method requires planning, testing, and potentially downtime. Staged rollout provides an
alternative way to test and gradually migrate from federation to cloud authentication using password hash synchronization.
If you plan on using staged rollout, you should remember to turn off the staged rollout features once you have finished
cutting over. For more information see Migrate to cloud authentication using staged rollout
IMPORTANT
You might read in outdated documentation, tools, and blogs that user conversion is required when you convert domains
from federated identity to managed identity. Converting users is no longer required. Microsoft is working to update
documentation and tools to reflect this change.
To update Azure AD Connect, complete the steps in Azure AD Connect: Upgrade to the latest version.
Password hash synchronization required permissions
You can configure Azure AD Connect by using express settings or a custom installation. If you used the custom
installation option, the required permissions for password hash synchronization might not be in place.
The Azure AD Connect Active Directory Domain Services (AD DS) service account requires the following
permissions to synchronize password hashes:
Replicate Directory Changes
Replicate Directory Changes All
Now is a good time to verify that these permissions are in place for all domains in the forest.
Plan the migration method
You can choose from two methods to migrate from federated identity management to password hash
synchronization and seamless single sign-on (SSO). The method you use depends on how your AD FS instance was
originally configured.
Azure AD Connect . If you originally configured AD FS by using Azure AD Connect, you must change to
password hash synchronization by using the Azure AD Connect wizard.
Azure AD Connect automatically runs the Set-MsolDomainAuthentication cmdlet when you change the
user sign-in method. Azure AD Connect automatically unfederates all the verified federated domains in your
Azure AD tenant.
NOTE
Currently, if you originally used Azure AD Connect to configure AD FS, you can't avoid unfederating all domains in
your tenant when you change the user sign-in to password hash synchronization.
Azure AD Connect with PowerShell . You can use this method only if you didn't originally configure AD
FS by using Azure AD Connect. For this option, you still must change the user sign-in method via the Azure
AD Connect wizard. The core difference with this option is that the wizard doesn't automatically run the Set-
MsolDomainAuthentication cmdlet. With this option, you have full control over which domains are
converted and in which order.
To understand which method you should use, complete the steps in the following sections.
Verify current user sign-in settings
To verify your current user sign-in settings:
1. Sign in to the Azure AD portal by using a Global Administrator account.
2. In the User sign-in section, verify the following settings:
Federation is set to Enabled .
Seamless single sign-on is set to Disabled .
Pass-through authentication is set to Disabled .
Example:
Verify any settings that might have been customized for your federation design and deployment documentation.
Specifically, look for customizations in PreferredAuthenticationProtocol , Suppor tsMfa , and
PromptLoginBehavior .
For more information, see these articles:
AD FS prompt=login parameter support
Set-MsolDomainAuthentication
NOTE
If Suppor tsMfa is set to True , you're using an on-premises multi-factor authentication solution to inject a second-factor
challenge into the user authentication flow. This setup no longer works for Azure AD authentication scenarios after
converting this domain from federated to managed authentication. After you disable federation, you sever the relationship
to your on-premises federation and this includes on-premises MFA adapters.
Instead, use the Azure Multi-Factor Authentication cloud-based service to perform the same function. Carefully evaluate
your multi-factor authentication requirements before you continue. Before you convert your domains, make sure that you
understand how to use Azure Multi-Factor Authentication, the licensing implications, and the user registration process.
IF T H EN
You plan to keep using AD FS with other applications (other After you convert your domains, you'll use both AD FS and
than Azure AD and Office 365). Azure AD. Consider the user experience. In some scenarios,
users might be required to authenticate twice: once to Azure
AD (where a user gets SSO access to other applications, like
Office 365), and again for any applications that are still bound
to AD FS as a relying party trust.
Your AD FS instance is heavily customized and relies on Before you continue, you must verify that Azure AD can meet
specific customization settings in the onload.js file (for your current customization requirements. For more
example, if you changed the sign-in experience so that users information and for guidance, see the sections on AD FS
use only a SamAccountName format for their username branding and AD FS customization.
instead of a User Principal Name (UPN), or your organization
has heavily branded the sign-in experience). The onload.js file
can't be duplicated in Azure AD.
IF T H EN
You use AD FS to block earlier versions of authentication Consider replacing AD FS controls that block earlier versions
clients. of authentication clients by using a combination of
Conditional Access controls and Exchange Online Client Access
Rules.
You require users to perform multi-factor authentication In a managed identity domain, you can't inject a multi-factor
against an on-premises multi-factor authentication server authentication challenge via the on-premises multi-factor
solution when users authenticate to AD FS. authentication solution into the authentication flow. However,
you can use the Azure Multi-Factor Authentication service for
multi-factor authentication after the domain is converted.
You currently use access control policies (AuthZ rules) in AD FS Consider replacing the policies with the equivalent Azure AD
to control access to Office 365. Conditional Access policies and Exchange Online Client Access
Rules.
Common AD FS customizations
This section describes common AD FS customizations.
InsideCorporateNetwork claim
AD FS issues the InsideCorporateNetwork claim if the user who is authenticating is inside the corporate
network. This claim can then be passed on to Azure AD. The claim is used to bypass multi-factor authentication
based on the user's network location. To learn how to determine whether this functionality currently is enabled in
AD FS, see Trusted IPs for federated users.
The InsideCorporateNetwork claim isn't available after your domains are converted to password hash
synchronization. You can use named locations in Azure AD to replace this functionality.
After you configure named locations, you must update all Conditional Access policies that were configured to
either include or exclude the network All trusted locations or MFA Trusted IPs values to reflect the new named
locations.
For more information about the Location condition in Conditional Access, see Active Directory Conditional Access
locations.
Hybrid Azure AD-joined devices
When you join a device to Azure AD, you can create Conditional Access rules that enforce that devices meet your
access standards for security and compliance. Also, users can sign in to a device by using an organizational work or
school account instead of a personal account. When you use hybrid Azure AD-joined devices, you can join your
Active Directory domain-joined devices to Azure AD. Your federated environment might have been set up to use
this feature.
To ensure that hybrid join continues to work for any devices that are joined to the domain after your domains are
converted to password hash synchronization, for Windows 10 clients, you must use Azure AD Connect device
options to sync Active Directory computer accounts to Azure AD.
For Windows 8 and Windows 7 computer accounts, hybrid join uses seamless SSO to register the computer in
Azure AD. You don't have to sync Windows 8 and Windows 7 computer accounts like you do for Windows 10
devices. However, you must deploy an updated workplacejoin.exe file (via an .msi file) to Windows 8 and Windows
7 clients so they can register themselves by using seamless SSO. Download the .msi file.
For more information, see Configure hybrid Azure AD-joined devices.
Branding
If your organization customized your AD FS sign-in pages to display information that's more pertinent to the
organization, consider making similar customizations to the Azure AD sign-in page.
Although similar customizations are available, some visual changes on sign-in pages should be expected after the
conversion. You might want to provide information about expected changes in your communications to users.
NOTE
Organization branding is available only if you purchase the Premium or Basic license for Azure Active Directory or if you have
an Office 365 license.
IMPORTANT
Don’t shut down your AD FS environment or remove the Office 365 relying party trust until you have verified that all users
can successfully authenticate by using cloud authentication.
IMPORTANT
Making this change doesn't modify the way your users sign in to Azure AD. However, it’s important that you apply this
configuration to all your devices before you proceed. Users who sign in on devices that haven't received this configuration
simply are required to enter a username and password to sign in to Azure AD.
Step 3: Change the sign-in method to password hash synchronization and enable seamless SSO
You have two options for changing the sign-in method to password hash synchronization and enabling seamless
SSO.
Option A: Switch from federation to password hash synchronization by using Azure AD Connect
Use this method if you initially configured your AD FS environment by using Azure AD Connect. You can't use this
method if you didn't originally configure your AD FS environment by using Azure AD Connect.
First, change the sign-in method:
1. On the Azure AD Connect server, open the Azure AD Connect wizard.
2. Select Change user sign-in , and then select Next .
3. On the Connect to Azure AD page, enter the username and password of a Global Administrator account.
4. On the User sign-in page, select the Password hash synchronization button . Make sure to select the
Do not conver t user accounts check box. The option is deprecated. Select Enable single sign-on , and
then select Next .
NOTE
Starting with Azure AD Connect version 1.1.880.0, the Seamless single sign-on check box is selected by default.
IMPORTANT
You can safely ignore the warnings that indicate that user conversion and full password hash synchronization are
required steps for converting from federation to cloud authentication. Note that these steps aren't required anymore.
If you still see these warnings, make sure that you're running the latest version of Azure AD Connect and that you're
using the latest version of this guide. For more information, see the section Update Azure AD Connect.
5. On the Enable single sign-on page, enter the credentials of Domain Administrator account, and then
select Next .
NOTE
Domain Administrator account credentials are required to enable seamless SSO. The process completes the following
actions, which require these elevated permissions. The Domain Administrator account credentials aren't stored in
Azure AD Connect or in Azure AD. The Domain Administrator account credentials are used only to turn on the
feature. The credentials are discarded when the process successfully finishes.
1. A computer account named AZUREADSSOACC (which represents Azure AD) is created in your on-premises Active
Directory instance.
2. The computer account's Kerberos decryption key is securely shared with Azure AD.
3. Two Kerberos service principal names (SPNs) are created to represent two URLs that are used during Azure AD
sign-in.
6. On the Ready to configure page, make sure that the Star t the synchronization process when
configuration completes check box is selected. Then, select Configure .
IMPORTANT
At this point, all your federated domains will change to managed authentication. Password hash synchronization is
the new method of authentication.
7. In the Azure AD portal, select Azure Active Director y > Azure AD Connect .
8. Verify these settings:
Federation is set to Disabled .
Seamless single sign-on is set to Enabled .
Password Sync is set to Enabled .
Skip to Testing and next steps.
IMPORTANT
Skip the section Option B: Switch from federation to password hash synchronization by using Azure AD
Connect and PowerShell. The steps in that section don't apply if you chose Option A to change the sign-in method to
password hash synchronization and enable seamless SSO.
Option B: Switch from federation to password hash synchronization using Azure AD Connect and PowerShell
Use this option if you didn't initially configure your federated domains by using Azure AD Connect. During this
process, you enable seamless SSO and switch your domains from federated to managed.
1. On the Azure AD Connect server, open the Azure AD Connect wizard.
2. Select Change user sign-in , and then select Next .
3. On the Connect to Azure AD page, enter the username and password for a Global Administrator account.
4. On the User sign-in page, select the Password hash synchronization button. Select Enable single
sign-on , and then select Next .
Before you enable password hash synchronization:
5. On the Enable single sign-on page, enter the credentials for a Domain Administrator account, and then
select Next .
NOTE
Domain Administrator account credentials are required to enable seamless SSO. The process completes the following
actions, which require these elevated permissions. The Domain Administrator account credentials aren't stored in
Azure AD Connect or in Azure AD. The Domain Administrator account credentials are used only to turn on the
feature. The credentials are discarded when the process successfully finishes.
1. A computer account named AZUREADSSOACC (which represents Azure AD) is created in your on-premises Active
Directory instance.
2. The computer account's Kerberos decryption key is securely shared with Azure AD.
3. Two Kerberos service principal names (SPNs) are created to represent two URLs that are used during Azure AD
sign-in.
6. On the Ready to configure page, make sure that the Star t the synchronization process when
configuration completes check box is selected. Then, select Configure .
When you select the Configure button, seamless SSO is configured as indicated in the preceding step.
Password hash synchronization configuration isn't modified because it was enabled earlier.
IMPORTANT
No changes are made to the way users sign in at this time.
IMPORTANT
You don't have to convert all domains at the same time. You might choose to start with a test domain on your production
tenant or start with your domain that has the lowest number of users.
3. In the Azure AD portal, select Azure Active Director y > Azure AD Connect .
4. Verify that the domain has been converted to managed by running the following command:
TIP
Consider deploying Azure AD hybrid join on Windows 10 for an improved SSO experience.
Next steps
Learn about Azure AD Connect design concepts.
Choose the right authentication.
Learn about supported topologies.
Migrate from federation to pass-through
authentication for Azure Active Directory
9/7/2020 • 22 minutes to read • Edit Online
This article describes how to move your organization domains from Active Directory Federation Services (AD FS)
to pass-through authentication.
NOTE
Changing your authentication method requires planning, testing, and potentially downtime. Staged rollout provides an
alternative way to test and gradually migrate from federation to cloud authentication using pass-through authentication.
If you plan on using staged rollout, you should remember to turn off the staged rollout features once you have finished
cutting over. For more information see Migrate to cloud authentication using staged rollout
IMPORTANT
You might read in outdated documentation, tools, and blogs that user conversion is required when you convert domains
from federated identity to managed identity. Converting users is no longer required. Microsoft is working to update
documentation and tools to reflect this change.
To update Azure AD Connect, complete the steps in Azure AD Connect: Upgrade to the latest version.
Plan authentication agent number and placement
Pass-through authentication requires deploying lightweight agents on the Azure AD Connect server and on your
on-premises computer that's running Windows Server. To reduce latency, install the agents as close as possible to
your Active Directory domain controllers.
For most customers, two or three authentication agents are sufficient to provide high availability and the required
capacity. A tenant can have a maximum of 12 agents registered. The first agent is always installed on the Azure AD
Connect server itself. To learn about agent limitations and agent deployment options, see Azure AD pass-through
authentication: Current limitations.
Plan the migration method
You can choose from two methods to migrate from federated identity management to pass-through authentication
and seamless single sign-on (SSO). The method you use depends on how your AD FS instance was originally
configured.
Azure AD Connect . If you originally configured AD FS by using Azure AD Connect, you must change to
pass-through authentication by using the Azure AD Connect wizard.
Azure AD Connect automatically runs the Set-MsolDomainAuthentication cmdlet when you change the
user sign-in method. Azure AD Connect automatically unfederates all the verified federated domains in your
Azure AD tenant.
NOTE
Currently, if you originally used Azure AD Connect to configure AD FS, you can't avoid unfederating all domains in
your tenant when you change the user sign-in to pass-through authentication.
Azure AD Connect with PowerShell . You can use this method only if you didn't originally configure AD
FS by using Azure AD Connect. For this option, you still must change the user sign-in method via the Azure
AD Connect wizard. The core difference with this option is that the wizard doesn't automatically run the Set-
MsolDomainAuthentication cmdlet. With this option, you have full control over which domains are
converted and in which order.
To understand which method you should use, complete the steps in the following sections.
Verify current user sign-in settings
1. Sign in to the Azure AD portal by using a Global Administrator account.
2. In the User sign-in section, verify the following settings:
Federation is set to Enabled .
Seamless single sign-on is set to Disabled .
Pass-through authentication is set to Disabled .
Example:
Verify any settings that might have been customized for your federation design and deployment documentation.
Specifically, look for customizations in PreferredAuthenticationProtocol , Suppor tsMfa , and
PromptLoginBehavior .
For more information, see these articles:
AD FS prompt=login parameter support
Set-MsolDomainAuthentication
NOTE
If Suppor tsMfa is set to True , you're using an on-premises multi-factor authentication solution to inject a second-factor
challenge into the user authentication flow. This setup no longer works for Azure AD authentication scenarios.
Instead, use the Azure Multi-Factor Authentication cloud-based service to perform the same function. Carefully evaluate your
multi-factor authentication requirements before you continue. Before you convert your domains, make sure that you
understand how to use Azure Multi-Factor Authentication, the licensing implications, and the user registration process.
IF T H EN
You plan to keep using AD FS with other applications (other After you convert your domains, you'll use both AD FS and
than Azure AD and Office 365). Azure AD. Consider the user experience. In some scenarios,
users might be required to authenticate twice: once to Azure
AD (where a user gets SSO access to other applications, like
Office 365), and again for any applications that are still bound
to AD FS as a relying party trust.
Your AD FS instance is heavily customized and relies on Before you continue, you must verify that Azure AD can meet
specific customization settings in the onload.js file (for your current customization requirements. For more
example, if you changed the sign-in experience so that users information and for guidance, see the sections on AD FS
use only a SamAccountName format for their username branding and AD FS customization.
instead of a User Principal Name (UPN), or your organization
has heavily branded the sign-in experience). The onload.js file
can't be duplicated in Azure AD.
You use AD FS to block earlier versions of authentication Consider replacing AD FS controls that block earlier versions of
clients. authentication clients by using a combination of Conditional
Access controls and Exchange Online Client Access Rules.
IF T H EN
You require users to perform multi-factor authentication In a managed identity domain, you can't inject a multi-factor
against an on-premises multi-factor authentication server authentication challenge via the on-premises multi-factor
solution when users authenticate to AD FS. authentication solution into the authentication flow. However,
you can use the Azure Multi-Factor Authentication service for
multi-factor authentication after the domain is converted.
You currently use access control policies (AuthZ rules) in AD FS Consider replacing the policies with the equivalent Azure AD
to control access to Office 365. Conditional Access policies and Exchange Online Client Access
Rules.
Common AD FS customizations
This section describes common AD FS customizations.
InsideCorporateNetwork claim
AD FS issues the InsideCorporateNetwork claim if the user who is authenticating is inside the corporate
network. This claim can then be passed on to Azure AD. The claim is used to bypass multi-factor authentication
based on the user's network location. To learn how to determine whether this functionality currently is available in
AD FS, see Trusted IPs for federated users.
The InsideCorporateNetwork claim isn't available after your domains are converted to pass-through
authentication. You can use named locations in Azure AD to replace this functionality.
After you configure named locations, you must update all Conditional Access policies that were configured to either
include or exclude the network All trusted locations or MFA Trusted IPs values to reflect the new named
locations.
For more information about the Location condition in Conditional Access, see Active Directory Conditional Access
locations.
Hybrid Azure AD-joined devices
When you join a device to Azure AD, you can create Conditional Access rules that enforce that devices meet your
access standards for security and compliance. Also, users can sign in to a device by using an organizational work or
school account instead of a personal account. When you use hybrid Azure AD-joined devices, you can join your
Active Directory domain-joined devices to Azure AD. Your federated environment might have been set up to use
this feature.
To ensure that hybrid join continues to work for any devices that are joined to the domain after your domains are
converted to pass-through authentication, for Windows 10 clients, you must use Azure AD Connect to sync Active
Directory computer accounts to Azure AD.
For Windows 8 and Windows 7 computer accounts, hybrid join uses seamless SSO to register the computer in
Azure AD. You don't have to sync Windows 8 and Windows 7 computer accounts like you do for Windows 10
devices. However, you must deploy an updated workplacejoin.exe file (via an .msi file) to Windows 8 and Windows
7 clients so they can register themselves by using seamless SSO. Download the .msi file.
For more information, see Configure hybrid Azure AD-joined devices.
Branding
If your organization customized your AD FS sign-in pages to display information that's more pertinent to the
organization, consider making similar customizations to the Azure AD sign-in page.
Although similar customizations are available, some visual changes on sign-in pages should be expected after the
conversion. You might want to provide information about expected changes in your communications to users.
NOTE
Organization branding is available only if you purchase the Premium or Basic license for Azure Active Directory or if you have
an Office 365 license.
IMPORTANT
Don’t shut down your AD FS environment or remove the Office 365 relying party trust until you have verified that all users
can successfully authenticate by using cloud authentication.
IMPORTANT
Making this change doesn't modify the way your users sign in to Azure AD. However, it’s important that you apply this
configuration to all your devices before you proceed. Users who sign in on devices that haven't received this configuration
simply are required to enter a username and password to sign in to Azure AD.
Step 2: Change the sign-in method to pass-through authentication and enable seamless SSO
You have two options for changing the sign-in method to pass-through authentication and enabling seamless SSO.
Option A: Configure pass-through authentication by using Azure AD Connect
Use this method if you initially configured your AD FS environment by using Azure AD Connect. You can't use this
method if you didn't originally configure your AD FS environment by using Azure AD Connect.
IMPORTANT
After you complete the following steps, all your domains are converted from federated identity to managed identity. For
more information, review Plan the migration method.
NOTE
Domain Administrator account credentials are required to enable seamless SSO. The process completes the following
actions, which require these elevated permissions. The Domain Administrator account credentials aren't stored in
Azure AD Connect or in Azure AD. The Domain Administrator account credentials are used only to turn on the
feature. The credentials are discarded when the process successfully finishes.
1. A computer account named AZUREADSSOACC (which represents Azure AD) is created in your on-premises Active
Directory instance.
2. The computer account's Kerberos decryption key is securely shared with Azure AD.
3. Two Kerberos service principal names (SPNs) are created to represent two URLs that are used during Azure AD
sign-in.
6. On the Ready to configure page, make sure that the Star t the synchronization process when
configuration completes check box is selected. Then, select Configure .
7. In the Azure AD portal, select Azure Active Director y , and then select Azure AD Connect .
8. Verify these settings:
Federation is set to Disabled .
Seamless single sign-on is set to Enabled .
Pass-through authentication is set to Enabled .
NOTE
The first agent is always installed on the Azure AD Connect server itself as part of the configuration changes made in
the User sign-in section of the Azure AD Connect tool. Install any additional authentication agents on a separate
server. We recommend that you have two or three additional authentication agents available.
4. Run the authentication agent installation. During installation, you must enter the credentials of a Global
Administrator account.
5. When the authentication agent is installed, you can return to the pass-through authentication agent health
page to check the status of the additional agents.
Skip to Testing and next steps.
IMPORTANT
Skip the section Option B: Switch from federation to pass-through authentication by using Azure AD Connect
and PowerShell. The steps in that section don't apply if you chose Option A to change the sign-in method to pass-through
authentication and enable seamless SSO.
Option B: Switch from federation to pass-through authentication by using Azure AD Connect and PowerShell
Use this option if you didn't initially configure your federated domains by using Azure AD Connect.
First, enable pass-through authentication:
1. On the Azure AD Connect Server, open the Azure AD Connect wizard.
2. Select Change user sign-in , and then select Next .
3. On the Connect to Azure AD page, enter the username and password of a Global Administrator account.
4. On the User sign-in page, select the Pass-through authentication button. Select Enable single sign-
on , and then select Next .
5. On the Enable single sign-on page, enter the credentials of a Domain Administrator account, and then
select Next .
NOTE
Domain Administrator account credentials are required to enable seamless SSO. The process completes the following
actions, which require these elevated permissions. The Domain Administrator account credentials aren't stored in
Azure AD Connect or in Azure AD. The Domain Administrator account credentials are used only to turn on the
feature. The credentials are discarded when the process successfully finishes.
1. A computer account named AZUREADSSOACC (which represents Azure AD) is created in your on-premises Active
Directory instance.
2. The computer account's Kerberos decryption key is securely shared with Azure AD.
3. Two Kerberos service principal names (SPNs) are created to represent two URLs that are used during Azure AD
sign-in.
6. On the Ready to configure page, make sure that the Star t the synchronization process when
configuration completes check box is selected. Then, select Configure .
NOTE
The first agent is always installed on the Azure AD Connect server itself as part of the configuration changes made in
the User sign-in section of the Azure AD Connect tool. Install any additional authentication agents on a separate
server. We recommend that you have two or three additional authentication agents available.
4. Run the authentication agent installation. During the installation, you must enter the credentials of a Global
Administrator account.
5. After the authentication agent is installed, you can return to the pass-through authentication agent health
page to check the status of the additional agents.
At this point, federated authentication is still active and operational for your domains. To continue with the
deployment, you must convert each domain from federated identity to managed identity so that pass-through
authentication starts serving authentication requests for the domain.
You don't have to convert all domains at the same time. You might choose to start with a test domain on your
production tenant or start with your domain that has the lowest number of users.
Complete the conversion by using the Azure AD PowerShell module:
1. In PowerShell, sign in to Azure AD by using a Global Administrator account.
2. To convert the first domain, run the following command:
3. In the Azure AD portal, select Azure Active Director y > Azure AD Connect .
4. After you convert all your federated domains, verify these settings:
Federation is set to Disabled .
Seamless single sign-on is set to Enabled .
Pass-through authentication is set to Enabled .
TIP
Consider deploying Azure AD hybrid join on Windows 10 for an improved SSO experience.
Next steps
Learn about Azure AD Connect design concepts.
Choose the right authentication.
Learn about supported topologies.
Migrate groups from one forest to another for Azure
AD Connect
9/7/2020 • 2 minutes to read • Edit Online
This article describes how to migrate groups from one forest to another so that the migrated group objects match
the existing objects in the cloud.
Prerequisites
Azure AD Connect version 1.5.18.0 or later
Source anchor attribute set to mS-DS-ConsistencyGuid
Migrate groups
Starting in version 1.5.18.0, Azure AD Connect supports the use of the mS-DS-ConsistencyGuid attribute for groups.
If you choose mS-DS-ConsistencyGuid as the source anchor attribute and the value is populated in Active Directory,
Azure AD Connect uses the value of mS-DS-ConsistencyGuid as the immutableId . Otherwise, it falls back to using
objectGUID . But note that Azure AD Connect doesn't write the value back to the mS-DS-ConsistencyGuid attribute in
Active Directory.
During a cross-forest move, when a group object is moving from one forest (say F1) to another forest (say F2), you
need to copy either the mS-DS-ConsistencyGuid value (if it's present) or the objectGUID value from the object in
forest F1 to the mS-DS-ConsistencyGuid attribute of the object in F2.
Use the following scripts as a guide to learn how to migrate a single group from one forest to another. You can also
use these scripts as a guide for the migration of multiple groups. The scripts use the forest name F1 for the source
forest and F2 for the destination forest.
First, we get the objectGUID and mS-DS-ConsistencyGuid of the group object in forest F1. These attributes are
exported to a CSV file.
<#
DESCRIPTION
============
This script will take DN of a group as input.
It then copies the objectGUID and mS-DS-ConsistencyGuid values along with other attributes of the given group
to a CSV file.
This CSV file can then be used as input to the Export-Group script.
#>
Param(
[ValidateNotNullOrEmpty()]
[string]
$dn,
[ValidateNotNullOrEmpty()]
[string]
$outputCsv
)
Next, we use the generated output CSV file to stamp the mS-DS-ConsistencyGuid attribute on the target object in
forest F2:
<#
DESCRIPTION
============
This script will take DN of a group as input and the CSV file that was generated by the Import-Group script.
It copies either the objectGUID or the mS-DS-ConsistencyGuid value from the CSV file to the given object.
#>
Param(
[ValidateNotNullOrEmpty()]
[string]
$dn,
[ValidateNotNullOrEmpty()]
[string]
$inputCsv
)
Next steps
Learn more about integrating your on-premises identities with Azure Active Directory.
Migrate to cloud authentication using staged rollout
(preview)
9/7/2020 • 9 minutes to read • Edit Online
Staged rollout allows you to selectively test groups of users with cloud authentication capabilities like Azure
Multi-Factor Authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity
Governance, and others, before cutting over your domains. This article discusses how to make the switch. Before
you begin the staged rollout, however, you should consider the implications if one or more of the following
conditions is true:
You're currently using an on-premises Multi-Factor Authentication server.
You're using smart cards for authentication.
Your current server offers certain federation-only features.
Before you try this feature, we suggest that you review our guide on choosing the right authentication method.
For more information, see the "Comparing methods" table in Choose the right authentication method for your
Azure Active Directory hybrid identity solution.
For an overview of the feature, view this "Azure Active Directory: What is staged rollout?" video:
Prerequisites
You have an Azure Active Directory (Azure AD) tenant with federated domains.
You have decided to move to either of two options:
Option A - password hash synchronization (sync) + seamless single sign-on (SSO). For more
information, see What is password hash sync and What is seamless SSO
Option B - pass-through authentication + seamless SSO. For more information, see What is pass-
through authentication
Although seamless SSO is optional, we recommend enabling it to achieve a silent sign-in experience for
users who are running domain-joined machines from inside a corporate network.
You have configured all the appropriate tenant-branding and conditional access policies you need for
users who are being migrated to cloud authentication.
If you plan to use Azure Multi-Factor Authentication, we recommend that you use combined registration
for self-service password reset (SSPR) and Multi-Factor Authentication to have your users register their
authentication methods once.
To use the staged rollout feature, you need to be a global administrator on your tenant.
To enable seamless SSO on a specific Active Directory forest, you need to be a domain administrator.
If you are deploying Hybrid Azure AD or Azure AD join, you must upgrade to Windows 10 1903 update.
Supported scenarios
The following scenarios are supported for staged rollout. The feature works only for:
Users who are provisioned to Azure AD by using Azure AD Connect. It does not apply to cloud-only users.
User sign-in traffic on browsers and modern authentication clients. Applications or cloud services that use
legacy authentication will fall back to federated authentication flows. An example might be Exchange
online with modern authentication turned off, or Outlook 2010, which does not support modern
authentication.
Group size is currently limited to 50,000 users. If you have groups that are larger then 50,000 users, it is
recommended to split this group over multiple groups for staged rollout.
Unsupported scenarios
The following scenarios are not supported for staged rollout:
Certain applications send the "domain_hint" query parameter to Azure AD during authentication. These flows
will continue, and users who are enabled for staged rollout will continue to use federation for authentication.
Admins can roll out cloud authentication by using security groups. To avoid sync latency when you're
using on-premises Active Directory security groups, we recommend that you use cloud security groups.
The following conditions apply:
You can use a maximum of 10 groups per feature. That is, you can use 10 groups each for password
hash sync, pass-through authentication, and seamless SSO.
Nested groups are not supported. This scope applies to public preview as well.
Dynamic groups are not supported for staged rollout.
Contact objects inside the group will block the group from being added.
You still need to make the final cutover from federated to cloud authentication by using Azure AD Connect
or PowerShell. Staged rollout doesn't switch domains from federated to managed. For more information
about domain cutover, see Migrate from federation to password hash synchronization and Migrate from
federation to pass-through authentication
When you first add a security group for staged rollout, you're limited to 200 users to avoid a UX time-out.
After you've added the group, you can add more users directly to it, as required.
While users are in Staged Rollout, when EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled,
password expiration policy is set to 90 days with no option to customize it.
If you want to test pass-through authentication sign-in by using staged rollout, enable it by following the pre-
work instructions in the next section.
6. Call $creds = Get-Credential . At the prompt, enter the domain administrator credentials for the intended
Active Directory forest.
7. Call Enable-AzureADSSOForest -OnPremCredentials $creds . This command creates the AZUREADSSOACC
computer account from the on-premises domain controller for the Active Directory forest that's required
for seamless SSO.
8. Seamless SSO requires URLs to be in the intranet zone. To deploy those URLs by using group policies, see
Quickstart: Azure AD seamless single sign-on.
9. For a complete walkthrough, you can also download our deployment plans for seamless SSO.
Enable staged rollout
To roll out a specific feature (pass-through authentication, password hash sync, or seamless SSO) to a select set
of users in a group, follow the instructions in the next sections.
Enable a staged rollout of a specific feature on your tenant
You can roll out one of these options:
Option A - password hash sync + seamless SSO
Option B - pass-through authentication + seamless SSO
Not suppor ted - password hash sync + pass-through authentication + seamless SSO
Do the following:
1. To access the preview UX, sign in to the Azure AD portal.
2. Select the Enable staged rollout for managed user sign-in (Preview) link.
For example, if you want to enable Option A, slide the Password Hash Sync and Seamless single
sign-on controls to On , as shown in the following images.
3. Add the groups to the feature to enable pass-through authentication and seamless SSO. To avoid a UX
time-out, ensure that the security groups contain no more than 200 members initially.
NOTE
The members in a group are automatically enabled for staged rollout. Nested and dynamic groups are not
supported for staged rollout. When adding a new group, users in the group (up to 200 users for a new group) will
be updated to use managed auth immidiatly. Editing a group (adding or removing users), it can take up to 24
hours for changes to take effect.
Auditing
We've enabled audit events for the various actions we perform for staged rollout:
Audit event when you enable a staged rollout for password hash sync, pass-through authentication, or
seamless SSO.
NOTE
An audit event is logged when seamless SSO is turned on by using staged rollout.
Audit event when a group is added to password hash sync, pass-through authentication, or seamless SSO.
NOTE
An audit event is logged when a group is added to password hash sync for staged rollout.
Audit event when a user who was added to the group is enabled for staged rollout.
Validation
To test the sign-in with password hash sync or pass-through authentication (username and password sign-in), do
the following:
1. On the extranet, go to the Apps page in a private browser session, and then enter the UserPrincipalName
(UPN) of the user account that's selected for staged rollout.
Users who've been targeted for staged rollout are not redirected to your federated login page. Instead,
they're asked to sign in on the Azure AD tenant-branded sign-in page.
2. Ensure that the sign-in successfully appears in the Azure AD sign-in activity report by filtering with the
UserPrincipalName.
To test sign-in with seamless SSO:
1. On the intranet, go to the Apps page in a private browser session, and then enter the UserPrincipalName
(UPN) of the user account that's selected for staged rollout.
Users who've been targeted for staged rollout of seamless SSO are presented with a "Trying to sign you in
..." message before they're silently signed in.
2. Ensure that the sign-in successfully appears in the Azure AD sign-in activity report by filtering with the
UserPrincipalName.
To track user sign-ins that still occur on Active Directory Federation Services (AD FS) for selected staged
rollout users, follow the instructions at AD FS troubleshooting: Events and logging. Check vendor
documentation about how to check this on third-party federation providers.
Next steps
Azure AD 2.0 preview
Azure Active Directory Hybrid Identity Design
Considerations
2/12/2019 • 3 minutes to read • Edit Online
Consumer-based devices are proliferating the corporate world, and cloud-based software-as-a-service (SaaS)
applications are easy to adopt. As a result, maintaining control of users’ application access across internal
datacenters and cloud platforms is challenging.
Microsoft’s identity solutions span on-premises and cloud-based capabilities, creating a single user identity for
authentication and authorization to all resources, regardless of location. This concept is known as Hybrid Identity.
There are different design and configuration options for hybrid identity using Microsoft solutions, and in some
case it might be difficult to determine which combination will best meet the needs of your organization.
This Hybrid Identity Design Considerations Guide will help you to understand how to design a hybrid identity
solution that best fits the business and technology needs for your organization. This guide details a series of steps
and tasks that you can follow to help you design a hybrid identity solution that meets your organization’s unique
requirements. Throughout the steps and tasks, the guide will present the relevant technologies and feature
options available to organizations to meet functional and service quality (such as availability, scalability,
performance, manageability, and security) level requirements.
Specifically, the hybrid identity design considerations guide goals are to answer the following questions:
What questions do I need to ask and answer to drive a hybrid identity-specific design for a technology or
problem domain that best meets my requirements?
What sequence of activities should I complete to design a hybrid identity solution for the technology or
problem domain?
What hybrid identity technology and configuration options are available to help me meet my requirements?
What are the trade-offs between those options so that I can select the best option for my business?
Plan for enhancing data security through strong identity Determine data protection requirements
solution Determine content management requirements
Determine access control requirements
Determine incident response requirements
Define data protection strategy
Plan for hybrid identity lifecycle Determine hybrid identity management tasks
Synchronization Management
Determine hybrid identity management adoption strategy
Next Steps
Determine identity requirements
Determine identity requirements for your hybrid
identity solution
5/20/2019 • 5 minutes to read • Edit Online
The first step in designing a hybrid identity solution is to determine the requirements for the business organization
that will be leveraging this solution. Hybrid identity starts as a supporting role (it supports all other cloud solutions
by providing authentication) and goes on to provide new and interesting capabilities that unlock new workloads
for users. These workloads or services that you wish to adopt for your users will dictate the requirements for the
hybrid identity design. These services and workloads need to leverage hybrid identity both on-premises and in the
cloud.
You need to go over these key aspects of the business to understand what it is a requirement now and what the
company plans for the future. If you don’t have the visibility of the long term strategy for hybrid identity design,
chances are that your solution will not be scalable as the business needs grow and change. The diagram below
shows an example of a hybrid identity architecture and the workloads that are being unlocked for users. This is just
an example of all the new possibilities that can be unlocked and delivered with a solid hybrid identity strategy.
Some components that are part of the hybrid identity architecture
NOTE
Cloud Discovery analyzes your traffic logs against Microsoft Cloud App Security's cloud app catalog of over 16,000 cloud
apps that are ranked and scored based on more than 70 risk factors, to provide you with ongoing visibility into cloud use,
Shadow IT, and the risk Shadow IT poses into your organization.To get started see Set up Cloud Discovery.
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Determine incident response
requirements will go over the options available and pros/cons of each option. By having answered those questions you will
select which option best suits your business needs.
Next steps
Determine directory synchronization requirements
See also
Design considerations overview
Determine directory synchronization requirements
9/7/2020 • 3 minutes to read • Edit Online
Synchronization is all about providing users an identity in the cloud based on their on-premises identity. Whether
or not they will use synchronized account for authentication or federated authentication, the users will still need to
have an identity in the cloud. This identity will need to be maintained and updated periodically. The updates can
take many forms, from title changes to password changes.
Start by evaluating the organizations on-premises identity solution and user requirements. This evaluation is
important to define the technical requirements for how user identities will be created and maintained in the cloud.
For a majority of organizations, Active Directory is on-premises and will be the on-premises directory that users
will by synchronized from, however in some cases this will not be the case.
Make sure to answer the following questions:
Do you have one AD forest, multiple, or none?
How many Azure AD directories will you be synchronizing to?
1. Are you using filtering?
2. Do you have multiple Azure AD Connect servers planned?
Do you currently have a synchronization tool on-premises?
If yes, does your users if users have a virtual directory/integration of identities?
Do you have any other directory on-premises that you want to synchronize (e.g. LDAP Directory, HR
database, etc)?
Are you going to be doing any GALSync?
What is the current state of UPNs in your organization?
Do you have a different directory that users authenticate against?
Does your company use Microsoft Exchange?
Do they plan of having a hybrid exchange deployment?
Now that you have an idea about your synchronization requirements, you need to determine which tool is the
correct one to meet these requirements. Microsoft provides several tools to accomplish directory integration and
synchronization. See the Hybrid Identity directory integration tools comparison table for more information.
Now that you have your synchronization requirements and the tool that will accomplish this for your company,
you need to evaluate the applications that use these directory services. This evaluation is important to define the
technical requirements to integrate these applications to the cloud. Make sure to answer the following questions:
Will these applications be moved to the cloud and use the directory?
Are there special attributes that need to be synchronized to the cloud so these applications can use them
successfully?
Will these applications need to be re-written to take advantage of cloud auth?
Will these applications continue to live on-premises while users access them using the cloud identity?
You also need to determine the security requirements and constraints directory synchronization. This evaluation is
important to get a list of the requirements that will be needed in order to create and maintain user’s identities in
the cloud. Make sure to answer the following questions:
Where will the synchronization server be located?
Will it be domain joined?
Will the server be located on a restricted network behind a firewall, such as a DMZ?
Will you be able to open the required firewall ports to support synchronization?
Do you have a disaster recovery plan for the synchronization server?
Do you have an account with the correct permissions for all forests you want to synch with?
If your company doesn’t know the answer for this question, review the section “Permissions for
password synchronization” in the article Install the Azure Active Directory Sync Service and determine if
you already have an account with these permissions or if you need to create one.
If you have mutli-forest sync is the sync server able to get to each forest?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Determine incident response
requirements will go over the options available. By having answered those questions you will select which option best suits
your business needs.
Next steps
Determine multi-factor authentication requirements
See also
Design considerations overview
Determine multi-factor authentication requirements
for your hybrid identity solution
6/13/2019 • 2 minutes to read • Edit Online
In this world of mobility, with users accessing data and applications in the cloud and from any device, securing this
information has become paramount. Every day there is a new headline about a security breach. Although, there is
no guarantee against such breaches, multi-factor authentication, provides an additional layer of security to help
prevent these breaches. Start by evaluating the organizations requirements for multi-factor authentication. That is,
what is the organization trying to secure. This evaluation is important to define the technical requirements for
setting up and enabling the organizations users for multi-factor authentication.
Make sure to answer the following:
Is your company trying to secure Microsoft apps?
How these apps are published?
Does your company provide remote access to allow employees to access on-premises apps?
If yes, what type of remote access?You also need to evaluate where the users who are accessing these applications
will be located. This evaluation is another important step to define the proper multi-factor authentication strategy.
Make sure to answer the following questions:
Where are the users going to be located?
Can they be located anywhere?
Does your company want to establish restrictions according to the user’s location?
Once you understand these requirements, it is important to also evaluate the user’s requirements for multi-factor
authentication. This evaluation is important because it will define the requirements for rolling out multi-factor
authentication. Make sure to answer the following questions:
Are the users familiar with multi-factor authentication?
Will some uses be required to provide additional authentication?
If yes, all the time, when coming from external networks, or accessing specific applications, or under
other conditions?
Will the users require training on how to setup and implement multi-factor authentication?
What are the key scenarios that your company wants to enable multi-factor authentication for their users?
After answering the previous questions, you will be able to understand if there are multi-factor authentication
already implemented on-premises. This evaluation is important to define the technical requirements for setting up
and enabling the organizations users for multi-factor authentication. Make sure to answer the following questions:
Does your company need to protect privileged accounts with MFA?
Does your company need to enable MFA for certain application for compliance reasons?
Does your company need to enable MFA for all eligible users of these application or only administrators?
Do you need have MFA always enabled or only when the users are logged outside of your corporate network?
Next steps
Define a hybrid identity adoption strategy
See also
Design considerations overview
Determine hybrid identity lifecycle adoption strategy
9/7/2020 • 9 minutes to read • Edit Online
In this task, you’ll define the identity management strategy for your hybrid identity solution to meet the business
requirements that you defined in Determine hybrid identity management tasks.
To define the hybrid identity management tasks according to the end-to-end identity lifecycle presented earlier in
this step, you will have to consider the options available for each lifecycle phase.
L IF EC Y C L E M A N A GEM EN T
P H A SE O N P REM ISES C LO UD H Y B RID
L IF EC Y C L E M A N A GEM EN T
P H A SE O N P REM ISES C LO UD H Y B RID
Account Management and By using the Active You have to create an Extend Active Directory
Provisioning Directory® Domain account for every user who identities into the cloud
Services (AD DS) server role, will access a Microsoft cloud through synchronization and
you can create a scalable, service. You can also change federation
secure, and manageable user accounts or delete
infrastructure for user and them when they’re no
resource management, and longer needed. By default,
provide support for users do not have
directory-enabled administrator permissions,
applications such as but you can optionally
Microsoft® Exchange assign them.
Server.
Within Azure Active
You can provision groups in Directory, one of the major
AD DS through an Identity features is the ability to
manager manage access to resources.
You can provision users in These resources can be part
AD DS of the directory, as in the
case of permissions to
Administrators can use manage objects through
access control to manage roles in the directory, or
user access to shared resources that are external
resources for security to the directory, such as
purposes. In Active SaaS applications, Azure
Directory, access control is services, and SharePoint
administered at the object sites or on-premises
level by setting different resources.
levels of access, or
permissions, to objects, such At the center of Azure Active
as Full Control, Write, Read, Directory’s access
or No Access. Access control management solution is the
in Active Directory defines security group. The resource
how different users can use owner (or the administrator
Active Directory objects. By of the directory) can assign a
default, permissions on group to provide a certain
objects in Active Directory access right to the resources
are set to the most secure they own. The members of
setting. the group will be provided
the access, and the resource
owner can delegate the right
to manage the members list
of a group to someone else
– such as a department
manager or a helpdesk
administrator
License management
Group-based license management in Azure AD lets administrators assign users to a security group and Azure AD
automatically assigns licenses to all the members of the group. If a user is subsequently added to, or removed from
the group, a license will be automatically assigned or removed as appropriate.
You can use groups you synchronize from on-premises AD or manage in Azure AD. Pairing this up with Azure AD
premium Self-Service Group Management you can easily delegate license assignment to the appropriate decision
makers. You can be assured that problems like license conflicts and missing location data are automatically sorted
out.
NOTE
For more information, see Setting up Azure AD for self service application access management
Federation-based (through AD FS) Enabled by Security Token Service (STS). Requires specialized personnel for
When you configure an STS to provide deployment and maintenance of
single sign-on access with a Microsoft dedicated on premises AD FS servers.
cloud service, you will be creating a There are restrictions on the use of
federated trust between your on- strong authentication if you plan to use
premises STS and the federated domain AD FS for your STS. For more
you’ve specified in your Azure AD information, see Configuring Advanced
tenant. Options for AD FS 2.0.
Allows end users to use the same set of
credentials to obtain access to multiple
resources
end users do not have to maintain
multiple sets of credentials. Yet, the
users have to provide their credentials
to each one of the participating
resources.,B2B and B2C scenarios
supported.
NOTE
For more information see, Integrating your on-premises identities with Azure Active Directory.
See Also
Design considerations overview
Define data protection strategy for your hybrid
identity solution
9/7/2020 • 13 minutes to read • Edit Online
In this task, you’ll define the data protection strategy for your hybrid identity solution to meet the business
requirements that you defined in:
Determine data protection requirements
Determine content management requirements
Determine access control requirements
Determine incident response requirements
DATA P ROT EC T IO N
O P T IO N S AT REST IN T H E C LO UD AT REST O N - P REM ISES IN T RA N SIT
VM-to-VM Encryption X
SSL/TLS X
VPN X
NOTE
Read Compliance by Feature at Microsoft Azure Trust Center to know more about the certifications that each Azure service
is compliant with. Since the options for data protection use a multilayer approach, comparison between those options are
not applicable for this task. Ensure that you are leveraging all options available for each state of the data.
Centralized on-premises (Active Full control over the server Higher maintenance (keep up with
Directory Rights Management Server) infrastructure responsible for classifying updates, configuration and potential
the data upgrades), since IT owns the Server
Built-in capability in Windows Server, no Require a server infrastructure on-
need for extra license or subscription premises
Can be integrated with Azure AD in a Doesn’t leverage Azure capabilities
hybrid scenario natively
Supports information rights
management (IRM) capabilities in
Microsoft Online services such as
Exchange Online and SharePoint Online,
as well as Office 365
Supports on-premises Microsoft server
products, such as Exchange Server,
SharePoint Server, and file servers that
run Windows Server and File
Classification Infrastructure (FCI).
Centralized in the cloud (Azure RMS) Easier to manage compared to the on- Your organization must have a cloud
premises solution subscription that supports RMS
Can be integrated with AD DS in a Your organization must have an Azure
hybrid scenario AD directory to support user
Fully integrated with Azure AD authentication for RMS
Doesn’t require a server on-premises in
order to deploy the service
Supports on-premises Microsoft server
products such as Exchange Server,
SharePoint, Server, and file servers that
run Windows Server and File
Classification, Infrastructure (FCI)
IT, can have complete control over their
tenant’s key with BYOK capability.
Hybrid (Azure RMS integrated with, This scenario accumulates the Your organization must have a cloud
On-Premises Active Directory Rights advantages of both, centralized on- subscription that supports RMS
Management Server) premises and in the cloud. Your organization must have an Azure
AD directory to support user
authentication for RMS,
Requires a connection between Azure
cloud service and on-premises
infrastructure
NOTE
read Azure Active Directory Authentication Protocols to know more details about each protocol and its capabilities in Azure.
Using the Azure AD support, mobile business applications can use the same easy Mobile Services authentication
experience to allow employees to sign into their mobile applications with their corporate Active Directory
credentials. With this feature, Azure AD is supported as an identity provider in Mobile Services alongside the other
identity providers already supported (which include Microsoft Accounts, Facebook ID, Google ID, and Twitter ID). If
the on-premises apps use the user’s credential located at the company’s AD DS, the access from partners and
users coming from the cloud should be transparent. You can manage user’s Conditional Access control to (cloud-
based) web applications, web API, Microsoft cloud services, third-party SaaS applications, and native (mobile)
client applications, and have the benefits of security, auditing, reporting all in one place. However, it is
recommended to validate the implementation in a non-production environment or with a limited number of users.
TIP
it is important to mention that Azure AD does not have Group Policy as AD DS has. In order to enforce policy for devices,
you need a mobile device management solution such as Microsoft Intune.
Once the user is authenticated using Azure AD, it is important to evaluate the level of access that the user has. The
level of access that the user has over a resource can vary. While Azure AD can add an additional security layer by
controlling access to some resources, keep in mind that the resource itself can also have its own access control list
separately, such as the access control for files located in a File Server. The following figure summarizes the levels of
access control that you can have in a hybrid scenario:
Each interaction in the diagram showed in Figure X represents one access control scenario that can be covered by
Azure AD. Below you have a description of each scenario:
1. Conditional Access to applications that are hosted on-premises: You can use registered devices with access
policies for applications that are configured to use AD FS with Windows Server 2012 R2.
2. Access Control to the Azure portal: Azure also lets you control access to the portal by using Azure role-
based access control (Azure RBAC)). This method enables the company to restrict the number of operations
that an individual can do in the Azure portal. By using Azure RBAC to control access to the portal, IT Admins
can delegate access by using the following access management approaches:
Group-based role assignment: You can assign access to Azure AD groups that can be synced from your
local Active Directory. This lets you leverage the existing investments that your organization has made in
tooling and processes for managing groups. You can also use the delegated group management feature
of Azure AD Premium.
Use built-in roles in Azure: You can use three roles — Owner, Contributor, and Reader, to ensure that
users and groups have permission to do only the tasks they need to do their jobs.
Granular access to resources: You can assign roles to users and groups for a particular subscription,
resource group, or an individual Azure resource such as a website or database. In this way, you can
ensure that users have access to all the resources they need and no access to resources that they do not
need to manage.
NOTE
If you are building applications and want to customize the access control for them, it is also possible to use Azure AD
Application Roles for authorization. Review this WebApp-RoleClaims-DotNet example on how to build your app to
use this capability.
3. Conditional Access for Office 365 applications with Microsoft Intune: IT admins can provision Conditional
Access device policies to secure corporate resources, while at the same time allowing information workers
on compliant devices to access the services.
4. Conditional Access for Saas apps: This feature allows you to configure per-application multi-factor
authentication access rules and the ability to block access for users not on a trusted network. You can apply
the multi-factor authentication rules to all users that are assigned to the application, or only for users within
specified security groups. Users may be excluded from the multi-factor authentication requirement if they
are accessing the application from an IP address that in inside the organization’s network.
Since the options for access control use a multilayer approach, comparison between those options are not
applicable for this task. Ensure that you are leveraging all options available for each scenario that requires you to
control access to your resources.
TIP
Another report that can also help the Incident Response team working on a case is the user with leaked credentials report.
This report surfaces any matches between the leaked credentials list and your tenant.
Other important built-in reports in Azure AD that can be used during an incident response investigation and are:
Password reset activity : provide the admin with insights into how actively password reset is being used in
the organization.
Password reset registration activity : provides insights into which users have registered their methods for
password reset, and which methods they have selected.
Group activity : provides a history of changes to the group (ex: users added or removed) that were initiated in
the Access Panel.
In addition to the core reporting capability of Azure AD Premium that you can use during an Incident Response
investigation process, IT can also take advantage of the Audit Report to obtain information such as:
Changes in role membership (for example, user added to Global Admin role)
Credential updates (for example, password changes)
Domain management (for example, verifying a custom domain, removing a domain)
Adding or removing applications
User management (for example, adding, removing, updating a user)
Adding or removing licenses
Since the options for incident response use a multilayer approach, comparison between those options is not
applicable for this task. Ensure that you are leveraging all options available for each scenario that requires you to
use Azure AD reporting capability as part of your company’s incident response process.
Next steps
Determine hybrid identity management tasks
See Also
Design considerations overview
Plan for enhancing data security through a strong
identity solution
4/29/2019 • 3 minutes to read • Edit Online
The first step in protecting data is to identify who can access that data. Also, you need to have an identity solution
that can integrate with your system to provide authentication and authorization capabilities. Authentication and
authorization are often confused with each other and their roles misunderstood. In reality, they are different, as
shown in the figure below:
NOTE
Once you finish planning for data security, review Determine multi-factor authentication requirements to ensure that your
selections regarding multi-factor authentication requirements were not affected by the decisions you made in this section.
Compliance
Regulations, laws, and regulatory compliance requirements will vary according to the industry that your company
belongs. Companies in high regulated industries must address identity-management concerns related to
compliance issues. Regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability
Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS)
are strict regarding identity and access. The hybrid identity solution that your company will adopt must have the
core capabilities that will fulfill the requirements of one or more of these regulations. For this area, ensure that the
following questions are asked:
Is the hybrid identity solution compliant with the regulatory requirements for your business?
Does the hybrid identity solution has built
in capabilities that will enable your company to be compliant regulatory requirements?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define Data Protection Strategy
will go over the options available and advantages/disadvantages of each option. By having answered those questions you
will select which option best suits your business needs.
Next steps
Determine content management requirements
See Also
Design considerations overview
Determine content management requirements for
your hybrid identity solution
4/29/2019 • 2 minutes to read • Edit Online
Understanding the content management requirements for your business may direct affect your decision on which
hybrid identity solution to use. With the proliferation of multiple devices and the capability of users to bring their
own devices (BYOD), the company must protect its own data but it also must keep user’s privacy intact. Usually
when a user has their own device, they might also have multiple credentials that will be alternating according to
the application that they use. It is important to differentiate what content was created using personal credentials
versus the ones created using corporate credentials. Your identity solution should be able to interact with cloud
services to provide a seamless experience to the end user while ensure their privacy and increase the protection
against data leakage.
Your identity solution will be leveraged by different technical controls in order to provide content management as
shown in the figure below:
NOTE
Read data classification for cloud readiness for more information about best practices and guidelines for data classification.
When planning your hybrid identity solution ensure that the following questions are answered according to your
organization’s requirements:
Does your company have security controls in place to enforce data privacy?
If yes, will the security controls be able to integrate with the hybrid identity solution that you are going
to adopt?
Does your company use data classification?
If yes, is the current solution able to integrate with the hybrid identity solution that you are going to
adopt?
Does your company currently have any solution for data leakage?
If yes, is the current solution able to integrate with the hybrid identity solution that you are going to
adopt?
Does your company need to audit access to resources?
If yes, what type of resources?
If yes, what level of information is necessary?
If yes, where the audit log must reside? On-premises or in the cloud?
Does your company need to encrypt any emails that contain sensitive data (SSNs, credit card numbers, etc.)?
Does your company need to encrypt all documents/contents shared with external business partners?
Does your company need to enforce corporate policies on certain kinds of emails (do no reply all, do not
forward)?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define Data Protection Strategy
will go over the options available and advantages/disadvantages of each option. By having answered those questions you
will select which option best suits your business needs.
Next steps
Determine access control requirements
See Also
Design considerations overview
Determine access control requirements for your
hybrid identity solution
2/12/2019 • 3 minutes to read • Edit Online
When an organization is designing their hybrid identity solution, they can also use this opportunity to review
access requirements for the resources that they are planning to make it available for users. The data access cross
all four pillars of identity, which are:
Administration
Authentication
Authorization
Auditing
The sections that follow will cover authentication and authorization in more details, administration, and auditing
are part of the hybrid identity lifecycle. Read Determine hybrid identity management tasks for more information
about these capabilities.
NOTE
Read The Four Pillars of Identity - Identity Management in the Age of Hybrid IT for more information about each one of
those pillars.
Access Control
While authentication and authorization are core elements to enable access to corporate data through user’s
validation, it is also important to control the level of access that these users will have and the level of access
administrators will have over the resources that they are managing. Your hybrid identity solution must be able to
provide granular access to resources, delegation, and role base access control. Ensure that the following question
is answered regarding access control:
Does your company have more than one user with elevated privilege to manage your identity system?
If yes, does each user need the same access level?
Would your company need to delegate access to users to manage specific resources?
If yes, how frequently this happens?
Would your company need to integrate access control capabilities between on-premises and cloud resources?
Would your company need to limit access to resources according to some conditions?
Would your company have any application that needs custom control access to some resources?
If yes, where are those apps located (on-premises or in the cloud)?
If yes, where are those target resources located (on-premises or in the cloud)?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define Data Protection Strategy
will go over the options available and advantages/disadvantages of each option. By answering those questions you will
select which option best suits your business needs.
Next steps
Determine incident response requirements
See Also
Design considerations overview
Determine incident response requirements for your
hybrid identity solution
9/7/2020 • 3 minutes to read • Edit Online
Large or medium organizations most likely will have a security incident response in place to help IT take actions
accordingly to the level of incident. The identity management system is an important component in the incident
response process because it can be used to help identifying who performed a specific action against the target.
The hybrid identity solution must be able to provide monitoring and reporting capabilities that can be leveraged
by IT to take actions to identify and mitigate a potential threat. In a typical incident response plan you will have the
following phases as part of the plan:
1. Initial assessment.
2. Incident communication.
3. Damage control and risk reduction.
4. Identification of what it was compromise and severity.
5. Evidence preservation.
6. Notification to appropriate parties.
7. System recovery.
8. Documentation.
9. Damage and cost assessment.
10. Process and plan revision.
During the identification of what it was compromise and severity- phase, it will be necessary to identify the
systems that have been compromised, files that have been accessed and determine the sensitivity of those files.
Your hybrid identity system should be able to fulfill these requirements to assist you identifying the user that
made those changes.
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define data protection strategy
will go over the options available and advantages/disadvantages of each option. By having answered those questions you
will select which option best suits your business needs.
Next steps
Define data protection strategy
See Also
Design considerations overview
Plan for Hybrid Identity Lifecycle
6/13/2019 • 3 minutes to read • Edit Online
Identity is one of the foundations of your enterprise mobility and application access strategy. Whether you are
signing on to your mobile device or SaaS app, your identity is the key to gaining access to everything. At its
highest level, an identity management solution encompasses unifying and syncing between your identity
repositories, which includes automating and centralizing the process of provisioning resources. The identity
solution should be a centralized identity across on-premises and cloud and also use some form of identity
federation to maintain centralized authentication and securely share and collaborate with external users and
businesses. Resources range from operating systems and applications to people in, or affiliated with, an
organization. Organizational structure can be altered to accommodate the provisioning policies and procedures.
It is also important to have an identity solution geared to empower your users by providing them with self-service
experiences to keep them productive. Your identity solution is more robust if it enables single sign-on for users
across all the resources they need access. Administrators at all levels can use standardized procedures for
managing user credentials. Some levels of administration can be reduced or eliminated, depending on the breadth
of the provisioning management solution. Furthermore, you can securely distribute administration capabilities,
manually or automatically, among various organizations. For example, a domain administrator can serve only the
people and resources in that domain. This user can do administrative and provisioning tasks, but is not authorized
to do configuration tasks, such as creating workflows.
To define hybrid identity management tasks, you must understand some essential characteristics of the
organization that will be adopting hybrid identity. It is important to understand the current repositories being
used for identity sources. By knowing those core elements, you will have the foundational requirements and
based on that you will need to ask more granular questions that will lead you to a better design decision for your
Identity solution.
While defining those requirements, ensure that at least the following questions are answered
Provisioning options:
Does the hybrid identity solution support a robust account access management and provisioning
system?
How are users, groups, and passwords going to be managed?
Is the identity lifecycle management responsive?
How long does password updates account suspension take?
License management:
Does the hybrid identity solution handles license management?
If yes, what capabilities are available?
Does the solution handle group-based license management?
If yes, is it possible to assign a security group to it?
If yes, will the cloud directory automatically assign licenses to all the members of the group?
What happens if a user is subsequently added to, or removed from the group, will a license be
automatically assigned or removed as appropriate?
Integration with other third-party identity providers:
Can this hybrid solution be integrated with third-party identity providers to implement single sign-on?
Is it possible to unify all the different identity providers into a cohesive identity system?
If yes, how and which are they and what capabilities are available?
Synchronization Management
One of the goals of an identity manager, to be able to bring all the identity providers and keep them synchronized.
You keep the data synchronized based on an authoritative master identity provider. In a hybrid identity scenario,
with a synchronized management model, you manage all user and device identities in an on-premises server and
synchronize the accounts and, optionally, passwords to the cloud. The user enters the same password on-premises
as they do in the cloud, and at sign-in, the password is verified by the identity solution. This model uses a
directory synchronization tool.
Next steps
Determine hybrid identity management adoption strategy
See Also
Design considerations overview
Define a hybrid identity adoption strategy
9/7/2020 • 11 minutes to read • Edit Online
In this task, you define the hybrid identity adoption strategy for your hybrid identity solution to meet the business
requirements that were discussed in:
Determine business needs
Determine directory synchronization requirements
Determine multi-factor authentication requirements
The following table helps in determining the advantages and disadvantages of each of the following strategies:
Cloud identities Easier to manage for small organization. Users will need to sign in when
Nothing to install on-premises. No accessing workloads in the cloud
additional hardware needed Passwords may or may not be the same
Easily disabled if the user leaves the for cloud and on-premises identities
company
Federated Users can have single sign-on (SSO) More steps to set up and configure
If a user is terminated or leaves, the Higher maintenance
account can be immediately disabled May require additional hardware for the
and access revoked, STS infrastructure
Supports advanced scenarios that May require additional hardware to
cannot be accomplished with install the federation server. Additional
synchronized software is required if AD FS is used
Require extensive setup for SSO
Critical point of failure if the federation
server is down, users won’t be able to
authenticate
Client experience
The strategy that you use will dictate the user sign-in experience. The following tables provide you with
information on what the users should expect their sign-in experience to be. Not all federated identity providers
support SSO in all scenarios.
Doman-joined and private network applications :
Skype for Business (Lync) Prompt for credentials single sign-on for Lync, prompted
credentials for Exchange
Outlook, Skype for Business (Lync), Prompt for credentials Prompt for credentials
OneDrive for Business, Office
subscription
Exchange ActiveSync Prompt for credentials single sign-on for Lync, prompted
credentials for Exchange
If you have determined from task 1 that you have a third-party IdP or are going to use one to provide federation
with Azure AD, you need to be aware of the following supported capabilities:
Any SAML 2.0 provider that is compliant for the SP-Lite profile can support authentication to Azure AD and
associated applications
Supports passive authentication, which facilitates authentication to OWA, SPO, etc.
Exchange Online clients can be supported via the SAML 2.0 Enhanced Client Profile (ECP)
You must also be aware of what capabilities will not be available:
Without WS-Trust/Federation support, all other active clients break
That means no Lync client, OneDrive client, Office Subscription, Office Mobile prior to Office 2016
Transition of Office to passive authentication allows them to support pure SAML 2.0 IdPs, but support will still
be on a client-by-client basis
NOTE
For the most updated list read the article Azure AD federation compatibility list.
Supported topologies
When defining a synchronization strategy, the topology that is used must be determined. Depending on the
information that was determined in step 2 you can determine which topology is the proper one to use. The single
forest, single Azure AD topology is the most common and consists of a single Active Directory forest and a single
instance of Azure AD. This is going to be used in a majority of the scenarios and is the expected topology when
using Azure AD Connect Express installation as shown in the figure below.
Single
Forest Scenario It is common for large and even small organizations to have multiple forests, as shown in Figure 5.
NOTE
For more information about the different on-premises and Azure AD topologies with Azure AD Connect sync read the article
Topologies for Azure AD Connect.
Multi-Forest Scenario
If this is the case, then the multi-forest single Azure AD topology should be considered if the following items are
true:
Users have only 1 identity across all forests – the uniquely identifying users section below describes this in
more detail.
The user authenticates to the forest in which their identity is located
UPN and Source Anchor (immutable id) will come from this forest
All forests are accessible by Azure AD Connect – this means it does not need to be domain joined and can be
placed in a DMZ if this facilitates this.
Users have only one mailbox
The forest that hosts a user’s mailbox has the best data quality for attributes visible in the Exchange Global
Address List (GAL)
If there is no mailbox on the user, then any forest may be used to contribute these values
If you have a linked mailbox, then there is also another account in a different forest used to sign in.
NOTE
Objects that exist in both on-premises and in the cloud are “connected” via a unique identifier. In the context of Directory
Synchronization, this unique identifier is referred to as the SourceAnchor. In the context of Single Sign-On, this is referred to
as the ImmutableId. Design concepts for Azure AD Connect for more considerations regarding the use of SourceAnchor.
If the above are not true and you have more than one active account or more than one mailbox, Azure AD Connect
will pick one and ignore the other. If you have linked mailboxes but no other account, these accounts will not be
exported to Azure AD and that user will not be a member of any groups. This is different from how it was in the
past with DirSync and is intentional to better support these multi-forest scenarios. A multi-forest scenario is shown
in the figure below.
Even though you may have settled on a solution for your strategy, you still need to use the evaluation from above
on where your users are located. This may cause the solution to change. Use the table below to assist you
determining this:
NOTE
You should also ensure that the multi-factor authentication design option that you selected supports the features that are
required for your design. For more information read Choose the multi-factor security solution for you.
Multi-Factor Auth Provider
Multi-factor authentication is available by default for global administrators who have an Azure Active Directory
tenant. However, if you wish to extend multi-factor authentication to all of your users and/or want to your global
administrators to be able to take advantage features such as the management portal, custom greetings, and
reports, then you must purchase and configure Multi-Factor Authentication Provider.
NOTE
You should also ensure that the multi-factor authentication design option that you selected supports the features that are
required for your design.
Next steps
Determine data protection requirements
See also
Design considerations overview
Azure Active Directory hybrid identity design
considerations- next steps
9/7/2020 • 2 minutes to read • Edit Online
Now that you’ve completed defining your requirements and examining all the options for your mobile device
management solution, you’re ready to take the next steps for deploying the supporting infrastructure that’s right
for you and your organization.
See also
Design considerations overview
Hybrid Identity directory integration tools
comparison
9/7/2020 • 2 minutes to read • Edit Online
Over the years the directory integration tools have grown and evolved.
FIM and MIM are still supported and primarily enable synchronization between on-premises systems. The FIM
Windows Azure AD Connector is supported in both FIM and MIM, but not recommended for new deployments
- customers with on-premises sources such as Notes or SAP HCM should use MIM to populate Active Directory
Domain Services (AD DS) and then also use either Azure AD Connect sync or Azure AD Connect cloud
provisioning to synchronize from AD DS to Azure AD.
Azure AD Connect sync incorporates the components and functionality previously released in DirSync and
Azure AD Sync, for synchronizing between AD DS forests and Azure AD.
Azure AD Connect cloud provisioning is a new Microsoft agent for synching from AD DS to Azure AD, useful for
scenarios such as merger and acquisition where the acquired company's AD forests are isolated from the
parent company's AD forests.
To learn more about the differences between Azure AD Connect sync and Azure AD Connect cloud provisioning,
see the article What is Azure AD Connect cloud provisioning?
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect: Enabling device writeback
9/7/2020 • 4 minutes to read • Edit Online
NOTE
A subscription to Azure AD Premium is required for device writeback.
The following documentation provides information on how to enable the device writeback feature in Azure AD
Connect. Device Writeback is used in the following scenarios:
Enable Windows Hello for Business using hybrid certificate trust deployment
Enable Conditional Access based on devices to ADFS (2012 R2 or higher) protected applications (relying party
trusts).
This provides additional security and assurance that access to applications is granted only to trusted devices. For
more information on Conditional Access, see Managing Risk with Conditional Access and Setting up On-
premises Conditional Access using Azure Active Directory Device Registration.
IMPORTANT
Devices must be located in the same forest as the users. Since devices must be written back to a single forest, this feature
does not currently support a deployment with multiple user forests.
Only one device registration configuration object can be added to the on-premises Active Directory forest. This feature is not
compatible with a topology where the on-premises Active Directory is synchronized to multiple Azure AD directories.
2. On the device options page, select Configure device writeback . Option to Disable device writeback
will not be available until device writeback is enabled. Click on Next to move to the next page in the
wizard.
3. On the writeback page, you will see the supplied domain as the default Device writeback forest.
4. Device container page provides option of preparing the active directory by using one of the two
available options:
a. Provide enterprise administrator credentials : If the enterprise administrator credentials are
provided for the forest where devices need to be written back, Azure AD Connect will prepare the forest
automatically during the configuration of device writeback.
b. Download PowerShell script : Azure AD Connect auto-generates a PowerShell script that can prepare
the active directory for device writeback. In case the enterprise administrator credentials cannot be
provided in Azure AD Connect, it is suggested to download the PowerShell script. Provide the downloaded
PowerShell script CreateDeviceContainer.ps1 to the enterprise administrator of the forest where
devices will be written back to.
The following operations are performed for preparing the active directory forest:
If they do not exist already, creates and configures new containers and objects under CN=Device
Registration Configuration,CN=Services,CN=Configuration,[forest-dn].
If they do not exist already, creates and configures new containers and objects under
CN=RegisteredDevices,[domain-dn]. Device objects will be created in this container.
Sets necessary permissions on the Azure AD Connector account, to manage devices on your Active
Directory.
Only needs to run on one forest, even if Azure AD Connect is being installed on multiple forests.
Troubleshooting
The writeback checkbox is still disabled
If the checkbox for device writeback is not enabled even though you have followed the steps above, the following
steps will guide you through what the installation wizard is verifying before the box is enabled.
First things first:
The forest where the devices are present must have the forest schema upgraded to Windows 2012 R2 level so
that the device object and associated attributes are present .
If the installation wizard is already running, then any changes will not be detected. In this case, complete the
installation wizard and run it again.
Make sure the account you provide in the initialization script is actually the correct user used by the Active
Directory Connector. To verify this, follow these steps:
From the start menu, open Synchronization Ser vice .
Open the Connectors tab.
Find the Connector with type Active Directory Domain Services and select it.
Under Actions , select Proper ties .
Go to Connect to Active Director y Forest . Verify that the domain and user name specified on this
screen match the account provided to the script.
Verify there is only one configuration object by searching the configuration namespace. If there is more than
one, delete the duplicate.
On the Device Registration Service object, make sure the attribute msDS-DeviceLocation is present and has a
value. Lookup this location and make sure it is present with the objectType msDS-DeviceContainer.
Verify the account used by the Active Directory Connector has required permissions on the Registered Devices
container found by the previous step. This is the expected permissions on this container:
Verify the Active Directory account has permissions on the CN=Device Registration
Configuration,CN=Services,CN=Configuration object.
Additional Information
Managing Risk With Conditional Access
Setting up On-premises Conditional Access using Azure Active Directory Device Registration
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect group writeback
9/7/2020 • 2 minutes to read • Edit Online
Groups writeback enables customers to leverage cloud groups for their hybrid needs. If you use the Office 365
Groups feature, then you can have these groups represented in your on-premises Active Directory. This option is
only available if you have Exchange present in your on-premises Active Directory.
Pre-requisites
The following pre-requisites must be met in order to enable group writeback.
Azure Active Directory Premium licenses for your tenant.
A configured hybrid deployment between your Exchange on-premises organization and Office 365 and verified
it's functioning correctly.
Installed a supported version of Exchange on-premises
Configured single sign-on using Azure Active Directory Connect
For additional information on configuring the Office 365 groups see Configure Microsoft 365 Groups with on-
premises Exchange hybrid.
3. Click Next .
4. Click Configure .
NOTE
Disabling Group Writeback will set the Full Import and Full Synchronization flags to 'true' on the Azure Active Directory
Connector, causing the rule changes to propagate through on the next synchronization cycle, deleting the groups that were
previously written back to your Active Directory.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect: Device options
9/7/2020 • 2 minutes to read • Edit Online
The following documentation provides information about the various device options available in Azure AD Connect.
You can use Azure AD Connect to configure the following two operations:
Hybrid Azure AD join : If your environment has an on-premises AD footprint and you want the benefits of
Azure AD, you can implement hybrid Azure AD joined devices. These devices are joined both to your on-
premises Active Directory, and your Azure Active Directory.
Device writeback : Device writeback is used to enable Conditional Access based on devices to AD FS (2012 R2
or higher) protected devices
2. After providing the credentials for Azure AD, you can chose the operation to be performed on the Device
options page.
Next steps
Configure Hybrid Azure AD join
Configure / Disable device writeback
More details about features in preview
9/7/2020 • 2 minutes to read • Edit Online
User writeback
IMPORTANT
The user writeback preview feature was removed in the August 2015 update to Azure AD Connect. If you have enabled it,
then you should disable this feature.
Next steps
Continue your Custom installation of Azure AD Connect.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect sync: Prevent accidental deletes
9/7/2020 • 2 minutes to read • Edit Online
This topic describes the prevent accidental deletes (preventing accidental deletions) feature in Azure AD Connect.
When installing Azure AD Connect, prevent accidental deletes is enabled by default and configured to not allow
an export with more than 500 deletes. This feature is designed to protect you from accidental configuration
changes and changes to your on-premises directory that would affect many users and other objects.
Hello (technical contact). At (time) the Identity synchronization service detected that the number of deletions
exceeded the configured deletion threshold for (organization name). A total of (number) objects were sent
for deletion in this Identity synchronization run. This met or exceeded the configured deletion threshold
value of (number) objects. We need you to provide confirmation that these deletions should be processed
before we will proceed. Please see the preventing accidental deletions for more information about the error
listed in this email message.
You can also see the status stopped-deletion-threshold-exceeded when you look in the Synchronization
Ser vice Manager UI for the Export profile.
If this was unexpected, then investigate and take corrective actions. To see which objects are about to be deleted,
do the following:
1. Start Synchronization Ser vice from the Start Menu.
2. Go to Connectors .
3. Select the Connector with type Azure Active Director y .
4. Under Actions to the right, select Search Connector Space .
5. In the pop-up under Scope , select Disconnected Since and pick a time in the past. Click Search . This page
provides a view of all objects about to be deleted. By clicking each item, you can get additional information
about the object. You can also click Column Setting to add additional attributes to be visible in the grid.
[!NOTE] If you aren't sure all deletes are desired, and wish to go down a safer route. You can use the PowerShell
cmdlet : Enable-ADSyncExportDeletionThreshold to set a new threshold rather than disabling the threshold which
could allow undesired deletions.
3. With the Azure Active Directory Connector still selected, select the action Run and select Expor t .
4. To re-enable the protection, run the PowerShell cmdlet:
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500 . Replace 500 with the value you noticed when
retrieving the current deletion threshold. Provide an Azure AD Global Administrator account and password.
Next steps
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect sync: Enable AD recycle bin
9/7/2020 • 2 minutes to read • Edit Online
It is recommended that you enable the AD Recycle Bin feature for your on-premises Active Directories, which are
synchronized to Azure AD.
If you accidentally deleted an on-premises AD user object and restore it using the feature, Azure AD restores the
corresponding Azure AD user object. For information about the AD Recycle Bin feature, refer to article Scenario
Overview for Restoring Deleted Active Directory Objects.
NOTE
By default, Azure AD keeps deleted Azure AD user objects in soft-deleted state for 30 days before they are permanently
deleted. However, administrators can accelerate the deletion of such objects. Once the objects are permanently deleted, they
can no longer be recovered, even if on-premises AD Recycle Bin feature is enabled.
Next steps
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect:Configure AD DS Connector
Account Permissions
9/7/2020 • 8 minutes to read • Edit Online
The PowerShell Module named ADSyncConfig.psm1 was introduced with build 1.1.880.0 (released in August 2018)
that includes a collection of cmdlets to help you configure the correct Active Directory permissions for your Azure
AD Connect deployment.
Overview
The following PowerShell cmdlets can be used to setup Active Directory permissions of the AD DS Connector
account, for each feature that you select to enable in Azure AD Connect. To prevent any issues, you should prepare
Active Directory permissions in advance whenever you want to install Azure AD Connect using a custom domain
account to connect to your forest. This ADSyncConfig module can also be used to configure permissions after
Azure AD Connect is deployed.
For Azure AD Connect Express installation, an automatically generated account (MSOL_nnnnnnnnnn) is created in
Active Directory with all the necessary permissions, so there’s no need to use this ADSyncConfig module unless
you have blocked permissions inheritance on organizational units or on specific Active Directory objects that you
want to synchronize to Azure AD.
Permissions summary
The following table provides a summary of the permissions required on AD objects:
Exchange hybrid deployment Read and Write permissions to the attributes documented in
Exchange hybrid writeback for users, groups, and contacts.
Exchange Mail Public Folder Read permissions to the attributes documented in Exchange
Mail Public Folder for public folders.
Device writeback Read and Write permissions to device objects and containers
documented in device writeback.
Group writeback Read, Create, Update, and Delete group objects for
synchronized Office 365 groups .
Install-WindowsFeature RSAT-AD-Tools
NOTE
You can also copy the file C:\Program Files\Microsoft Azure Active Director y
Connect\AdSyncConfig\ADSyncConfig.psm1 to a Domain Controller which already has RSAT for AD DS installed and
use this PowerShell module from there.
To start using the ADSyncConfig you need to load the module in a Windows PowerShell window:
Each cmdlet has the same parameters to input the AD DS Connector Account and an AdminSDHolder switch. To
specify your AD DS Connector Account, you can provide the account name and domain, or just the account
Distinguished Name (DN),
e.g.:
Or;
Make sure to replace <ADAccountName> , <ADDomainName> and <ADAccountDN> with the proper values for your
environment.
In case you don’t want to modify permissions on the AdminSDHolder container, use the switch
-SkipAdminSdHolders .
By default, all the set permissions cmdlets will try to set AD DS permissions on the root of each Domain in the
Forest, meaning that the user running the PowerShell session requires Domain Administrator rights on each
domain in the Forest. Because of this requirement, it is recommended to use an Enterprise Administrator from the
Forest root. If your Azure AD Connect deployment has multiple AD DS Connectors, it will be required to run the
same cmdlet on each forest that has an AD DS Connector.
You can also set permissions on a specific OU or AD DS object by using the parameter -ADobjectDN followed by
the DN of the target object where you want to set permissions. When using a target ADobjectDN, the cmdlet will
set permissions on this object only and not on the domain root or AdminSDHolder container. This parameter can
be useful when you have certain OUs or AD DS objects that have permission inheritance disabled (see Locate AD
DS objects with permission inheritance disabled)
Exceptions to these common parameters are the Set-ADSyncRestrictedPermissions cmdlet which is used to set the
permissions on the AD DS Connector Account itself, and the Set-ADSyncPasswordHashSyncPermissions cmdlet since
the permissions required for Password Hash Sync are only set at the domain root, hence this cmdlet does not
include the -ObjectDN or -SkipAdminSdHolders parameters.
Determine your AD DS Connector Account
In case Azure AD Connect is already installed and you want to check what is the AD DS Connector Account
currently in use by Azure AD Connect, you can execute the cmdlet:
Get-ADSyncADConnectorAccount
By default, this cmdlet will only look for OUs with disabled inheritance, but you can specify other AD DS object
classes in -ObjectClass parameter or use ‘*’ for all object classes, as follows:
or;
or;
or;
or;
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>]
[<CommonParameters>]
or;
Allow AD DS Connector Account Create/Delete child object All attributes of object type
group and subobjects
Allow AD DS Connector Account Delete/Delete tree objects All attributes of object type
group and subobjects
or;
or;
For Example:
$credential = Get-Credential
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN'CN=ADConnectorAccount,CN=Users,DC=Contoso,DC=com' -
Credential $credential
This cmdlet will set the following permissions:
Next Steps
Azure AD Connect: Accounts and permissions
Express Installation
Custom Installation
ADSyncConfig Reference
Changing the ADSync service account password
9/7/2020 • 4 minutes to read • Edit Online
If you change the ADSync service account password, the Synchronization Service will not be able start correctly
until you have abandoned the encryption key and reinitialized the ADSync service account password.
Azure AD Connect, as part of the Synchronization Services uses an encryption key to store the passwords of the AD
DS Connector account and ADSync service account. These accounts are encrypted before they are stored in the
database.
The encryption key used is secured using Windows Data Protection (DPAPI). DPAPI protects the encryption key
using the ADSync ser vice account .
If you need to change the service account password you can use the procedures in Abandoning the ADSync service
account encryption key to accomplish this. These procedures should also be used if you need to abandon the
encryption key for any reason.
The Azure AD Connector account is supposed to be service free. If you need to reset its credentials, then this topic
is for you. For example, if a Global Administrator has by mistake reset the password on the account using
PowerShell.
2. Run Add-ADSyncAADServiceAccount .
3. Provide Azure AD Global admin credentials.
This cmdlet resets the password for the service account and update it both in Azure AD and in the sync engine.
Event 6900 The server encountered an unexpected error while processing a password change notification:
AADSTS70002: Error validating credentials. AADSTS50054: Old password is used for authentication.
Next steps
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Changing the AD DS account password
9/7/2020 • 2 minutes to read • Edit Online
The AD DS account refers to the user account used by Azure AD Connect to communicate with on-premises Active
Directory. If you change the password of the AD DS account, you must update Azure AD Connect Synchronization
Service with the new password. Otherwise, the Synchronization can no longer synchronize correctly with the on-
premises Active Directory and you will encounter the following errors:
In the Synchronization Service Manager, any import or export operation with on-premises AD fails with no-
star t-credentials error.
Under Windows Event Viewer, the application event log contains an error with Event ID 6000 and message
'The management agent "contoso.com" failed to run because the credentials were invalid' .
Next steps
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Azure Active Directory Pass-through Authentication:
Quickstart
9/7/2020 • 9 minutes to read • Edit Online
IMPORTANT
If you are migrating from AD FS (or other federation technologies) to Pass-through Authentication, we highly recommend
that you follow our detailed deployment guide published here.
NOTE
If you deploying Pass Through Authentication with the Azure Government cloud, view Hybrid Identity Considerations for
Azure Government.
IMPORTANT
From a security standpoint, administrators should treat the server running the PTA agent as if it were a domain controller.
The PTA agent servers should be hardened along the same lines as outlined in Securing Domain Controllers Against Attack
3. Identify one or more additional servers (running Windows Server 2012 R2 or later, with TLS 1.2 enabled)
where you can run standalone Authentication Agents. These additional servers are needed to ensure the
high availability of requests to sign in. Add the servers to the same Active Directory forest as the users
whose passwords you need to validate.
IMPORTANT
In production environments, we recommend that you have a minimum of 3 Authentication Agents running on
your tenant. There is a system limit of 40 Authentication Agents per tenant. And as best practice, treat all servers
running Authentication Agents as Tier 0 systems (see reference).
4. If there is a firewall between your servers and Azure AD, configure the following items:
Ensure that Authentication Agents can make outbound requests to Azure AD over the following
ports:
P O RT N UM B ER H O W IT 'S USED
If your firewall enforces rules according to the originating users, open these ports for traffic from
Windows services that run as a network service.
If your firewall or proxy allows DNS whitelisting, add connections to *.msappproxy.net and
*.ser vicebus.windows.net . If not, allow access to the Azure datacenter IP ranges, which are
updated weekly.
Your Authentication Agents need access to login.windows.net and login.microsoftonline.com
for initial registration. Open your firewall for those URLs as well.
For certificate validation, unblock the following URLs: mscrl.microsoft.com:80 ,
crl.microsoft.com:80 , ocsp.msocsp.com:80 , and www.microsoft.com:80 . Since these URLs
are used for certificate validation with other Microsoft products you may already have these URLs
unblocked.
Azure Government cloud prerequisite
Prior to enabling Pass-through Authentication through Azure AD Connect with Step 2, download the latest
release of the PTA agent from the Azure portal. You need to ensure that your agent is versions 1.5.1742.0. or
later. To verify your agent see Upgrade authentication agents
After downloading the latest release of the agent, proceed with the below instructions to configure Pass-Through
Authentication through Azure AD Connect.
IMPORTANT
You can enable Pass-through Authentication on the Azure AD Connect primary or staging server. It is highly
recommended that you enable it from the primary server. If you are setting up an Azure AD Connect staging server in the
future, you must continue to choose Pass-through Authentication as the sign-in option; choosing another option will
disable Pass-through Authentication on the tenant and override the setting in the primary server.
If you're installing Azure AD Connect for the first time, choose the custom installation path. At the User sign-in
page, choose Pass-through Authentication as the Sign On method . On successful completion, a Pass-
through Authentication Agent is installed on the same server as Azure AD Connect. In addition, the Pass-through
Authentication feature is enabled on your tenant.
If you have already installed Azure AD Connect by using the express installation or the custom installation path,
select the Change user sign-in task on Azure AD Connect, and then select Next . Then select Pass-through
Authentication as the sign-in method. On successful completion, a Pass-through Authentication Agent is
installed on the same server as Azure AD Connect and the feature is enabled on your tenant.
IMPORTANT
Pass-through Authentication is a tenant-level feature. Turning it on affects the sign-in for users across all the managed
domains in your tenant. If you're switching from Active Directory Federation Services (AD FS) to Pass-through
Authentication, you should wait at least 12 hours before shutting down your AD FS infrastructure. This wait time is to
ensure that users can keep signing in to Exchange ActiveSync during the transition. For more help on migrating from AD
FS to Pass-through Authentication, check out our detailed deployment plan published here.
IMPORTANT
In production environments, we recommend that you have a minimum of 3 Authentication Agents running on your
tenant. There is a system limit of 40 Authentication Agents per tenant. And as best practice, treat all servers running
Authentication Agents as Tier 0 systems (see reference).
Installing multiple Pass-through Authentication Agents ensures high availability, but not deterministic load
balancing between the Authentication Agents. To determine how many Authentication Agents you need for your
tenant, consider the peak and average load of sign-in requests that you expect to see on your tenant. As a
benchmark, a single Authentication Agent can handle 300 to 400 authentications per second on a standard 4-
core CPU, 16-GB RAM server.
To estimate network traffic, use the following sizing guidance:
Each request has a payload size of (0.5K + 1K * num_of_agents) bytes, that is, data from Azure AD to the
Authentication Agent. Here, "num_of_agents" indicates the number of Authentication Agents registered on
your tenant.
Each response has a payload size of 1K bytes, that is, data from the Authentication Agent to Azure AD.
For most customers, three Authentication Agents in total are sufficient for high availability and capacity. You
should install Authentication Agents close to your domain controllers to improve sign-in latency.
To begin, follow these instructions to download the Authentication Agent software:
1. To download the latest version of the Authentication Agent (version 1.5.193.0 or later), sign in to the Azure
Active Directory admin center with your tenant's global administrator credentials.
2. Select Azure Active Director y in the left pane.
3. Select Azure AD Connect , select Pass-through authentication , and then select Download Agent .
4. Select the Accept terms & download button.
NOTE
You can also directly download the Authentication Agent software. Review and accept the Authentication Agent's Terms of
Service before installing it.
$User = "<username>"
$PlainPassword = '<password>'
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword
3. Go to C:\Program Files\Microsoft Azure AD Connect Authentication Agent and run the following
script using the $cred object that you created:
IMPORTANT
If an Authentication Agent is installed on a Virtual Machine, you can't clone the Virtual Machine to setup another
Authentication Agent. This method is unsuppor ted .
Next steps
Migrate from AD FS to Pass-through Authentication - A detailed guide to migrate from AD FS (or other
federation technologies) to Pass-through Authentication.
Smart Lockout: Learn how to configure the Smart Lockout capability on your tenant to protect user accounts.
Current limitations: Learn which scenarios are supported with the Pass-through Authentication and which
ones are not.
Technical deep dive: Understand how the Pass-through Authentication feature works.
Frequently asked questions: Find answers to frequently asked questions.
Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
Security deep dive: Get technical information on the Pass-through Authentication feature.
Azure AD Seamless SSO: Learn more about this complementary feature.
UserVoice: Use the Azure Active Directory Forum to file new feature requests.
Azure Active Directory Pass-through Authentication:
Frequently asked questions
9/7/2020 • 8 minutes to read • Edit Online
This article addresses frequently asked questions about Azure Active Directory (Azure AD) Pass-through
Authentication. Keep checking back for updated content.
What happens if my user's password has expired and they try to sign
in by using Pass-through Authentication?
If you have configured password writeback for a specific user, and if the user signs in by using Pass-through
Authentication, they can change or reset their passwords. The passwords are written back to on-premises Active
Directory as expected.
If you have not configured password writeback for a specific user or if the user doesn't have a valid Azure AD
license assigned, the user can't update their password in the cloud. They can't update their password, even if their
password has expired. The user instead sees this message: "Your organization doesn't allow you to update your
password on this site. Update it according to the method recommended by your organization, or ask your admin
if you need help." The user or the administrator must reset their password in on-premises Active Directory.
NOTE
Recent updates reduced the number of ports that the feature requires. If you have older versions of Azure AD
Connect or the Authentication Agent, keep these ports open as well: 5671, 8080, 9090, 9091, 9350, 9352, and
10100-10120.
<system.net>
<defaultProxy enabled="true" useDefaultCredentials="true">
<proxy
usesystemdefault="true"
proxyaddress="http://contosoproxy.com:8080"
bypassonlocal="true"
/>
</defaultProxy>
</system.net>
NOTE
There is a system limit of 40 Authentication Agents per tenant.
Tenants created after June 15th 2015 have the default behavior of synchronizing UPN changes.
Next steps
Current limitations: Learn which scenarios are supported and which ones are not.
Quick start: Get up and running on Azure AD Pass-through Authentication.
Migrate from AD FS to Pass-through Authentication - A detailed guide to migrate from AD FS (or other
federation technologies) to Pass-through Authentication.
Smart Lockout: Learn how to configure the Smart Lockout capability on your tenant to protect user accounts.
Technical deep dive: Understand how the Pass-through Authentication feature works.
Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
Security deep dive: Get deep technical information on the Pass-through Authentication feature.
Azure AD Seamless SSO: Learn more about this complementary feature.
UserVoice: Use the Azure Active Directory Forum to file new feature requests.
Disable PTA when using Azure AD Connect "Do not
configure"
9/7/2020 • 2 minutes to read • Edit Online
If you are using Pass-through Authentication with Azure AD Connect and you have it set to "Do not configure", you
can disable it. Disabling PTA can be done using the following cmdlets.
Prerequisites
The following prerequisites are required:
Any windows machine that has the PTA agent installed.
Agent must be at version 1.5.1742.0 or later.
An Azure global administrator account in order to run the PowerShell cmdlets to disable PTA.
NOTE
If your agent is older then it may not have the cmdlets required to complete this operation. You can get a new agent from
Azure Portal an install it on any windows machine and provide admin credentials. (Installing the agent does not affect the PTA
status in the cloud)
IMPORTANT
If you are using the Azure Government cloud then you will have to pass in the ENVIRONMENTNAME parameter with the
following value.
AzureUSGovernment US Gov
To disable PTA
From within a PowerShell session, use the following to disable PTA:
1. PS C:\Program Files\Microsoft Azure AD Connect Authentication Agent>
Import-Module .\Modules\PassthroughAuthPSModule
2. Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth or
Get-PassthroughAuthenticationEnablementStatus -Feature PassthroughAuth -EnvironmentName <identifier>
3. Disable-PassthroughAuthentication -Feature PassthroughAuth or
Disable-PassthroughAuthentication -Feature PassthroughAuth -EnvironmentName <identifier>
This article describes how to manage and customize Active Directory Federation Services (AD FS) by using Azure
Active Directory (Azure AD) Connect. It also includes other common AD FS tasks that you might need to do for a
complete configuration of an AD FS farm.
TO P IC W H AT IT C O VERS
Manage AD FS
Repair the trust How to repair the federation trust with Office 365.
Federate with Azure AD using alternate login ID Configure federation using alternate login ID
Add an AD FS Web Application Proxy server How to expand an AD FS farm with an additional Web
Application Proxy (WAP) server.
Update the TLS/SSL certificate How to update the TLS/SSL certificate for an AD FS farm.
Customize AD FS
Add a custom company logo or illustration How to customize an AD FS sign-in page with a company
logo and illustration.
Modify AD FS claim rules How to modify AD FS claims for various federation scenarios.
Manage AD FS
You can perform various AD FS-related tasks in Azure AD Connect with minimal user intervention by using the
Azure AD Connect wizard. After you've finished installing Azure AD Connect by running the wizard, you can run
the wizard again to perform additional tasks.
3. On the Remote access credentials page, enter the credentials for the domain administrator.
After you click Next , Azure AD Connect checks for certificate health and shows any issues.
The Ready to configure page shows the list of actions that will be performed to repair the trust.
4. Click Install to repair the trust.
NOTE
Azure AD Connect can only repair or act on certificates that are self-signed. Azure AD Connect can't repair third-party
certificates.
NOTE
For more information on alternateID and steps to manually configure, read Configuring Alternate Login ID
Add an AD FS server
NOTE
To add an AD FS server, Azure AD Connect requires the PFX certificate. Therefore, you can perform this operation only if you
configured the AD FS farm by using Azure AD Connect.
6. Click Next , and go through the final Configure page. After Azure AD Connect has finished adding the
servers to the AD FS farm, you will be given the option to verify the connectivity.
Add an AD FS WAP server
NOTE
To add a WAP server, Azure AD Connect requires the PFX certificate. Therefore, you can only perform this operation if you
configured the AD FS farm by using Azure AD Connect.
1. Select Deploy Web Application Proxy from the list of available tasks.
2. Provide the Azure global administrator credentials.
3. On the Specify SSL cer tificate page, provide the password for the PFX file that you provided when you
configured the AD FS farm with Azure AD Connect.
4. Add the server to be added as a WAP server. Because the WAP server might not be joined to the domain,
the wizard asks for administrative credentials to the server being added.
5. On the Proxy trust credentials page, provide administrative credentials to configure the proxy trust and
access the primary server in the AD FS farm.
6. On the Ready to configure page, the wizard shows the list of actions that will be performed.
7. Click Install to finish the configuration. After the configuration is complete, the wizard gives you the option
to verify the connectivity to the servers. Click Verify to check connectivity.
2. On the next page of the wizard, provide the global administrator credentials for Azure AD.
3. On the Remote access credentials page, provide the domain administrator credentials.
4. On the next page, the wizard provides a list of Azure AD domains that you can federate your on-premises
directory with. Choose the domain from the list.
After you choose the domain, the wizard provides you with appropriate information about further actions
that the wizard will take and the impact of the configuration. In some cases, if you select a domain that isn't
yet verified in Azure AD, the wizard provides you with information to help you verify the domain. See Add
your custom domain name to Azure Active Directory for more details.
5. Click Next . The Ready to configure page shows the list of actions that Azure AD Connect will perform.
Click Install to finish the configuration.
NOTE
Users from the added federated domain must be synchronized before they will be able to login to Azure AD.
AD FS customization
The following sections provide details about some of the common tasks that you might have to perform when
you customize your AD FS sign-in page.
NOTE
The recommended dimensions for the logo are 260 x 35 @ 96 dpi with a file size no greater than 10 KB.
NOTE
The TargetName parameter is required. The default theme that's released with AD FS is named Default.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> add(store = "Active Directory", types = ("http://contoso.com/ws/2016/02/identity/claims/objectguid",
"http://contoso.com/ws/2016/02/identity/claims/msdsconsistencyguid"), query = "; objectGuid,ms-ds-
consistencyguid;{0}", param = c.Value);
In this rule, you're querying the values of ms-ds-consistencyguid and objectGuid for the user from Active
Directory. Change the store name to an appropriate store name in your AD FS deployment. Also change the
claims type to a proper claims type for your federation, as defined for objectGuid and ms-ds-consistencyguid .
Also, by using add and not issue , you avoid adding an outgoing issue for the entity, and can use the values as
intermediate values. You will issue the claim in a later rule after you establish which value to use as the immutable
ID.
Rule 2: Check if ms-ds-consistencyguid exists for the user
This rule defines a temporary flag called idflag that is set to useguid if there's no ms-ds-consistencyguid
populated for the user. The logic behind this is the fact that AD FS doesn't allow empty claims. So when you add
claims http://contoso.com/ws/2016/02/identity/claims/objectguid and
http://contoso.com/ws/2016/02/identity/claims/msdsconsistencyguid in Rule 1, you end up with an
msdsconsistencyguid claim only if the value is populated for the user. If it isn't populated, AD FS sees that it will
have an empty value and drops it immediately. All objects will have objectGuid , so that claim will always be there
after Rule 1 is executed.
Rule 3: Issue ms-ds-consistencyguid as immutable ID if it's present
c:[Type == "http://contoso.com/ws/2016/02/identity/claims/msdsconsistencyguid"]
=> issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Value = c.Value);
This is an implicit Exist check. If the value for the claim exists, then issue that as the immutable ID. The previous
example uses the nameidentifier claim. You'll have to change this to the appropriate claim type for the
immutable ID in your environment.
Rule 4: Issue objectGuid as immutable ID if ms-ds-consistencyGuid is not present
In this rule, you're simply checking the temporary flag idflag . You decide whether to issue the claim based on its
value.
NOTE
The sequence of these rules is important.
Next steps
Learn more about user sign-in options.
Multiple Domain Support for Federating with Azure
AD
9/7/2020 • 6 minutes to read • Edit Online
The following documentation provides guidance on how to use multiple top-level domains and subdomains when
federating with Office 365 or Azure AD domains.
NOTE
The federation service identifier is a URI that uniquely identifies a federation service. The federation service is an instance of
AD FS that functions as the security token service.
A problem arises when you add more than one top-level domain. For example, let's say you have set up federation
between Azure AD and your on-premises environment. For this document, the domain, bmcontoso.com is being
used. Now a second, top-level domain, bmfabrikam.com has been added.
When you attempt to convert the bmfabrikam.com domain to be federated, an error occurs. The reason is, Azure
AD has a constraint that does not allow the IssuerUri property to have the same value for more than one domain.
SupportMultipleDomain Parameter
To work around this constraint, you need to add a different IssuerUri, which can be done by using the
-SupportMultipleDomain parameter. This parameter is used with the following cmdlets:
New-MsolFederatedDomain
Convert-MsolDomaintoFederated
Update-MsolFederatedDomain
This parameter makes Azure AD configure the IssuerUri so that it is based on the name of the domain. The
IssuerUri will be unique across directories in Azure AD. Using the parameter allows the PowerShell command to
complete successfully.
Looking at the settings for the bmfabrikam.com domain you can see the following:
-SupportMultipleDomain does not change the other endpoints, which are still configured to point to the federation
service on adfs.bmcontoso.com.
Another thing that -SupportMultipleDomain does is that it ensures that the AD FS system includes the proper
Issuer value in tokens issued for Azure AD. This value is set by taking the domain portion of the users UPN and
setting it as the domain in the IssuerUri, i.e. https://{upn suffix}/adfs/services/trust.
Thus during authentication to Azure AD or Office 365, the IssuerUri element in the user’s token is used to locate
the domain in Azure AD. If, a match cannot be found, the authentication will fail.
For example, if a user’s UPN is bsimon@bmcontoso.com, the IssuerUri element in the token, AD FS issues, will be
set to http://bmcontoso.com/adfs/services/trust . This element will match the Azure AD configuration, and
authentication will succeed.
The following is the customized claim rule that implements this logic:
IMPORTANT
In order to use the -SupportMultipleDomain switch when attempting to add new or convert already existing domains, your
federated trust needs to have already been set up to support them.
If you have successfully added a new domain in the Azure AD portal and then attempt to convert it using
Convert-MsolDomaintoFederated -DomainName <your domain> , you will get the following error.
If you try to add the -SupportMultipleDomain switch, you will receive the following error:
Simply trying to run Update-MsolFederatedDomain -DomainName <your domain> -SupportMultipleDomain on the original
domain will also result in an error.
Use the steps below to add an additional top-level domain. If you have already added a domain, and did not use
the -SupportMultipleDomain parameter, start with the steps for removing and updating your original domain. If
you have not added a top-level domain yet, you can start with the steps for adding a domain using PowerShell of
Azure AD Connect.
Use the following steps to remove the Microsoft Online trust and update your original domain.
1. On your AD FS federation server open AD FS Management.
2. On the left, expand Trust Relationships and Relying Par ty Trusts
3. On the right, delete the Microsoft Office 365 Identity Platform entry.
4. On a machine that has Azure Active Directory Module for Windows PowerShell installed on it run the
following: $cred=Get-Credential .
5. Enter the username and password of a global administrator for the Azure AD domain you are federating with.
6. In PowerShell, enter Connect-MsolService -Credential $cred
7. In PowerShell, enter Update-MSOLFederatedDomain -DomainName <Federated Domain Name> -SupportMultipleDomain .
This update is for the original domain. So using the above domains it would be:
Update-MsolFederatedDomain -DomainName bmcontoso.com -SupportMultipleDomain
Use the following steps to add the new top-level domain using PowerShell
1. On a machine that has Azure Active Directory Module for Windows PowerShell installed on it run the
following: $cred=Get-Credential .
2. Enter the username and password of a global administrator for the Azure AD domain you are federating with
3. In PowerShell, enter Connect-MsolService -Credential $cred
4. In PowerShell, enter New-MsolFederatedDomain –SupportMultipleDomain –DomainName
Use the following steps to add the new top-level domain using Azure AD Connect.
1. Launch Azure AD Connect from the desktop or start menu
2. Choose “Add an additional Azure AD Domain”
3. Enter your Azure AD and Active Directory credentials
4. Select the second domain you wish to configure for federation.
5. Click Install
Verify the new top-level domain
By using the PowerShell command Get-MsolDomainFederationSettings -DomainName <your domain> you can view the
updated IssuerUri. The screenshot below shows the federation settings were updated on the original domain
http://bmcontoso.com/adfs/services/trust
And the IssuerUri on the new domain has been set to https://bmfabrikam.com/adfs/services/trust
[!NOTE] The last number in the regular expression set is how many parent domains there are in your root domain.
Here bmcontoso.com is used, so two parent domains are necessary. If three parent domains were to be kept (i.e.:
corp.bmcontoso.com), then the number would have been three. Eventually a range can be indicated, the match will
always be made to match the maximum of domains. "{2,3}" will match two to three domains (i.e.: bmfabrikam.com
and corp.bmcontoso.com).
Use the following steps to add a custom claim to support subdomains.
1. Open AD FS Management
2. Right-click the Microsoft Online RP trust and choose Edit Claim rules
3. Select the third claim rule, and replace
with
Next steps
Now that you have Azure AD Connect installed you can verify the installation and assign licenses.
Learn more about these features, which were enabled with the installation: Automatic upgrade, Prevent accidental
deletes, and Azure AD Connect Health.
Learn more about these common topics: scheduler and how to trigger sync.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Federate multiple instances of Azure AD with single
instance of AD FS
9/7/2020 • 2 minutes to read • Edit Online
A single high available AD FS farm can federate multiple forests if they have 2-way trust between them. These
multiple forests may or may not correspond to the same Azure Active Directory. This article provides instructions
on how to configure federation between a single AD FS deployment and more than one forests that sync to
different Azure AD.
NOTE
Device writeback and automatic device join are not supported in this scenario.
NOTE
Azure AD Connect cannot be used to configure federation in this scenario as Azure AD Connect can configure federation for
domains in a single Azure AD.
Connect-MsolService
The above operation will federate the domain fabrikam.com with the same AD FS. You can verify the domain
settings by using Get-MsolDomainFederationSettings for both domains.
Next steps
Connect Active Directory with Azure Active Directory
Renew federation certificates for Office 365 and
Azure Active Directory
9/7/2020 • 8 minutes to read • Edit Online
Overview
For successful federation between Azure Active Directory (Azure AD) and Active Directory Federation Services (AD
FS), the certificates used by AD FS to sign security tokens to Azure AD should match what is configured in Azure
AD. Any mismatch can lead to broken trust. Azure AD ensures that this information is kept in sync when you
deploy AD FS and Web Application Proxy (for extranet access).
This article provides you additional information to manage your token signing certificates and keep them in sync
with Azure AD, in the following cases:
You are not deploying the Web Application Proxy, and therefore the federation metadata is not available in the
extranet.
You are not using the default configuration of AD FS for token signing certificates.
You are using a third-party identity provider.
NOTE
If you received an email or a portal notification asking you to renew your certificate for Office, see Managing changes to
token signing certificates to check if you need to take any action. Microsoft is aware of a possible issue that can lead to
notifications for certificate renewal being sent, even when no action is required.
Azure AD attempts to monitor the federation metadata, and update the token signing certificates as indicated by
this metadata. 30 days before the expiration of the token signing certificates, Azure AD checks if new certificates
are available by polling the federation metadata.
If it can successfully poll the federation metadata and retrieve the new certificates, no email notification or
warning in the Microsoft 365 admin center is issued to the user.
If it cannot retrieve the new token signing certificates, either because the federation metadata is not reachable
or automatic certificate rollover is not enabled, Azure AD issues an email notification and a warning in the
Microsoft 365 admin center.
IMPORTANT
If you are using AD FS, to ensure business continuity, please verify that your servers have the following updates so that
authentication failures for known issues do not occur. This mitigates known AD FS proxy server issues for this renewal and
future renewal periods:
Server 2012 R2 - Windows Server May 2014 rollup
Server 2008 R2 and 2012 - Authentication through proxy fails in Windows Server 2012 or Windows 2008 R2 SP1
Get-Adfsproperties
NOTE
If you are using AD FS 2.0, first run Add-Pssnapin Microsoft.Adfs.Powershell.
NOTE
MSOL-Cmdlets are part of the MSOnline PowerShell module. You can download the MSOnline PowerShell Module directly
from the PowerShell Gallery.
Install-Module MSOnline
Import-Module MSOnline
Connect-MsolService
Check the certificates configured in AD FS and Azure AD trust properties for the specified domain.
F EDERAT IO N
C ERT IF IC AT ES IN M ETA DATA IS
A UTO C ERT IF IC AT ERO SY N C W IT H A Z URE P UB L IC LY
L LO VER AD A C C ESSIB L E VA L IDIT Y A C T IO N
NOTE
If you are using AD FS 2.0, you should run Add-Pssnapin Microsoft.Adfs.Powershell first.
3. Look at the command output at any certificates listed. If AD FS has generated a new certificate, you should
see two certificates in the output: one for which the IsPrimar y value is True and the NotAfter date is
within 5 days, and one for which IsPrimar y is False and NotAfter is about a year in the future.
4. If you only see one certificate, and the NotAfter date is within 5 days, you need to generate a new
certificate.
5. To generate a new certificate, execute the following command at a PowerShell command prompt:
PS C:\>Update-ADFSCertificate –CertificateType token-signing .
6. Verify the update by running the following command again: PS C:>Get-ADFSCertificate –CertificateType
token-signing
Two certificates should be listed now, one of which has a NotAfter date of approximately one year in the future,
and for which the IsPrimar y value is False .
Step 2: Update the new token signing certificates for the Office 365 trust
Update Office 365 with the new token signing certificates to be used for the trust, as follows.
1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
2. Run $cred=Get-Credential. When this cmdlet prompts you for credentials, type your cloud service
administrator account credentials.
3. Run Connect-MsolService –Credential $cred. This cmdlet connects you to the cloud service. Creating a context
that connects you to the cloud service is required before running any of the additional cmdlets installed by the
tool.
4. If you are running these commands on a computer that is not the AD FS primary federation server, run Set-
MSOLAdfscontext -Computer <AD FS primary server>, where <AD FS primary server> is the internal FQDN
name of the primary AD FS server. This cmdlet creates a context that connects you to AD FS.
5. Run Update-MSOLFederatedDomain –DomainName <domain>. This cmdlet updates the settings from AD FS
into the cloud service, and configures the trust relationship between the two.
NOTE
If you need to support multiple top-level domains, such as contoso.com and fabrikam.com, you must use the
Suppor tMultipleDomain switch with any cmdlets. For more information, see Support for Multiple Top Level Domains.
Overview
This article describes how you can use Azure AD Connect to update the TLS/SSL certificate for an Active Directory
Federation Services (AD FS) farm. You can use the Azure AD Connect tool to easily update the TLS/SSL certificate
for the AD FS farm even if the user sign-in method selected is not AD FS.
You can perform the whole operation of updating TLS/SSL certificate for the AD FS farm across all federation and
Web Application Proxy (WAP) servers in three simple steps:
NOTE
To learn more about certificates that are used by AD FS, see Understanding certificates used by AD FS.
Prerequisites
AD FS Farm : Make sure that your AD FS farm is Windows Server 2012 R2-based or later.
Azure AD Connect : Ensure that the version of Azure AD Connect is 1.1.553.0 or higher. You'll use the task
Update AD FS SSL cer tificate .
Step 1: Provide AD FS farm information
Azure AD Connect attempts to obtain information about the AD FS farm automatically by:
1. Querying the farm information from AD FS (Windows Server 2016 or later).
2. Referencing the information from previous runs, which are stored locally with Azure AD Connect.
You can modify the list of servers that are displayed by adding or removing the servers to reflect the current
configuration of the AD FS farm. As soon as the server information is provided, Azure AD Connect displays the
connectivity and current TLS/SSL certificate status.
If the list contains a server that's no longer part of the AD FS farm, click Remove to delete the server from the list
of servers in your AD FS farm.
NOTE
Removing a server from the list of servers for an AD FS farm in Azure AD Connect is a local operation and updates the
information for the AD FS farm that Azure AD Connect maintains locally. Azure AD Connect doesn't modify the configuration
on AD FS to reflect the change.
After you provide the certificate, Azure AD Connect goes through a series of prerequisites. Verify the certificate to
ensure that the certificate is correct for the AD FS farm:
The subject name/alternate subject name for the certificate is either the same as the federation service name,
or it's a wildcard certificate.
The certificate is valid for more than 30 days.
The certificate trust chain is valid.
The certificate is password protected.
FAQs
What should be the subject name of the cer tificate for the new AD FS TLS/SSL cer tificate?
Azure AD Connect checks if the subject name/alternate subject name of the certificate contains the
federation service name. For example, if your federation service name is fs.contoso.com, the subject
name/alternate subject name must be fs.contoso.com. Wildcard certificates are also accepted.
Why am I asked for credentials again on the WAP ser ver page?
If the credentials you provide for connecting to AD FS servers don't also have the privilege to manage the
WAP servers, then Azure AD Connect asks for credentials that have administrative privilege on the WAP
servers.
The ser ver is shown as offline. What should I do?
Azure AD Connect can't perform any operation if the server is offline. If the server is part of the AD FS farm,
then check the connectivity to the server. After you've resolved the issue, press the refresh icon to update
the status in the wizard. If the server was part of the farm earlier but now no longer exists, click Remove to
delete it from the list of servers that Azure AD Connect maintains. Removing the server from the list in
Azure AD Connect doesn't alter the AD FS configuration itself. If you're using AD FS in Windows Server
2016 or later, the server remains in the configuration settings and will be shown again the next time the
task is run.
Can I update a subset of my farm ser vers with the new TLS/SSL cer tificate?
Yes. You can always run the task Update SSL Cer tificate again to update the remaining servers. On the
Select ser vers for SSL cer tificate update page, you can sort the list of servers on SSL Expir y date to
easily access the servers that aren't updated yet.
I removed the ser ver in the previous run, but it's still being shown as offline and listed on the
AD FS Ser vers page. Why is the offline ser ver still there even after I removed it?
Removing the server from the list in Azure AD Connect doesn't remove it in the AD FS configuration. Azure
AD Connect references AD FS (Windows Server 2016 or higher) for any information about the farm. If the
server is still present in the AD FS configuration, it will be listed back in the list.
Next steps
Azure AD Connect and federation
Active Directory Federation Services management and customization with Azure AD Connect
Manage AD FS trust with Azure AD using Azure AD
Connect
9/7/2020 • 6 minutes to read • Edit Online
Overview
Azure AD Connect can manage federation between on-premises Active Directory Federation Service (AD FS) and
Azure AD. This article provides an overview of:
The various settings configured on the trust by Azure AD Connect
The issuance transform rules (claim rules) set by Azure AD Connect
How to back-up and restore your claim rules between upgrades and configuration updates.
Token signing certificate Azure AD Connect can be used to reset and recreate the trust
with Azure AD. Azure AD Connect does a one-time immediate
rollover of token signing certificates for AD FS and updates
the Azure AD domain federation settings.
Token signing algorithm Microsoft recommends using SHA-256 as the token signing
algorithm. Azure AD Connect can detect if the token signing
algorithm is set to a value less secure than SHA-256. It will
update the setting to SHA-256 in the next possible
configuration operation. Other relying party trust must be
updated to use the new token signing certificate.
Azure AD trust identifier Azure AD Connect sets the correct identifier value for the
Azure AD trust. AD FS uniquely identifies the Azure AD trust
using the identifier value.
Azure AD endpoints Azure AD Connect makes sure that the endpoints configured
for the Azure AD trust are always as per the latest
recommended values for resiliency and performance.
Issuance transform rules There are numbers of claim rules which are needed for optimal
performance of features of Azure AD in a federated setting.
Azure AD Connect makes sure that the Azure AD trust is
always configured with the right set of recommended claim
rules.
Automatic metadata update Trust with Azure AD is configured for automatic metadata
update. AD FS periodically checks the metadata of Azure AD
trust and keeps it up-to-date in case it changes on the Azure
AD side.
Integrated Windows Authentication (IWA) During Hybrid Azure AD join operation, IWA is enabled for
device registration to facilitate Hybrid Azure AD join for
downlevel devices
EXEC UT IO N F LO W SET T IN GS IM PA C T ED
First pass installation (new AD FS farm) A new AD FS farm is created and a trust with Azure AD is
created from scratch.
First pass installation (existing AD FS farm, existing Azure AD Azure AD trust identifier, Issuance transform rules, Azure AD
trust) endpoints, Alternate-id (if necessary), automatic metadata
update
Reset Azure AD trust Token signing certificate, Token signing algorithm, Azure AD
trust identifier, Issuance transform rules, Azure AD endpoints,
Alternate-id (if necessary), automatic metadata update
Add federated domain If the domain is being added for the first time, that is, the
setup is changing from single domain federation to multi-
domain federation – Azure AD Connect will recreate the trust
from scratch. If the trust with Azure AD is already configured
for multiple domains, only Issuance transform rules are
modified
During all operations, in which, any setting is modified, Azure AD Connect makes a backup of the current trust
settings at %ProgramData%\AADConnect\ADFS
NOTE
Prior to version 1.1.873.0, the backup consisted of only issuance transform rules and they were backed up in the wizard trace
log file.
Issue UPN This rule queries the value of userprincipalname as from the
attribute configured in sync settings for userprincipalname.
Query objectguid and msdsconsistencyguid for custom This rule adds a temporary value in the pipeline for objectguid
ImmutableId claim and msdsconsistencyguid value if it exists
Check for the existence of msdsconsistencyguid Based on whether the value for msdsconsistencyguid exists or
not, we set a temporary flag to direct what to use as
ImmutableId
Issue msdsconsistencyguid as Immutable ID if it exists Issue msdsconsistencyguid as ImmutableId if the value exists
Issue objectGuidRule if msdsConsistencyGuid rule does not If the value for msdsconsistencyguid does not exist, the value
exist of objectguid will be issued as ImmutableId
Issue nameidentifier This rule issues value for the nameidentifier claim.
RUL E N A M E DESC RIP T IO N
Issue accounttype for domain-joined computers If the entity being authenticated is a domain joined device, this
rule issues the account type as DJ signifying a domain joined
device
Issue AccountType with the value USER when it is not a If the entity being authenticated is a user, this rule issues the
computer account account type as User
Issue issuerid when it is not a computer account This rule issues the issuerId value when the authenticating
entity is not a device. The value is created via a regex, which is
configured by Azure AD Connect. The regex is created after
taking into consideration all the domains federated using
Azure AD Connect.
Issue issuerid for DJ computer auth This rule issues the issuerId value when the authenticating
entity is a device
Issue onpremobjectguid for domain-joined computers If the entity being authenticated is a domain joined device, this
rule issues the on-premises objectguid for the device
Pass through primary SID This rule issues the primary SID of the authenticating entity
Pass through claim - insideCorporateNetwork This rule issues a claim that helps Azure AD know if the
authentication is coming from inside corporate network or
externally
Issue Password Expiry Claims This rule issues three claims for password expiration time,
number of days for the password to expire of the entity being
authenticated and URL where to route for changing the
password.
Pass through claim – authnmethodsreferences The value in the claim issued under this rule indicates what
type of authentication was performed for the entity
Pass through claim - multifactorauthenticationinstant The value of this claim specifies the time, in UTC, when the
user last performed multiple factor authentication.
Pass through claim - AlternateLoginID This rule issues the AlternateLoginID claim if the
authentication was performed using alternate login ID.
NOTE
The claim rules for Issue UPN and ImmutableId will differ if you use non-default choice during Azure AD Connect
configuration
NOTE
Make sure that your additional rules do not conflict with the rules configured by Azure AD Connect.
Next steps
Manage and customize Active Directory Federation Services using Azure AD Connect
Configure group claims for applications with Azure
Active Directory
9/7/2020 • 9 minutes to read • Edit Online
Azure Active Directory can provide a users group membership information in tokens for use within applications.
Two main patterns are supported:
Groups identified by their Azure Active Directory object identifier (OID) attribute
Groups identified by sAMAccountName or GroupSID attributes for Active Directory (AD) synchronized groups
and users
IMPORTANT
There are a number of caveats to note for this functionality:
Support for use of sAMAccountName and security identifier (SID) attributes synced from on-premises is designed to
enable moving existing applications from AD FS and other identity providers. Groups managed in Azure AD do not
contain the attributes necessary to emit these claims.
In larger organizations the number of groups a user is a member of may exceed the limit that Azure Active Directory will
add to a token. 150 groups for a SAML token, and 200 for a JWT. This can lead to unpredictable results. If your users have
large numbers of group memberships, we recommend using the option to restrict the groups emitted in claims to the
relevant groups for the application.
For new application development, or in cases where the application can be configured for it, and where nested group
support isn't required, we recommend that in-app authorization is based on application roles rather than groups. This
limits the amount of information that needs to go into the token, is more secure, and separates user assignment from app
configuration.
Use the radio buttons to select which groups should be included in the token
All groups Emits security groups and distribution lists and roles.
Security groups Emits security groups the user is a member of in the groups
claim
SEL EC T IO N DESC RIP T IO N
Director y roles If the user is assigned directory roles, they are emitted as a
'wids' claim (groups claim won't be emitted)
Groups assigned to the application Emits only the groups that are explicitly assigned to the
application and the user is a member of
For example, to emit all the Security Groups the user is a member of, select Security Groups
To emit groups using Active Directory attributes synced from Active Directory instead of Azure AD objectIDs select
the required format from the drop-down. Only groups synchronized from Active Directory will be included in the
claims.
To emit only groups assigned to the application, select Groups Assigned to the application
Groups assigned to the application will be included in the token. Other groups the user is a member of will be
omitted. With this option nested groups are not included and the user must be a direct member of the group
assigned to the application.
To change the groups assigned to the application, select the application from the Enterprise Applications list and
then click Users and Groups from the application’s left-hand navigation menu.
See the document Assign a user or group to an enterprise app for details of managing group assignment to
applications.
Advanced options
The way group claims are emitted can be modified by the settings under Advanced options
Customize the name of the group claim: If selected, a different claim type can be specified for group claims. Enter
the claim type in the Name field and the optional namespace for the claim in the namespace field.
Some applications require the group membership information to appear in the 'role' claim. You can optionally emit
the user's groups as roles by checking the 'Emit groups a role claims' box.
NOTE
If the option to emit group data as roles is used, only groups will appear in the role claim. Any Application Roles the user is
assigned will not appear in the role claim.
"Director yRole If the user is assigned directory roles, they are emitted as a
'wids' claim (groups claim won't be emitted)
"ApplicationGroup Emits only the groups that are explicitly assigned to the
application and the user is a member of
For example:
"groupMembershipClaims": "SecurityGroup"
By default Group ObjectIDs will be emitted in the group claim value. To modify the claim value to contain on
premises group attributes, or to change the claim type to role, use OptionalClaims configuration as follows:
3. Set group name configuration optional claims.
If you want the groups in the token to contain the on premises AD group attributes, specify which token type
optional claim should be applied to in the optional claims section. Multiple token types can be listed:
idToken for the OIDC ID token
accessToken for the OAuth/OIDC access token
Saml2Token for SAML tokens.
NOTE
The Saml2Token type applies to both SAML1.1 and SAML2.0 format tokens
For each relevant token type, modify the groups claim to use the OptionalClaims section in the manifest. The
OptionalClaims schema is as follows:
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
}
O P T IO N A L C L A IM S SC H EM A VA L UE
NOTE
If "emit_as_roles" is used any Application Roles configured that the user is assigned will not appear in the role claim
Examples
Emit groups as group names in OAuth access tokens in dnsDomainName\SAMAccountName format
"optionalClaims": {
"accessToken": [{
"name": "groups",
"additionalProperties": ["dns_domain_and_sam_account_name"]
}]
}
To emit group names to be returned in netbiosDomain\samAccountName format as the roles claim in SAML and
OIDC ID Tokens:
"optionalClaims": {
"saml2Token": [{
"name": "groups",
"additionalProperties": ["netbios_name_and_sam_account_name", "emit_as_roles"]
}],
"idToken": [{
"name": "groups",
"additionalProperties": ["netbios_name_and_sam_account_name", "emit_as_roles"]
}]
}
Next steps
Add authorization using groups & groups claims to an ASP.NET Core web app (Code sample)
Assign a user or group to an enterprise app
Configure role claims
Change signature hash algorithm for Office 365
relying party trust
9/7/2020 • 2 minutes to read • Edit Online
Overview
Active Directory Federation Services (AD FS) signs its tokens to Microsoft Azure Active Directory to ensure that
they cannot be tampered with. This signature can be based on SHA1 or SHA256. Azure Active Directory now
supports tokens signed with an SHA256 algorithm, and we recommend setting the token-signing algorithm to
SHA256 for the highest level of security. This article describes the steps needed to set the token-signing algorithm
to the more secure SHA256 level.
NOTE
Microsoft recommends usage of SHA256 as the algorithm for signing tokens as it is more secure than SHA1 but SHA1 still
remains a supported option.
AD FS PowerShell cmdlets
1. On any AD FS server, open PowerShell under administrator privileges.
2. Set the secure hash algorithm by using the Set-AdfsRelyingPar tyTrust cmdlet.
Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -SignatureAlgorithm
'https://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
Also read
Repair Office 365 trust with Azure AD Connect
Use a SAML 2.0 Identity Provider (IdP) for Single Sign
On
9/7/2020 • 13 minutes to read • Edit Online
This document contains information on using a SAML 2.0 compliant SP-Lite profile-based Identity Provider as the
preferred Security Token Service (STS) / identity provider. This scenario is useful when you already have a user
directory and password store on-premises that can be accessed using SAML 2.0. This existing user directory can be
used for sign-on to Office 365 and other Azure AD-secured resources. The SAML 2.0 SP-Lite profile is based on the
widely used Security Assertion Markup Language (SAML) federated identity standard to provide a sign-on and
attribute exchange framework.
NOTE
For a list of 3rd party Idps that have been tested for use with Azure AD see the Azure AD federation compatibility list
Microsoft supports this sign-on experience as the integration of a Microsoft cloud service, such as Office 365, with
your properly configured SAML 2.0 profile-based IdP. SAML 2.0 identity providers are third-party products and
therefore Microsoft does not provide support for the deployment, configuration, troubleshooting best practices
regarding them. Once properly configured, the integration with the SAML 2.0 identity provider can be tested for
proper configuration by using the Microsoft Connectivity Analyzer Tool, which is described in more detail below.
For more information about your SAML 2.0 SP-Lite profile-based identity provider, ask the organization that
supplied it.
IMPORTANT
Only a limited set of clients are available in this sign-on scenario with SAML 2.0 identity providers, this includes:
Web-based clients such as Outlook Web Access and SharePoint Online
Email-rich clients that use basic authentication and a supported Exchange access method such as IMAP, POP, Active Sync,
MAPI, etc. (the Enhanced Client Protocol end point is required to be deployed), including:
Microsoft Outlook 2010/Outlook 2013/Outlook 2016, Apple iPhone (various iOS versions)
Various Google Android Devices
Windows Phone 7, Windows Phone 7.8, and Windows Phone 8.0
Windows 8 Mail Client and Windows 8.1 Mail Client
Windows 10 Mail Client
All other clients are not available in this sign-on scenario with your SAML 2.0 Identity Provider. For example, the
Lync 2010 desktop client is not able to sign in to the service with your SAML 2.0 Identity Provider configured for
single sign-on.
Supported bindings
Bindings are the transport-related communications parameters that are required. The following requirements apply
to the bindings
1. HTTPS is the required transport.
2. Azure AD will require HTTP POST for token submission during sign-in.
3. Azure AD will use HTTP POST for the authentication request to the identity provider and REDIRECT for the sign
out message to the identity provider.
Required attributes
This table shows requirements for specific attributes in the SAML 2.0 message.
NameID The value of this assertion must be the same as the Azure AD
user’s ImmutableID. It can be up to 64 alpha numeric
characters. Any non-html safe characters must be encoded, for
example a “+” character is shown as “.2B”.
AT T RIB UT E DESC RIP T IO N
IDPEmail The User Principal Name (UPN) is listed in the SAML response
as an element with the name IDPEmail The user’s
UserPrincipalName (UPN) in Azure AD/Office 365. The UPN is
in email address format. UPN value in Windows Office 365
(Azure Active Directory).
IMPORTANT
Azure AD currently supports the following NameID Format URI for SAML 2.0:urn:oasis:names:tc:SAML:2.0:nameid-
format:persistent.
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_7171b0b2-19f2-4ba2-8f94-24b5e56b7f1e"
IssueInstant="2014-01-30T16:18:35Z"
Version="2.0"
AssertionConsumerServiceIndex="0" >
<saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>
The following is a sample response message that is sent from the sample SAML 2.0 compliant identity provider to
Azure AD / Office 365.
<ds:SignatureValue>TciWMyHW2ZODrh/2xrvp5ggmcHBFEd9vrp6DYXp+hZWJzmXMmzwmwS8KNRJKy8H7XqBsdELA1Msqi8I3TmWdnoIRfM/Z
AyUppo8suMu6Zw+boE32hoQRnX9EWN/f0vH6zA/YKTzrjca6JQ8gAV1ErwvRWDpyMcwdYCiWALv9ScbkAcebOE1s1JctZ5RBXggdZWrYi72X+I4
i6WgyZcIGai/rZ4v2otoWAEHS0y1yh1qT7NDPpl/McDaTGkNU6C+8VfjD78DrUXEcAfKvPgKlKrOMZnD1lCGsViimGY+LSuIdY45MLmyaa5UT4K
Wph6dA==</ds:SignatureValue>
<KeyInfo xmlns="https://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC7jCCAdagAwIBAgIQRrjsbFPaXIlOG3GTv50fkjANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhBREZTIFNpZ25
pbmcgLSBXUzIwMTJSMi0wLnN3aW5mb3JtZXIuY29tMB4XDTE0MDEyMDE1MTY0MFoXDTE1MDEyMDE1MTY0MFowMzExMC8GA1UEAxMoQURGUyBTaW
duaW5nIC0gV1MyMDEyUjItMC5zd2luZm9ybWVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKe+rLVmXy1QwCwZwqgbbp1/+
3ZWxd9T/jV0hpLIIWr+LCOHqq8n8beJvlivgLmDJo8f+EITnAxWcsJUvVai/35AhHCUq9tc9sqMp5PWtabAEMb2AU72/QlX/72D2/NbGQq1BWYb
qUpgpCZ2nSgvlWDHlCiUo//UGsvfox01kjTFlmqQInsJVfRxF5AcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAi8c6C4zaTEc7aQiUgvnGQgCbMZ
bhUXXLGRpjvFLKaQzkwa9eq7WLJibcSNyGXBa/SfT5wJgsm3TPKgSehGAOTirhcqHheZyvBObAScY7GOT+u9pVYp6raFrc7ez3c+CGHeV/tNvy1
hJNs12FYH4X+ZCNFIT9tprieR25NCdi5SWUbPZL0tVzJsHc1y92b2M2FxqRDohxQgJvyJOpcg2mSBzZZIkvDg7gfPSUXHVS1MQs0RHSbwq/XdQo
cUUhl9/e/YWCbNNxlM84BxFsBUok1dH/gzBySx+Fc8zYi7cOq9yaBT3RLT6cGmFGVYZJW4FyhPZOCLVNsLlnPQcX3dDg9A==
</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ABCDEG1234567890</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_049917a6-1183-42fd-a190-1d2cbaf9b144" NotOnOrAfter="2014-01-
31T15:41:31.357Z" Recipient="https://login.microsoftonline.com/login.srf" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2014-01-31T15:36:31.263Z" NotOnOrAfter="2014-01-31T16:36:31.263Z">
<AudienceRestriction>
<Audience>urn:federation:MicrosoftOnline</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="IDPEmail">
<AttributeValue>administrator@contoso.com</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2014-01-31T15:36:30.200Z" SessionIndex="_7e3c1bcd-f180-4f78-83e1-
7680920793aa">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
NOTE
Azure AD does not read metadata from the identity provider.
NOTE
Verify the clock on your SAML 2.0 identity provider server is synchronized to an accurate time source. An inaccurate clock
time can cause federated logins to fail.
Install Windows PowerShell for sign-on with SAML 2.0 identity provider
After you have configured your SAML 2.0 identity provider for use with Azure AD sign-on, the next step is to
download and install the Azure Active Directory Module for Windows PowerShell. Once installed, you will use these
cmdlets to configure your Azure AD domains as federated domains.
The Azure Active Directory Module for Windows PowerShell is a download for managing your organizations data
in Azure AD. This module installs a set of cmdlets to Windows PowerShell; you run those cmdlets to set up single
sign-on access to Azure AD and in turn to all of the cloud services you are subscribed to. For instructions about
how to download and install the cmdlets, see /previous-versions/azure/jj151815(v=azure.100)
NOTE
Your domain may experience an outage that impacts users up to 2 hours after you take this step.
Connect-MsolService
2. Configure your desired Office 365 domain to use federation with SAML 2.0:
$dom = "contoso.com"
$BrandName - "Sample SAML 2.0 IDP"
$LogOnUrl = "https://WS2012R2-0.contoso.com/passiveLogon"
$LogOffUrl = "https://WS2012R2-0.contoso.com/passiveLogOff"
$ecpUrl = "https://WS2012R2-0.contoso.com/PAOS"
$MyURI = "urn:uri:MySamlp2IDP"
$MySigningCert = "MIIC7jCCAdagAwIBAgIQRrjsbFPaXIlOG3GTv50fkjANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyh
BREZTIFNpZ25pbmcgLSBXUzIwMTJSMi0wLnN3aW5mb3JtZXIuY29tMB4XDTE0MDEyMDE1MTY0MFoXDT
E1MDEyMDE1MTY0MFowMzExMC8GA1UEAxMoQURGUyBTaWduaW5nIC0gV1MyMDEyUjItMC5zd2luZm9yb
WVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKe+rLVmXy1QwCwZwqgbbp1/kupQ
VcjKuKLitVDbssFyqbDTjP7WRjlVMWAHBI3kgNT7oE362Gf2WMJFf1b0HcrsgLin7daRXpq4Qi6OA57
sW1YFMj3sqyuTP0eZV3S4+ZbDVob6amsZIdIwxaLP9Zfywg2bLsGnVldB0+XKedZwDbCLCVg+3ZWxd9
T/jV0hpLIIWr+LCOHqq8n8beJvlivgLmDJo8f+EITnAxWcsJUvVai/35AhHCUq9tc9sqMp5PWtabAEM
b2AU72/QlX/72D2/NbGQq1BWYbqUpgpCZ2nSgvlWDHlCiUo//UGsvfox01kjTFlmqQInsJVfRxF5AcC
AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAi8c6C4zaTEc7aQiUgvnGQgCbMZbhUXXLGRpjvFLKaQzkwa9
eq7WLJibcSNyGXBa/SfT5wJgsm3TPKgSehGAOTirhcqHheZyvBObAScY7GOT+u9pVYp6raFrc7ez3c+
CGHeV/tNvy1hJNs12FYH4X+ZCNFIT9tprieR25NCdi5SWUbPZL0tVzJsHc1y92b2M2FxqRDohxQgJvy
JOpcg2mSBzZZIkvDg7gfPSUXHVS1MQs0RHSbwq/XdQocUUhl9/e/YWCbNNxlM84BxFsBUok1dH/gzBy
Sx+Fc8zYi7cOq9yaBT3RLT6cGmFGVYZJW4FyhPZOCLVNsLlnPQcX3dDg9A=="
$uri = "http://WS2012R2-0.contoso.com/adfs/services/trust"
$Protocol = "SAMLP"
Set-MsolDomainAuthentication `
-DomainName $dom `
-FederationBrandName $BrandName `
-Authentication Federated `
-PassiveLogOnUri $LogOnUrl `
-ActiveLogOnUri $ecpUrl `
-SigningCertificate $MySigningCert `
-IssuerUri $MyURI `
-LogOffUri $LogOffUrl `
-PreferredAuthenticationProtocol $Protocol
3. You can obtain the signing certificate base64 encoded string from your IDP metadata file. An example of this
location has been provided but may differ slightly based on your implementation.
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="https://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>
MIIC5jCCAc6gAwIBAgIQLnaxUPzay6ZJsC8HVv/QfTANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBmcy50
ZWNobGFiY2VudHJhbC5vcmcwHhcNMTMxMTA0MTgxMzMyWhcNMTQxMTA0MTgxMzMyWjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBm
cy50ZWNobGFiY2VudHJhbC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwMdVLTr5YTSRp+ccbSpuuFeXMfABD9mVC
i2wtkRwC30TIyPdORz642MkurdxdPCWjwgJ0HW6TvXwcO9afH3OC5V//wEGDoNcI8PV4enCzTYFe/h//w51uqyv48Fbb3lEXs+aVl815
5OAj2sO9IX64OJWKey82GQWK3g7LfhWWpp17j5bKpSd9DBH5pvrV+Q1ESU3mx71TEOvikHGCZYitEPywNeVMLRKrevdWI3FAhFjcCSO6
nWDiMqCqiTDYOURXIcHVYTSof1YotkJ4tG6mP5Kpjzd4VQvnR7Pjb47nhIYG6iZ3mR1F85Ns9+hBWukQWNN2hcD/uGdPXhpdMVpBAgMB
AAEwDQYJKoZIhvcNAQELBQADggEBAK7h7jF7wPzhZ1dPl4e+XMAr8I7TNbhgEU3+oxKyW/IioQbvZVw1mYVCbGq9Rsw4KE06eSMybqHl
n3w5EeBbLS0MEkApqHY+p68iRpguqa+W7UHKXXQVgPMCpqxMFKonX6VlSQOR64FgpBme2uG+LJ8reTgypEKspQIN0WvtPWmiq4zAwBp0
8hAacgv868c0MM4WbOYU0rzMIR6Q+ceGVRImlCwZ5b7XKp4mJZ9hlaRjeuyVrDuzBkzROSurX1OXoci08yJvhbtiBJLf3uPOJHrhjKRw
It2TnzS9ElgFZlJiDIA26Athe73n43CT0af2IG6yC7e6sK4L3NEXJrwwUZk=</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
</IDPSSODescriptor>
Once federation has been configured you can switch back to “non-federated” (or “managed”), however this change
takes up to two hours to complete and it requires assigning new random passwords for cloud-based sign-in to
each user. Switching back to “managed” may be required in some scenarios to reset an error in your settings. For
more information on Domain conversion see: /previous-versions/azure/dn194122(v=azure.100).
New-MsolUser `
-UserPrincipalName elwoodf1@contoso.com `
-ImmutableId ABCDEFG1234567890 `
-DisplayName "Elwood Folk" `
-FirstName Elwood `
-LastName Folk `
-AlternateEmailAddresses "Elwood.Folk@contoso.com" `
-LicenseAssignment "samlp2test:ENTERPRISEPACK" `
-UsageLocation "US"
NOTE
The “UserPrinciplName” value must match the value that you will send for “IDPEmail” in your SAML 2.0 claim and the
“ImmutableID” value must match the value sent in your “NameID” assertion.
NOTE
If you converted a domain, rather than adding one, it may take up to 24 hours to set up single sign-on. Before you verify
single sign-on, you should finish setting up Active Directory synchronization, synchronize your directories, and activate your
synced users.
Use the tool to verify that single sign-on has been set up correctly
To verify that single sign-on has been set up correctly, you can perform the following procedure to confirm that you
are able to sign-in to the cloud service with your corporate credentials.
Microsoft has provided a tool that you can use to test your SAML 2.0 based identity provider. Before running the
test tool, you must have configured an Azure AD tenant to federate with your identity provider.
NOTE
The Connectivity Analyzer requires Internet Explorer 10 or later.
NOTE
The Connectivity analyzer also tests Active Federation using the WS*-based and ECP/PAOS protocols. If you are not using
these you can disregard the following error: Testing the Active sign-in flow using your identity provider’s Active federation
endpoint.
Next Steps
Active Directory Federation Services management and customization with Azure AD Connect
Azure AD federation compatibility list
Azure AD Connect Custom Installation
Post configuration tasks for Hybrid Azure AD join
9/7/2020 • 3 minutes to read • Edit Online
After you have run Azure AD Connect to configure your organization for Hybrid Azure AD join, there are a few
additional steps that you must complete to finalize that setup. Carry out only the steps that apply for your devices.
NOTE
For 2012R2 the policy settings are at Computer Configuration > Policies > Administrative Templates > Windows
Components > Workplace Join > Automatically workplace join client computers
4. Configure the SCP in any forests that were not configured by Azure
AD Connect
The service connection point (SCP) contains your Azure AD tenant information that will be used by your devices for
auto-registration. Run the PowerShell script, ConfigureSCP.ps1, that you downloaded from Azure AD Connect.
NOTE
If you have Windows down-level devices, the service must support issuing the authenticationmethod and wiaormultiauthn
claims when receiving requests to the Azure AD trust. In AD FS, you should add an issuance transform rule that passes-
through the authentication method.
Next steps
Configure device writeback
Azure Active Directory Seamless Single Sign-On:
Quickstart
9/7/2020 • 9 minutes to read • Edit Online
NOTE
Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0, and 1.1.614.0 have a problem related to
password hash synchronization. If you don't intend to use password hash synchronization in conjunction
with Pass-through Authentication, read the Azure AD Connect release notes to learn more.
Use a suppor ted Azure AD Connect topology : Ensure that you are using one of Azure AD Connect's
supported topologies described here.
NOTE
Seamless SSO supports multiple AD forests, whether there are AD trusts between them or not.
Set up domain administrator credentials : You need to have domain administrator credentials for each
Active Directory forest that:
You synchronize to Azure AD through Azure AD Connect.
Contains users you want to enable for Seamless SSO.
Enable modern authentication : You need to enable modern authentication on your tenant for this
feature to work.
Use the latest versions of Office 365 clients : To get a silent sign-on experience with Office 365 clients
(Outlook, Word, Excel, and others), your users need to use versions 16.0.8730.xxxx or above.
NOTE
You can also enable Seamless SSO using PowerShell if Azure AD Connect doesn't meet your requirements. Use this option if
you have more than one domain per Active Directory forest, and you want to be more targeted about the domain you
want to enable Seamless SSO for.
If you're doing a fresh installation of Azure AD Connect, choose the custom installation path. At the User sign-in
page, select the Enable single sign on option.
NOTE
The option will be available for selection only if the Sign On method is Password Hash Synchronization or Pass-
through Authentication .
If you already have an installation of Azure AD Connect, select the Change user sign-in page in Azure AD
Connect, and then select Next . If you are using Azure AD Connect versions 1.1.880.0 or above, the Enable single
sign on option will be selected by default. If you are using older versions of Azure AD Connect, select the Enable
single sign on option.
Continue through the wizard until you get to the Enable single sign on page. Provide domain administrator
credentials for each Active Directory forest that:
You synchronize to Azure AD through Azure AD Connect.
Contains users you want to enable for Seamless SSO.
After completion of the wizard, Seamless SSO is enabled on your tenant.
NOTE
The domain administrator credentials are not stored in Azure AD Connect or in Azure AD. They're used only to enable the
feature.
Follow these instructions to verify that you have enabled Seamless SSO correctly:
1. Sign in to the Azure Active Directory administrative center with the global administrator credentials for your
tenant.
2. Select Azure Active Director y in the left pane.
3. Select Azure AD Connect .
4. Verify that the Seamless single sign-on feature appears as Enabled .
IMPORTANT
Seamless SSO creates a computer account named AZUREADSSOACC in your on-premises Active Directory (AD) in each AD
forest. The AZUREADSSOACC computer account needs to be strongly protected for security reasons. Only Domain Admins
should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled,
and that no other account in Active Directory has delegation permissions on the AZUREADSSOACC computer account. Store
the computer account in an Organization Unit (OU) where they are safe from accidental deletions and where only Domain
Admins have access.
NOTE
If you are using Pass-the-Hash and Credential Theft Mitigation architectures in your on-premises environment, make
appropriate changes to ensure that the AZUREADSSOACC computer account doesn't end up in the Quarantine container.
In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script
through Group Policy.
NOTE
The following instructions work only for Internet Explorer and Google Chrome on Windows (if it shares a set of trusted site
URLs with Internet Explorer). Read the next section for instructions on how to set up Mozilla Firefox and Google Chrome on
macOS.
Group policy Admin locks down editing of Intranet Users cannot modify their own settings
zone settings
Group policy preference Admin allows editing on Intranet zone Users can modify their own settings
settings
4. Enable the policy, and then enter the following values in the dialog box:
Value name : The Azure AD URL where the Kerberos tickets are forwarded.
Value (Data): 1 indicates the Intranet zone.
The result looks like this:
Value name: https://autologon.microsoftazuread-sso.com
Value (Data): 1
NOTE
If you want to disallow some users from using Seamless SSO (for instance, if these users sign in on shared kiosks),
set the preceding values to 4 . This action adds the Azure AD URL to the Restricted zone, and fails Seamless SSO all
the time.
6. Browse to User Configuration > Policy > Administrative Templates > Windows Components >
Internet Explorer > Internet Control Panel > Security Page > Intranet Zone . Then select Allow
updates to status bar via script .
7. Enable the policy setting, and then select OK .
To test the scenario where the user doesn't have to enter the username or the password, use one of these steps:
Sign in to https://myapps.microsoft.com/contoso.onmicrosoft.com in a new private browser session. Replace
contoso with your tenant's name.
Sign in to https://myapps.microsoft.com/contoso.com in a new private browser session. Replace contoso.com
with a verified domain (not a federated domain) on your tenant.
IMPORTANT
The Kerberos decryption key on a computer account, if leaked, can be used to generate Kerberos tickets for any user in its
AD forest. Malicious actors can then impersonate Azure AD sign-ins for compromised users. We highly recommend that
you periodically roll over these Kerberos decryption keys - at least once every 30 days.
For instructions on how to roll over keys, see Azure Active Directory Seamless Single Sign-On: Frequently asked
questions. We are working on a capability to introduce automated roll over of keys.
IMPORTANT
You don't need to do this step immediately after you have enabled the feature. Roll over the Kerberos decryption keys at
least once every 30 days.
Next steps
Technical deep dive: Understand how the Seamless Single Sign-On feature works.
Frequently asked questions: Get answers to frequently asked questions about Seamless Single Sign-On.
Troubleshoot: Learn how to resolve common problems with the Seamless Single Sign-On feature.
UserVoice: Use the Azure Active Directory Forum to file new feature requests.
Azure Active Directory Seamless Single Sign-On:
Frequently asked questions
9/7/2020 • 6 minutes to read • Edit Online
In this article, we address frequently asked questions about Azure Active Directory Seamless Single Sign-On
(Seamless SSO). Keep checking back for new content.
Q: What sign-in methods do Seamless SSO work with
Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication
sign-in methods. However this feature cannot be used with Active Directory Federation Services (ADFS).
Q: Is Seamless SSO a free feature?
Seamless SSO is a free feature and you don't need any paid editions of Azure AD to use it.
Q: Is Seamless SSO available in the Microsoft Azure Germany cloud and the Microsoft Azure
Government cloud ?
Seamless SSO is available for the Azure Government cloud. For details, view Hybrid Identity Considerations for
Azure Government.
Q: What applications take advantage of domain_hint or login_hint parameter capability of Seamless
SSO?
Listed below is a non-exhaustive list of applications that can send these parameters to Azure AD, and therefore
provides users a silent sign-on experience using Seamless SSO (i.e., no need for your users to input their
usernames or passwords):
A P P L IC AT IO N N A M E A P P L IC AT IO N URL TO B E USED
In addition, users get a silent sign-on experience if an application sends sign-in requests to Azure AD's endpoints
set up as tenants - that is, https://login.microsoftonline.com/contoso.com/<..> or
https://login.microsoftonline.com/<tenant_ID>/<..> - instead of Azure AD's common endpoint - that is,
https://login.microsoftonline.com/common/<...>. Listed below is a non-exhaustive list of applications that make
these types of sign-in requests.
A P P L IC AT IO N N A M E A P P L IC AT IO N URL TO B E USED
In the above tables, replace "contoso.com" with your domain name to get to the right application URLs for your
tenant.
If you want other applications using our silent sign-on experience, let us know in the feedback section.
Q: Does Seamless SSO suppor t Alternate ID as the username, instead of userPrincipalName ?
Yes. Seamless SSO supports Alternate ID as the username when configured in Azure AD Connect as shown
here. Not all Office 365 applications support Alternate ID . Refer to the specific application's documentation for
the support statement.
Q: What is the difference between the single sign-on experience provided by Azure AD Join and
Seamless SSO?
Azure AD Join provides SSO to users if their devices are registered with Azure AD. These devices don't
necessarily have to be domain-joined. SSO is provided using primary refresh tokens or PRTs, and not Kerberos.
The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Microsoft Edge
browser. It also works on Chrome with the use of a browser extension.
You can use both Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If
both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.
Q: I want to register non-Windows 10 devices with Azure AD, without using AD FS. Can I use
Seamless SSO instead?
Yes, this scenario needs version 2.1 or later of the workplace-join client.
Q: How can I roll over the Kerberos decr yption key of the AZUREADSSO computer account?
It is important to frequently roll over the Kerberos decryption key of the AZUREADSSO computer account (which
represents Azure AD) created in your on-premises AD forest.
IMPORTANT
We highly recommend that you roll over the Kerberos decryption key at least every 30 days.
Follow these steps on the on-premises server where you are running Azure AD Connect:
Step 1. Get list of AD forests where Seamless SSO has been enabled
1. First, download, and install Azure AD PowerShell.
2. Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
3. Import the Seamless SSO PowerShell module using this command: Import-Module .\AzureADSSO.psd1 .
4. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext . This command
should give you a popup to enter your tenant's Global Administrator credentials.
5. Call Get-AzureADSSOStatus | ConvertFrom-Json . This command provides you the list of AD forests (look at the
"Domains" list) on which this feature has been enabled.
Step 2. Update the Kerberos decr yption key on each AD forest that it was set it up on
1. Call $creds = Get-Credential . When prompted, enter the Domain Administrator credentials for the intended
AD forest.
NOTE
The domain administrator credentials username must be entered in the SAM account name format (contoso\johndoe or
contoso.com\johndoe). We use the domain portion of the username to locate the Domain Controller of the Domain
Administrator using DNS.
NOTE
The domain administrator account used must not be a member of the Protected Users group. If so, the operation will fail.
2. Call Update-AzureADSSOForest -OnPremCredentials $creds . This command updates the Kerberos decryption key
for the AZUREADSSO computer account in this specific AD forest and updates it in Azure AD.
NOTE
If you are not a domain admin and you were assigned permissions by the domain admin, you should call
Update-AzureADSSOForest -OnPremCredentials $creds -PreserveCustomPermissionsOnDesktopSsoAccount
3. Repeat the preceding steps for each AD forest that you’ve set up the feature on.
IMPORTANT
Ensure that you don't run the Update-AzureADSSOForest command more than once. Otherwise, the feature stops
working until the time your users' Kerberos tickets expire and are reissued by your on-premises Active Directory.
At this point Seamless SSO is disabled but the domains will remain configured in case you would like to enable
Seamless SSO back. If you would like to remove the domains from Seamless SSO configuration completely, call
the following cmdlet after you completed step 5 above: Disable-AzureADSSOForest -DomainFqdn <fqdn> .
IMPORTANT
Disabling Seamless SSO using PowerShell will not change the state in Azure AD Connect. Seamless SSO will show as
enabled in the Change user sign-in page.
Step 2. Get list of AD forests where Seamless SSO has been enabled
Follow tasks 1 through 4 below if you have disabled Seamless SSO using Azure AD Connect. If you have disabled
Seamless SSO using PowerShell instead, jump ahead to task 5 below.
1. First, download, and install Azure AD PowerShell.
2. Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
3. Import the Seamless SSO PowerShell module using this command: Import-Module .\AzureADSSO.psd1 .
4. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext . This command
should give you a popup to enter your tenant's Global Administrator credentials.
5. Call Get-AzureADSSOStatus | ConvertFrom-Json . This command provides you the list of AD forests (look at the
"Domains" list) on which this feature has been enabled.
Step 3. Manually delete the AZUREADSSO computer account from each AD forest that you see listed.
Next steps
Quickstar t - Get up and running Azure AD Seamless SSO.
Technical Deep Dive - Understand how this feature works.
Troubleshoot - Learn how to resolve common issues with the feature.
UserVoice - For filing new feature requests.
Azure Active Directory Connect Health operations
9/7/2020 • 7 minutes to read • Edit Online
This topic describes the various operations you can perform by using Azure Active Directory (Azure AD) Connect
Health.
NOTE
Email notifications are enabled by default.
In some instances, you might want to remove a server from being monitored. Here's what you need to know to
remove a server from the Azure AD Connect Health service.
When you're deleting a server, be aware of the following:
This action stops collecting any further data from that server. This server is removed from the monitoring
service. After this action, you are not able to view new alerts, monitoring, or usage analytics data for this server.
This action does not uninstall the Health Agent from your server. If you have not uninstalled the Health Agent
before performing this step, you might see errors related to the Health Agent on the server.
This action does not delete the data already collected from this server. That data is deleted in accordance with
the Azure data retention policy.
After performing this action, if you want to start monitoring the same server again, you must uninstall and
reinstall the Health Agent on this server.
Delete a server from the Azure AD Connect Health service
NOTE
Azure AD premium license is required for the deletion steps.
Azure AD Connect Health for Active Directory Federation Services (AD FS) and Azure AD Connect (Sync):
1. Open the Ser ver blade from the Ser ver List blade by selecting the server name to be removed.
2. On the Ser ver blade, from the action bar, click Delete .
3. Confirm by typing the server name in the confirmation box.
4. Click Delete .
Azure AD Connect Health for Azure Active Directory Domain Services:
1. Open the Domain Controllers dashboard.
2. Select the domain controller to be removed.
3. From the action bar, click Delete Selected .
4. Confirm the action to delete the server.
5. Click Delete .
Delete a service instance from Azure AD Connect Health service
In some instances, you might want to remove a service instance. Here's what you need to know to remove a
service instance from the Azure AD Connect Health service.
When you're deleting a service instance, be aware of the following:
This action removes the current service instance from the monitoring service.
This action does not uninstall or remove the Health Agent from any of the servers that were monitored as part
of this service instance. If you have not uninstalled the Health Agent before performing this step, you might see
errors related to the Health Agent on the servers.
All data from this service instance is deleted in accordance with the Azure data retention policy.
After performing this action, if you want to start monitoring the service, uninstall and reinstall the Health Agent
on all the servers. After performing this action, if you want to start monitoring the same server again, uninstall,
reinstall, and register the Health Agent on that server.
To delete a service instance from the Azure AD Connect Health service
1. Open the Ser vice blade from the Ser vice List blade by selecting the service identifier (farm name) that you
want to remove.
2. On the Ser vice blade, from the action bar, click Delete .
3. Confirm by typing the service name in the confirmation box (for example: sts.contoso.com).
4. Click Delete .
RO L E P ERM ISSIO N S
RO L E P ERM ISSIO N S
Reader Readers can view all information (for example, view alerts)
from the portal within Azure AD Connect Health.
All other roles (such as User Access Administrators or DevTest Labs Users) have no impact to access within Azure
AD Connect Health, even if the roles are available in the portal experience.
Access scope
Azure AD Connect Health supports managing access at two levels:
All ser vice instances : This is the recommended path in most cases. It controls access for all service instances
(for example, an AD FS farm) across all role types that are being monitored by Azure AD Connect Health.
Ser vice instance : In some cases, you might need to segregate access based on role types or by a service
instance. In this case, you can manage access at the service instance level.
Permission is granted if an end user has access either at the directory or service instance level.
Allow users or groups access to Azure AD Connect Health
The following steps show how to allow access.
Step 1: Select the appropriate access scope
To allow a user access at the all service instances level within Azure AD Connect Health, open the main blade in
Azure AD Connect Health.
Step 2: Add users and groups, and assign roles
1. From the Configure section, click Users .
2. Select Add .
3. In the Select a role pane, select a role (for example, Owner ).
4. Type the name or identifier of the targeted user or group. You can select one or more users or groups at the
same time. Click Select .
5. Select OK .
6. After the role assignment is complete, the users and groups appear in the list.
Now the listed users and groups have access, according to their assigned roles.
NOTE
Global administrators always have full access to all the operations, but global administrator accounts are not present in
the preceding list.
The Invite Users feature is not supported within Azure AD Connect Health.
Next steps
Azure AD Connect Health
Azure AD Connect Health Agent installation
Using Azure AD Connect Health with AD FS
Using Azure AD Connect Health for sync
Using Azure AD Connect Health with AD DS
Azure AD Connect Health FAQ
Azure AD Connect Health version history
Monitor AD FS using Azure AD Connect Health
9/7/2020 • 7 minutes to read • Edit Online
The following documentation is specific to monitoring your AD FS infrastructure with Azure AD Connect Health.
For information on monitoring Azure AD Connect (Sync) with Azure AD Connect Health, see Using Azure AD
Connect Health for Sync. Additionally, for information on monitoring Active Directory Domain Services with
Azure AD Connect Health, see Using Azure AD Connect Health with AD DS.
Alerts for AD FS
The Azure AD Connect Health Alerts section provides you the list of active alerts. Each alert includes relevant
information, resolution steps, and links to related documentation.
You can double-click an active or resolved alert, to open a new blade with additional information, steps you can
take to resolve the alert, and links to relevant documentation. You can also view historical data on alerts that
were resolved in the past.
NOTE
To use Usage Analytics with AD FS, you must ensure that AD FS auditing is enabled. For more information, see Enable
Auditing for AD FS.
To select additional metrics, specify a time range, or to change the grouping, right-click on the usage analytics
chart and select Edit Chart. Then you can specify the time range, select a different metric, and change the
grouping. You can view the distribution of the authentication traffic based on different "metrics" and group each
metric using relevant "group by" parameters described in the following section:
Metric : Total Requests - Total number of requests processed by AD FS servers.
Workplace Join Groups the total requests based on whether they are coming
from devices that are workplace joined (known). This
grouping is useful to understand if your resources are
accessed using devices that are unknown to the identity
infrastructure.
GRO UP B Y W H AT T H E GRO UP IN G M EA N S A N D W H Y IT 'S USEF UL?
Network Location Groups the total requests based on the network location of
the user. It can be either intranet or extranet. This grouping is
useful to know what percentage of the traffic is coming from
the intranet versus extranet.
Metric: Total Failed Request - The total number failed requests processed by the federation service. (This
metric is only available on AD FS for Windows Server 2012 R2)
Error Type Shows the number of errors based on predefined error types.
This grouping is useful to understand the common types of
errors.
Incorrect Username or Password: Errors due to
incorrect username or password.
"Extranet Lockout": Failures due to the requests
received from a user that was locked out from
extranet
"Expired Password": Failures due to users logging in
with an expired password.
"Disabled Account": Failures due to users logging with
a disabled account.
"Device Authentication": Failures due to users failing
to authenticate using Device Authentication.
"User Certificate Authentication": Failures due to users
failing to authenticate because of an invalid certificate.
"MFA": Failures due to user failing to authenticate
using Multi-Factor Authentication.
"Other Credential": "Issuance Authorization": Failures
due to authorization failures.
"Issuance Delegation": Failures due to issuance
delegation errors.
"Token Acceptance": Failures due to ADFS rejecting the
token from a third-party Identity Provider.
"Protocol": Failure due to protocol errors.
"Unknown": Catch all. Any other failures that do not
fit into the defined categories.
GRO UP B Y W H AT T H E GRO UP IN G M EA N S A N D W H Y IT 'S USEF UL?
Network Location Groups the errors based on the network location of the
requests (intranet vs extranet). This grouping is useful to
understand the type of requests that are failing.
Metric : User Count - Average number of unique users actively authenticating using AD FS
Within this report you have easy access to the following pieces of information:
Total # of failed requests with wrong username/password in the last 30 days
Average # of users that failed with a bad username/password login per day.
Clicking this part takes you to the main report blade that provides additional details. This blade includes a graph
with trending information to help establish a baseline about requests with wrong username or password.
Additionally, it provides the list of top 50 users with the number of failed attempts during the past week. Notice
top 50 users from the past week could help identify bad password spikes.
The graph provides the following information:
The total # of failed logins due to a bad username/password on a per-day basis.
The total # of unique users that failed logins on a per-day basis.
Client IP address of for last request
User ID Shows the user ID that was used. This value is what the user
typed, which in some cases is the wrong user ID being used.
Failed Attempts Shows the total # of failed attempts for that specific user ID.
The table is sorted with the most number of failed attempts
in descending order.
REP O RT IT EM DESC RIP T IO N
Last Failure Shows the time stamp when the last failure occurred.
Last Failure IP Shows the Client IP address from the latest bad request. If
you see more than one IP addresses in this value, it may
include forward client IP together with user's last attempt
request IP.
NOTE
This report is automatically updated after every 12 hours with the new information collected within that time. As a result,
login attempts within the last 12 hours may not be included in the report.
Related links
Azure AD Connect Health
Azure AD Connect Health Agent Installation
Risky IP report
Risky IP report (public preview)
9/7/2020 • 7 minutes to read • Edit Online
AD FS customers may expose password authentication endpoints to the internet to provide authentication services
for end users to access SaaS applications such as Office 365. In this case, it is possible for a bad actor to attempt
logins against your AD FS system to guess an end user’s password and get access to application resources. AD FS
provides the extranet account lockout functionality to prevent these types of attacks since AD FS in Windows
Server 2012 R2. If you are on a lower version, we strongly recommend that you upgrade your AD FS system to
Windows Server 2016.
Additionally, it is possible for a single IP address to attempt multiple logins against multiple users. In these cases,
the number of attempts per user may be under the threshold for account lockout protection in AD FS. Azure AD
Connect Health now provides the “Risky IP report” that detects this condition and notifies administrators when this
occurs. The following are the key benefits for this report:
Detection of IP addresses that exceed a threshold of failed password-based logins
Supports failed logins due to bad password or due to extranet lockout state
Email notification to alert administrators as soon as this occurs with customizable email settings
Customizable threshold settings that match with the security policy of an organization
Downloadable reports for offline analysis and integration with other systems via automation
NOTE
To use this report, you must ensure that AD FS auditing is enabled. For more information, see Enable Auditing for AD FS.
To access preview, Global Admin or Security Reader permission is required.
Time Stamp Shows the time stamp based on Azure portal local time when
the detection time window starts.
All daily events are generated at mid-night UTC time.
Hourly events have the timestamp rounded to the beginning
of the hour. You can find first activity start time from
“firstAuditTimestamp” in the exported file.
REP O RT IT EM DESC RIP T IO N
Trigger Type Shows the type of detection time window. The aggregation
trigger types are per hour or per day. This is helpful to detect
versus a high frequency brute force attack versus a slow
attack where the number of attempts is distributed
throughout the day.
IP Address The single risky IP address that had either bad password or
extranet lockout sign-in activities. This could be an IPv4 or an
IPv6 address.
Bad Password Error Count The count of Bad Password error occurred from the IP address
during the detection time window. The Bad Password errors
can happen multiple times to certain users. Notice this does
not include failed attempts due to expired passwords.
Extranet Lock Out Error Count The count of Extranet Lockout error occurred from the IP
address during the detection time window. The Extranet
Lockout errors can happen multiple times to certain users.
This will only be seen if Extranet Lockout is configured in AD
FS (versions 2012R2 or higher). Note We strongly
recommend turning this feature on if you allow extranet
logins using passwords.
Unique Users Attempted The count of unique user accounts attempted from the IP
address during the detection time window. This provides a
mechanism to differentiate a single user attack pattern versus
multi-user attack pattern.
For example, the below report item indicates from the 6pm to 7pm hour window on 02/28/2018, IP address
104.2XX.2XX.9 had no bad password errors and 284 extranet lockout errors. 14 unique users were impacted within
the criteria. The activity event exceeded the designated report hourly threshold.
NOTE
Only activities exceeding designated threshold will be showing in the report list.
This report can be trace back at most 30 days.
This alert report does not show Exchange IP addresses or private IP addresses. They are still included in the export list.
firstAuditTimestamp Shows the first timestamp when the failed activities started
during the detection time window.
lastAuditTimestamp Shows the last timestamp when the failed activities ended
during the detection time window.
attemptCountThresholdIsExceeded The flag if the current activities are exceeding the alerting
threshold.
(Bad U/P + Extranet Lockout) / Day Threshold setting to report the activity and trigger alert
notification when the count of Bad Password plus the count of
Extranet Lockout exceeds it per day .
(Bad U/P + Extranet Lockout) / Hour Threshold setting to report the activity and trigger alert
notification when the count of Bad Password plus the count of
Extranet Lockout exceeds it per hour .
Extranet Lockout / Day Threshold setting to report the activity and trigger alert
notification when the count of Extranet Lockout exceeds it per
day .
Extranet Lockout / Hour Threshold setting to report the activity and trigger alert
notification when the count of Extranet Lockout exceeds it per
hour .
NOTE
The change of report threshold will be applied after an hour of the setting change.
Existing reported items will not be affected by the threshold change.
We recommend that you analyze the number of events seen within your environment and adjust the threshold
appropriately.
FAQ
Why am I seeing private IP address ranges in the repor t?
Private IP addresses (10.x.x.x, 172.x.x.x & 192.168.x.x) and Exchange IP addresses are filtered and marked as True in
the IP approved list. If you are seeing private IP address ranges, it is highly likely that your external load balancer is
not sending the client IP address when it passes the request to the Web Application Proxy server.
Why am I seeing load balancer IP addresses in the repor t?
If you are seeing load balancer IP addresses, it is highly likely that your external load balancer is not sending the
client IP address when it passes the request to the Web Application Proxy server. Please configure your load
balancer correctly to pass forward client IP address.
What do I do to block the IP address?
You should add identified malicious IP address to the firewall or block in Exchange.
Why am I not seeing any items in this repor t?
Failed sign-in activities are not exceeding the threshold settings.
Ensure no “Health service is not up to date” alert active in your AD FS server list. Read more about how to
troubleshoot this alert.
Audits is not enabled in AD FS farms.
Why am I seeing no access to the repor t?
Global Admin or Security Reader permission is required. Please contact your global admin to get access.
Next steps
Azure AD Connect Health
Azure AD Connect Health Agent Installation
Monitor Azure AD Connect sync with Azure AD
Connect Health
9/7/2020 • 4 minutes to read • Edit Online
The following documentation is specific to monitoring Azure AD Connect (Sync) with Azure AD Connect Health.
For information on monitoring AD FS with Azure AD Connect Health see Using Azure AD Connect Health with
AD FS. Additionally, for information on monitoring Active Directory Domain Services with Azure AD Connect
Health see Using Azure AD Connect Health with AD DS.
You can change this by clicking "Settings" and allowing Azure AD Connect Health agent to upload all error logs.
Sync Insight
Admins Frequently want to know about the time it takes to sync changes to Azure AD and the amount of
changes taking place. This feature provides an easy way to visualize this using the below graphs:
Latency of sync operations
Object Change trend
Sync Latency
This feature provides a graphical trend of latency of the sync operations (import, export, etc.) for connectors.
This provides a quick and easy way to understand not only the latency of your operations (larger if you have a
large set of changes occurring) but also a way to detect anomalies in the latency that may require further
investigation.
By default, only the latency of the 'Export' operation for the Azure AD connector is shown. To see more
operations on the connector or to view operations from other connectors, right-click on the chart, select Edit
Chart or click on the "Edit Latency Chart" button and choose the specific operation and connectors.
Sync Object Changes
This feature provides a graphical trend of the number of changes that are being evaluated and exported to
Azure AD. Today, trying to gather this information from the sync logs is difficult. The chart gives you, not only a
simpler way of monitoring the number of changes that are occurring in your environment, but also a visual
view of the failures that are occurring.
Object Level Synchronization Error Report
This feature provides a report about synchronization errors that can occur when identity data is synchronized
between Windows Server AD and Azure AD using Azure AD Connect.
The report covers errors recorded by the sync client (Azure AD Connect version 1.1.281.0 or higher)
It includes the errors that occurred in the last synchronization operation on the sync engine. ("Export" on
the Azure AD Connector.)
Azure AD Connect Health agent for sync must have outbound connectivity to the required end points for
the report to include the latest data.
The report is updated after ever y 30 minutes using the data uploaded by Azure AD Connect Health
agent for sync. It provides the following key capabilities
Categorization of errors
List of objects with error per category
All the data about the errors at one place
Side by side comparison of Objects with error due to a conflict
Download the error report as a CVS
Categorization of Errors
The report categorizes the existing synchronization errors in the following categories:
Data Mismatch Errors when the soft-match fails to match objects that result
in synchronization errors.
Data Validation Failure Errors due to invalid data, such as unsupported characters in
critical attributes such as UserPrincipalName, format errors
that fail validation before being written in Azure AD.
Federated Domain Change Errors when accounts use a different federated domain.
Large Attribute Errors when one or more attributes are larger than the
allowed size, length or count.
Other All other errors that don't fit in the above categories. Based
on feedback, this category will be split in sub categories.
List of objects with error per category
Drilling into each category will provide the list of objects having the error in that category.
Error Details
Following data is available in the detailed view for each error
Highlighted conflicting attribute
Identifiers for the AD Object involved
Identifiers for the Azure AD Object involved (as applicable)
Error description and how to fix
Download the error report as CSV
By selecting the "Export" button you can download a CSV file with all the details about all the errors.
Diagnose and remediate sync errors
For specific duplicated attribute sync error scenario involving user Source Anchor update, you can fix them
directly from the portal. Read more about Diagnose and remediate duplicated attribute sync errors
Related links
Troubleshooting Errors during synchronization
Duplicate Attribute Resiliency
Azure AD Connect Health
Azure AD Connect Health Agent Installation
Azure AD Connect Health Operations
Using Azure AD Connect Health with AD FS
Using Azure AD Connect Health with AD DS
Azure AD Connect Health FAQ
Azure AD Connect Health Version History
Using Azure AD Connect Health with AD DS
9/7/2020 • 2 minutes to read • Edit Online
The following documentation is specific to monitoring Active Directory Domain Services with Azure AD Connect
Health. The supported versions of AD DS are: Windows Server 2008 R2, Windows Server 2012, Windows Server
2012 R2, and Windows Server 2016.
For more information on monitoring AD FS with Azure AD Connect Health, see Using Azure AD Connect Health
with AD FS. Additionally, for information on monitoring Azure AD Connect (Sync) with Azure AD Connect Health
see Using Azure AD Connect Health for Sync.
Domain controllers can be grouped by their respective domain or site, which is helpful for understanding the
environment topology. Lastly, if you double-click the blade header, the dashboard maximizes to utilize the
available screen real-estate. This larger view is helpful when multiple columns are displayed.
Replication Status Dashboard
This dashboard provides a view of the replication status and replication topology of your monitored domain
controllers. The status of the most recent replication attempt is listed, along with helpful documentation for any
error that is found. You can double-click a domain controller with an error, to open a new blade with information
such as: details about the error, recommended resolution steps, and links to troubleshooting documentation.
Monitoring
This feature provides graphical trends of different performance counters, which are continuously collected from
each of the monitored domain controllers. Performance of a domain controller can easily be compared across all
other monitored domain controllers in your forest. Additionally, you can see various performance counters side
by side, which is helpful when troubleshooting issues in your environment.
By default, we have preselected four performance counters; however, you can include others by clicking the filter
command and selecting or deselecting any desired performance counters. Additionally, you can double-click a
performance counter graph to open a new blade, which includes data points for each of the monitored domain
controllers.
Related links
Azure AD Connect Health
Azure AD Connect Health Agent Installation
Azure AD Connect Health Operations
Using Azure AD Connect Health with AD FS
Using Azure AD Connect Health for sync
Azure AD Connect Health FAQ
Azure AD Connect Health Version History
Health service data is not up to date alert
9/7/2020 • 3 minutes to read • Edit Online
Overview
The agents on the on-premises machines that Azure AD Connect Health monitors periodically upload data to the
Azure AD Connect Health Service. If the service does not receive data from an agent, the information the portal
presents will be stale. To highlight the issue, the service will raise the Health ser vice data is not up to date
alert. This alert is generated when the service has not received complete data in the past two hours.
The Warning status alert fires if the Health Service has received only par tial data types sent from the server in
the past two hours. The warning status alert does not trigger email notifications to configured recipients.
The Error status alert fires if the Health Service has not received any data types from the server in the past two
hours. The error status alert triggers email notifications to configured recipients.
The service gets the data from agents that are running on the on-premises machines, depending on the service
type. The following table lists the agents that run on the machine, what they do, and the data types that the service
generates. In some cases, there are multiple services involved in the process, so any of them could be the culprit.
The following table maps service types to corresponding required data types:
A GEN T ( W IN DO W S SERVIC E
SERVIC E T Y P E N A M E) P URP O SE DATA T Y P E GEN ERAT ED
Azure AD Connect (Sync) Azure AD Connect Health Collect AAD Connect-specific - AadSyncService-
Sync Insights Service information (connectors, SynchronizationRules
synchronization rules, etc.) - AadSyncService-
Connectors
- AadSyncService-
GlobalConfigurations
- AadSyncService-
RunProfileResults
- AadSyncService-
ServiceConfigurations
- AadSyncService-
ServiceStatus
AD FS Azure AD Connect Health Perform synthetic tests TestResult (creates the test
AD FS Diagnostics Service results)
Azure AD Connect Health Collect ADFS-specific perf TestResult (uploads the test
AD FS Monitoring Service counters, ETW traces, files results)
Troubleshooting steps
The steps required to diagnose the issue is given below. The first is a set of basic checks that are common to all
Service Types.
IMPORTANT
This alert follows Connect Health data retention policy
Make sure the latest versions of the agents are installed. View release history.
Make sure that Azure AD Connect Health Agents services are running on the machine. For example,
Connect Health for AD FS should have three services.
Make sure to go over and meet the requirements section.
Use test connectivity tool to discover connectivity issues.
If you have an HTTP Proxy, follow these configuration steps.
Next steps
If any of the above steps identified an issue, fix it and wait for the alert to resolve. The alert background process
runs every 2 hours, so it will take up to 2 hours to resolve the alert.
Azure AD Connect Health data retention policy
Azure AD Connect Health FAQ
Diagnose and remediate duplicated attribute sync
errors
9/7/2020 • 7 minutes to read • Edit Online
Overview
Taking one step farther to highlight sync errors, Azure Active Directory (Azure AD) Connect Health introduces self-
service remediation. It troubleshoots duplicated attribute sync errors and fixes objects that are orphaned from
Azure AD. The diagnosis feature has these benefits:
It provides a diagnostic procedure that narrows down duplicated attribute sync errors. And it gives specific fixes.
It applies a fix for dedicated scenarios from Azure AD to resolve the error in a single step.
No upgrade or configuration is required to enable this feature. For more information about Azure AD, see
Identity synchronization and duplicate attribute resiliency.
Problems
A common scenario
When QuarantinedAttributeValueMustBeUnique and AttributeValueMustBeUnique sync errors happen, it's
common to see a UserPrincipalName or Proxy Addresses conflict in Azure AD. You might solve the sync errors
by updating the conflicting source object from the on-premises side. The sync error will be resolved after the next
sync. For example, this image indicates that two users have a conflict of their UserPrincipalName . Both are
Joe.J@contoso.com . The conflicting objects are quarantined in Azure AD.
AT T RIB UT E N A M E SY N C H RO N IZ AT IO N ERRO R T Y P ES
UserPrincipalName QuarantinedAttributeValueMustBeUnique or
AttributeValueMustBeUnique
ProxyAddresses QuarantinedAttributeValueMustBeUnique or
AttributeValueMustBeUnique
SipProxyAddress AttributeValueMustBeUnique
OnPremiseSecurityIdentifier AttributeValueMustBeUnique
IMPORTANT
To access this feature, Global Admin permission, or Contributor permission from Azure RBAC, is required.
Follow the steps from the Azure portal to narrow down the sync error details and provide more specific solutions:
From the Azure portal, take a few steps to identify specific fixable scenarios:
1. Check the Diagnose status column. The status shows if there's a possible way to fix a sync error directly from
Azure Active Directory. In other words, a troubleshooting flow exists that can narrow down the error case and
potentially fix it.
STAT US W H AT DO ES IT M EA N ?
Not Started You haven't visited this diagnosis process. Depending on the
diagnostic result, there's a potential way to fix the sync error
directly from the portal.
Manual Fix Required The error doesn't fit the criteria of available fixes from the
portal. Either conflicting object types aren't users, or you
already went through the diagnostic steps, and no fix
resolution was available from the portal. In the latter case, a fix
from the on-premises side is still one of the solutions. Read
more about on-premises fixes.
Pending Sync A fix was applied. The portal is waiting for the next sync cycle
to clear the error.
IMPORTANT
The diagnostic status column will reset after each sync cycle.
1. Select the Diagnose button under the error details. You'll answer a few questions and identify the sync error
details. Answers to the questions help identify an orphaned object case.
2. If a Close button appears at the end of the diagnostics, there's no quick fix available from the portal based
on your answers. Refer to the solution shown in the last step. Fixes from on-premises are still the solutions.
Select the Close button. The status of the current sync error switches to Manual fix required . The status
stays during the current sync cycle.
3. After an orphaned object case is identified, you can fix the duplicated attributes sync errors directly from the
portal. To trigger the process, select the Apply Fix button. The status of the current sync error updates to
Pending sync .
4. After the next sync cycle, the error should be removed from the list.
For the orphaned object scenario , only the single user Joe Johnson is present in on-premises Active Directory:
Do both of these accounts belong to the same user?
This question checks an incoming conflicting user and the existing user object in Azure AD to see if they belong to
the same user.
1. The conflicting object is newly synced to Azure Active Directory. Compare the objects' attributes:
Display Name
User Principal Name
Object ID
2. If Azure AD fails to compare them, check whether Active Directory has objects with the provided
UserPrincipalNames . Answer No if you find both.
In the following example, the two objects belong to the same user Joe Johnson .
What happens after the fix is applied in the orphaned object scenario
Based on the answers to the preceding questions, you'll see the Apply Fix button when there's a fix available from
Azure AD. In this case, the on-premises object is syncing with an unexpected Azure AD object. The two objects are
mapped by using the Source Anchor . The Apply Fix change takes these or similar steps:
1. Updates the Source Anchor to the correct object in Azure AD.
2. Deletes the conflicting object in Azure AD if it's present.
IMPORTANT
The Apply Fix change applies only to orphaned object cases.
After the preceding steps, the user can access the original resource, which is a link to an existing object. The
Diagnose status value in the list view updates to Pending Sync . The sync error will be resolved after the next
sync. Connect Health will no longer show the resolved sync error in the list view.
FAQ
Q. What happens if execution of the Apply Fix fails?
A. If execution fails, it's possible that Azure AD Connect is running an export error. Refresh the portal page and
retry after the next sync. The default sync cycle is 30 minutes.
Q. What if the existing object should be the object to be deleted?
A. If the existing object should be deleted, the process doesn't involve a change of Source Anchor . Usually, you
can fix it from on-premises Active Directory.
Q. What permission does a user need to apply the fix?
A. Global Admin , or Contributor from Azure RBAC, has permission to access the diagnostic and troubleshooting
process.
Q. Do I have to configure Azure AD Connect or update the Azure AD Connect Health agent for this feature?
A. No, the diagnosis process is a complete cloud-based feature.
Q. If the existing object is soft deleted, will the diagnosis process make the object active again?
A. No, the fix won't update object attributes other than Source Anchor .
Azure Active Directory Connect Health Alert Catalog
9/7/2020 • 34 minutes to read • Edit Online
Azure AD Connect Health service send alerts indicate that your identity infrastructure is not healthy. This article includes alerts
titles, descriptions, and remediation steps for each alert.
Error, Warning, and Prewarning are three stages of alerts that are generated from Connect Health service. We highly recommend
you take immediate actions on triggered alerts.
Azure AD Connect Health alerts get resolved on a success condition. Azure AD Connect Health Agents detect and report the
success conditions to the service periodically. For a few alerts, the suppression is time-based. In other words, if the same error
condition is not observed within 72 hours from alert generation, the alert is automatically resolved.
General Alerts
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
Health service data is not up to date The Health Agent(s) running on one or more Ensure that the health agents have outbound
servers is not connected to the Health connectivity to the required service end
Service and the Health Service is not points. Read More
receiving the latest data from this server. The
last data processed by the Health Service is
older than 2 Hours.
Azure AD Connect Sync Service is not Microsoft Azure AD Sync Windows service is Start Microsoft Azure Active Directory Sync
running not running or could not start. As a result, Services
objects will not synchronize with Azure Active 1. Click Star t , click Run , type
Directory. Ser vices.msc, and then click OK .
2. Locate the Microsoft Azure AD
Sync ser vice , and then check
whether the service is started. If the
service isn't started, right-click it, and
then click Star t .
Import from Azure Active Directory failed The import operation from Azure Active Investigate the event log errors of import
Directory Connector has failed. operation for further details.
Connection to Azure Active Directory failed Connection to Azure Active Directory failed Investigate the event log errors for further
due to authentication failure due to authentication failure. As a result details.
objects will not be synchronized with Azure
Active Directory.
Export to Active Directory failed The export operation to Active Directory Investigate the event log errors of export
Connector has failed. operation for further details.
Import from Active Directory failed Import from Active Directory failed. As a Verify DC connectivity
result, objects from some domains from this Rerun import manually
forest may not be imported. Investigate event log errors of the import
operation for further details.
Export to Azure Active Directory failed The export operation to Azure Active Investigate the event log errors of export
Directory Connector has failed. As a result, operation for further details.
some objects may not be exported
successfully to Azure Active Directory.
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
Password Hash Synchronization heartbeat Password Hash Synchronization has not Restart Microsoft Azure Active Directory Sync
was skipped in last 120 minutes connected with Azure Active Directory in the Services:
last 120 minutes. As a result, passwords will Any synchronization operations that are
not be synchronized with Azure Active currently running will be interrupted. You can
Directory. choose to perform below steps when no
synchronization operation is in progress.
1. Click Star t , click Run , type Ser vices.msc,
and then click OK .
2. Locate Microsoft Azure AD Sync, right-
click it, and then click Restar t .
High CPU Usage detected The percentage of CPU consumption crossed This could be a temporary spike in CPU
the recommended threshold on this server. consumption. Check the CPU usage trend
from the Monitoring section.
Inspect the top processes consuming the
highest CPU usage on the server.
1. You may use the Task Manager or
execute the following PowerShell
Command:
get-process | Sort-Object -
Descending CPU | Select-Object -First
10
2. If there are unexpected processes
consuming high CPU usage, stop the
processes using the following
PowerShell command:
stop-process -ProcessName [name of
the process]
If the processes seen in the above list are
the intended processes running on the server
and the CPU consumption is continuously
near the threshold please consider re-
evaluating the deployment requirements of
this server.
As a fail-safe option you may consider
restarting the server.
High Memory Consumption Detected The percentage of memory consumption of Inspect the top processes consuming the
the server is beyond the recommended highest memory on the server. You may use
threshold on this server. the Task Manager or execute the following
PowerShell Command:
get-process | Sort-Object -Descending WS |
Select-Object -First 10
If there are unexpected processes consuming
high memory, stop the processes using the
following PowerShell command:
stop-process -ProcessName [name of the
process]
If the processes seen in the above list are
the intended processes running on the
server, please consider re-evaluating the
deployment requirements of this server.
As a failsafe option, you may consider
restarting the server.
Password Hash Synchronization has stopped Password Hash Synchronization has stopped. Restart Microsoft Azure Active Directory Sync
working As a result passwords will not be Services:
synchronized with Azure Active Directory. Any synchronization operations that are
currently running will be interrupted. You can
choose to perform below steps when no
synchronization operation is in progress.
1. Click Star t , click Run , type
Ser vices.msc, and then click OK .
2. Locate the Microsoft Azure AD
Sync, right-click it, and then click
Restar t .
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
Export to Azure Active Directory was The export operation to Azure Active The number of objects are marked for
Stopped. Accidental delete threshold was Directory has failed. There were more objects deletion are greater than the set threshold.
reached to be deleted than the configured threshold. Ensure this outcome is desired.
As a result, no objects were exported. To allow the export to continue, perform
the following steps:
1. Disable Threshold by running Disable-
ADSyncExportDeletionThreshold
2. Start Synchronization Service
Manager
3. Run Export on Connector with type =
Azure Active Directory
4. After successfully exporting the
objects, enable Threshold by running:
Enable-
ADSyncExportDeletionThreshold
Test Authentication Request (Synthetic The test authentication requests (Synthetic Ensure that the following steps are taken to
Transaction) failed to obtain a token Transactions) initiated from this server has validate the health of the server.
failed to obtain a token after 5 retries. This 1. Validate that there are no additional
may be caused due to transient network unresolved alerts for this or other AD
issues, AD DS Domain Controller availability FS servers in your farm.
or a mis-configured AD FS server. As a result, 2. Validate that this condition is not a
authentication requests processed by the transient failure by logging on with a
federation service may fail. The agent uses test user from the AD FS login page
the Local Computer Account context to available at
obtain a token from the Federation Service. https://{your_adfs_server_name}/adfs/l
s/idpinitiatedsignon.aspx
3. Go to
https://testconnectivity.microsoft.com
and choose the ‘Office 365’ tab.
Perform the ‘Office 365 Single Sign-
On Test’.
4. Verify if your AD FS service name can
be resolved from this server by
executing the following command
from a command prompt on this
server. nslookup
your_adfs_server_name
If the service name cannot be resolved,
refer to the FAQ section for instructions
of adding a HOST file entry of your AD
FS service with the IP address of this
server. This will allow the synthetic
transaction module running on this
server to request a token
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
The proxy server cannot reach the federation This AD FS proxy server is unable to contact Perform the following steps to validate the
server the AD FS service. As a result, authentication connectivity between this server and the AD
requests processed by this server will fail. FS service.
1. Ensure that the firewall between this
server and the AD FS service is
configured accurately.
2. Ensure that DNS resolution for the AD
FS service name appropriately points
to the AD FS service that resides
within the corporate network. This
can be achieved through a DNS
server that serves this server in the
perimeter network or through entries
in the HOSTS files for the AD FS
service name.
3. Validate the network connectivity by
opening up the browser on this
server and accessing the federation
metadata endpoint, which is at
https://<your-adfs-service-
name>/federationmetadata/2007-
06/federationmetadata.xml
The SSL Certificate is about to expire The TLS/SSL certificate used by the Update the TLS/SSL certificate on each AD FS
Federation servers is about to expire within server.
90 days. Once expired, any requests that 1. Obtain the TLS/SSL certificate with the
require a valid TLS connection will fail. For following requirements.
example, for Office 365 customers, mail a. Enhanced Key Usage is at least
clients will not be able to authenticate. Server Authentication.
b. Certificate Subject or Subject
Alternative Name (SAN)
contains the DNS name of the
Federation Service or
appropriate wild card. For
example: sso.contoso.com or
*.contoso.com
2. Install the new TLS/SSL certificate on
each server in the local machine
certificate store.
3. Ensure that the AD FS Service
Account has read access to the
certificate's Private Key
For AD FS 2.0 in Windows Ser ver
2008R2:
Bind the new TLS/SSL certificate to
the web site in IIS, which hosts the
Federation Service. Note that you
must perform this step on each
Federation Server and Federation
Server proxy.
For AD FS in Windows Ser ver 2012
R2 and later versions:
Refer to Managing SSL Certificates in AD
FS and WAP
AD FS service is not running on the server Active Directory Federation Service (Windows To start the Active Directory Federation
Service) is not running on this server. Any Service (Windows Service):
requests targeted to this server will fail. 1. Log on to the server as an
administrator.
2. Open services.msc
3. Find "Active Directory Federation
Services".
4. Right-click and select "Start".
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
DNS for the Federation Service may be The DNS server could be configured to use a Ensure that the DNS record type of the AD
misconfigured CNAME record for the AD FS farm name. It is FS farm <Farm Name> is not CNAME.
recommended to use A or AAAA record for Configure it to be an A or AAAA record.
AD FS in order for the Windows Integrated
Authentication to work seamlessly within
your corporate network.
AD FS Auditing is disabled AD FS Auditing is disabled for the server. AD If AD FS Audits are not enabled follow these
FS Usage section on the portal will not instructions:
include data from this server. 1. Grant the AD FS service account the
"Generate security audits" right on
the AD FS server.
2. Open the local security policy on the
server gpedit.msc.
3. Navigate to "Computer
Configuration\Windows Settings\Local
Policies\User Rights Assignment"
4. Add the AD FS Service Account to
have the "Generate security audits"
right.
5. Run the following command from the
command prompt:
auditpol.exe /set
/subcategory:"Application Generated"
/failure:enable /success:enable
6. Update Federation Service Properties
to include Success and Failure Audits.
7. In the AD FS console, choose "Edit
Federation Service Properties".
8. From "Federation Service Properties"
dialogue box choose the Events tab
and select "Success Audits" and
"Failure Audits".
After following these steps, AD FS Audit
Events should be visible from the Event
Viewer. To verify:
1. Go to Event Viewer/ Windows Logs
/Security.
2. Select Filter Current Logs and select
AD FS Auditing from the Event
sources drop down. For an active AD
FS server with AD FS auditing
enabled, events should be visible for
the above filtering.
If you have followed these instructions
before, but still seeing this alert, it is
possible that a Group Policy Object is
disabling AD FS auditing. The root cause
can be one of the following:
1. AD FS service account is being
removed from having the right to
Generate Security Audits.
2. A custom script in Group Policy
Object is disabling success and failure
audits based on "Application
Generated".
3. AD FS configuration is not enabled to
generate Success/Failure audits.
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
AD FS SSL certificate is self-signed You are currently using a self-signed Update the TLS/SSL certificate on each
certificate as the TLS/SSL certificate in your AD FS server.
AD FS farm. As a result, mail client
authentication for Office 365 will fail 1. Obtain a publicly trusted TLS/SSL
certificate with the following
requirements.
2. Certificate installation file contains its
private key.
3. Enhanced Key Usage is at least Server
Authentication.
4. Certificate Subject or Subject
Alternative Name (SAN) contains the
DNS name of the Federation Service
or appropriate wild card. For example:
sso.contoso.com or *.contoso.com
Install the new TLS/SSL certificate on
each server in the local machine
certificate store.
Ensure that the AD FS Service Account
has read access to the certificate's Private
Key.
For AD FS 2.0 in Windows Ser ver
2008R2:
1. Bind the new TLS/SSL certificate to
the web site in IIS, which hosts the
Federation Service. Note that you
must perform this step on each
Federation Server and Federation
Server proxy.
The trust between the proxy server and The trust between the federation server Update the Proxy Trust Certificate on the
federation server is not valid proxy and the Federation Service could not proxy server. Re-Run the Proxy Configuration
be established or renewed. Wizard.
Extranet Lockout Protection Disabled for AD The Extranet Lockout Protection feature is Run the following command to enable AD FS
FS DISABLED on your AD FS farm. This feature Extranet Lockout Protection with default
protects your users from brute force values.
password attacks from the internet and Set-AdfsProperties -EnableExtranetLockout
prevents denial of service attacks against $true
your users when AD DS account lockout
policies are in effect. With this feature If you have AD lockout policies configured for
enabled, if the number of failed extranet login your users, ensure that the
attempts for a user (login attempts made via 'ExtranetLockoutThreshold' property is set to
WAP server and AD FS) exceed the a value below your AD DS lockout threshold.
'ExtranetLockoutThreshold' then AD FS This ensures that requests that have
servers will stop processing further login exceeded the threshold for AD FS are
attempts for ‘ExtranetObservationWindow' dropped and never validated against your AD
We highly recommend you enable this DS servers.
feature on your AD FS servers.
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
Invalid Service Principal Name (SPN) for the The Service Principal Name of the Federation Use [SETSPN -L Ser viceAccountName ] to
AD FS service account Service account is not registered or is not list the Service Principals.
unique. As a result, Windows Integrated Use [SETSPN -X ] to check for duplicate
Authentication from domain-joined clients Service Principal Names.
may not be seamless.
If SPN is duplicated for the AD FS service
account, remove the SPN from the
duplicated account using [SETSPN -d
ser vice/namehostname ]
If SPN is not set, use [SETSPN -s
{Desired-SPN} {domain_name}
{ser vice_account} ] to set the desired
SPN for the Federation Service Account.
The Primary AD FS Token Decrypting The Primary AD FS Token Decrypting If Auto-certificate roll-over is enabled, AD FS
certificate is about to expire certificate is about to expire in less than 90 manages the Token Decrypting Certificate.
days. AD FS cannot decrypt tokens from
trusted claims providers. AD FS cannot If you manage your certificate manually,
decrypt encrypted SSO cookies. The end please follow the below instructions.
users will not be able to authenticate to Obtain a new Token Decr ypting
access resources. Cer tificate.
1. Ensure that the Enhanced Key Usage
(EKU) includes "Key Encipherment".
2. Subject or Subject Alternative Name
(SAN) do not have any restrictions.
3. Note that your Federation Servers
and Claims Provider partners need to
be able to chain to a trusted root
certification authority when validating
your Token-Decrypting certificate.
Decide how your Claims Provider
par tners will trust the new Token-
Decr ypting cer tificate
1. Ask partners to pull the Federation
Metadata after updating the
certificate.
2. Share the public key of the new
certificate. (.cer file) with the partners.
On the Claims Provider partner's AD
FS server, launch AD FS Management
from the Administrative Tools menu.
Under Trust Relationships/Relying
Party Trusts, select the trust that was
created for you. Under
Properties/Encryption click "Browse"
to select the new Token-Decrypting
certificate and click OK.
Install the cer tificate in the local
cer tificate store on each of your
Federation Ser ver.
Ensure that the certificate installation
file has the Private Key of the
certificate on each server.
Ensure that the federation ser vice
account has access to the new
cer tificate's private key. Add the new
cer tificate to AD FS.
1. Launch AD FS Management from the
Administrative Tools menu
2. Expand Service and select Certificates
3. In the Actions pane, click Add Token-
Decrypting Certificate
4. You will be presented with a list of
certificates that are valid for Token-
Decrypting. If you find that your new
certificate is not being presented in
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
the list, you need to go back and
make sure that the certificate is in the
local computer personal store with a
private key associated and the
certificate has the Key Encipherment
as Extended Key Usage.
5. Select your new Token-Decrypting
certificate and click OK.
Set the new Token-Decr ypting
Cer tificate as Primar y.
1. With the Certificates node in AD FS
Management selected, you should
now see two certificates listed under
Token-Decrypting: existing and the
new certificate.
2. Select your new Token-Decrypting
certificate, right-click, and select Set as
primary.
3. Leave the old certificate as secondary
for roll-over purposes. You should
plan to remove the old certificate
once you are confident it is no longer
needed for roll-over, or when the
certificate has expired.
The Primary AD FS Token Signing certificate The AD FS token signing certificate is about Obtain a new Token Signing Cer tificate.
is about to expire to expire within 90 days. AD FS cannot issue 1. Ensure that the Enhanced Key Usage
signed tokens when this certificate is not (EKU) includes "Digital Signature".
valid. 2. Subject or Subject Alternative Name
(SAN) does not have any restrictions.
3. Note that your Federation Servers,
your Resource Partner Federation
Servers and Relying Party Application
servers need to be able to chain to a
trusted root certificate authority when
validating your Token-Signing
certificate.
Install the cer tificate in the local
cer tificate store on each Federation
Ser ver.
Ensure that the certificate installation
file has the Private Key of the
certificate on each server.
Ensure that the Federation Ser vice
Account has access to the new
cer tificate's private key. Add the new
cer tificate to AD FS.
1. Launch AD FS Management from the
Administrative Tools menu.
2. Expand Service and select Certificates
3. In the Actions pane, click Add Token-
Signing Certificate...
4. You will be presented with a list of
certificates that are valid for Token-
Signing. If you find that your new
certificate is not being presented in
the list, you need to go back and
make sure that the certificate is in the
local computer Personal store with
private key associated and the
certificate has the Digital Signature
KU.
5. Select your new Token-Signing
certificate and click OK
Inform all the Relying Par ties about the
change in Token Signing Cer tificate.
1. Relying Parties that consume AD FS
federation metadata, must pull the
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
new Federation Metadata to start
using the new certificate.
2. Relying Parties that do NOT consume
AD FS federation metadata must
manually update the public key of the
new Token Signing Certificate. Share
the .cer file with the Relying Parties.
Set the new Token-Signing
Cer tificate as Primar y.
1. With the Certificates node in AD
FS Management selected, you
should now see two certificates
listed under Token-Signing:
existing and the new certificate.
2. Select your new Token-Signing
certificate, right-click, and select
Set as primar y
3. Leave the old certificate as
secondary for rollover purposes.
You should plan to remove the
old certificate once you are
confident it is no longer needed
for rollover, or when the
certificate has expired. Note that
current users' SSO sessions are
signed. Current AD FS Proxy Trust
relationships utilize tokens that
are signed and encrypted using
the old certificate.
AD FS SSL certificate is not found in the local The certificate with the thumbprint that is Install the certificate with the configured
certificate store configured as the TLS/SSL certificate in the thumbprint in the local certificate store.
AD FS database was not found in the local
certificate store. As a result, any
authentication request over the TLS will fail.
For example mail client authentication for
Office 365 will fail.
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
The SSL Certificate expired The TLS/SSL certificate for the AD FS service Update the TLS/SSL certificate on each AD FS
has expired. As a result, any authentication server.
requests that require a valid TLS connection 1. Obtain the TLS/SSL certificate with the
will fail. For example: mail client following requirements.
authentication will not be able to 2. Enhanced Key Usage is at least Server
authenticate for Office 365. Authentication.
3. Certificate Subject or Subject
Alternative Name (SAN) contains the
DNS name of the Federation Service
or appropriate wild card. For example:
sso.contoso.com or *.contoso.com
4. Install the new TLS/SSL certificate on
each server in the local machine
certificate store.
5. Ensure that the AD FS Service
Account has read access to the
certificate's Private Key
For AD FS 2.0 in Windows Ser ver
2008R2:
Bind the new TLS/SSL certificate to
the web site in IIS, which hosts the
Federation Service. Note that you
must perform this step on each
Federation Server and Federation
Server proxy.
For AD FS in Windows Ser ver 2012
R2 or later versions: Refer to:
Managing SSL Certificates in AD FS and
WAP
The Required end points for Azure Active The following set of end points required by Enable the required end points for the
Directory (for Office 365) are not enabled the Exchange Online Services, Azure AD, and Microsoft Cloud Services on your federation
Office 365 are not enabled for the federation service.
service: For AD FS in Windows Server 2012R2 or later
/adfs/services/trust/2005/usernamemixed versions
/adfs/ls/ Refer to: Managing SSL Certificates in AD
FS and WAP
The Federation server was unable to connect The AD FS service account is experiencing Ensure that the AD FS service account has
to the AD FS Configuration Database issues while connecting to the AD FS access to the configuration database.
configuration database. As a result, the AD FS Ensure that the AD FS Configuration
service on this computer may not function as Database service is available and reachable.
expected.
Required SSL bindings are missing or not The TLS bindings required for this federation For Windows Server 2012 R2
configured server to successfully perform authentication Open an elevated admin command prompt
are misconfigured. As a result, AD FS cannot and execute the following commands:
process any incoming requests. 1. To view the current TLS binding:
Get-AdfsSslCertificate
2. To add new bindings:
netsh http add sslcert hostnameport=<federation service
name>:443
certhash=0102030405060708090A0B0C0D0E0F10111213
appid={00112233-4455-6677-8899-AABBCCDDEEFF}
certstorename=MY
The Primary AD FS Token Signing certificate The AD FS Token Signing certificate has If Auto-certificate rollover is enabled, AD FS
has expired expired. AD FS cannot issue signed tokens will manage updating the Token Signing
when this certificate is not valid. Certificate.
If you manage your certificate manually,
follow the below instructions.
1. Obtain a new Token Signing
Cer tificate.
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
a. Ensure that the Enhanced Key
Usage (EKU) includes "Digital
Signature".
b. Subject or Subject Alternative
Name (SAN) does not have
any restrictions.
c. Remember that your
Federation Servers, your
Resource Partner Federation
Servers and Relying Party
Application servers need to be
able to chain to a trusted root
certificate authority when
validating your Token-Signing
certificate.
2. Install the cer tificate in the local
cer tificate store on each
Federation Ser ver.
Ensure that the certificate
installation file has the Private
Key of the certificate on each
server.
3. Ensure that the Federation
Ser vice Account has access to
the new cer tificate's private key.
4. Add the new cer tificate to AD
FS.
a. Launch AD FS Management
from the Administrative Tools
menu.
b. Expand Service and select
Certificates
c. In the Actions pane, click Add
Token-Signing Certificate...
d. You will be presented with a
list of certificates that are valid
for Token-Signing. If you find
that your new certificate is not
being presented in the list, you
need to go back and make
sure that the certificate is in
the local computer Personal
store with private key
associated and the certificate
has the Digital Signature KU.
e. Select your new Token-Signing
certificate and click OK
5. Inform all the Relying Par ties
about the change in Token
Signing Cer tificate.
a. Relying Parties that consume
AD FS federation metadata,
must pull the new Federation
Metadata to start using the
new certificate.
b. Relying Parties that do NOT
consume AD FS federation
metadata must manually
update the public key of the
new Token Signing Certificate.
Share the .cer file with the
Relying Parties.
6. Set the new Token-Signing
Cer tificate as Primar y.
a. With the Certificates node in
AD FS Management selected,
you should now see two
certificates listed under Token-
Signing: existing and the new
certificate.
b. Select your new Token-Signing
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
certificate, right-click, and
select Set as primar y
c. Leave the old certificate as
secondary for rollover
purposes. You should plan to
remove the old certificate once
you are confident it is no
longer needed for rollover, or
when the certificate has
expired. Remember that
current users' SSO sessions are
signed. Current AD FS Proxy
Trust relationships utilize
tokens that are signed and
encrypted using the old
certificate.
Proxy server is dropping requests for This proxy server is currently dropping Verify if the network latency between the
congestion control requests from the extranet due to a higher Federation Proxy Server and the Federation
than normal latency between this proxy Servers falls within the acceptable range.
server and the federation server. As a result, Refer to the Monitoring Section for trending
certain portion of the authentication values of the "Token Request Latency". A
requests processed by the AD FS Proxy latency greater than [1500 ms] should be
server can fail. considered as high latency. If high latency is
observed, ensure the network between AD
FS and AD FS Proxy servers does not have
any connectivity issues.
Ensure Federation Servers are not
overloaded with authentication requests.
Monitoring Section provides trending views
for Token Requests per second, CPU
utilization and Memory consumption.
If the above items have been verified and
this issue is still seen, adjust the congestion
avoidance setting on each of the Federation
Proxy Servers as per the guidance from the
related links.
The AD FS service account is denied access to The AD FS service account does not have Ensure that the AD FS service account is
one of the certificate's private key. access to the private key of one of the AD FS provided access to the TLS, token signing,
certificates on this computer. and token decryption certificates stored in
the local computer certificate store.
1. From Command Line type MMC.
2. Go to File->Add/Remove Snap-In
3. Select Certificates and click Add. ->
Select Computer Account and click
Next. -> Select Local Computer and
click Finish. Click OK.
Open Certificates(Local
Computer)/Personal/Certificates.For all the
certificates that are used by AD FS:
1. Right-click the certificate.
2. Select All Tasks -> Manage Private
Keys.
3. On the Security Tab under Group or
user names ensure that the AD FS
service account is present. If not
select Add and add the AD FS service
account.
4. Select the AD FS service account and
under "Permissions for <AD FS
Service Account Name>" make sure
Read permission is allowed (check
mark).
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
The AD FS SSL certificate does not have a AD FS TLS/SSL certificate was installed Update the TLS/SSL certificate on each AD FS
private key without a private key. As a result any server.
authentication request over the SSL will fail. 1. Obtain a publicly trusted TLS/SSL
For example, mail client authentication for certificate with the following
Office 365 will fail. requirements.
a. Certificate installation file
contains its private key.
b. Enhanced Key Usage is at least
Server Authentication.
c. Certificate Subject or Subject
Alternative Name (SAN)
contains the DNS name of the
Federation Service or
appropriate wild card. For
example: sso.contoso.com or
*.contoso.com
2. Install the new TLS/SSL certificate on
each server in the local machine
certificate store.
3. Ensure that the AD FS Service
Account has read access to the
certificate's Private Key
For AD FS 2.0 in Windows Ser ver
2008R2:
Bind the new TLS/SSL certificate to
the web site in IIS which hosts the
Federation Service. Note that you
must perform this step on each
Federation Server and Federation
Server proxy.
For AD FS in Windows Ser ver 2012
R2 or later versions:
Refer to: Managing SSL Certificates in AD
FS and WAP
The Primary AD FS Token Decrypting The Primary AD FS Token Decrypting If Auto-certificate roll-over is enabled, AD
certificate has expired certificate has expired. AD FS cannot decrypt FS manages the Token Decrypting
tokens from trusted claims providers. AD FS Certificate.
cannot decrypt encrypted SSO cookies. The
end users will not be able to authenticate to If you manage your certificate manually,
access resources. follow the below instructions.
1. Obtain a new Token Decr ypting
Cer tificate.
Ensure that the Enhanced Key
Usage (EKU) includes "Key
Encipherment".
Subject or Subject Alternative
Name (SAN) do not have any
restrictions.
Note that your Federation
Servers and Claims Provider
partners need to be able to
chain to a trusted root
certification authority when
validating your Token-
Decrypting certificate.
2. Decide how your Claims Provider
par tners will trust the new
Token-Decr ypting cer tificate
Ask partners to pull the
Federation Metadata after
updating the certificate.
Share the public key of the
new certificate. (.cer file) with
the partners. On the Claims
Provider partner's AD FS
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
server, launch AD FS
Management from the
Administrative Tools menu.
Under Trust
Relationships/Relying Party
Trusts, select the trust that was
created for you. Under
Properties/Encryption click
"Browse" to select the new
Token-Decrypting certificate
and click OK.
3. Install the cer tificate in the local
cer tificate store on each of your
Federation Ser ver.
Ensure that the certificate
installation file has the Private
Key of the certificate on each
server.
4. Ensure that the federation
ser vice account has access to
the new cer tificate's private key.
5. Add the new cer tificate to AD
FS.
Launch AD FS Management
from the Administrative Tools
menu
Expand Service and select
Certificates
In the Actions pane, click Add
Token-Decrypting Certificate
You will be presented with a
list of certificates that are valid
for Token-Decrypting. If you
find that your new certificate is
not being presented in the list,
you need to go back and
make sure that the certificate
is in the local computer
personal store with a private
key associated and the
certificate has the Key
Encipherment as Extended Key
Usage.
Select your new Token-
Decrypting certificate and click
OK.
6. Set the new Token-Decr ypting
Cer tificate as Primar y.
With the Certificates node in
AD FS Management selected,
you should now see two
certificates listed under Token-
Decrypting: existing and the
new certificate.
Select your new Token-
Decrypting certificate, right-
click, and select Set as primary.
Leave the old certificate as
secondary for roll-over
purposes. You should plan to
remove the old certificate once
you are confident it is no
longer needed for roll-over, or
when the certificate has
expired.
Domain controller is unreachable via LDAP Domain Controller is not reachable via LDAP Examine alerts list for related alerts, such
ping Ping. This can be caused due to Network as: Domain Controller is not advertising.
issues or machine issues. As a result, LDAP Ensure affected Domain Controller has
Pings will fail. sufficient disk space. Running out of space
will stop the DC from advertising itself as an
LDAP server.
Attempt to find the PDC: Run
netdom query fsmo
on the affected Domain Controller.
Ensure physical network is properly
configured/connected.
Active Directory replication error This domain controller is experiencing See additional details for the names of the
encountered replication issues, which can be found by affected source and destination DCs.
going to the Replication Status Dashboard. Navigate to Replication Status dashboard and
Replication errors may be due to improper look for the active errors on the affected DCs.
configuration or other related issues. Click on the error to open a blade with more
Untreated replication errors can lead to data details on how to remediate that particular
inconsistency. error.
Domain controller is unable to find a PDC A PDC is not reachable through this domain Examine alerts list for related alerts that
controller. This will lead to impacted user could be impacting your PDC, such as:
logons, unapplied group policy changes, and Domain Controller is not advertising.
system time synchronization failure. Attempt to find the PDC: Run
netdom query fsmo
on the affected Domain Controller.
Ensure network is working properly.
Domain controller is unable to find a Global A global catalog server is not reachable from Examine the alerts list for any Domain
Catalog server this domain controller. It will result in failed Controller is not adver tising alerts where
authentications attempted through this the impacted server might be a GC. If there
Domain Controller. are no advertising alerts, check the SRV
records for the GCs. You can check them by
running:
nltest /dnsgetdc: [ForestName] /gc
It should list the DCs advertising as GCs. If
the list is empty, check the DNS configuration
to ensure that the GC has registered the SRV
records. The DC is able to find them in DNS.
For troubleshooting Global Catalogs, see
Advertising as a Global Catalog Server.
Domain controller unable to reach local Sysvol contains important elements from See How to troubleshoot missing SYSVOL
SYSVOL share Group Policy Objects and scripts to be and Netlogon shares
distributed within DCs of a domain. The DC
will not advertise itself as DC and Group
Policies will not be applied.
Domain Controller time is out of sync The time on this Domain Controller is outside Restart Windows Time Service: Run
of the normal Time Skew range. As a result, net stop w32time
Kerberos authentications will fail. then
net start w32time
on the affected Domain Controller.
Resync Time: Run
w32tm /resync
on the affected Domain Controller.
A L ERT N A M E DESC RIP T IO N REM EDIAT IO N
Domain controller is not advertising This domain controller is not properly Examine alerts list for other related alerts
advertising the roles it's capable of such as: Replication is broken. Domain
performing. This can be caused by problems controller time is out of sync. Netlogon
with replication, DNS misconfiguration, critical service is not running. DFSR and/or NTFRS
services not running, or because of the services are not running. Identify and
server not being fully initialized. As a result, troubleshoot related DNS problems: Logon
domain controllers, domain members, and to affected Domain controller. Open System
other devices will not be able to locate this Event Log. If events 5774, 5775 or 5781 are
domain controller. Additionally, other domain present, see Troubleshooting Domain
controllers might not be able to replicate Controller Locator DNS Records Registration
from this domain controller. Failure Identify and troubleshoot related
Windows Time Service Issues: Ensure
Windows Time service is running: Run 'net
star t w32time ' on the affected Domain
Controller. Restart Windows Time Service:
Run 'net stop w32time ' then 'net star t
w32time ' on the affected Domain Controller.
GPSVC service is not running If the service is stopped or disabled, settings Run
configured by the admin will not be applied net start gpsvc
and applications and components will not be on the affected Domain Controller.
manageable through Group Policy. Any
components or applications that depend on
the Group Policy component might not be
functional if the service is disabled.
DFSR and/or NTFRS services are not running If both DFSR and NTFRS services are stopped, If using DFSR:
Domain Controllers will not be able to Run 'net star t dfsr ' on the affected
replicate SYSVOL data. SYSVOL Data will be Domain Controller.
out of consistency.
If using NTFRS:
Run 'net star t ntfrs ' on the affected
Domain Controller.
Netlogon service is not running Logon requests, registration, authentication, Run 'net star t netlogon ' on the affected
and locating of domain controllers will be Domain Controller
unavailable on this DC.
W32Time service is not running If Windows Time Service is stopped, date and Run 'net star t win32Time ' on the affected
time synchronization will be unavailable. If Domain Controller
this service is disabled, any services that
explicitly depend on it will fail to start.
ADWS service is not running If Active Directory Web Services service is Run 'net star t adws ' on the affected
stopped or disabled, client applications, such Domain Controller
as Active Directory PowerShell, will not be
able to access or manage any directory
service instances that are running locally on
this server.
Root PDC is not Syncing from NTP Server If you do not configure the PDC to On the affected Domain Controller, open a
synchronize time from an external or internal command prompt. Stop the Time service: net
time source, the PDC emulator uses its stop w32time
internal clock and is itself the reliable time Configure the external time source:
source for the forest. If time is not accurate w32tm /config /manualpeerlist:
on the PDC itself, all computers will have time.windows.com /syncfromflags:manual
incorrect time settings. /reliable:yes
Domain controller is quarantined This Domain Controller is not connected to Enable inbound and outbound replication:
any of the other working Domain Controllers. Run 'repadmin /options Ser verName -
This may be caused due to improper DISABLE_INBOUND_REPL ' on the affected
configuration. As a result, this DC is not Domain Controller. Run 'repadmin /options
being used and will not replicate from/to Ser verName -
anyone. DISABLE_OUTBOUND_REPL ' on the
affected Domain Controller. Create a new
replication connection to another Domain
Controller:
1. Open Active Directory Sites and
Services: Start menu, point to
Administrative Tools, then click Active
Directory Sites and Services.
2. In the console tree, expand Sites, and
then expand the site, which this DC
belongs to.
3. Expand the Servers container to
display the list of servers.
4. Expand the server object for this DC.
5. Right-click the NTDS Settings object,
and click on New Active Directory
Domain Services Connection...
6. Select a Server from the list, and click
Ok.
How to remove orphaned domains from
Active Directory.
Outbound Replication is Disabled DCs with disabled Outbound Replication, will To enable outbound replication on the
not be able to distribute any changes affected Domain Controller, follow these
originating within itself. steps: Click Start, click Run, type cmd and
then click OK. Type the following text, and
then press ENTER:
repadmin /options -
DISABLE_OUTBOUND_REPL
Inbound Replication is Disabled DCs with disabled Inbound Replication, will To enable inbound replication on the affected
not have the latest information. This Domain Controller, follow these steps: Click
condition can lead to logon failures. Start, click Run, type cmd and then click OK.
Type the following text, and then press
ENTER:
repadmin /options -
DISABLE_INBOUND_REPL
LanmanServer service is not running If this service is disabled, any services that Run 'net star t LanManSer ver ' on the
explicitly depend on it will fail to start. affected Domain Controller.
Kerberos Key Distribution Center service is If KDC Service is stopped, users will not be Run 'net star t kdc' on the affected Domain
not running able to authentication through this DC using Controller.
the Kerberos v5 authentication protocol.
DNS service is not running If DNS Service is stopped, computers and Run 'net star t dns ' on the affected Domain
users using that server for DNS purposes will Controller.
fail to find resources.
DC had USN Rollback When USN rollbacks occur, modifications to There are two approaches to recover from a
objects and attributes are not inbound USN rollback:
replicated by destination domain controllers Remove the Domain Controller from the
that have previously seen the USN. Because domain, following these steps:
these destination domain controllers believe
they are up to date, no replication errors are 1. Remove Active Directory from the
reported in Directory Service event logs or domain controller to force it to be a
by monitoring and diagnostic tools. USN stand-alone server. For more
rollback may affect the replication of any information, click the following article
object or attribute in any partition. The most number to view the article in the
frequently observed side effect is that user Microsoft Knowledge Base:
accounts and computer accounts that are 332199 Domain controllers do not
created on the rollback domain controller do
created on the rollback domain controller do demote gracefully when you use the
A L ERT N A M E DESC RIP Ton
not exist IO None or more replication partners. REM EDIAT IO N
Active Directory Installation Wizard to
Or, the password updates that originated on force demotion in Windows Server
the rollback domain controller do not exist on 2003 and in Windows 2000 Server.
replication partners. 2. Shut down the demoted server.
3. On a healthy domain controller, clean
up the metadata of the demoted
domain controller. For more
information, click the following article
number to view the article in the
Microsoft Knowledge Base:
216498 How to remove data in Active
Directory after an unsuccessful
domain controller demotion
4. If the incorrectly restored domain
controller hosts operations master
roles, transfer these roles to a healthy
domain controller. For more
information, click the following article
number to view the article in the
Microsoft Knowledge Base:
255504 Using Ntdsutil.exe to transfer
or seize FSMO roles to a domain
controller
5. Restart the demoted server.
6. If you are required to, install Active
Directory on the stand-alone server
again.
7. If the domain controller was
previously a global catalog, configure
the domain controller to be a global
catalog. For more information, click
the following article number to view
the article in the Microsoft Knowledge
Base:
313994 How to create or move a
global catalog in Windows 2000
8. If the domain controller previously
hosted operations master roles,
transfer the operations master roles
back to the domain controller. For
more information, click the following
article number to view the article in
the Microsoft Knowledge Base:
255504 Using Ntdsutil.exe to transfer
or seize FSMO roles to a domain
controller Restore the system state of
a good backup.
Evaluate whether valid system state
backups exist for this domain controller. If
a valid system state backup was made
before the rolled-back domain controller
was incorrectly restored, and the backup
contains recent changes that were made
on the domain controller, restore the
system state from the most recent
backup.
You can also use the snapshot as a
source of a backup. Or you can set the
database to give itself a new invocation
ID using the procedure in the section "To
restore a previous version of a virtual
domain controller VHD without system
state data backup" in this article
Next steps
Azure AD Connect Health FAQ
Azure AD Connect Health instructions for data
retrieval
9/7/2020 • 2 minutes to read • Edit Online
This document describes how to use Azure AD Connect to retrieve data from Azure AD Connect Health.
NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
Retrieve all email addresses for users configured for health alerts.
To retrieve the email addresses for all of your users that are configured in Azure AD Connect Health to receive
alerts, use the following steps.
1. Start at the Azure Active Directory Connect health blade and select Sync Ser vices from the left-hand
navigation bar.
4. On the Notification Setting blade, you will find the list of email addresses that have been enabled as
recipients for health Alert notifications.
Next Steps
Azure AD Connect Health
Azure AD Connect Health Agent Installation
Azure AD Connect Health Operations
Azure AD Connect Health FAQ
Azure AD Connect Health Version History
Azure AD Connect: Staging server and disaster
recovery
9/7/2020 • 9 minutes to read • Edit Online
With a server in staging mode, you can make changes to the configuration and preview the changes before you
make the server active. It also allows you to run full import and full synchronization to verify that all changes
are expected before you make these changes into your production environment.
Staging mode
Staging mode can be used for several scenarios, including:
High availability.
Test and deploy new configuration changes.
Introduce a new server and decommission the old.
During installation, you can select the server to be in staging mode . This action makes the server active for
import and synchronization, but it does not run any exports. A server in staging mode is not running password
sync or password writeback, even if you selected these features during installation. When you disable staging
mode, the server starts exporting, enables password sync, and enables password writeback.
NOTE
Suppose you have an Azure AD Connect with Password Hash Synchronization feature enabled. When you enable staging
mode, the server stops synchronizing password changes from on-premises AD. When you disable staging mode, the
server resumes synchronizing password changes from where it last left off. If the server is left in staging mode for an
extended period of time, it can take a while for the server to synchronize all password changes that had occurred during
the time period.
You can still force an export by using the synchronization service manager.
A server in staging mode continues to receive changes from Active Directory and Azure AD and can quickly take
over the responsibilities of another server in the event of a failure. If you make configuration changes to your
primary server, it is your responsibility to make the same changes to the server in staging mode.
For those of you with knowledge of older sync technologies, the staging mode is different since the server has
its own SQL database. This architecture allows the staging mode server to be located in a different datacenter.
Verify the configuration of a server
To apply this method, follow these steps:
1. Prepare
2. Configuration
3. Import and Synchronize
4. Verify
5. Switch active server
Prepare
1. Install Azure AD Connect, select staging mode , and unselect star t synchronization on the last page in the
installation wizard. This mode allows you to run the sync engine manually.
2. Sign off/sign in and from the start menu select Synchronization Ser vice .
Configuration
If you have made custom changes to the primary server and want to compare the configuration with the
staging server, then use Azure AD Connect configuration documenter.
Import and Synchronize
1. Select Connectors , and select the first Connector with the type Active Director y Domain Ser vices . Click
Run , select Full impor t , and OK . Do these steps for all Connectors of this type.
2. Select the Connector with type Azure Active Director y (Microsoft) . Click Run , select Full impor t , and
OK .
3. Make sure the tab Connectors is still selected. For each Connector with type Active Director y Domain
Ser vices , click Run , select Delta Synchronization , and OK .
4. Select the Connector with type Azure Active Director y (Microsoft) . Click Run , select Delta
Synchronization , and OK .
You have now staged export changes to Azure AD and on-premises AD (if you are using Exchange hybrid
deployment). The next steps allow you to inspect what is about to change before you actually start the export to
the directories.
Verify
1. Start a cmd prompt and go to %ProgramFiles%\Microsoft Azure AD Sync\bin
2. Run: csexport "Name of Connector" %temp%\export.xml /f:x The name of the Connector can be found in
Synchronization Service. It has a name similar to "contoso.com – AAD" for Azure AD.
3. Run: CSExportAnalyzer %temp%\export.xml > %temp%\export.csv You have a file in %temp% named export.csv
that can be examined in Microsoft Excel. This file contains all changes that are about to be exported.
4. Make necessary changes to the data or configuration and run these steps again (Import and Synchronize
and Verify) until the changes that are about to be exported are expected.
Understanding the expor t.csv file Most of the file is self-explanatory. Some abbreviations to understand the
content:
OMODT – Object Modification Type. Indicates if the operation at an object level is an Add, Update, or Delete.
AMODT – Attribute Modification Type. Indicates if the operation at an attribute level is an Add, Update, or
delete.
Retrieve common identifiers The export.csv file contains all changes that are about to be exported. Each row
corresponds to a change for an object in the connector space and the object is identified by the DN attribute.
The DN attribute is a unique identifier assigned to an object in the connector space. When you have many
rows/changes in the export.csv to analyze, it may be difficult for you to figure out which objects the changes are
for based on the DN attribute alone. To simplify the process of analyzing the changes, use the csanalyzer.ps1
PowerShell script. The script retrieves common identifiers (for example, displayName, userPrincipalName) of the
objects. To use the script:
1. Copy the PowerShell script from the section CSAnalyzer to a file named csanalyzer.ps1 .
2. Open a PowerShell window and browse to the folder where you created the PowerShell script.
3. Run: .\csanalyzer.ps1 -xmltoimport %temp%\export.xml .
4. You now have a file named processedusers1.csv that can be examined in Microsoft Excel. Note that the file
provides a mapping from the DN attribute to common identifiers (for example, displayName and
userPrincipalName). It currently does not include the actual attribute changes that are about to be exported.
Switch active server
1. On the currently active server, either turn off the server (DirSync/FIM/Azure AD Sync) so it is not exporting to
Azure AD or set it in staging mode (Azure AD Connect).
2. Run the installation wizard on the server in staging mode and disable staging mode .
Disaster recovery
Part of the implementation design is to plan for what to do in case there is a disaster where you lose the sync
server. There are different models to use and which one to use depends on several factors including:
What is your tolerance for not being able make changes to objects in Azure AD during the downtime?
If you use password synchronization, do the users accept that they have to use the old password in Azure AD
in case they change it on-premises?
Do you have a dependency on real-time operations, such as password writeback?
Depending on the answers to these questions and your organization’s policy, one of the following strategies can
be implemented:
Rebuild when needed.
Have a spare standby server, known as staging mode .
Use virtual machines.
If you do not use the built-in SQL Express database, then you should also review the SQL High Availability
section.
Rebuild when needed
A viable strategy is to plan for a server rebuild when needed. Usually, installing the sync engine and do the
initial import and sync can be completed within a few hours. If there isn’t a spare server available, it is possible
to temporarily use a domain controller to host the sync engine.
The sync engine server does not store any state about the objects so the database can be rebuilt from the data
in Active Directory and Azure AD. The sourceAnchor attribute is used to join the objects from on-premises and
the cloud. If you rebuild the server with existing objects on-premises and the cloud, then the sync engine
matches those objects together again on reinstallation. The things you need to document and save are the
configuration changes made to the server, such as filtering and synchronization rules. These custom
configurations must be reapplied before you start synchronizing.
Have a spare standby server - staging mode
If you have a more complex environment, then having one or more standby servers is recommended. During
installation, you can enable a server to be in staging mode .
For more information, see staging mode.
Use virtual machines
A common and supported method is to run the sync engine in a virtual machine. In case the host has an issue,
the image with the sync engine server can be migrated to another server.
SQL High Availability
If you are not using the SQL Server Express that comes with Azure AD Connect, then high availability for SQL
Server should also be considered. The high availability solutions supported include SQL clustering and AOA
(Always On Availability Groups). Unsupported solutions include mirroring.
Support for SQL AOA was added to Azure AD Connect in version 1.1.524.0. You must enable SQL AOA before
installing Azure AD Connect. During installation, Azure AD Connect detects whether the SQL instance provided
is enabled for SQL AOA or not. If SQL AOA is enabled, Azure AD Connect further figures out if SQL AOA is
configured to use synchronous replication or asynchronous replication. When setting up the Availability Group
Listener, it is recommended that you set the RegisterAllProvidersIP property to 0. This is because Azure AD
Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the use of
MultiSubNetFailover property.
Appendix CSAnalyzer
See the section verify on how to use this script.
Param(
[Parameter(Mandatory=$true, HelpMessage="Must be a file generated using csexport 'Name of Connector'
export.xml /f:x)")]
[string]$xmltoimport="%temp%\exportedStage1a.xml",
[Parameter(Mandatory=$false, HelpMessage="Maximum number of users per output file")][int]$batchsize=1000,
[Parameter(Mandatory=$false, HelpMessage="Show console output")][bool]$showOutput=$false
[Parameter(Mandatory=$false, HelpMessage="Show console output")][bool]$showOutput=$false
)
[int]$count=1
[int]$outputfilecount=1
[array]$objOutputUsers=@()
$user = [System.Xml.Linq.XElement]::ReadFrom($reader)
if ($showOutput) {Write-Host Found an exported object... -ForegroundColor Green}
#object id
$outID=$user.Attribute('id').Value
if ($showOutput) {Write-Host ID: $outID}
$objOutputUser.ID=$outID
#object type
$outType=$user.Attribute('object-type').Value
if ($showOutput) {Write-Host Type: $outType}
$objOutputUser.Type=$outType
#dn
$outDN= $user.Element('unapplied-export').Element('delta').Attribute('dn').Value
if ($showOutput) {Write-Host DN: $outDN}
$objOutputUser.DN=$outDN
#operation
$outOperation= $user.Element('unapplied-export').Element('delta').Attribute('operation').Value
if ($showOutput) {Write-Host Operation: $outOperation}
$objOutputUser.operation=$outOperation
switch ($attrvalue)
{
{
"userPrincipalName"
{
if ($showOutput) {Write-Host UPN: $internalvalue}
$objOutputUser.UPN=$internalvalue
}
"displayName"
{
if ($showOutput) {Write-Host displayName: $internalvalue}
$objOutputUser.displayName=$internalvalue
}
"sourceAnchor"
{
if ($showOutput) {Write-Host sourceAnchor: $internalvalue}
$objOutputUser.sourceAnchor=$internalvalue
}
"alias"
{
if ($showOutput) {Write-Host alias: $internalvalue}
$objOutputUser.alias=$internalvalue
}
"proxyAddresses"
{
if ($showOutput) {Write-Host primarySMTP: ($internalvalue -replace "SMTP:","")}
$objOutputUser.primarySMTP=$internalvalue -replace "SMTP:",""
}
}
}
$objOutputUsers += $objOutputUser
$count+=1
} while ($reader.Read)
#need to write out any users that didn't get picked up in a batch of 1000
#export the collection of users as CSV
Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow
$objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation
Next steps
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect sync: Best practices for changing
the default configuration
9/7/2020 • 3 minutes to read • Edit Online
The purpose of this topic is to describe supported and unsupported changes to Azure AD Connect sync.
The configuration created by Azure AD Connect works “as is” for most environments that synchronize on-
premises Active Directory with Azure AD. However, in some cases, it is necessary to apply some changes to a
configuration to satisfy a particular need or requirement.
WARNING
If you make changes to the default sync rules then these changes will be overwritten the next time Azure AD Connect is
updated, resulting in unexpected and likely unwanted synchronization results.
You can change attribute flows if the default direct attribute flows are not suitable for your organization.
If you want to not flow an attribute and remove any existing attribute values in Azure AD, then you need to
create a rule for this scenario.
Disable an unwanted Sync Rule rather than deleting it. A deleted rule is recreated during an upgrade.
To change an out-of-box rule, you should make a copy of the original rule and disable the out-of-box rule. The
Sync Rule Editor prompts and helps you.
Export your custom synchronization rules using the Synchronization Rules Editor. The editor provides you with
a PowerShell script you can use to easily recreate them in a disaster recovery scenario.
WARNING
The out-of-box sync rules have a thumbprint. If you make a change to these rules, the thumbprint is no longer matching.
You might have problems in the future when you try to apply a new release of Azure AD Connect. Only make changes the
way it is described in this article.
In the picture above, the installation wizard has found an old Exchange 2003 schema in the account forest. This
schema extension was added before the resource forest was introduced in Fabrikam's environment. To ensure no
attributes from the old Exchange implementation are synchronized, the sync rule should be disabled as shown.
Change an out-of-box rule
The only time you should change an out-of-box rule is when you need to change the join rule. If you need to
change an attribute flow, then you should create a sync rule with higher precedence than the out-of-box rules. The
only rule you practically need to clone is the rule In from AD - User Join . You can override all other rules with a
higher precedence rule.
If you need to make changes to an out-of-box rule, then you should make a copy of the out-of-box rule and disable
the original rule. Then make the changes to the cloned rule. The Sync Rule Editor is helping you with those steps.
When you open an out-of-box rule, you are presented with this dialog box:
Select Yes to create a copy of the rule. The cloned rule is then opened.
On this cloned rule, make any necessary changes to scope, join, and transformations.
Next steps
Over view topics
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect sync: Make a change to the
default configuration
9/7/2020 • 19 minutes to read • Edit Online
The purpose of this article is to walk you through how to make changes to the default configuration in Azure
Active Directory (Azure AD) Connect sync. It provides steps for some common scenarios. With this knowledge,
you should be able to make simple changes to your own configuration based on your own business rules.
WARNING
If you make changes to the default out-of-box sync rules then these changes will be overwritten the next time Azure AD
Connect is updated, resulting in unexpected and likely unwanted synchronization results.
The default out-of-box sync rules have a thumbprint. If you make a change to these rules, the thumbprint is no longer
matching. You might have problems in the future when you try to apply a new release of Azure AD Connect. Only make
changes the way it is described in this article.
When you open the editor, you see the default out-of-box rules.
Navigating in the editor
Using the drop-downs at the top of the editor, you can quickly find a specific rule. For example, if you want to see
the rules where the attribute proxyAddresses is included, you can change the drop-downs to the following:
This section is used to define to which objects the rule should apply. If it's left empty, the rule would apply to all
user objects. However, that would include conference rooms, service accounts, and other non-people user
objects.
4. On the Join rules page, leave the field empty.
5. On the Transformations page, change FlowType to Expression . For Target Attribute , select givenName .
And for Source , enter PCase([givenName]) .
The sync engine is case-sensitive for both the function name and the name of the attribute. If you type
something wrong, you see a warning when you add the rule. You can save and continue, but you need to
reopen and correct the rule.
6. Click Add to save the rule.
Your new custom rule should be visible with the other sync rules in the system.
Verify the change
With this new change, you want to make sure it is working as expected and is not throwing any errors. Depending
on the number of objects you have, there are two ways to do this step:
Run a full sync on all objects.
Run a preview and full sync on a single object.
Open the Synchronization Ser vice from the Star t menu. The steps in this section are all in this tool.
Full sync on all objects
1. Select Connectors at the top. Identify the connector that you changed in the previous section (in this case,
Active Directory Domain Services), and select it.
2. For Actions , select Run .
3. Select Full Synchronization , and then select OK .
The objects are now updated in the metaverse. Verify your changes by looking at the object in the metaverse.
Preview and full sync on a single object
1. Select Connectors at the top. Identify the connector that you changed in the previous section (in this case,
Active Directory Domain Services), and select it.
2. Select Search Connector Space .
3. Use Scope to find an object that you want to use to test the change. Select the object and click Preview .
4. On the new screen, select Commit Preview .
The change is now committed to the metaverse.
View the object in the metaverse
1. Pick a few sample objects to make sure that the value is expected and that the rule applied.
2. Select Metaverse Search from the top. Add any filter that you need to find the relevant objects.
3. From the search result, open an object. Look at the attribute values, and also verify in the Sync Rules column
that the rule applied as expected.
4. Leave Scoping filter empty. (That is, it should apply to all user objects in the forest.)
5. Leave Join rules empty. (That is, let the out-of-box rule handle any joins.)
6. In Transformations , create the following flows:
Length of attributes
String attributes are indexable by default, and the maximum length is 448 characters. If you are working with
string attributes that might contain more, make sure to include the following in the attribute flow:
attributeName <- Left([attributeName],448) .
In this expression, take everything left of the first @-sign (Word) and concatenate with a fixed string.
Convert a multi-value attribute to single value
Some attributes in Active Directory are multi-valued in the schema, even though they look single-valued in Active
Directory Users and Computers. An example is the description attribute:
description <- IIF(IsNullOrEmpty([description]),NULL,Left(Trim(Item([description],1)),448)) .
In this expression, if the attribute has a value, take the first item (Item) in the attribute, remove leading and trailing
spaces (Trim), and then keep the first 448 characters (Left) in the string.
Do not flow an attribute
For background on the scenario for this section, see Control the attribute flow process.
There are two ways to not flow an attribute. The first is by using the installation wizard to remove selected
attributes. This option works if you have never synchronized the attribute before. However, if you have started to
synchronize this attribute and later remove it with this feature, the sync engine stops managing the attribute and
the existing values are left in Azure AD.
If you want to remove the value of an attribute and make sure it does not flow in the future, you need create a
custom rule.
In this Fabrikam scenario, we have realized that some of the attributes we synchronize to the cloud should not be
there. We want to make sure these attributes are removed from Azure AD.
2. Create attribute flows with Expression for FlowType and with AuthoritativeNull for Source . The literal
AuthoritativeNull indicates that the value should be empty in the metaverse, even if a lower-precedence sync
rule tries to populate the value.
3. Save the sync rule. Start the Synchronization Ser vice , find the connector, select Run , and then select Full
Synchronization . This step recalculates all attribute flows.
4. Verify that the intended changes are about to be exported by searching the Connector Space.
Create rules with PowerShell
Using the sync rule editor works fine when you only have a few changes to make. If you need to make many
changes, PowerShell might be a better option. Some advanced features are only available with PowerShell.
Get the PowerShell script for an out-of-box rule
To see the PowerShell script that created an out-of-box rule, select the rule in the sync rules editor and click
Expor t . This action gives you the PowerShell script that created the rule.
Advanced precedence
The out-of-box sync rules start with a precedence value of 100. If you have many forests and you need to make
many custom changes, then 99 sync rules might not be enough.
You can instruct the sync engine that you want additional rules inserted before the out-of-box rules. To get this
behavior, follow these steps:
1. Mark the first out-of-box sync rule (In from AD-User Join ) in the sync rules editor and select Expor t . Copy
the SR Identifier value.
2. Create the new sync rule. You can use the sync rules editor to create it. Export the rule to a PowerShell script.
3. In the property PrecedenceBefore , insert the Identifier value from the out-of-box rule. Set the Precedence to
0 . Make sure the Identifier attribute is unique and that you are not reusing a GUID from another rule. Also
make sure that the ImmutableTag property is not set. This property should be set only for an out-of-box rule.
4. Save the PowerShell script and run it. The result is that your custom rule is assigned the precedence value of
100 and all other out-of-box rules are incremented.
You can have many custom sync rules by using the same PrecedenceBefore value when needed.
NOTE
The rest of this section covers these steps. They are described in the context of an Azure AD deployment with single-forest
topology and without custom synchronization rules. If you have multi-forest topology, custom synchronization rules
configured, or have a staging server, you need to adjust the steps accordingly.
Step 1: Disable the sync scheduler and verify there is no synchronization in progress
To avoid exporting unintended changes to Azure AD, ensure that no synchronization takes place while you are in
the middle of updating synchronization rules. To disable the built-in sync scheduler:
1. Start a PowerShell session on the Azure AD Connect server.
2. Disable scheduled synchronization by running the cmdlet Set-ADSyncScheduler -SyncCycleEnabled $false .
3. Open the Synchronization Service Manager by going to Star t > Synchronization Ser vice .
4. Go to the Operations tab and confirm there is no operation with a status of in progress.
Step 2: Add the source attribute to the on-premises AD Connector schema
Not all Azure AD attributes are imported into the on-premises AD Connector Space. To add the source attribute to
the list of the imported attributes:
1. Go to the Connectors tab in the Synchronization Service Manager.
2. Right-click the on-premises AD Connector and select Proper ties .
3. In the pop-up dialog box, go to the Select Attributes tab.
4. Make sure the source attribute is checked in the attribute list.
5. Click OK to save.
Step 3: Add the UserType attribute to the Azure AD Connector schema
By default, the UserType attribute is not imported into the Azure AD Connect Space. To add the UserType attribute
to the list of imported attributes:
1. Go to the Connectors tab in the Synchronization Service Manager.
2. Right-click the Azure AD Connector and select Proper ties .
3. In the pop-up dialog box, go to the Select Attributes tab.
4. Make sure the UserType attribute is checked in the attribute list.
5. Click OK to save.
Step 4: Create an inbound synchronization rule to flow the attribute value from on-premises Active Directory
The inbound synchronization rule permits the attribute value to flow from the source attribute from on-premises
Active Directory to the metaverse:
1. Open the Synchronization Rules Editor by going to Star t > Synchronization Rules Editor .
2. Set the search filter Direction to be Inbound .
3. Click the Add new rule button to create a new inbound rule.
4. Under the Description tab, provide the following configuration:
AT T RIB UT E VA L UE DETA IL S
Precedence Choose a number between 1–99 1–99 is reserved for custom sync
rules. Do not pick a value that is
used by another synchronization
rule.
5. Go to the Scoping filter tab and add a single scoping filter group with the following clause:
AT T RIB UT E O P ERATO R VA L UE
The scoping filter determines to which on-premises AD objects this inbound synchronization rule is
applied. In this example, we use the same scoping filter used in the In from AD – User Common out-of-box
synchronization rule, which prevents the synchronization rule from being applied to User objects created
through the Azure AD User writeback feature. You might need to tweak the scoping filter according to your
Azure AD Connect deployment.
6. Go to the Transformation tab and implement the desired transformation rule. For example, if you have
designated an unused on-premises AD attribute (such as extensionAttribute1) as the source attribute for
the UserType, you can implement a direct attribute flow:
In another example, you want to derive the value for the UserType attribute from other properties. For
example, you want to synchronize all users as Guest if their on-premises AD userPrincipalName attribute
ends with domain part @partners.fabrikam123.org. You can implement an expression like this:
AT T RIB UT E VA L UE DETA IL S
Precedence Choose a number between 1–99 1–99 is reserved for custom sync
rules. Do not pick a value that is
used by another synchronization
rule.
5. Go to the Scoping filter tab and add a single scoping filter group with two clauses:
AT T RIB UT E O P ERATO R VA L UE
The scoping filter determines to which Azure AD objects this outbound synchronization rule is applied. In
this example, we use the same scoping filter from the Out to AD – User Identity out-of-box synchronization
rule. It prevents the synchronization rule from being applied to User objects that are not synchronized from
on-premises Active Directory. You might need to tweak the scoping filter according to your Azure AD
Connect deployment.
6. Go to the Transformation tab and implement the following transformation rule:
NOTE
These steps do not include the full synchronization and export steps on the Azure AD Connector. These steps are not
required because the attribute values are flowing from on-premises Active Directory to Azure AD only.
Azure Active Directory (Azure AD) Connect uses default rules for synchronization. Unfortunately, these rules don't
apply universally to all organizations. Based on your requirements, you might need to modify them. This article
discusses two examples of the most common customizations, and explains the correct way to achieve these
customizations.
NOTE
Modifying existing default rules to achieve a needed customization isn't supported. If you do so, it prevents updating these
rules to the latest version in future releases. You won't get the bug fixes you need, or new features. This document explains
how to achieve the same result without modifying the existing default rules.
In the Editor, any modified default rules are shown with a warning icon in front of the name.
A disabled rule with same name next to it also appears (this is the standard default rule).
Common customizations
The following are common customizations to the default rules:
Change attribute flow
Change scoping filter
Change join condition
Before you change any rules:
Disable the sync scheduler. The scheduler runs every 30 minutes by default. Make sure it's not starting while
you're making changes and troubleshooting your new rules. To temporarily disable the scheduler, start
PowerShell, and run Set-ADSyncScheduler -SyncCycleEnabled $false .
The change in scoping filter can result in deletion of objects in the target directory. Be careful before making
any changes in the scoping of objects. We recommend that you make changes to a staging server before
making changes on the active server.
Run a preview on a single object, as mentioned in the Validate Sync Rule section, after adding any new rule.
Run a full sync after adding a new rule or modifying any custom sync rule. This sync applies new rules to all
the objects.
Follow your own naming convention to name the rule. Here, we use Custom In from AD - User . This means that
the rule is a custom rule, and is an inbound rule from the Active Directory connector space to the metaverse.
Provide your own description of the rule, so that future maintenance of the rule is easy. For example, the
description can be based on what the objective of the rule is, and why it's needed.
Make your selections for the Connected System , Connected System Object Type , and Metaverse Object
Type fields.
Specify the precedence value from 0 through 99 (the lower the number, the higher the precedence). For the Tag ,
Enable Password Sync , and Disabled fields, use the default selections.
Keep Scoping filter empty. This means that the rule applies to all the objects joined between the Active Directory
Connected System and the metaverse.
Keep Join rules empty. This means this rule uses the join condition defined in the standard default rule. This is
another reason not to disable or delete the standard default rule. If there is no join condition, the attribute won't
flow.
Add appropriate transformations for your attribute. You can assign a constant, to make a constant value flow to
your target attribute. You can use direct mapping between the source or target attribute. Or, you can use an
expression for the attribute. Here are various expression functions you can use.
Add an outbound sync rule
To link the attribute to the target directory, you need to create an outbound rule. This means that the source is the
metaverse, and the target is the connected system. To create an outbound rule, launch the Synchronization Rules
Editor , change the Direction to Outbound , and select Add new rule .
As with the inbound rule, you can use your own naming convention to name the rule. Select the Connected
System as the Azure AD tenant, and select the connected system object to which you want to set the attribute
value. Set the precedence from 0 through 99.
Keep Scoping filter and Join rules empty. Fill in the transformation as constant, direct, or expression.
You now know how to make a new attribute for a user object flow from Active Directory to Azure Active Directory.
You can use these steps to map any attribute from any object to source and target. For more information, see
Creating custom sync rules and Prepare to provision users.
Override the value of an existing attribute
You might want to override the value of an attribute that has already been mapped. For example, if you always
want to set a null value to an attribute in Azure AD, simply create an inbound rule only. Make the constant value,
AuthoritativeNull , flow to the target attribute.
NOTE
Use AuthoritativeNull instead of Null in this case. This is because the non-null value replaces the null value, even if it
has lower precedence (a higher number value in the rule). AuthoritativeNull , on the other hand, isn't replaced with a non-
null value by other rules.
IMPORTANT
Increasing the scope of objects configured by Azure AD Connect isn't recommended. Doing so makes it difficult for the
Microsoft support team to understand the customizations. If you must increase the scope of objects, edit the existing rule,
clone it, and disable the original rule.
cloudFiltered attribute
You can't set this attribute in Active Directory. Set the value of this attribute by adding a new inbound rule. You can
then use Transformation and Expression to set this attribute in the metaverse. The following example shows that
you don’t want to sync all the users whose department name starts with HRD (case-insensitive):
cloudFiltered <= IIF(Left(LCase([department]), 3) = "hrd", True, NULL)
We first converted the department from source (Active Directory) to lowercase. Then, using the Left function, we
took only the first three characters and compared it with hrd . If it matched, the value is set to True , otherwise
NULL . In setting the value to null, some other rule with lower precedence (a higher number value) can write to it
with a different condition. Run preview on one object to validate sync rule, as mentioned in the Validate sync rule
section.
Select Metaverse Search . Select the scope object as person , select Add Clause , and mention your search
criteria. Next, select Search , and double-click the object in the search results. Make sure that your data in Azure AD
Connect is up-to-date for that object, by running import and sync on the forest before you run this step.
On Metaverse Object Proper ties , select Connectors , select the object in the corresponding connector (forest),
and select Proper ties… .
Select Preview…
In the Preview window, select Generate Preview and Impor t Attribute Flow in the left pane.
Here, notice that the newly added rule is run on the object, and has set the cloudFiltered attribute to true.
To compare the modified rule with the default rule, export both of the rules separately, as text files. These rules are
exported as a PowerShell script file. You can compare them by using any file comparison tool (for example, windiff)
to see the changes.
Notice that in the modified rule, the msExchMailboxGuid attribute is changed to the Expression type, instead of
Direct . Also, the value is changed to NULL and ExecuteOnce option. You can ignore Identified and Precedence
differences.
To fix your rules to change them back to default settings, delete the modified rule and enable the default rule.
Ensure that you don't lose the customization you're trying to achieve. When you're ready, run Full
Synchronization .
Next steps
Hardware and prerequisites
Express settings
Customized settings
Azure AD Connect sync: Directory extensions
9/7/2020 • 2 minutes to read • Edit Online
You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own
attributes from on-premises Active Directory. This feature enables you to build LOB apps by consuming attributes
that you continue to manage on-premises. These attributes can be consumed through extensions. You can see the
available attributes by using Microsoft Graph Explorer. You can also use this feature to create dynamic groups in
Azure AD.
At present, no Office 365 workload consumes these attributes.
NOTE
In Azure AD Connect versions earlier than 1.2.65.0, the search box for Available Attributes is case-sensitive.
The installation shows the following attributes, which are valid candidates:
User and Group object types
Single-valued attributes: String, Boolean, Integer, Binary
Multi-valued attributes: String, Binary
NOTE
Although Azure AD Connect supports synchronizing multi-valued Active Directory attributes to Azure AD as multi-valued
directory extensions, there is currently no way to retrieve/consume the data uploaded in multi-valued directory extension
attributes.
The list of attributes is read from the schema cache that's created during installation of Azure AD Connect. If you
have extended the Active Directory schema with additional attributes, you must refresh the schema before these
new attributes are visible.
An object in Azure AD can have up to 100 attributes for directory extensions. The maximum length is 250
characters. If an attribute value is longer, the sync engine truncates it.
NOTE
In the Microsoft Graph API, you need to ask for the attributes to be returned. Explicitly select the attributes like this:
https://graph.microsoft.com/beta/users/abbie.spencer@fabrikamonline.com?
$select=extension_9d98ed114c4840d298fad781915f27e4_employeeID,extension_9d98ed114c4840d298fad781915f27e4_division
.
For more information, see Microsoft Graph: Use query parameters.
3. Open the property drop-down and note that the attributes you added are now visible.
Complete the expression to suit your requirements. In our example, the rule is set to
(user.extension_9d98ed114c4840d298fad781915f27e4_division -eq "Sales and marketing") .
4. After the group has been created, give Azure AD some time to populate the members and then review the
members.
Next steps
Learn more about the Azure AD Connect sync configuration.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure Active Directory Connect sync: Configure
preferred data location for Office 365 resources
9/7/2020 • 10 minutes to read • Edit Online
The purpose of this topic is to walk you through how to configure the attribute for preferred data location in Azure
Active Directory (Azure AD) Connect sync. When someone uses Multi-Geo capabilities in Office 365, you use this
attribute to designate the geo-location of the user’s Office 365 data. (The terms region and geo are used
interchangeably.)
IMPORTANT
Multi-Geo is currently available to customers with an active Enterprise Agreement and a minimum of 250 Office 365 Services
subscriptions. Please talk to your Microsoft representative for details.
A list of all geos for Office 365 can be found in Where is your data located?.
The geos in Office 365 available for Multi-Geo are:
Australia AUS
Canada CAN
France FRA
India IND
Japan JPN
Korea KOR
Switzerland CHE
GEO P REF ERREDDATA LO C AT IO N VA L UE
If a geo is not listed in this table (for example, South America), then it cannot be used for Multi-Geo.
Not all Office 365 workloads support the use of setting a user's geo.
Azure AD Connect support for synchronization
Azure AD Connect supports synchronization of the preferredDataLocation attribute for User objects in version
1.1.524.0 and later. Specifically:
The schema of the object type User in the Azure AD Connector is extended to include the
preferredDataLocation attribute. The attribute is of the type, single-valued string.
The schema of the object type Person in the metaverse is extended to include the preferredDataLocation
attribute. The attribute is of the type, single-valued string.
By default, preferredDataLocation is not enabled for synchronization. This feature is intended for larger
organizations. The Active Directory schema in Windows Server 2019 has an attribute msDS-
preferredDataLocation you should use for this purpose. If you have not updated the Active Directory schema
and cannot do so, then you must identify an attribute to hold the Office 365 geo for your users. This is going to be
different for each organization.
IMPORTANT
Azure AD allows the preferredDataLocation attribute on cloud User objects to be directly configured by using Azure
AD PowerShell. To configure this attribute on synchronized User objects , you must use Azure AD Connect.
IMPORTANT
If you do not backport these values, Azure AD Connect removes the existing attribute values in Azure AD when
synchronization for the preferredDataLocation attribute is enabled.
Configure the source attribute on at least a couple of on-premises Active Directory User objects now. You
can use this for verification later.
The following sections provide the steps to enable synchronization of the preferredDataLocation attribute.
NOTE
The steps are described in the context of an Azure AD deployment with single-forest topology, and without custom
synchronization rules. If you have a multi-forest topology, custom synchronization rules configured, or have a staging server,
you should adjust the steps accordingly.
AT T RIB UT E VA L UE DETA IL S
Precedence Choose a number between 1–99 1–99 is reserved for custom sync
rules. Do not pick a value that is used
by another synchronization rule.
5. Keep the Scoping filter empty, to include all objects. You might need to tweak the scoping filter according
to your Azure AD Connect deployment.
6. Go to the Transformation tab , and implement the following transformation rule:
AT T RIB UT E VA L UE DETA IL S
Precedence Choose a number between 1–99 1–99 is reserved for custom sync
rules. Do not pick a value that is used
by another synchronization rule.
5. Go to the Scoping filter tab, and add a single scoping filter group with two clauses:
AT T RIB UT E O P ERATO R VA L UE
Scoping filter determines which Azure AD objects this outbound synchronization rule is applied to. In this
example, we use the same scoping filter from “Out to Azure AD – User Identity” OOB (out-of-box)
synchronization rule. It prevents the synchronization rule from being applied to User objects that are not
synchronized from an on-premises Active Directory. You might need to tweak the scoping filter according to
your Azure AD Connect deployment.
6. Go to the Transformation tab, and implement the following transformation rule:
NOTE
You might notice that the steps do not include the full synchronization step on the Azure AD Connector, or the export step
on the Active Directory Connector. The steps are not required, because the attribute values are flowing from on-premises
Active Directory to Azure AD only.
Assuming your tenant has been marked to be able to use this feature, the mailbox is moved to the correct geo.
This can be verified by looking at the server name where the mailbox is located.
Next steps
Learn more about Multi-Geo in Office 365:
Multi-Geo sessions at Ignite
Multi-Geo in OneDrive
Multi-Geo in SharePoint Online
Learn more about the configuration model in the sync engine:
Read more about the configuration model in Understanding Declarative Provisioning.
Read more about the expression language in Understanding Declarative Provisioning Expressions.
Overview topics:
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect sync: Configure filtering
9/7/2020 • 22 minutes to read • Edit Online
By using filtering, you can control which objects appear in Azure Active Directory (Azure AD) from your on-
premises directory. The default configuration takes all objects in all domains in the configured forests. In general,
this is the recommended configuration. Users using Office 365 workloads, such as Exchange Online and Skype
for Business, benefit from a complete Global Address List so they can send email and call everyone. With the
default configuration, they would have the same experience that they would have with an on-premises
implementation of Exchange or Lync.
In some cases however, you're required make some changes to the default configuration. Here are some
examples:
You plan to use the multi-Azure AD directory topology. Then you need to apply a filter to control which
objects are synchronized to a particular Azure AD directory.
You run a pilot for Azure or Office 365 and you only want a subset of users in Azure AD. In the small pilot, it's
not important to have a complete Global Address List to demonstrate the functionality.
You have many service accounts and other nonpersonal accounts that you don't want in Azure AD.
For compliance reasons, you don't delete any user accounts on-premises. You only disable them. But in Azure
AD, you only want active accounts to be present.
This article covers how to configure the different filtering methods.
IMPORTANT
Microsoft doesn't support modifying or operating Azure AD Connect sync outside of the actions that are formally
documented. Any of these actions might result in an inconsistent or unsupported state of Azure AD Connect sync. As a
result, Microsoft can't provide technical support for such deployments.
3. You can now make configuration changes and run the sync engine manually from the Synchronization
Ser vice Manager console.
After you've completed all your filtering changes, don't forget to come back and Enable the task again.
Filtering options
You can apply the following filtering configuration types to the directory synchronization tool:
Group-based : Filtering based on a single group can only be configured on initial installation by using the
installation wizard.
Domain-based : By using this option, you can select which domains synchronize to Azure AD. You can also
add and remove domains from the sync engine configuration when you make changes to your on-premises
infrastructure after you install Azure AD Connect sync.
Organizational unit (OU)–based : By using this option, you can select which OUs synchronize to Azure AD.
This option is for all object types in selected OUs.
Attribute-based : By using this option, you can filter objects based on attribute values on the objects. You can
also have different filters for different object types.
You can use multiple filtering options at the same time. For example, you can use OU-based filtering to only
include objects in one OU. At the same time, you can use attribute-based filtering to filter the objects further.
When you use multiple filtering methods, the filters use a logical "AND" between the filters.
Domain-based filtering
This section provides you with the steps to configure your domain filter. If you added or removed domains in
your forest after you installed Azure AD Connect, you also have to update the filtering configuration.
The preferred way to change domain-based filtering is by running the installation wizard and changing domain
and OU filtering. The installation wizard automates all the tasks that are documented in this topic.
You should only follow these steps if you're unable to run the installation wizard for some reason.
Domain-based filtering configuration consists of these steps:
1. Select the domains that you want to include in the synchronization.
2. For each added and removed domain, adjust the run profiles.
3. Apply and verify changes.
Select the domains to be synchronized
There are two ways to select the domains to be synchronized: - Using the Synchronization Service - Using the
Azure AD Connect wizard.
Select the domains to be synchronized using the Synchronization Service
To set the domain filter, do the following steps:
1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the
ADSyncAdmins security group.
2. Start Synchronization Ser vice from the Star t menu.
3. Select Connectors , and in the Connectors list, select the Connector with the type Active Director y
Domain Ser vices . In Actions , select Proper ties .
6. When you're done, close the Proper ties dialog by clicking OK . If you removed domains from the forest, a
message pop-up says that a domain was removed and that configuration will be cleaned up.
7. Continue to adjust the run profiles.
Select the domains to be synchronized using the Azure AD Connect wizard
To set the domain filter, do the following steps:
1. Start the Azure AD Connect wizard
2. Click Configure .
3. Select Customize Synchronization Options and click Next .
4. Enter your Azure AD credentials
5. On the Connected Directories screen click Next .
6. On the Domain and OU filtering page click Refresh . New domains ill now appear and deleted domains
will disappear.
Update the run profiles
If you've updated your domain filter, you also need to update the run profiles.
1. In the Connectors list, make sure that the Connector that you changed in the previous step is selected. In
Actions , select Configure Run Profiles .
2. Find and identify the following profiles:
Full Import
Full Synchronization
Delta Import
Delta Synchronization
Export
3. For each profile, adjust the added and removed domains.
a. For each of the five profiles, do the following steps for each added domain:
a. Select the run profile and click New Step .
b. On the Configure Step page, in the Type drop-down menu, select the step type with the same
name as the profile that you're configuring. Then click Next .
c. On the Connector Configuration page, in the Par tition drop-down menu, select the name of
the domain that you've added to your domain filter.
4. Click Configure Director y Par titions , select the domain that you want to configure, and then click
Containers .
5. When you're prompted, provide any credentials with read access to your on-premises Active Directory. It
doesn't have to be the user that is prepopulated in the dialog box.
6. In the Select Containers dialog box, clear the OUs that you don’t want to synchronize with the cloud
directory, and then click OK .
The Computers container should be selected for your Windows 10 computers to be successfully
synchronized to Azure AD. If your domain-joined computers are located in other OUs, make sure those
are selected.
The ForeignSecurityPrincipals container should be selected if you have multiple forests with trusts.
This container allows cross-forest security group membership to be resolved.
The RegisteredDevices OU should be selected if you enabled the device writeback feature. If you use
another writeback feature, such as group writeback, make sure these locations are selected.
Select any other OU where Users, iNetOrgPersons, Groups, Contacts, and Computers are located. In the
picture, all these OUs are located in the ManagedObjects OU.
If you use group-based filtering, then the OU where the group is located must be included.
Note that you can configure whether new OUs that are added after the filtering configuration finishes
are synchronized or not synchronized. See the next section for details.
7. When you're done, close the Proper ties dialog by clicking OK .
8. To complete the configuration, you need to run a Full impor t and a Delta sync . Continue reading the
section Apply and verify changes.
Synchronize new OUs
New OUs that are created after filtering has been configured are synchronized by default. This state is indicated
by a selected check box. You can also unselect some sub-OUs. To get this behavior, click the box until it becomes
white with a blue check mark (its default state). Then unselect any sub-OUs that you don't want to synchronize.
If all sub-OUs are synchronized, then the box is white with a blue check mark.
If some sub-OUs have been unselected, then the box is gray with a white check mark.
With this configuration, a new OU that was created under ManagedObjects is synchronized.
The Azure AD Connect installation wizard always creates this configuration.
Don't synchronize new OUs
You can configure the sync engine to not synchronize new OUs after the filtering configuration has finished. This
state is indicated in the UI by the box appearing solid gray with no check mark. To get this behavior, click the box
until it becomes white with no check mark. Then select the sub-OUs that you want to synchronize.
With this configuration, a new OU that was created under ManagedObjects isn't synchronized.
Attribute-based filtering
Make sure that you're using the November 2015 (1.0.9125) or later build for these steps to work.
IMPORTANT
Microsoft recommends to not modify the default rules created by Azure AD Connect . If you want to modify the rule,
then clone it, and disable the original rule. Make any changes to the cloned rule. Please note that by doing so (disabling
original rule) you will miss any bug fixes or features enabled through that rule.
Attribute-based filtering is the most flexible way to filter objects. You can use the power of declarative
provisioning to control almost every aspect of when an object is synchronized to Azure AD.
You can apply inbound filtering from Active Directory to the metaverse, and outbound filtering from the
metaverse to Azure AD. We recommend that you apply inbound filtering because that is the easiest to maintain.
You should only use outbound filtering if it's required to join objects from more than one forest before the
evaluation can take place.
Inbound filtering
Inbound filtering uses the default configuration, where objects going to Azure AD must have the metaverse
attribute cloudFiltered not set to a value to be synchronized. If this attribute's value is set to True , then the object
isn't synchronized. It shouldn't be set to False , by design. To make sure other rules have the ability to contribute a
value, this attribute is only supposed to have the values True or NULL (absent).
In inbound filtering, you use the power of scope to determine which objects to synchronize or not synchronize.
This is where you make adjustments to fit your own organization's requirements. The scope module has a group
and a clause to determine when a sync rule is in scope. A group contains one or many clauses. There is a logical
"AND" between multiple clauses, and a logical "OR" between multiple groups.
Let us look at an example:
This should be read as (depar tment = IT) OR (depar tment = Sales AND c = US) .
In the following samples and steps, you use the user object as an example, but you can use this for all object
types.
In the following samples, the precedence value starts with 50. This can be any number not used, but should be
lower than 100.
Negative filtering: "do not sync these"
In the following example, you filter out (not synchronize) all users where extensionAttribute15 has the value
NoSync .
1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the
ADSyncAdmins security group.
2. Start Synchronization Rules Editor from the Star t menu.
3. Make sure Inbound is selected, and click Add New Rule .
4. Give the rule a descriptive name, such as "In from AD – User DoNotSyncFilter". Select the correct forest, select
User as the CS object type , and select Person as the MV object type . In Link Type , select Join . In
Precedence , type a value that isn't currently used by another synchronization rule (for example 50), and then
click Next .
5. In Scoping filter , click Add Group , and click Add Clause . In Attribute , select ExtensionAttribute15 .
Make sure that Operator is set to EQUAL , and type the value NoSync in the Value box. Click Next .
8. To complete the configuration, you need to run a Full sync . Continue reading the section Apply and verify
changes.
Positive filtering: "only sync these"
Expressing positive filtering can be more challenging because you also have to consider objects that aren't
obvious to be synchronized, such as conference rooms. You are also going to override the default filter in the out-
of-box rule In from AD - User Join . When you create your custom filter, make sure to not include critical
system objects, replication conflict objects, special mailboxes, and the service accounts for Azure AD Connect.
The positive filtering option requires two sync rules. You need one rule (or several) with the correct scope of
objects to synchronize. You also need a second catch-all sync rule that filters out all objects that haven't yet been
identified as an object that should be synchronized.
In the following example, you only synchronize user objects where the department attribute has the value Sales .
1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the
ADSyncAdmins security group.
2. Start Synchronization Rules Editor from the Star t menu.
3. Make sure Inbound is selected, and click Add New Rule .
4. Give the rule a descriptive name, such as "In from AD – User Sales sync". Select the correct forest, select User
as the CS object type , and select Person as the MV object type . In Link Type , select Join . In Precedence ,
type a value that isn't currently used by another synchronization rule (for example 51), and then click Next .
5. In Scoping filter , click Add Group , and click Add Clause . In Attribute , select depar tment . Make sure that
Operator is set to EQUAL , and type the value Sales in the Value box. Click Next .
12. To complete the configuration, you need to run a Full sync . Continue reading the section Apply and verify
changes.
If you need to, you can create more rules of the first type where you include more objects in the synchronization.
Outbound filtering
In some cases, it's necessary to do the filtering only after the objects have joined in the metaverse. For example, it
might be necessary to look at the mail attribute from the resource forest, and the userPrincipalName attribute
from the account forest, to determine if an object should be synchronized. In these cases, you create the filtering
on the outbound rule.
In this example, you change the filtering so that only users that have both their mail and userPrincipalName
ending in @contoso.com are synchronized:
1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the
ADSyncAdmins security group.
2. Start Synchronization Rules Editor from the Star t menu.
3. Under Rules Type , click Outbound .
4. Depending on the version of Connect you use, either find the rule named Out to AAD – User Join or Out
to AAD - User Join SOAInAD , and click Edit .
5. In the pop-up, answer Yes to create a copy of the rule.
6. On the Description page, change Precedence to an unused value, such as 50.
7. Click Scoping filter on the left-hand navigation, and then click Add clause . In Attribute , select mail . In
Operator , select ENDSWITH . In Value , type @contoso.com , and then click Add clause . In Attribute ,
select userPrincipalName . In Operator , select ENDSWITH . In Value , type @contoso.com .
8. Click Save .
9. To complete the configuration, you need to run a Full sync . Continue reading the section Apply and verify
changes.
3. In Run profiles , select the operation that was mentioned in the previous section. If you need to run two
actions, run the second after the first one has finished. (The State column is Idle for the selected connector.)
After the synchronization, all changes are staged to be exported. Before you actually make the changes in Azure
AD, you want to verify that all these changes are correct.
1. Start a command prompt, and go to %ProgramFiles%\Microsoft Azure AD Sync\bin .
2. Run csexport "Name of Connector" %temp%\export.xml /f:x .
The name of the Connector is in Synchronization Service. It has a name similar to "contoso.com – AAD" for
Azure AD.
3. Run CSExportAnalyzer %temp%\export.xml > %temp%\export.csv .
4. You now have a file in %temp% named export.csv that can be examined in Microsoft Excel. This file contains
all the changes that are about to be exported.
5. Make the necessary changes to the data or configuration, and run these steps again (Import, Synchronize, and
Verify) until the changes that are about to be exported are what you expect.
When you're satisfied, export the changes to Azure AD.
1. Select Connectors . In the Connectors list, select the Azure AD Connector. In Actions , select Run .
2. In Run profiles , select Expor t .
3. If your configuration changes delete many objects, then you see an error in the export when the number is
more than the configured threshold (by default 500). If you see this error, then you need to temporarily
disable the "prevent accidental deletes" feature.
Now it's time to enable the scheduler again.
1. Start Task Scheduler from the Star t menu.
2. Directly under Task Scheduler Librar y , find the task named Azure AD Sync Scheduler , right-click, and
select Enable .
Group-based filtering
You can configure group-based filtering the first time that you install Azure AD Connect by using custom
installation. It's intended for a pilot deployment where you want only a small set of objects to be synchronized.
When you disable group-based filtering, it can't be enabled again. It's not supported to use group-based filtering
in a custom configuration. It's only supported to configure this feature by using the installation wizard. When
you've completed your pilot, then use one of the other filtering options in this topic. When using OU-based
filtering in conjunction with group-based filtering, the OU(s) where the group and its members are located must
be included.
When synchronizing multiple AD forests, you can configure group-based filtering by specifying a different group
for each AD connector. If you wish to synchronize a user in one AD forest and the same user has one or more
corresponding objects in other AD forests, you must ensure that the user object and all its corresponding objects
are within group-based filtering scope. For examples:
You have a user in one forest that has a corresponding FSP (Foreign Security Principal) object in another
forest. Both objects must be within group-based filtering scope. Otherwise, the user will not be
synchronized to Azure AD.
You have a user in one forest that has a corresponding resource account (e.g., linked mailbox) in another
forest. Further, you have configured Azure AD Connect to link the user with the resource account. Both
objects must be within group-based filtering scope. Otherwise, the user will not be synchronized to Azure
AD.
You have a user in one forest that has a corresponding mail contact in another forest. Further, you have
configured Azure AD Connect to link the user with the mail contact. Both objects must be within group-
based filtering scope. Otherwise, the user will not be synchronized to Azure AD.
Next steps
Learn more about Azure AD Connect sync configuration.
Learn more about integrating your on-premises identities with Azure AD.
Azure AD Connect sync: Scheduler
9/7/2020 • 8 minutes to read • Edit Online
This topic describes the built-in scheduler in Azure AD Connect sync (sync engine).
This feature was introduced with build 1.1.105.0 (released February 2016).
Overview
Azure AD Connect sync synchronize changes occurring in your on-premises directory using a scheduler. There
are two scheduler processes, one for password sync and another for object/attribute sync and maintenance
tasks. This topic covers the latter.
In earlier releases, the scheduler for objects and attributes was external to the sync engine. It used Windows task
scheduler or a separate Windows service to trigger the synchronization process. The scheduler is with the 1.1
releases built-in to the sync engine and do allow some customization. The new default synchronization
frequency is 30 minutes.
The scheduler is responsible for two tasks:
Synchronization cycle . The process to import, sync, and export changes.
Maintenance tasks . Renew keys and certificates for Password reset and Device Registration Service (DRS).
Purge old entries in the operations log.
The scheduler itself is always running, but it can be configured to only run one or none of these tasks. For
example, if you need to have your own synchronization cycle process, you can disable this task in the scheduler
but still run the maintenance task.
IMPORTANT
By default every 30 minutes a synchronization cycle is run. If you have modified the synchronization cycley you will need
to make sure that a synchronization cycle is run at least once every 7 days.
A delta sync needs to happen within 7 days from the last delta sync.
A delta sync (following a full sync) needs to happen within 7 days from the time the last full sync completed.
Failure to do so may cause synchronization issues which will require you to run a full synchronization to resolve. This also
applies to servers in Staging mode.
Scheduler configuration
To see your current configuration settings, go to PowerShell and run Get-ADSyncScheduler . It shows you
something like this picture:
If you see The sync command or cmdlet is not available when you run this cmdlet, then the PowerShell
module is not loaded. This problem could happen if you run Azure AD Connect on a domain controller or on a
server with higher PowerShell restriction levels than the default settings. If you see this error, then run
Import-Module ADSync to make the cmdlet available.
AllowedSyncCycleInter val . The shortest time interval between synchronization cycles allowed by Azure
AD. You cannot synchronize more frequently than this setting and still be supported.
CurrentlyEffectiveSyncCycleInter val . The schedule currently in effect. It has the same value as
CustomizedSyncInterval (if set) if it is not more frequent than AllowedSyncInterval. If you use a build before
1.1.281 and you change CustomizedSyncCycleInterval, this change takes effect after next synchronization
cycle. From build 1.1.281 the change takes effect immediately.
CustomizedSyncCycleInter val . If you want the scheduler to run at any other frequency than the default
30 minutes, then you configure this setting. In the picture above, the scheduler has been set to run every
hour instead. If you set this setting to a value lower than AllowedSyncInterval, then the latter is used.
NextSyncCyclePolicyType . Either Delta or Initial. Defines if the next run should only process delta changes,
or if the next run should do a full import and sync. The latter would also reprocess any new or changed rules.
NextSyncCycleStar tTimeInUTC . Next time the scheduler starts the next sync cycle.
PurgeRunHistor yInter val . The time operation logs should be kept. These logs can be reviewed in the
synchronization service manager. The default is to keep these logs for 7 days.
SyncCycleEnabled . Indicates if the scheduler is running the import, sync, and export processes as part of
its operation.
MaintenanceEnabled . Shows if the maintenance process is enabled. It updates the certificates/keys and
purges the operations log.
StagingModeEnabled . Shows if staging mode is enabled. If this setting is enabled, then it suppresses the
exports from running but still run import and synchronization.
SchedulerSuspended . Set by Connect during an upgrade to temporarily block the scheduler from running.
You can change some of these settings with Set-ADSyncScheduler . The following parameters can be modified:
CustomizedSyncCycleInterval
NextSyncCyclePolicyType
PurgeRunHistoryInterval
SyncCycleEnabled
MaintenanceEnabled
In earlier builds of Azure AD Connect, isStagingModeEnabled was exposed in Set-ADSyncScheduler. It is
unsuppor ted to set this property. The property SchedulerSuspended should only be modified by Connect. It
is unsuppor ted to set this with PowerShell directly.
The scheduler configuration is stored in Azure AD. If you have a staging server, any change on the primary
server also affects the staging server (except IsStagingModeEnabled).
CustomizedSyncCycleInterval
Syntax: Set-ADSyncScheduler -CustomizedSyncCycleInterval d.HH:mm:ss
d - days, HH - hours, mm - minutes, ss - seconds
Example: Set-ADSyncScheduler -CustomizedSyncCycleInterval 03:00:00
Changes the scheduler to run every 3 hours.
Example: Set-ADSyncScheduler -CustomizedSyncCycleInterval 1.0:0:0
Changes change the scheduler to run daily.
Disable the scheduler
If you need to make configuration changes, then you want to disable the scheduler. For example, when you
configure filtering or make changes to synchronization rules.
To disable the scheduler, run Set-ADSyncScheduler -SyncCycleEnabled $false .
When you've made your changes, do not forget to enable the scheduler again with
Set-ADSyncScheduler -SyncCycleEnabled $true .
Example: If you made changes to the synchronization rules for Connector “AD Forest A” that don’t require any
new attributes to be imported you would run the following cmdlets to run a delta sync cycle which also did a
Full Sync step for that Connector.
Set-ADSyncSchedulerConnectorOverride -ConnectorName “AD Forest A” -FullSyncRequired $true
Example: If you made changes to the synchronization rules for Connector “AD Forest A” so that they now require
a new attribute to be imported you would run the following cmdlets to run a delta sync cycle which also did a
Full Import, Full Sync step for that Connector.
Set-ADSyncSchedulerConnectorOverride -ConnectorName “AD Forest A” -FullImportRequired $true
When a sync cycle is running, you cannot make configuration changes. You could wait until the scheduler has
finished the process, but you can also stop it so you can make your changes immediately. Stopping the current
cycle is not harmful and pending changes are processed with next run.
1. Start by telling the scheduler to stop its current cycle with the PowerShell cmdlet Stop-ADSyncSyncCycle .
2. If you use a build before 1.1.281, then stopping the scheduler does not stop the current Connector from its
current task. To force the Connector to stop, take the following actions:
Start Synchronization Ser vice from the start menu. Go to Connectors , highlight the Connector
with the state Running , and select Stop from the Actions.
The scheduler is still active and starts again on next opportunity.
Custom scheduler
The cmdlets documented in this section are only available in build 1.1.130.0 and later.
If the built-in scheduler does not satisfy your requirements, then you can schedule the Connectors using
PowerShell.
Invoke -ADSyncRunProfile
You can start a profile for a Connector in this way:
The names to use for Connector names and Run Profile Names can be found in the Synchronization Service
Manager UI.
The Invoke-ADSyncRunProfile cmdlet is synchronous, that is, it does not return control until the Connector has
completed the operation, either successfully or with an error.
When you schedule your Connectors, the recommendation is to schedule them in the following order:
1. (Full/Delta) Import from on-premises directories, such as Active Directory
2. (Full/Delta) Import from Azure AD
3. (Full/Delta) Synchronization from on-premises directories, such as Active Directory
4. (Full/Delta) Synchronization from Azure AD
5. Export to Azure AD
6. Export to on-premises directories, such as Active Directory
This order is how the built-in scheduler runs the Connectors.
Get-ADSyncConnectorRunStatus
You can also monitor the sync engine to see if it is busy or idle. This cmdlet returns an empty result if the sync
engine is idle and is not running a Connector. If a Connector is running, it returns the name of the Connector.
Get-ADSyncConnectorRunStatus
In the picture above, the first line is from a state where the sync engine is idle. The second line from when the
Azure AD Connector is running.
Next steps
Learn more about the Azure AD Connect sync configuration.
Learn more about Integrating your on-premises identities with Azure Active Directory.
How to customize a synchronization rule
9/7/2020 • 2 minutes to read • Edit Online
Recommended Steps
You can use the synchronization rule editor to edit or create a new synchronization rule. You need to be an
advanced user to make changes to synchronization rules. Any wrong changes may result in deletion of objects
from your target directory. Please read Recommended Documents to gain expertise in synchronization rules. To
modify a synchronization rule go through following steps:
Launch the synchronization editor from the application menu in desktop as shown below:
In order to customize a default synchronization rule, clone the existing rule by clicking the “Edit” button on
the Synchronization Rules Editor, which will create a copy of the standard default rule and disable it. Save the
cloned rule with a precedence less than 100. Precedence determines what rule wins(lower numeric value) a
conflict resolution if there is an attribute flow conflict.
When modifying a specific attribute, ideally you should only keep the modifying attribute in the cloned rule.
Then enable the default rule so that modified attribute comes from cloned rule and other attributes are
picked from default standard rule.
Please note that in the case where the calculated value of the modified attribute is NULL in your cloned rule
and is not NULL in the default standard rule then, the not NULL value will win and will replace the NULL
value. If you don’t want a NULL value to be replace with a not NULL value then assign AuthoritativeNull in
your cloned rule.
To modify an Outbound rule, change filter from the synchronization rule editor.
Recommended Documents
Azure AD Connect sync: Technical Concepts
Azure AD Connect sync: Understanding the architecture
Azure AD Connect sync: Understanding Declarative Provisioning
Azure AD Connect sync: Understanding Declarative Provisioning Expressions
Azure AD Connect sync: Understanding the default configuration
Azure AD Connect sync: Understanding Users, Groups, and Contacts
Azure AD Connect sync: Shadow attributes
Next Steps
Azure AD Connect sync.
What is hybrid identity?.
Azure AD Connect sync V2 endpoint API (public
preview)
9/7/2020 • 9 minutes to read • Edit Online
Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the
synchronization service operations to Azure Active Directory. By utilizing the new V2 endpoint, you will experience
noticeable performance gains on export and import to Azure AD. This new endpoint supports the following:
syncing groups with up to 250k members
performance gains on export and import to Azure AD
NOTE
Currently, the new endpoint does not have a configured group size limit for O365 groups that are written back. This may
have an effect on your Active Directory and sync cycle latencies. It is recommended to increase your group sizes
incrementally.
Pre-requisites
In order to use the new V2 endpoint, you will need to use Azure AD Connect version 1.5.30.0 or later and follow the
deployment steps provided below to enable the V2 endpoint for your Azure AD Connect server.
NOTE
Currently, this public preview is only available in the Azure global cloud and not available for national clouds.
IMPORTANT
While support is provided for this public preview release, Microsoft may not always be able to fix all issues you may
encounter immediately. For this reason, it is recommended that you use your best judgement before deploying this release in
your production environment.
Deployment guidance
You will need to deploy Azure AD Connect version 1.5.30.0 or later to use the V2 endpoint. Use the link provided to
download.
It is recommended that you follow the swing migration method for rolling out the new endpoint in your
environment. This will provide a clear contingency plan in the event, that a major rollback is necessary. The
following example illustrates how a swing migration can be used in this scenario. For more information on the
swing migration deployment method, refer to the link provided.
Swing migration for deploying V2 endpoint
The following steps will guide you through deploying the v2 endpoint using the swing method.
1. Deploy the V2 endpoint on the current staging server. This server will be known as the V2 ser ver in the steps
below. The current active server will continue to process the production workload using the V1 endpoint, which
will be called the V1 ser ver below.
2. Validate that the V2 ser ver is still processing imports as expected. At this stage, large groups will not be
provisioned to Azure AD or on-prem AD, but you will be able to verify that the upgrade did not result in any
other unexpected impact to the existing synchronization process.
3. Once validation is complete, switch the V2 ser ver to be the active server and the V1 ser ver to be the staging
server. At this time, large groups that are in scope to be synced will be provisioned to Azure AD, as well as large
O365 unified groups will be provisioned to AD, if group writeback is enabled.
4. Validate that the V2 ser ver is performing and processing large groups successfully. You may choose to stay at
this step and monitor the synchronization process for a period.
NOTE
If you need to transition back to your previous configuration, you can perform a swing migration from the V2 ser ver back
to the V1 ser ver . Since the V1 endpoint does not support groups with over 50k members, any large group that was
provisioned by Azure AD Connect, in either Azure AD or on-prem AD, will be subsequently deleted. 4. Once you are
confident in using the V2 endpoint, upgrade the V1 ser ver to begin using the V2 endpoint.
Set-ADSyncAADConnectorImportApiVersion 2
You have now enabled the V2 endpoint for your server. Take some time to verify that there are no unexpected
results after enabling the V2 endpoint before you move to the next phase where you will increase the group size
limit.
NOTE
The file / module paths may use a different drive letter, depending on the installation path provided when installing Azure AD
Connect.
5. Click the Yes button to disable the default rule and create an editable copy.
6. In the pop-up window on the Description page, set the precedence to an available value between 1 and 99
7. On the Transformations page, update the Source value for the member transformation, replacing
‘50000’ with a value between 50001 and 250000. This replacement will increase the maximum membership
size of groups that will sync to Azure AD. We suggest starting with a number of 100k, to understand the
impact that syncing large groups will have on your sync performance.
Example
IIF((ValueCount("member")> 75000),Error("Maximum Group member count exceeded"),IgnoreThisFlow)
9. Click Save
10. Open admin PowerShell prompt
11. Re-enable the Sync Scheduler
Set-ADSyncScheduler -SyncCycleEnabled $true
NOTE
If Azure AD Connect Health is not enabled, change the windows application event log settings to archive the logs, instead of
overwriting them. The logs may be used to assist in future troubleshooting efforts.
NOTE
After enabling the new endpoint, you may see additional export errors on the AAD connector with name ‘dn-attributes-
failure’. There will be a corresponding event log entry for each error with id 6949, . The errors are informational and do not
indicate a problem with your installation, but rather that the sync process could not add certain members to a group in
Azure AD because the member object itself was not synced to Azure AD.
The new V2 endpoint code handles some types of export errors slightly different from how the V1 code did. You
may see more of the informational error messages when you use the V2 endpoint.
NOTE
When upgrading Azure AD Connect, ensure that the steps in Phase 2 are rerun, as the changes are not preserved through
the upgrade process.
During subsequent increases to the group member limit in the Out to AAD – Group Join sync rule, a full sync is
not necessary, so you can elect to suppress the full sync by running the following command in PowerShell.
Set-ADSyncSchedulerConnectorOverride -FullSyncRequired $false -ConnectorName "<AAD Connector Name>"
NOTE
If you have O365 unified groups that have more than 50k members, the groups will be read into Azure AD Connect, and if
group writeback is enabled, they will be written to your on-premises AD.
Rollback
If you have enabled the v2 endpoint and need to rollback, follow these steps:
1. On the Azure AD Connect server: a. [Optional] Take database backup
2. Open an admin PowerShell prompt:
3. Disable the sync scheduler after verifying that no synchronization operations are running
Set-ADSyncScheduler -SyncCycleEnabled $false
Set-ADSyncAADConnectorExportApiVersion 1
Set-ADSyncAADConnectorImportApiVersion 1
Next steps
Azure AD Connect sync: Understand and customize synchronization
Integrating your on-premises identities with Azure Active Directory
Using the Sync Service Manager Operations tab
9/7/2020 • 2 minutes to read • Edit Online
The operations tab shows the results from the most recent operations. This tab is key to understand and
troubleshoot issues.
STAT US C O M M EN T
stopped-* The run could not complete. For example, if the remote
system is down and cannot be contacted.
stopped-error-limit There are more than 5,000 errors. The run was automatically
stopped due to the large number of errors.
completed-*-errors The run completed, but there are errors (fewer than 5,000)
that should be investigated.
STAT US C O M M EN T
completed-*-warnings The run completed, but some data is not in the expected
state. If you have errors, then this message is usually only a
symptom. Until you have addressed errors, you should not
investigate warnings.
success No issues.
When you select a row, the bottom updates to show the details of that run. To the far left of the bottom, you might
have a list saying Step # . This list only appears if you have multiple domains in your forest where each domain is
represented by a step. The domain name can be found under the heading Par tition . Under Synchronization
Statistics , you can find more information about the number of changes that were processed. You can click the
links to get a list of the changed objects. If you have objects with errors, those errors show up under
Synchronization Errors .
For more information, see troubleshoot an object that is not synchronizing
Next steps
Learn more about the Azure AD Connect sync configuration.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Using connectors with the Azure AD Connect Sync
Service Manager
9/7/2020 • 2 minutes to read • Edit Online
The Connectors tab is used to manage all systems the sync engine is connected to.
Connector actions
A C T IO N C O M M EN T
Configure Run Profiles Except for domain filtering, nothing to configure here. You can
use this action to see already configured run profiles.
Refresh Schema Refreshes the cached schema. It is preferred to use the option
in the installation wizard instead, since that also updates sync
rules.
Search Connector Space Used to find objects and to Follow an object and its data
through the system.
Delete
The delete action is used for two different things.
The option Delete connector space only removes all data, but keep the configuration.
The option Delete Connector and connector space removes the data and the configuration. This option is
used when you do not want to connect to a forest anymore.
Both options sync all objects and update the metaverse objects. This action is a long running operation.
Configure Run Profiles
This option allows you to see the run profiles configured for a Connector.
Search Connector Space
The search connector space action is useful to find objects and troubleshoot data issues.
Start by selecting a scope . You can search based on data (RDN, DN, Anchor, Sub-Tree), or state of the object (all
other options).
If you for example do a Sub-Tree search, you get all objects in one OU.
From this grid you can select an object, select proper ties , and follow it from the source connector space, through
the metaverse, and to the target connector space.
Changing the AD DS account password
If you change the account password, the Synchronization Service will no longer be able to import/export changes
to on-premises AD. You may see the following:
The import/export step for the AD connector fails with "no-start-credentials" error.
Under Windows Event Viewer, the application event log contains an error with Event ID 6000 and message
“The management agent “contoso.com” failed to run because the credentials were invalid.”
To resolve the issue, update the AD DS user account using the following:
1. Start the Synchronization Service Manager (START → Synchronization Service).
9. Click OK to save the new password and restart the Synchronization Service to remove the old password from
memory cache.
Next steps
Learn more about the Azure AD Connect sync configuration.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Sync Service Manager Metaverse Designer
9/7/2020 • 2 minutes to read • Edit Online
Next steps
Learn more about the Azure AD Connect sync configuration.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Sync Service Manager Metaverse Search
9/7/2020 • 2 minutes to read • Edit Online
The metaverse search tab is useful for troubleshooting data-related problems. In the top half, you can create a
query based on a combination of attributes. When you are satisfied with your query, click Search . The result is
visible in the bottom grid. You can select which columns should be visible with Column Settings .
In the search results, select an object and Proper ties to see the metaverse object properties.
Next steps
Learn more about the Azure AD Connect sync configuration.
Learn more about Integrating your on-premises identities with Azure Active Directory.
What is the Azure AD Connect Admin Agent?
9/7/2020 • 2 minutes to read • Edit Online
The Azure AD Connect Administration Agent is a new component of Azure Active Directory Connect that can be
installed on an Azure Active Directory Connect server. It is used to collect specific data from your Active Directory
environment that helps a Microsoft support engineer to troubleshoot issues when you open a support case.
NOTE
The admin agent is not installed and enabled by default. You must install the agent in order to collect data to assist with
support cases.
When installed, the Azure AD Connect Administration Agent waits for specific requests for data from Azure Active
Directory, gets the requested data from the sync environment and sends it to Azure Active Directory, where it is
presented to the Microsoft support engineer.
The information that the Azure AD Connect Administration Agent retrieves from your environment is not stored in
any way - it is only displayed to the Microsoft support engineer to assist them in investigating and troubleshooting
the Azure Active Directory Connect related support case that you opened The Azure AD Connect Administration
Agent is not installed on the Azure AD Connect Server by default.
The Azure AD Connect Administration Agent binaries are placed in the AAD Connect server. To install the agent, do
the following:
1. Open powershell in admin mode
2. Navigate to the directory where the application is located cd "C:\Program Files\Microsoft Azure Active Directory
Connect\Tools"
3. Run ConfigureAdminAgent.ps1
When prompted, please enter your Azure AD global admin credentials. This should be the same credentials entered
during Azure AD Connect installation.
After the agent is installed, you'll see the following two new programs in the "Add/Remove Programs" list in the
Control Panel of your server:
What data in my Sync service is shown to the Microsoft service
engineer?
When you open a support case the Microsoft Support Engineer can see, for a given user, the relevant data in Active
Directory, the Active Directory connector space in the Azure Active Directory Connect server, the Azure Active
Directory connector space in the Azure Active Directory Connect server and the Metaverse in the Azure Active
Directory Connect server.
The Microsoft Support Engineer cannot change any data in your system and cannot see any passwords.
<appSettings>
<add key="TraceFilename" value="ADAdministrationAgent.log" />
<add key="UserDataEnabled" value="false" />
</appSettings>
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Troubleshoot Azure AD connectivity with the
ADConnectivityTool PowerShell module
9/7/2020 • 2 minutes to read • Edit Online
The ADConnectivity tool is a PowerShell module that is used in one of the following:
During installation when a network connectivity problem prevents the successful validation of the Active
Directory credentials the user provided in the Wizard.
Post installation by a user who calls the functions from a PowerShell session.
The tool is located in: C:\Program Files\Microsoft Azure Active Director y Connect\Tools\
ADConnectivityTool.psm1
Next Steps
Azure AD Connect: Accounts and permissions
Express Installation
Custom Installation
ADConnectivityTools Reference
Troubleshoot Azure AD connectivity
9/7/2020 • 7 minutes to read • Edit Online
This article explains how connectivity between Azure AD Connect and Azure AD works and how to troubleshoot
connectivity issues. These issues are most likely to be seen in an environment with a proxy server.
NOTE
In some non-Microsoft blogs, it is documented that changes should be made to miiserver.exe.config instead. However, this
file is overwritten on every upgrade so even if it works during initial install, the system stops working on first upgrade. For
that reason, the recommendation is to update machine.config instead.
The proxy server must also have the required URLs opened. The official list is documented in Office 365 URLs and
IP address ranges.
Of these URLs, the following table is the absolute bare minimum to be able to connect to Azure AD at all. This list
does not include any optional features, such as password writeback, or Azure AD Connect Health. It is documented
here to help in troubleshooting for the initial configuration.
If you see this error, verify the machine.config has been correctly configured.
If that looks correct, follow the steps in Verify proxy connectivity to see if the issue is present outside the wizard
as well.
A Microsoft account is used
If you use a Microsoft account rather than a school or organization account, you see a generic error.
this error:
Is the password a temporary password and must be changed? Is it actually the correct password? Try to sign in
to https://login.microsoftonline.com (on another computer than the Azure AD Connect server) and verify the
account is usable.
Verify proxy connectivity
To verify if the Azure AD Connect server has actual connectivity with the Proxy and Internet, use some PowerShell
to see if the proxy is allowing web requests or not. In a PowerShell prompt, run
Invoke-WebRequest -Uri https://adminwebservice.microsoftonline.com/ProvisioningService.svc . (Technically the first
call is to https://login.microsoftonline.com and this URI works as well, but the other URI is faster to respond.)
PowerShell uses the configuration in machine.config to contact the proxy. The settings in winhttp/netsh should not
impact these cmdlets.
If the proxy is correctly configured, you should get a success status:
If you receive Unable to connect to the remote ser ver , then PowerShell is trying to make a direct call without
using the proxy or DNS is not correctly configured. Make sure the machine.config file is correctly configured.
403 Forbidden The proxy has not been opened for the
requested URL. Revisit the proxy
configuration and make sure the URLs
have been opened.
407 Proxy Authentication Required The proxy server required a sign-in and
none was provided. If your proxy server
requires authentication, make sure to
have this setting configured in the
machine.config. Also make sure you are
using domain accounts for the user
running the wizard and for the service
account.
T IM E URL
Configure
T IM E URL
Initial Sync
T IM E URL
Authentication errors
This section covers errors that can be returned from ADAL (the authentication library used by Azure AD Connect)
and PowerShell. The error explained should help you in understand your next steps.
Invalid Grant
Invalid username or password. For more information, see The password cannot be verified.
Unknown User Type
Your Azure AD directory cannot be found or resolved. Maybe you try to login with a username in an unverified
domain?
User Realm Discovery Failed
Network or proxy configuration issues. The network cannot be reached. See Troubleshoot connectivity issues in
the installation wizard.
User Password Expired
Your credentials have expired. Change your password.
Authorization Failure
Failed to authorize user to perform action in Azure AD.
Authentication Canceled
The multi-factor authentication (MFA) challenge was canceled.
Connect To MS Online Failed
Authentication was successful, but Azure AD PowerShell has an authentication problem.
Azure AD Global Admin Role Needed
User was authenticated successfully. However user is not assigned global admin role. This is how you can assign
global admin role to the user.
Privileged Identity Management Enabled
Authentication was successful. Privileged identity management has been enabled and you are currently not a
global administrator. For more information, see Privileged Identity Management.
Company Information Unavailable
Authentication was successful. Could not retrieve company information from Azure AD.
Domain Information Unavailable
Authentication was successful. Could not retrieve domain information from Azure AD.
Unspecified Authentication Failure
Shown as Unexpected error in the installation wizard. Can happen if you try to use a Microsoft Account rather
than a school or organization account .
If you see this error, look at the proxy configuration in netsh and verify it is correct.
If that looks correct, follow the steps in Verify proxy connectivity to see if the issue is present outside the wizard
as well.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Troubleshooting Errors during synchronization
9/7/2020 • 14 minutes to read • Edit Online
Errors could occur when identity data is synchronized from Windows Server Active Directory (AD DS) to Azure
Active Directory (Azure AD). This article provides an overview of different types of sync errors, some of the
possible scenarios that cause those errors and potential ways to fix the errors. This article includes the common
error types and may not cover all the possible errors.
This article assumes the reader is familiar with the underlying design concepts of Azure AD and Azure AD Connect.
With the latest version of Azure AD Connect (August 2016 or higher), a report of Synchronization Errors is
available in the Azure portal as part of Azure AD Connect Health for sync.
Starting September 1, 2016 Azure Active Directory Duplicate Attribute Resiliency feature will be enabled by default
for all the new Azure Active Directory Tenants. This feature will be automatically enabled for existing tenants in the
upcoming months.
Azure AD Connect performs three types of operations from the directories it keeps in sync: Import,
Synchronization, and Export. Errors can take place in all the operations. This article mainly focuses on errors during
Export to Azure AD.
NOTE
Azure AD Attribute Duplicate Attribute Resiliency feature is also being rolled out as the default behavior of Azure Active
Directory. This will reduce the number of synchronization errors seen by Azure AD Connect (as well as other sync clients) by
making Azure AD more resilient in the way it handles duplicated ProxyAddresses and UserPrincipalName attributes present
in on premises AD environments. This feature does not fix the duplication errors. So the data still needs to be fixed. But it
allows provisioning of new objects which are otherwise blocked from being provisioned due to duplicated values in Azure
AD. This will also reduce the number of synchronization errors returned to the synchronization client. If this feature is
enabled for your Tenant, you will not see the InvalidSoftMatch synchronization errors seen during provisioning of new
objects.
Related Articles
Duplicate or invalid attributes prevent directory synchronization in Office 365
ObjectTypeMismatch
Description
When Azure AD attempts to soft match two objects, it is possible that two objects of different "object type" (such as
User, Group, Contact etc.) have the same values for the attributes used to perform the soft match. As duplication of
these attributes is not permitted in Azure AD, the operation can result in "ObjectTypeMismatch" synchronization
error.
Example Scenarios for ObjectTypeMismatch error
A mail enabled security group is created in Office 365. Admin adds a new user or contact in on premises AD
(that's not synchronized to Azure AD yet) with the same value for the ProxyAddresses attribute as that of the
Office 365 group.
Example case
1. Admin creates a new mail enabled security group in Office 365 for the Tax department and provides an email
address as tax@contoso.com. This group is assigned the ProxyAddresses attribute value of smtp:
tax@contoso.com
2. A new user joins Contoso.com and an account is created for the user on premises with the proxyAddress as
smtp: tax@contoso.com
3. When Azure AD Connect will sync the new user account, it will get the "ObjectTypeMismatch" error.
How to fix ObjectTypeMismatch error
The most common reason for the ObjectTypeMismatch error is two objects of different type (User, Group, Contact
etc.) have the same value for the ProxyAddresses attribute. In order to fix the ObjectTypeMismatch:
1. Identify the duplicated proxyAddresses (or other attribute) value that's causing the error. Also identify which
two (or more) objects are involved in the conflict. The report generated by Azure AD Connect Health for sync
can help you identify the two objects.
2. Identify which object should continue to have the duplicated value and which object should not.
3. Remove the duplicated value from the object that should NOT have that value. Note that you should make the
change in the directory where the object is sourced from. In some cases, you may need to delete one of the
objects in conflict.
4. If you made the change in the on premises AD, let Azure AD Connect sync the change. Sync error report within
Azure AD Connect Health for sync gets updated every 30 minutes and includes the errors from the latest
synchronization attempt.
Duplicate Attributes
AttributeValueMustBeUnique
Description
Azure Active Directory schema does not allow two or more objects to have the same value of the following
attributes. That is each object in Azure AD is forced to have a unique value of these attributes at a given instance.
ProxyAddresses
UserPrincipalName
If Azure AD Connect attempts to add a new object or update an existing object with a value for the above attributes
that is already assigned to another object in Azure Active Directory, the operation results in the
"AttributeValueMustBeUnique" sync error.
Possible Scenarios:
1. Duplicate value is assigned to an already synced object, which conflicts with another synced object.
Example case:
1. Bob Smith is a synced user in Azure Active Directory from on premises Active Directory of contoso.com
2. Bob Smith's UserPrincipalName on premises is set as bobs@contoso.com .
3. Bob also has following values for the proxyAddresses attribute:
smtp: bobs@contoso.com
smtp: bob.smith@contoso.com
smtp: bob@contoso.com
4. A new user, Bob Taylor , is added to the on premises Active Directory.
5. Bob Taylor's UserPrincipalName is set as bobt@contoso.com .
6. Bob Taylor has the following values for the ProxyAddresses attribute i. smtp: bobt@contoso.com ii. smtp:
bob.taylor@contoso.com
7. Bob Taylor's object is synchronized with Azure AD successfully.
8. Admin decided to update Bob Taylor's ProxyAddresses attribute with the following value: i. smtp:
bob@contoso.com
9. Azure AD will attempt to update Bob Taylor's object in Azure AD with the above value, but that operation will
fail as that ProxyAddresses value is already assigned to Bob Smith, resulting in "AttributeValueMustBeUnique"
error.
How to fix AttributeValueMustBeUnique error
The most common reason for the AttributeValueMustBeUnique error is two objects with different SourceAnchor
(immutableId) have the same value for the ProxyAddresses and/or UserPrincipalName attributes. In order to fix
AttributeValueMustBeUnique error
1. Identify the duplicated proxyAddresses, userPrincipalName or other attribute value that's causing the error. Also
identify which two (or more) objects are involved in the conflict. The report generated by Azure AD Connect
Health for sync can help you identify the two objects.
2. Identify which object should continue to have the duplicated value and which object should not.
3. Remove the duplicated value from the object that should NOT have that value. Note that you should make the
change in the directory where the object is sourced from. In some cases, you may need to delete one of the
objects in conflict.
4. If you made the change in the on premises AD, let Azure AD Connect sync the change for the error to get fixed.
Related Articles
-Duplicate or invalid attributes prevent directory synchronization in Office 365
LargeObject
Description
When an attribute exceeds the allowed size limit, length limit or count limit set by Azure Active Directory schema,
the synchronization operation results in the LargeObject or ExceededAllowedLength sync error. Typically this
error occurs for the following attributes
userCertificate
userSMIMECertificate
thumbnailPhoto
proxyAddresses
Possible Scenarios
1. Bob's userCertificate attribute is storing too many certificates assigned to Bob. These may include older, expired
certificates. The hard limit is 15 certificates. For more information on how to handle LargeObject errors with
userCertificate attribute, please refer to article Handling LargeObject errors caused by userCertificate attribute.
2. Bob's userSMIMECertificate attribute is storing too many certificates assigned to Bob. These may include older,
expired certificates. The hard limit is 15 certificates.
3. Bob's thumbnailPhoto set in Active Directory is too large to be synced in Azure AD.
4. During automatic population of the ProxyAddresses attribute in Active Directory, an object has too many
ProxyAddresses assigned.
How to fix
1. Ensure that the attribute causing the error is within the allowed limitation.
How to fix
To resolve this issue do the following:
1. Remove the Azure AD account (owner) from all admin roles.
2. Hard Delete the Quarantined object in the cloud.
3. The next sync cycle will take care of soft-matching the on-premises user to the cloud account (since the cloud
user is now no longer a global GA).
4. Restore the role memberships for the owner.
NOTE
You can assign the administrative role to the existing user object again after the soft match between the on-premises user
object and the Azure AD user object has completed.
Related links
Locate Active Directory Objects in Active Directory Administrative Center
How to query Azure Active Directory for an object using Azure Active Directory PowerShell
Troubleshoot an object that is not synchronizing with
Azure Active Directory
9/7/2020 • 10 minutes to read • Edit Online
If an object is not syncing as expected with Microsoft Azure Active Directory (Azure AD), it can be because of
several reasons. If you have received an error email from Azure AD or you see the error in Azure AD Connect
Health, read Troubleshooting errors during synchronization instead. But if you are troubleshooting a problem
where the object is not in Azure AD, this article is for you. It describes how to find errors in the on-premises
component Azure AD Connect synchronization.
IMPORTANT
For Azure AD Connect deployment with version 1.1.749.0 or higher, use the troubleshooting task in the wizard to
troubleshoot object syncing issues.
Synchronization process
Before we investigate syncing issues, let’s understand the Azure AD Connect syncing process:
Terminology
CS: Connector space, a table in a database
MV: Metaverse, a table in a database
Synchronization steps
The syncing process involves following steps:
1. Impor t from AD: Active Directory objects are brought into the Active Directory CS.
2. Impor t from Azure AD: Azure AD objects are brought into the Azure AD CS.
3. Synchronization: Inbound synchronization rules and outbound synchronization rules are run in the order
of precedence number, from lower to higher. To view the synchronization rules, go to the Synchronization
Rules Editor from the desktop applications. The inbound synchronization rules bring in data from CS to MV.
The outbound synchronization rules move data from MV to CS.
4. Expor t to AD: After syncing, objects are exported from the Active Directory CS to Active Directory.
5. Expor t to Azure AD: After syncing, objects are exported from the Azure AD CS to Azure AD.
Troubleshooting
To find the errors, look at a few different places, in the following order:
1. The operation logs to find errors identified by the synchronization engine during import and synchronization.
2. The connector space to find missing objects and synchronization errors.
3. The metaverse to find data-related problems.
Start Synchronization Service Manager before you begin these steps.
Operations
The Operations tab in Synchronization Service Manager is where you should start your troubleshooting. This tab
shows the results from the most recent operations.
The top half of the Operations tab shows all runs in chronological order. By default, the operations log keeps
information about the last seven days, but this setting can be changed with the scheduler. Look for any run that
does not show a success status. You can change the sorting by clicking the headers.
The Status column contains the most important information and shows the most severe problem for a run. Here's
a quick summary of the most common statuses in order of investigation priority (where * indicates several
possible error strings).
STAT US C O M M EN T
stopped-* The run could not finish. This might happen, for example, if
the remote system is down and cannot be contacted.
stopped-error-limit There are more than 5,000 errors. The run was automatically
stopped due to the large number of errors.
completed-*-errors The run finished, but there are errors (fewer than 5,000) that
should be investigated.
STAT US C O M M EN T
completed-*-warnings The run finished, but some data is not in the expected state. If
you have errors, this message is usually only a symptom.
Don't investigate warnings until you have addressed errors.
success No issues.
When you select a row, the bottom of the Operations tab is updated to show the details of that run. On the far-left
side of this area, you might have a list titled Step # . This list appears only if you have multiple domains in your
forest and each domain is represented by a step. The domain name can be found under the heading Par tition .
Under the Synchronization Statistics heading, you can find more information about the number of changes
that were processed. Select the links to get a list of the changed objects. If you have objects with errors, those
errors show up under the Synchronization Errors heading.
Errors on the Operations tab
When you have errors, Synchronization Service Manager shows both the object in error and the error itself as
links that provide more information.
Start by selecting the error string. (In the preceding figure, the error string is sync-rule-error-function-
triggered .) You are first presented with an overview of the object. To see the actual error, select Stack Trace . This
trace provides debug-level information for the error.
Right-click the Call Stack Information box, click Select All , and then select Copy . Then copy the stack and look
at the error in your favorite editor, such as Notepad.
If the error is from SyncRulesEngine , the call stack information first lists all attributes on the object. Scroll down
until you see the heading InnerException => .
The line after the heading shows the error. In the preceding figure, the error is from a custom synchronization rule
that Fabrikam created.
If the error does not give enough information, it's time to look at the data itself. Select the link with the object
identifier and continue troubleshooting the connector space imported object.
If you don't find the object you're looking for, it might have been filtered with domain-based filtering or OU-based
filtering. To verify that the filtering is configured as expected, read Azure AD Connect sync: Configure filtering.
You can perform another useful search by selecting the Azure AD Connector. In the Scope box, select Pending
Impor t , and then select the Add check box. This search gives you all synced objects in Azure AD that cannot be
associated with an on-premises object.
Those objects were created by another synchronization engine or a synchronization engine with a different
filtering configuration. These orphan objects are no longer managed. Review this list and consider removing these
objects by using the Azure AD PowerShell cmdlets.
CS import
When you open a CS object, there are several tabs at the top. The Impor t tab shows the data that is staged after
an import.
The Old Value column shows what currently is stored in Connect, and the New Value column shows what has
been received from the source system and has not been applied yet. If there is an error on the object, changes are
not processed.
The Synchronization Error tab is visible in the Connector Space Object Proper ties window only if there is a
problem with the object. For more information, review how to troubleshoot sync errors on the Operations tab.
CS lineage
The Lineage tab in the Connector Space Object Proper ties window shows how the connector space object is
related to the metaverse object. You can see when the connector last imported a change from the connected
system and which rules applied to populate data in the metaverse.
In the preceding figure, the Action column shows an inbound synchronization rule with the action Provision .
That indicates that as long as this connector space object is present, the metaverse object remains. If the list of
synchronization rules instead shows an outbound synchronization rule with a Provision action, this object is
deleted when the metaverse object is deleted.
In the preceding figure, you can also see in the PasswordSync column that the inbound connector space can
contribute changes to the password since one synchronization rule has the value True . This password is sent to
Azure AD through the outbound rule.
From the Lineage tab, you can get to the metaverse by selecting Metaverse Object Proper ties .
Preview
In the lower-left corner of the Connector Space Object Proper ties window is the Preview button. Select this
button to open the Preview page, where you can sync a single object. This page is useful if you are
troubleshooting some custom synchronization rules and want to see the effect of a change on a single object. You
can select a Full sync or a Delta sync . You can also select Generate Preview , which only keeps the change in
memory. Or select Commit Preview , which updates the metaverse and stages all changes to target connector
spaces.
In the preview you can inspect the object and see which rule applied for a particular attribute flow.
Log
Next to the Preview button, select the Log button to open the Log page. Here you can see the password sync
status and history. For more information, see Troubleshoot password hash synchronization with Azure AD Connect
sync.
View each rule in the list from above and check the Scoping filter . In the following scoping filter, if the
isCriticalSystemObject value is null or FALSE or empty, it's in scope.
Go to the CS Import attribute list and check which filter is blocking the object from moving to the MV. The
Connector Space attribute list will show only non-null and non-empty attributes. For example, if
isCriticalSystemObject doesn't show up in the list, the value of this attribute is null or empty.
Object not found in the Azure AD CS
If the object is not present in the connector space of Azure AD but is present in the MV, look at the scoping filter of
the outbound rules of the corresponding connector space, and find out if the object is filtered out because the MV
attributes don't meet the criteria.
To look at the outbound scoping filter, select the applicable rules for the object by adjusting the filter below. View
each rule and look at the corresponding MV attribute value.
MV Attributes
On the Attributes tab, you can see the values and which connectors contributed them.
If an object is not syncing, ask the following questions about attribute states in the metaverse:
Is the attribute cloudFiltered present and set to True ? If it is, it has been filtered according to the steps in
attribute-based filtering.
Is the attribute sourceAnchor present? If not, do you have an account-resource forest topology? If an object is
identified as a linked mailbox (the attribute msExchRecipientTypeDetails has the value 2 ), the
sourceAnchor is contributed by the forest with an enabled Active Directory account. Make sure the master
account has been imported and synced correctly. The master account must be listed among the connectors for
the object.
MV connectors
The Connectors tab shows all connector spaces that have a representation of the object.
Next steps
Learn more about Azure AD Connect sync.
Learn more about hybrid identity.
Troubleshooting Source Anchor Issues during
Installation
9/7/2020 • 2 minutes to read • Edit Online
This article explains the different source anchor related issues that may occur during installation and offers ways to
resolve these issues.
To resolve this issue, you can manually override the source anchor by selecting a specific attribute. Proceed with
this option if and only if you are certain of which attribute to select. If you are not certain, contact Microsoft support
for guidance. If you change the source anchor policy, it can break the association between your on-premises users
and their associated Azure resources.
Express Installation
During express installation, Azure AD Connect reads the source anchor policy from Azure Active Directory. If the
policy exists in Azure Active Directory, Azure AD Connect applies the same policy. There is no option to do manual
override.
During this read operation, it is possible that the source anchor policy in Azure Active Directory is unexpected. In
this case, Azure AD Connect does not know what the source anchor should be.
To resolve this issue, you need to re-install using the custom mode and manually override the source anchor by
selecting a specific attribute. Proceed with this option if and only if you are certain of which attribute to select. If you
are not certain, contact Microsoft support for guidance. If you change the source anchor policy, it can break the
association between your on-premises users and their associated Azure resources.
Invalid Source Anchor in Sync Engine
During installation, it is possible Azure AD Connect attempts to configure the sync engine using an invalid source
anchor. This operation is most likely a product issue and the installation of Azure AD Connect will fail. Contact
Microsoft support if you run in to this issue.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Troubleshoot object synchronization with Azure AD
Connect sync
9/7/2020 • 3 minutes to read • Edit Online
This article provides steps for troubleshooting issues with object synchronization by using the troubleshooting
task. To see how troubleshooting works in Azure Active Directory (Azure AD) Connect, watch this short video.
Troubleshooting task
For Azure AD Connect deployment with version 1.1.749.0 or higher, use the troubleshooting task in the wizard to
troubleshoot object synchronization issues. For earlier versions, please troubleshoot manually as described here.
Run the troubleshooting task in the wizard
To run the troubleshooting task in the wizard, perform the following steps:
1. Open a new Windows PowerShell session on your Azure AD Connect server with the Run as Administrator
option.
2. Run Set-ExecutionPolicy RemoteSigned or Set-ExecutionPolicy Unrestricted .
3. Start the Azure AD Connect wizard.
4. Navigate to the Additional Tasks page, select Troubleshoot, and click Next.
5. On the Troubleshooting page, click Launch to start the troubleshooting menu in PowerShell.
6. In the main menu, select Troubleshoot Object Synchronization.
HTML Report
In addition to analyzing the object, the troubleshooting task also generates an HTML report that has everything
known about the object. This HTML report can be shared with support team to do further troubleshooting, if
needed.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Troubleshoot password hash synchronization with
Azure AD Connect sync
9/7/2020 • 13 minutes to read • Edit Online
This topic provides steps for how to troubleshoot issues with password hash synchronization. If passwords are
not synchronizing as expected, it can be either for a subset of users or for all users.
For Azure Active Directory (Azure AD) Connect deployment with version 1.1.614.0 or after, use the
troubleshooting task in the wizard to troubleshoot password hash synchronization issues:
If you have an issue where no passwords are synchronized, refer to the No passwords are synchronized:
troubleshoot by using the troubleshooting task section.
If you have an issue with individual objects, refer to the One object is not synchronizing passwords:
troubleshoot by using the troubleshooting task section.
For deployment with version 1.1.524.0 or later, there is a diagnostic cmdlet that you can use to troubleshoot
password hash synchronization issues:
If you have an issue where no passwords are synchronized, refer to the No passwords are synchronized:
troubleshoot by using the diagnostic cmdlet section.
If you have an issue with individual objects, refer to the One object is not synchronizing passwords:
troubleshoot by using the diagnostic cmdlet section.
For older versions of Azure AD Connect deployment:
If you have an issue where no passwords are synchronized, refer to the No passwords are synchronized:
manual troubleshooting steps section.
If you have an issue with individual objects, refer to the One object is not synchronizing passwords: manual
troubleshooting steps section.
NOTE
The troubleshooting task is available only for Azure AD Connect version 1.1.614.0 or later.
The rest of this section describes specific results that are returned by the task and corresponding issues.
password hash synchronization feature isn't enabled
If you haven't enabled password hash synchronization by using the Azure AD Connect wizard, the following error
is returned:
NOTE
The troubleshooting task is available only for Azure AD Connect version 1.1.614.0 or later.
The rest of this section describes specific results returned by the cmdlet and corresponding issues.
The Active Directory object isn't exported to Azure AD
password hash synchronization for this on-premises Active Directory account fails because there is no
corresponding object in the Azure AD tenant. The following error is returned:
NOTE
The Invoke-ADSyncDiagnostics cmdlet is available only for Azure AD Connect version 1.1.524.0 or later.
NOTE
The Invoke-ADSyncDiagnostics cmdlet is available only for Azure AD Connect version 1.1.524.0 or later.
3. If the feature is not enabled in Azure AD or if the sync channel status is not enabled, run the Connect
installation wizard. Select Customize synchronization options , and unselect password sync. This
change temporarily disables the feature. Then run the wizard again and re-enable password sync. Run the
script again to verify that the configuration is correct.
4. Look in the event log for errors. Look for the following events, which would indicate a problem:
Source: "Directory synchronization" ID: 0, 611, 652, 655 If you see these events, you have a connectivity
problem. The event log message contains forest information where you have a problem. For more
information, see [Connectivity problem](#connectivity problem).
5. If you see no heartbeat or if nothing else worked, run Trigger a full sync of all passwords. Run the script
only once.
6. See the Troubleshoot one object that is not synchronizing passwords section.
Connectivity problems
Do you have connectivity with Azure AD?
Does the account have required permissions to read the password hashes in all domains? If you installed Connect
by using Express settings, the permissions should already be correct.
If you used custom installation, set the permissions manually by doing the following:
1. To find the account used by the Active Directory connector, start Synchronization Ser vice Manager .
2. Go to Connectors , and then search for the on-premises Active Directory forest you are troubleshooting.
3. Select the connector, and then click Proper ties .
4. Go to Connect to Active Director y Forest .
Note the username and the domain where the account is located.
5. Start Active Director y Users and Computers , and then verify that the account you found earlier has
the follow permissions set at the root of all domains in your forest:
Replicate Directory Changes
Replicate Directory Changes All
6. Are the domain controllers reachable by Azure AD Connect? If the Connect server cannot connect to all
domain controllers, configure Only use preferred domain controller .
7. Go back to Synchronization Ser vice Manager and Configure Director y Par tition .
8. Select your domain in Select director y par titions , select the Only use preferred domain controllers
check box, and then click Configure .
9. In the list, enter the domain controllers that Connect should use for password sync. The same list is used
for import and export as well. Do these steps for all your domains.
NOTE
To apply these changes, restart the Microsoft Azure AD Sync (ADSync) service.
10. If the script shows that there is no heartbeat, run the script in Trigger a full sync of all passwords.
f. Locate the user you are looking for, and then click Proper ties to see all the attributes. If the user is not in
the search result, verify your filtering rules and make sure that you run Apply and verify changes for the
user to appear in Connect.
g. To see the password sync details of the object for the past week, click Log .
If the object log is empty, Azure AD Connect has been unable to read the password hash from Active
Directory. Continue your troubleshooting with Connectivity Errors. If you see any other value than success ,
refer to the table in Password sync log.
h. Select the lineage tab, and make sure that at least one sync rule in the PasswordSync column is True .
In the default configuration, the name of the sync rule is In from AD - User AccountEnabled .
Verify that there is no cloudFiltered attribute present. Make sure that the domain attributes
(domainFQDN and domainNetBios) have the expected values.
j. Click the Connectors tab. Make sure that you see connectors to both on-premises Active Directory and
Azure AD.
k. Select the row that represents Azure AD, click Proper ties , and then click the Lineage tab. The connector
space object should have an outbound rule in the PasswordSync column set to True . In the default
configuration, the name of the sync rule is Out to AAD - User Join .
TargetNotExportedToDirectory The object in the Azure AD connector space has not yet been
exported.
MigratedCheckDetailsForMoreInfo Log entry was created before build 1.0.9125.0 and is shown
in its legacy state.
NOTE
Run this script only once. If you need to run it more than once, something else is the problem. To troubleshoot the problem,
contact Microsoft support.
You can trigger a full sync of all passwords by using the following script:
$adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
$aadConnector = "<CASE SENSITIVE AAD CONNECTOR NAME>"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter
"Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable
$false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable
$true
Next steps
Implementing password hash synchronization with Azure AD Connect sync
Azure AD Connect Sync: Customizing synchronization options
Integrating your on-premises identities with Azure Active Directory
Troubleshoot Azure Active Directory Pass-through
Authentication
9/7/2020 • 7 minutes to read • Edit Online
This article helps you find troubleshooting information about common issues regarding Azure AD Pass-through
Authentication.
IMPORTANT
If you are facing user sign-in issues with Pass-through Authentication, don't disable the feature or uninstall Pass-through
Authentication Agents without having a cloud-only Global Administrator account to fall back on. Learn about adding a
cloud-only Global Administrator account. Doing this step is critical and ensures that you don't get locked out of your
tenant.
General issues
Check status of the feature and Authentication Agents
Ensure that the Pass-through Authentication feature is still Enabled on your tenant and the status of
Authentication Agents shows Active , and not Inactive . You can check status by going to the Azure AD
Connect blade on the Azure Active Directory admin center.
User-facing sign-in error messages
If the user is unable to sign into using Pass-through Authentication, they may see one of the following user-
facing errors on the Azure AD sign-in screen:
AADSTS80001 Unable to connect to Active Directory Ensure that agent servers are
members of the same AD forest as the
users whose passwords need to be
validated and they are able to connect
to Active Directory.
AADSTS80004 The username passed to the agent Ensure the user is attempting to sign
was not valid in with the right username.
AADSTS80007 An error occurred communicating with Check the agent logs for more
Active Directory information and verify that Active
Directory is operating as expected.
Invoke-PassthroughAuthOnPremLogonTroubleshooter
4. When you are prompted to enter credentials, enter the same username and password that are used to sign
in to (https://login.microsoftonline.com).
If you get the same username/password error, this means that the Pass-through Authentication agent is
working correctly and the issue may be that the on-premises UPN is non-routable. To learn more, see
Configuring Alternate Login ID.
IMPORTANT
If the Azure AD Connect server isn't domain joined, a requirement mentioned in Azure AD Connect: Prerequisites, the
invalid username/password issue occurs.
Sign-in failure reasons on the Azure Active Directory admin center (needs Premium license )
If your tenant has an Azure AD Premium license associated with it, you can also look at the sign-in activity
report on the Azure Active Directory admin center.
Navigate to Azure Active Director y -> Sign-ins on the Azure Active Directory admin center and click a
specific user's sign-in activity. Look for the SIGN-IN ERROR CODE field. Map the value of that field to a failure
reason and resolution using the following table:
50144 User's Active Directory password has Reset the user's password in your on-
expired. premises Active Directory.
80004 Incorrect User Principal Name (UPN) Ask the user to sign in with the correct
used in sign-in request. username.
80005 Authentication Agent: Error occurred. Transient error. Try again later.
IMPORTANT
Pass-through Authentication Agents authenticate Azure AD users by validating their usernames and passwords against
Active Directory by calling the Win32 LogonUser API. As a result, if you have set the "Logon To" setting in Active
Directory to limit workstation logon access, you will have to add servers hosting Pass-through Authentication Agents to
the list of "Logon To" servers as well. Failing to do this will block your users from signing into Azure AD.
You can get descriptive details of the error ('1328' in the preceding example) by opening up the command
prompt and running the following command (Note: Replace '1328' with the actual error number that you see in
your logs):
Net helpmsg 1328
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[EventData[Data[@Name='ProcessName'] and (Data='C:\Program Files\Microsoft
Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe')]]</Select>
</Query>
</QueryList>
IMPORTANT
Pass-through Authentication provides high availability using multiple Authentication Agents, and not load balancing.
Depending on your configuration, not all your Authentication Agents receive roughly equal number of requests. It is
possible that a specific Authentication Agent receives no traffic at all.
Troubleshoot Azure Active Directory Seamless Single
Sign-On
9/7/2020 • 7 minutes to read • Edit Online
This article helps you find troubleshooting information about common problems regarding Azure Active
Directory (Azure AD) Seamless Single Sign-On (Seamless SSO).
Known issues
In a few cases, enabling Seamless SSO can take up to 30 minutes.
If you disable and re-enable Seamless SSO on your tenant, users will not get the single sign-on experience till
their cached Kerberos tickets, typically valid for 10 hours, have expired.
If Seamless SSO succeeds, the user does not have the opportunity to select Keep me signed in . Due to this
behavior, SharePoint and OneDrive mapping scenarios don't work.
Office 365 Win32 clients (Outlook, Word, Excel, and others) with versions 16.0.8730.xxxx and above are
supported using a non-interactive flow. Other versions are not supported; on those versions, users will enter
their usernames, but not passwords, to sign-in. For OneDrive, you will have to activate the OneDrive silent
config feature for a silent sign-on experience.
Seamless SSO doesn't work in private browsing mode on Firefox.
Seamless SSO doesn't work in Internet Explorer when Enhanced Protected mode is turned on.
Seamless SSO doesn't work on mobile browsers on iOS and Android.
If a user is part of too many groups in Active Directory, the user's Kerberos ticket will likely be too large to
process, and this will cause Seamless SSO to fail. Azure AD HTTPS requests can have headers with a maximum
size of 50 KB; Kerberos tickets need to be smaller than that limit to accommodate other Azure AD artifacts
(typically, 2 - 5 KB) such as cookies. Our recommendation is to reduce user's group memberships and try
again.
If you're synchronizing 30 or more Active Directory forests, you can't enable Seamless SSO through Azure AD
Connect. As a workaround, you can manually enable the feature on your tenant.
Adding the Azure AD service URL ( https://autologon.microsoftazuread-sso.com ) to the Trusted sites zone
instead of the Local intranet zone blocks users from signing in.
Seamless SSO supports the AES256_HMAC_SHA1, AES128_HMAC_SHA1 and RC4_HMAC_MD5 encryption
types for Kerberos. It is recommended that the encryption type for the AzureADSSOAcc$ account is set to
AES256_HMAC_SHA1, or one of the AES types vs. RC4 for added security. The encryption type is stored on the
msDS-SupportedEncryptionTypes attribute of the account in your Active Directory. If the AzureADSSOAcc$
account encryption type is set to RC4_HMAC_MD5, and you want to change it to one of the AES encryption
types, please make sure that you first roll over the Kerberos decryption key of the AzureADSSOAcc$ account
as explained in the FAQ document under the relevant question, otherwise Seamless SSO will not happen.
81001 User's Kerberos ticket is too large. Reduce the user's group memberships
and try again.
81002 Unable to validate the user's Kerberos See the troubleshooting checklist.
ticket.
81003 Unable to validate the user's Kerberos See the troubleshooting checklist.
ticket.
81008 Unable to validate the user's Kerberos See the troubleshooting checklist.
ticket.
81009 Unable to validate the user's Kerberos See the troubleshooting checklist.
ticket.
81010 Seamless SSO failed because the user's The user needs to sign in from a
Kerberos ticket has expired or is invalid. domain-joined device inside your
corporate network.
81011 Unable to find the user object based on Use Azure AD Connect to synchronize
the information in the user's Kerberos the user's information into Azure AD.
ticket.
81012 The user trying to sign in to Azure AD The user needs to sign in from a
is different from the user that is signed different device.
in to the device.
SIGN - IN ERRO R C O DE SIGN - IN FA IL URE REA SO N RESO L UT IO N
81013 Unable to find the user object based on Use Azure AD Connect to synchronize
the information in the user's Kerberos the user's information into Azure AD.
ticket.
Troubleshooting checklist
Use the following checklist to troubleshoot Seamless SSO problems:
Ensure that the Seamless SSO feature is enabled in Azure AD Connect. If you can't enable the feature (for
example, due to a blocked port), ensure that you have all the prerequisites in place.
If you have enabled both Azure AD Join and Seamless SSO on your tenant, ensure that the issue is not with
Azure AD Join. SSO from Azure AD Join takes precedence over Seamless SSO if the device is both registered
with Azure AD and domain-joined. With SSO from Azure AD Join the user sees a sign-in tile that says
"Connected to Windows".
Ensure that the Azure AD URL ( https://autologon.microsoftazuread-sso.com ) is part of the user's Intranet zone
settings.
Ensure that the corporate device is joined to the Active Directory domain. The device doesn't need to be Azure
AD Joined for Seamless SSO to work.
Ensure that the user is logged on to the device through an Active Directory domain account.
Ensure that the user's account is from an Active Directory forest where Seamless SSO has been set up.
Ensure that the device is connected to the corporate network.
Ensure that the device's time is synchronized with the time in both Active Directory and the domain controllers,
and that they are within five minutes of each other.
Ensure that the AZUREADSSOACC computer account is present and enabled in each AD forest that you want
Seamless SSO enabled. If the computer account has been deleted or is missing, you can use PowerShell
cmdlets to re-create them.
List the existing Kerberos tickets on the device by using the klist command from a command prompt.
Ensure that the tickets issued for the AZUREADSSOACC computer account are present. Users' Kerberos tickets are
typically valid for 10 hours. You might have different settings in Active Directory.
If you disabled and re-enabled Seamless SSO on your tenant, users will not get the single sign-on experience
till their cached Kerberos tickets have expired.
Purge existing Kerberos tickets from the device by using the klist purge command, and try again.
To determine if there are JavaScript-related problems, review the console logs of the browser (under
Developer Tools ).
Review the domain controller logs.
Domain controller logs
If you enable success auditing on your domain controller, then every time a user signs in through Seamless SSO, a
security entry is recorded in the event log. You can find these security events by using the following query. (Look
for event 4769 associated with the computer account AzureADSSOAcc$ .)
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[EventData[Data[@Name='ServiceName'] and (Data='AZUREADSSOACC$')]]</Select>
</Query>
</QueryList>
NOTE
The domain administrator credentials username must be entered in the SAM account name format
(contoso\johndoe or contoso.com\johndoe). We use the domain portion of the username to locate the Domain
Controller of the Domain Administrator using DNS.
NOTE
The domain administrator account used must not be a member of the Protected Users group. If so, the operation
will fail.
NOTE
The domain administrator credentials username must be entered in the SAM account name format
(contoso\johndoe or contoso.com\johndoe). We use the domain portion of the username to locate the Domain
Controller of the Domain Administrator using DNS.
NOTE
The domain administrator account used must not be a member of the Protected Users group. If so, the operation
will fail.
2. Repeat the preceding step for each Active Directory forest where you want to set up the feature.
Step 5. Enable the feature on your tenant
To turn on the feature on your tenant, call Enable-AzureADSSO -Enable $true .
Azure AD Connect sync: Handling LargeObject errors
caused by userCertificate attribute
9/7/2020 • 8 minutes to read • Edit Online
Azure AD enforces a maximum limit of 15 certificate values on the userCer tificate attribute. If Azure AD Connect
exports an object with more than 15 values to Azure AD, Azure AD returns a LargeObject error with message:
"The provisioned object is too large. Trim the number of attribute values on this object. The operation will be
retried in the next synchronization cycle..."
The LargeObject error may be caused by other AD attributes. To confirm it is indeed caused by the userCertificate
attribute, you need to verify against the object either in on-premises AD or in the Synchronization Service Manager
Metaverse Search.
To obtain the list of objects in your tenant with LargeObject errors, use one of the following methods:
If your tenant is enabled for Azure AD Connect Health for sync, you can refer to the Synchronization Error
Report provided.
The notification email for directory synchronization errors that is sent at the end of each sync cycle has the
list of objects with LargeObject errors.
The Synchronization Service Manager Operations tab displays the list of objects with LargeObject errors if
you click the latest Export to Azure AD operation.
Mitigation options
Until the LargeObject error is resolved, other attribute changes to the same object cannot be exported to Azure AD.
To resolve the error, you can consider the following options:
Upgrade Azure AD Connect to build 1.1.524.0 or after. In Azure AD Connect build 1.1.524.0, the out-of-box
synchronization rules have been updated to not export attributes userCertificate and userSMIMECertificate
if the attributes have more than 15 values. For details on how to upgrade Azure AD Connect, refer to article
Azure AD Connect: Upgrade from a previous version to the latest.
Implement an outbound sync rule in Azure AD Connect that exports a null value instead of the actual
values for objects with more than 15 cer tificate values . This option is suitable if you do not require
any of the certificate values to be exported to Azure AD for objects with more than 15 values. For details on
how to implement this sync rule, refer to next section Implementing sync rule to limit export of
userCertificate attribute.
Reduce the number of certificate values on the on-premises AD object (15 or less) by removing values that
are no longer in use by your organization. This is suitable if the attribute bloat is caused by expired or
unused certificates. You can use the PowerShell script available here to help find, backup, and delete expired
certificates in your on-premises AD. Before deleting the certificates, it is recommended that you verify with
the Public-Key-Infrastructure administrators in your organization.
Configure Azure AD Connect to exclude the userCertificate attribute from being exported to Azure AD. In
general, we do not recommend this option since the attribute may be used by Microsoft Online Services to
enable specific scenarios. In particular:
The userCertificate attribute on the User object is used by Exchange Online and Outlook clients for
message signing and encryption. To learn more about this feature, refer to article S/MIME for
message signing and encryption.
The userCertificate attribute on the Computer object is used by Azure AD to allow Windows 10 on-
premises domain-joined devices to connect to Azure AD. To learn more about this feature, please
refer to article Connect domain-joined devices to Azure AD for Windows 10 experiences.
IMPORTANT
Exporting null value removes certificate values previously exported successfully to Azure AD.
NOTE
The preceding steps are only applicable to newer versions (1.1.xxx.x) of Azure AD Connect with the built-in scheduler. If you
are using older versions (1.0.xxx.x) of Azure AD Connect that uses Windows Task Scheduler, or you are using your own
custom scheduler (not common) to trigger periodic synchronization, you need to disable them accordingly.
1. Start the Synchronization Ser vice Manager by going to START → Synchronization Service.
2. Go to the Operations tab and confirm there is no operation whose status is “in progress.”
Step 2. Find the existing outbound sync rule for userCertificate attribute
There should be an existing sync rule that is enabled and configured to export userCertificate attribute for User
objects to Azure AD. Locate this sync rule to find out its precedence and scoping filter configuration:
1. Start the Synchronization Rules Editor by going to START → Synchronization Rules Editor.
2. Configure the search filters with the following values:
AT T RIB UT E VA L UE
Direction Outbound
3. If you are using OOB (out-of-box) sync rules to Azure AD connector to export userCertficiate attribute for
User objects, you should get back the “Out to AAD – User ExchangeOnline” rule.
4. Note down the precedence value of this sync rule.
5. Select the sync rule and click Edit .
6. In the “Edit Reserved Rule Confirmation” pop-up dialog, click No . (Don’t worry, we are not going to make
any change to this sync rule).
7. In the edit screen, select the Scoping filter tab.
8. Note down the scoping filter configuration. If you are using the OOB sync rule, there should exactly be one
scoping filter group containing two clauses , including:
AT T RIB UT E O P ERATO R VA L UE
AT T RIB UT E VA L UE DETA IL S
3. Go to the Scoping filter tab and implement the same scoping filter the existing sync rule is using.
4. Skip the Join rules tab.
5. Go to the Transformations tab to add a new transformation using following configuration:
AT T RIB UT E VA L UE
NOTE
The preceding steps are only applicable to newer versions (1.1.xxx.x) of Azure AD Connect with the built-in scheduler. If you
are using older versions (1.0.xxx.x) of Azure AD Connect that uses Windows Task Scheduler, or you are using your own
custom scheduler (not common) to trigger periodic synchronization, you need to disable them accordingly.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect: How to recover from LocalDB 10-
GB limit
9/7/2020 • 4 minutes to read • Edit Online
Azure AD Connect requires a SQL Server database to store identity data. You can either use the default SQL Server
2012 Express LocalDB installed with Azure AD Connect or use your own full SQL. SQL Server Express imposes a
10-GB size limit. When using LocalDB and this limit is reached, Azure AD Connect Synchronization Service can no
longer start or synchronize properly. This article provides the recovery steps.
Symptoms
There are two common symptoms:
Azure AD Connect Synchronization Service is running but fails to synchronize with “stopped-database-
disk-full” error.
Azure AD Connect Synchronization Service is unable to star t . When you attempt to start the service, it
fails with event 6323 and error message "The server encountered an error because SQL Server is out of disk
space."
The name of the database created for Azure AD Connect is ADSync . To perform a Shrink operation, you must log in
either as the sysadmin or DBO of the database. During Azure AD Connect installation, the following accounts are
granted sysadmin rights:
Local Administrators
The user account that was used to run Azure AD Connect installation.
The Sync Service account that is used as the operating context of Azure AD Connect Synchronization Service.
The local group ADSyncAdmins that was created during installation.
1. Back up the database by copying ADSync.mdf and ADSync_log.ldf files located under
%ProgramFiles%\Microsoft Azure AD Sync\Data to a safe location.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Troubleshoot SQL connectivity issues with Azure AD
Connect
9/7/2020 • 4 minutes to read • Edit Online
This article explains how to troubleshoot connectivity issues between Azure AD Connect and SQL Server.
The following screenshot shows a typical error, if the SQL Server cannot be found.
Troubleshooting steps
Open a powershell window and Import the ADSyncTools Powershell module
NOTE
Install-Module requires updating to PowerShell 5.0 (WMF 5.0) or later;
Or install PackageManagement PowerShell Modules Preview - March 2016 for PowerShell 3.0/4.0
Attempting to connect to SQL1 using a TCP binding for the default instance.
Data Source=tcp:SQL1\;Integrated Security=True.ConnectionString
Successfully connected.
StatisticsEnabled : False
AccessToken :
ConnectionString : Data Source=tcp:SQL1\;Integrated Security=True
ConnectionTimeout : 15
Database : master
DataSource : tcp:SQL1\
PacketSize : 8000
ClientConnectionId : 23e06ef2-0a38-4f5f-9291-da931de40375
ServerVersion : 13.00.4474
State : Open
WorkstationId : SQL1
Credential :
FireInfoMessageEventOnUserErrors : False
Site :
Container :
TROUBLESHOOTING: Attempting to query the SQL Server Browser service configuration on SQL1.
Get-ADSyncSQLBrowserInstances : Unable to read the SQL Server Browser configuration. An existing connection was
forcibly closed by the remote host.
Ensure port 1434 (UDP) is open on SQL1 and the SQL Server Browser service is running.
At C:\Program Files\Microsoft Azure Active Directory Connect\tools\AdSyncTools.psm1:1717 char:18
+ $instances = Get-ADSyncSQLBrowserInstances $Server
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ConnectionError: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-ADSyncSQLBrowserInstances
Each SQL instance must be bound to an explicit static TCP port and paired with an inbound firewall rule on SQL1
to allow connection. Enable the SQL Se
rver Browser service temporarily on the SQL server and run this cmdLet again to further troubleshoot the issue.
Alternatively use the SQL Server Configur
ation Manager on SQL1 to verify the instance name and TCP/IP port assignment manually.
You must specify both the instance name and the port to connect when the SQL Server Browser service is not
running. An inbound firewall rule on SQL1 is required for the associated port.
Example: 'MySQLInstance,1234' where 1234 has a matching firewall rule.
TROUBLESHOOTING: Attempting to query the SQL Server Browser service configuration on SQL1.
SQL browser response contained 2 instances.
Verifying protocol bindings and port connectivity.
MSSQLSERVER : Enabled - port 1433 is assigned and reachable through the firewall
INSTANCE1 : Blocked - the inbound firewall rule for port 58379 is missing or disabled
Each SQL instance must be bound to an explicit static TCP port and paired with an
inbound firewall rule on SQL1 to allow connection. Review the TcpStatus field
for each instance and take corrective action.
InstanceName : MSSQLSERVER
tcp : 1433
TcpStatus : Enabled - port 1433 is assigned and reachable through the firewall
InstanceName : INSTANCE1
tcp : 58379
TcpStatus : Blocked - the inbound firewall rule for port 58379 is missing or disabled
Next Steps
Integrating your on-premises identities with Azure Active Directory
Azure AD connectivity with Azure AD Connect
Troubleshoot an attribute not synchronizing in Azure
AD Connect
9/7/2020 • 2 minutes to read • Edit Online
Recommended Steps
Before investigating attribute syncing issues, let’s understand the Azure AD Connect syncing process:
Terminology
CS: Connector Space, a table in database.
MV: Metaverse, a table in database.
AD: Active Directory
AAD: Azure Active Directory
Synchronization Steps
Import from AD: Active Directory objects are brought into AD CS.
Import from AAD: Azure Active Directory objects are brought into AAD CS.
Synchronization: Inbound Synchronization Rules and Outbound Synchronization Rules are run in
the order of precedence number from lower to higher. To view the Synchronization Rules, you can go to
Synchronization Rules Editor from the desktop applications. The Inbound Synchronization Rules
brings in data from CS to MV. The Outbound Synchronization Rules moves data from MV to CS.
Export to AD: After running Synchronization, objects are exported from AD CS to Active Director y .
Export to AAD: After running Synchronization, objects are exported from AAD CS to Azure Active
Director y .
Step by Step Investigation
We will start our search from the Metaverse and look at the attribute mapping from source to target.
Launch Synchronization Ser vice Manager from the desktop applications, as shown below:
On the Synchronization Ser vice Manager , select the Metaverse Search , select Scope by Object
Type , select the object using an attribute, and click Search button.
Double click the object found in the Metaverse search to view all its attributes. You can click on the
Connectors tab to look at corresponding object in all the Connector Spaces .
Double click on the Active Director y Connector to view the Connector Space attributes. Click on the
Preview button, on the following dialog click on the Generate Preview button.
Now click on the Impor t Attribute Flow , this shows flow of attributes from Active Director y Connector
Space to the Metaverse . Sync Rule column shows which Synchronization Rule contributed to that
attribute. Data Source column shows you the attributes from the Connector Space . Metaverse
Attribute column shows you the attributes in the Metaverse . You can look for the attribute not syncing
here. If you don't find the attribute here, then this is not mapped and you have to create new custom
Synchronization Rule to map the attribute.
Click on the Expor t Attribute Flow in the left pane to view the attribute flow from Metaverse back to
Active Director y Connector Space using Outbound Synchronization Rules .
Similarly, you can view the Azure Active Director y Connector Space object and can generate the
Preview to view attribute flow from Metaverse to the Connector Space and vice versa, this way you can
investigate why an attribute is not syncing.
Recommended Documents
Azure AD Connect sync: Technical Concepts
Azure AD Connect sync: Understanding the architecture
Azure AD Connect sync: Understanding Declarative Provisioning
Azure AD Connect sync: Understanding Declarative Provisioning Expressions
Azure AD Connect sync: Understanding the default configuration
Azure AD Connect sync: Understanding Users, Groups, and Contacts
Azure AD Connect sync: Shadow attributes
Next Steps
Azure AD Connect sync.
What is hybrid identity?.
Troubleshoot: Azure AD Connect install issues
9/7/2020 • 2 minutes to read • Edit Online
Recommended Steps
Please check which Azure AD Connect installation type is suitable for you. If you meet the criteria of express
installation, then we highly recommend you to go with the express installation. The express installation gives you
minimal options needed to finish the installation, therefore there is less likelihood of any issues.
However, if you don’t meet the express installation criteria and must do the custom installation then here are some
best practices you can follow to avoid common issues. For the sake of simplicity only selective options are
mentioned here:
Ensure you are an administrator on the machine on which you are installing AAD Connect. Log in on to the
machine with same administrator credentials.
Let all the options to be default on the following page, except for “Use an existing SQL Server”, if you want to
use existing SQL Server. Here are more details about how to use custom installation options.
On the following page, pick option “Create new AD account", to avoid any permission issues with existing
account.
Common Issues
Connectivity issues with on-premises Active Directory.
Connectivity issues with online Azure Active Directory.
Permission issues with on-premises Active Directory.
Recommended Documents
Prerequisites for Azure AD Connect
Select which installation type to use for Azure AD Connect
Getting started with Azure AD Connect using express settings
Custom installation of Azure AD Connect
Azure AD Connect: Upgrade from a previous version to the latest
Azure AD Connect: What is staging server?
What is the ADConnectivityTool PowerShell Module?
Next steps
Azure AD Connect sync.
What is hybrid identity?
Plan and troubleshoot User Principal Name changes
in Azure Active Directory
9/7/2020 • 10 minutes to read • Edit Online
A User Principal Name (UPN) is an attribute that is an internet communication standard for user accounts. A UPN
consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). The prefix joins the suffix
using the "@" symbol. For example, someone@example.com. A UPN must be unique among all security principal
objects within a directory forest.
This ar ticle assumes you're using UPN as the user identifier. It addresses planning for UPN changes,
and recovering from issues that may result from UPN changes.
NOTE
For developers, we recommend that you use the user objectID as the immutable identifier, rather than UPN or email
addresses as their values can change.
IMPORTANT
If you are changing the suffix in Active Directory, you must ensure that a matching custom domain name has been added
and verified on Azure AD.
Next steps
See these resources:
Azure AD Connect: Design concepts
Azure AD UserPrincipalName population
Microsoft identity platform ID tokens
Hybrid Identity Required Ports and Protocols
3/26/2020 • 3 minutes to read • Edit Online
The following document is a technical reference on the required ports and protocols for implementing a hybrid
identity solution. Use the following illustration and refer to the corresponding table.
LDAP 389 (TCP/UDP) Used for data import from AD. Data is
encrypted with Kerberos Sign & Seal.
LDAP/SSL 636 (TCP/UDP) Used for data import from AD. The data
transfer is signed and encrypted. Only
used if you are using TLS.
P ROTO C O L P O RT S DESC RIP T IO N
RPC 49152- 65535 (Random high RPC Port) Used during the initial configuration of
(TCP) Azure AD Connect when it binds to the
AD forests, and during Password
synchronization. See KB929851,
KB832017, and KB224196 for more
information.
For a list of URLs and IP addresses you need to open in your firewall, see Office 365 URLs and IP address ranges
and Troubleshooting Azure AD Connect connectivity.
In addition, Azure AD Connect needs to be able to make direct IP connections to the Azure data center IP ranges.
Table 6b - Password Hash Sync with SSO
P ROTO C O L P O RT N UM B ER DESC RIP T IO N
In addition, Azure AD Connect needs to be able to make direct IP connections to the Azure data center IP ranges.
Again, this is only required for the SSO registration process.
Table 7a & 7b - Azure AD Connect Health agent for (AD FS/Sync) and
Azure AD
The following tables describe the endpoints, ports, and protocols that are required for communication between
Azure AD Connect Health agents and Azure AD
Table 7a - Ports and Protocols for Azure AD Connect Health agent for (AD FS/Sync) and Azure AD
This table describes the following outbound ports and protocols that are required for communication between the
Azure AD Connect Health agents and Azure AD.
Azure Service Bus port 5671 is no longer required for the latest version of agent. The latest Azure AD Connect
Health agent version only required port 443.
7b - Endpoints for Azure AD Connect Health agent for (AD FS/Sync) and Azure AD
For a list of endpoints, see the Requirements section for the Azure AD Connect Health agent.
Azure AD Connect: Version release history
9/7/2020 • 14 minutes to read • Edit Online
The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect with new features and
functionality. Not all additions are applicable to all audiences.
This article is designed to help you keep track of the versions that have been released, and to understand what
the changes are in the latest version.
This table is a list of related topics:
TO P IC DETA IL S
Steps to upgrade from Azure AD Connect Different methods to upgrade from a previous version to the
latest Azure AD Connect release.
NOTE
Releasing a new version of Azure AD Connect is a process that requires several quality control step to ensure the
operation functionality of the service, and while we go through this process the version number of a new release as well as
the release status will be updated to reflect the most recent state. While we go through this process, the version number
of the release will be shown with an "X" in the minor release number position, as in "1.3.X.0" - this indicates that the
release notes in this document are valid for all versions beginning with "1.3.". As soon as we have finalized the release
process the release version number will be updated to the most recently released version and the release status will be
updated to "Released for download and auto upgrade". Not all releases of Azure AD Connect will be made available for
auto upgrade. The release status will indicate whether a release is made available for auto upgrade or for download only. If
auto upgrade was enabled on your Azure AD Connect server then that server will automatically upgrade to the latest
version of Azure AD Connect that is released for auto upgrade. Note that not all Azure AD Connect configurations are
eligible for auto upgrade. Please follow this link to read more about auto upgrade
IMPORTANT
Starting on November 1st, 2020, we will begin implementing a deprecation process whereby versions of Azure AD
Connect that were released more than 18 months ago will be deprecated. At that time we will begin this process by
deprecating all releases of Azure AD Connect with version 1.3.20.0 (which was released on 4/24/2019) and older, and we
will proceed to evaluate the deprecation of older versions of Azure AD Connect every time a new version releases.
You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience.
If you run a deprecated version of Azure AD Connect you may not have the latest security fixes, performance
improvements, troubleshooting and diagnostic tools and service enhancements, and if you require support we may not be
able to provide you with the level of service your organization needs.
If you have enabled Azure AD Connect for sync you will soon automatically begin receiving Health notifications that warn
you about upcoming deprecations when you are running one of the older versions.
Please refer to this article to learn more about how to upgrade Azure AD Connect to the latest version.
For version history information on deprecated versions, see Azure AD Connect version release history archive
1.5.45.0
Release status
07/29/2020: Released for download
Functional changes
This is a bug fix release. There are no functional changes in this release.
Fixed issues
Fixed an issue where admin can’t enable “Seamless Single Sign On” if AZUREADSSOACC computer account is
already present in the “Active Directory”.
Fixed an issue that caused a staging error during V2 API delta import for a conflicting object that was repaired
via the health portal.
Fixed an issue in the import/export configuration where disabled custom rule was imported as enabled.
1.5.42.0
Release status
07/10/2020: Released for download
Functional changes
This release includes a public preview of the functionality to export the configuration of an existing Azure AD
Connect server into a .JSON file which can then be used when installing a new Azure AD Connect server to
create a copy of the original server.
A detailed description of this new feature can be found in this article
Fixed issues
Fixed a bug where there would be a false warning about the local DB size on the localized builds during
upgrade.
Fixed a bug where there would be a false error in the app events for the account name/domain name swap.
Fixed an error where Azure AD Connect would fail to install on a DC, giving error "member not found".
1.5.30.0
Release status
05/07/2020: Released for download
Fixed issues
This hotfix build fixes an issue where unselected domains were getting incorrectly selected from the wizard UI if
only grandchild containers were selected.
NOTE
This version includes the new Azure AD Connect sync V2 endpoint API. This new V2 endpoint is currently in public
preview. This version or later is required to use the new V2 endpoint API. However, simply installing this version does not
enable the V2 endpoint. You will continue to use the V1 endpoint unless you enable the V2 endpoint. You need to follow
the steps under Azure AD Connect sync V2 endpoint API (public preview) in order to enable it and opt-in to the public
preview.
1.5.29.0
Release status
04/23/2020: Released for download
Fixed issues
This hotfix build fixes an issue introduced in build 1.5.20.0 where a tenant administrator with MFA was not able
to enable DSSO.
1.5.22.0
Release status
04/20/2020: Released for download
Fixed issues
This hotfix build fixes an issue in build 1.5.20.0 if you have cloned the In from AD - Group Join rule and have
not cloned the In from AD - Group Common rule.
1.5.20.0
Release status
04/09/2020: Released for download
Fixed issues
This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filtering feature enabled and use mS-
DS-ConsistencyGuid as the source anchor.
Fixed an issue in the ADSyncConfig PowerShell module, where invoking DSACLS command used in all the
Set-ADSync* Permissions cmdlets would cause one of the following errors:
GrantAclsNoInheritance : The parameter is incorrect. The command failed to complete successfully.
GrantAcls : No GUID Found for computer …
IMPORTANT
If you have cloned the In from AD - Group Join sync rule and have not cloned the In from AD - Group Common
sync rule and plan to upgrade, complete the following steps as part of the upgrade:
1. During Upgrade, uncheck the option Star t the synchronization process when configuration completes .
2. Edit the cloned join sync rule and add the following two transformations:
Set direct flow objectGUID to sourceAnchorBinary .
Set expression flow ConvertToBase64([objectGUID]) to sourceAnchor .
3. Enable the scheduler using Set-ADSyncScheduler -SyncCycleEnabled $true .
1.5.18.0
Release status
04/02/2020: Released for download
Functional changes ADSyncAutoUpgrade
Added support for the mS-DS-ConsistencyGuid feature for group objects. This allows you to move groups
between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed, e.g. when
an AD server is rebuilt after a calamity. For more information see Moving groups between forests.
The mS-DS-ConsistencyGuid attribute is automatically set on all synced groups and you do not have to do
anything to enable this feature.
Removed the Get-ADSyncRunProfile because it is no longer in use.
Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the
AD DS connector account to provide more context.
Added a new cmdlet to remove objects from the connector space the old CSDelete.exe tool is removed, and it
is replaced with the new Remove-ADSyncCSObject cmdlet. The Remove-ADSyncCSObject cmdlet takes a
CsObject as input. This object can be retrieved by using the Get-ADSyncCSObject cmdlet.
NOTE
The old CSDelete.exe tool has been removed and replaced with the new Remove-ADSyncCSObject cmdlet
Fixed issues
Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after
disabling the feature.
Introduced a new error page that will be displayed if the required DCOM registry values are missing with a
new help link. Information is also written to log files.
Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling
Directory Extensions or PHS may fail because the account has not propagated across all service replicas
before attempted use.
Fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly.
Fixed a bug in the auto upgrade which left the server in the scheduler suspended state.
1.4.38.0
Release status
12/9/2019: Release for download. Not available through auto-upgrade.
New features and improvements
We updated Password Hash Sync for Azure AD Domain Services to properly account for padding in Kerberos
hashes. This will provide a performance improvement during password synchronization from Azue AD to
Azure AD Domain Services.
We added support for reliable sessions between the authentication agent and service bus.
This release enforces TLS 1.2 for communication between authentication agent and cloud services.
We added a DNS cache for websocket connections between authentication agent and cloud services.
We added the ability to target specific agent from cloud to test for agent connectivity.
Fixed issues
Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the login windows credentials
instead of the admin credentials provided while running ps. As a result of which it was not possible to enable
DSSO in multiple forest through the Azure AD Connect user interface.
A fix was made to enable DSSO simultaneously in all forest through the Azure AD Connect user interface
1.4.32.0
Release status
11/08/2019: Released for download. Not available through auto-upgrade.
IMPORTANT
Due to an internal schema change in this release of Azure AD Connect, if you manage AD FS trust relationship
configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version
1.1.183.57 or higher
Fixed issues
This version fixes an issue with existing Hybrid Azure AD joined devices. This release contains a new device sync
rule that corrects this issue. Note that this rule change may cause deletion of obsolete devices from Azure AD.
This is not a cause for concern, as these device objects are not used by Azure AD during Conditional Access
authorization. For some customers, the number of devices that will be deleted through this rule change can
exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion
Threshold, it is advised to allow the deletions to go through. How to allow deletes to flow when they exceed the
deletion threshold
1.4.25.0
Release status
9/28/2019: Released for auto-upgrade to select tenants. Not available for download.
This version fixes a bug where some servers that were auto-upgraded from a previous version to 1.4.18.0 and
experienced issues with Self-service password reset (SSPR) and Password Writeback.
Fixed issues
Under certain circumstances, servers that were auto upgraded to version 1.4.18.0 did not re-enable Self-service
password reset and Password Writeback after the upgrade was completed. This auto upgrade release fixes that
issue and re-enables Self-service password reset and Password Writeback.
We fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly.
1.4.18.0
WARNING
We are investigating an incident where some customers are experiencing an issue with existing Hybrid Azure AD joined
devices after upgrading to this version of Azure AD Connect. We advise customers who have deployed Hybrid Azure AD
join to postpone upgrading to this version until the root cause of these issues are fully understood and mitigated. More
information will be provided as soon as possible.
IMPORTANT
With this version of Azure AD Connect some customers may see some or all of their Windows devices disappear from
Azure AD. This is not a cause for concern, as these device identities are not used by Azure AD during Conditional Access
authorization. For more information see Understanding Azure AD Connect 1.4.xx.x device disappearnce
Release status
9/25/2019: Released for auto-upgrade only.
New features and improvements
New troubleshooting tooling helps troubleshoot "user not syncing", "group not syncing" or "group member
not syncing" scenarios.
Add support for national clouds in Azure AD Connect troubleshooting script
Customers should be informed that the deprecated WMI endpoints for MIIS_Service have now been
removed. Any WMI operations should now be done via PS cmdlets.
Security improvement by resetting constrained delegation on AZUREADSSOACC object
When adding/editing a sync rule, if there are any attributes used in the rule that are in the connector schema
but not added to the connector, the attributes automatically added to the connector. The same is true for the
object type the rule affects. If anything is added to the connector, the connector will be marked for full import
on the next sync cycle.
Using an Enterprise or Domain admin as the connector account is no longer supported in new Azure AD
Connect Deployments. Current Azure AD Connect deployments using an Enterprise or Domain admin as the
connector account will not be affected by this release.
In the Synchronization Manager a full sync is run on rule creation/edit/deletion. A popup will appear on any
rule change notifying the user if full import or full sync is going to be run.
Added mitigation steps for password errors to 'connectors > properties > connectivity' page
Added a deprecation warning for the sync service manager on the connector properties page. This warning
notifies the user that changes should be made through the Azure AD Connect wizard.
Added new error for issues with a user's password policy.
Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when
the domain/OU of the entered group is already filtered out and keep the user from moving forward until the
issue is resolved.
Users can no longer create a connector for Active Directory Domain Services or Windows Azure Active
Directory in the Synchronization Service Manager UI.
Fixed accessibility of custom UI controls in the Synchronization Service Manager.
Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the
“Update AD FS TLS/SSL certificate” task was available for all sign-ins.)
Added a warning when changing the sign-in method from federation to PHS or PTA that all Azure AD
domains and users will be converted to managed authentication.
Removed token-signing certificates from the “Reset Azure AD and AD FS trust” task and added a separate
sub-task to update these certificates.
Added a new federation management task called “Manage certificates” which has sub-tasks to update the TLS
or token-signing certificates for the AD FS farm.
Added a new federation management sub-task called “Specify primary server” which allows administrators
to specify a new primary server for the AD FS farm.
Added a new federation management task called “Manage servers” which has sub-tasks to deploy an AD FS
server, deploy a Web Application Proxy server, and specify primary server.
Added a new federation management task called “View federation configuration” that displays the current AD
FS settings. (Because of this addition, AD FS settings have been removed from the “Review your solution”
page.)
Fixed issues
Resolved sync error issue for the scenario where a user object taking over its corresponding contact object
has a self-reference (e.g. user is their own manager).
Help popups now show on keyboard focus.
For Auto upgrade, if any conflicting app is running from 6 hours, kill it and continue with upgrade.
Limit the number of attributes a customer can select to 100 per object when selecting directory extensions.
This will prevent the error from occurring during export as Azure has a maximum of 100 extension attributes
per object.
Fixed a bug to make the AD Connectivity script more robust
Fixed a bug to make Azure AD Connect install on a machine using an existing Named Pipes WCF service
more robust.
Improved diagnostics and troubleshooting around group policies that do not allow the ADSync service to
start when initially installed.
Fixed a bug where display name for a Windows computer was written incorrectly.
Fix a bug where OS type for a Windows computer was written incorrectly.
Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this
change is that non-Windows-10 computers that were previously synced will now be deleted. This does not
affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which
only works for Windows-10 devices.
Added several new (internal) cmdlets to the ADSync PowerShell module.
1.3.21.0
IMPORTANT
There is a known issue with upgrading Azure AD Connect from an earlier version to 1.3.21.0 where the O365 portal does
not reflect the updated version even though Azure AD Connect upgraded successfully.
To resolve this you need to import the AdSync module and then run the Set-ADSyncDirSyncConfiguration PowerShell
cmdlet on the Azure AD Connect server. You can use the following steps:
1. Open PowerShell in administator mode.
2. Run Import-Module "ADSync" .
3. Run Set-ADSyncDirSyncConfiguration -AnchorAttribute "" .
Release status
05/14/2019: Released for download
Fixed issues
Fixed an elevation of privilege vulnerability that exists in Microsoft Azure Active Directory Connect build
1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two PowerShell cmdlets
in the context of a privileged account, and perform privileged actions. This security update addresses the issue
by disabling these cmdlets. For more information see security update.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect Health: Version Release History
9/7/2020 • 6 minutes to read • Edit Online
The Azure Active Directory team regularly updates Azure AD Connect Health with new features and functionality.
This article lists the versions and features that have been released.
NOTE
Connect Health agents are updated automatically when new version is released. Please ensure the auto-upgrade settings is
enabled from Azure portal.
Azure AD Connect Health for Sync is integrated with Azure AD Connect installation. Read more about Azure AD
Connect release history For feature feedback, vote at Connect Health User Voice channel
April 2020
Agent Update
Azure AD Connect Health agent for AD FS (version 3.1.77.0)
1. Bug fix for “Invalid Service Principal Name (SPN) for AD FS service” alert, for which the alert was
reporting incorrectly.
July 2019
Agent Update
Azure AD Connect Health agent for AD FS (version 3.1.59.0)
1. Text change in TestWindowsTransport
2. Changes for AD FS RP upload
Azure AD Connect Health agent for AD FS (version 3.1.56.0)
1. Add TestWindowsTransport test and remove WsTrust endpoints checks in CheckOffice365Endpoints test
2. Log OS and .NET information
3. Increase RP configuration message upload size to 1MB.
4. Bug fixes
Azure AD Connect Health agent for AD DS (version 3.1.56.0)
1. Log OS and .NET information
2. Bug fixes
May 2019
Agent Update:
Azure AD Connect Health agent for AD FS (version 3.1.51.0)
1. Bug fix to distinguish between multiple sign ins that share the same client-request-id.
2. Bug fix to parse bad username/password errors on language localized servers.
April 2019
Agent Update:
Azure AD Connect Health agent for AD FS (version 3.1.46.0)
1. Fix Check Duplicate SPN alert process for ADFS
March 2019
Agent Update:
Azure AD Connect Health agent for AD DS (version 3.1.41.0)
1. .NET version collection
2. Improvement of performance counter collection when missing certain categories
3. Bug fix on preventing spawning of multiple Monitoring Agent instances
Azure AD Connect Health agent for AD FS (version 3.1.41.0)
1. Integrate and upgrade of AD FS test scripts using ADFSToolBox
2. Implement .NET version collection
3. Improvement of performance counter collection when missing certain categories
4. Bug fix on preventing spawning of multiple Monitoring Agent instances
November 2018
New GA features:
Azure AD Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal
Agent Update:
Azure AD Connect Health agent for AD DS (version 3.1.24.0)
1. Transport Layer Security (TLS) protocol version 1.2 compliance and enforcement
2. Reduce Global Catalog alert noise
3. Health agent registration bug fixes
Azure AD Connect Health agent for AD FS (version 3.1.24.0)
1. Transport Layer Security (TLS) protocol version 1.2 compliance and enforcement
2. Support of Test-ADFSRequestToken for localized operating system
3. Solved diagnostic agent EventHandler locking issue
4. Health agent registration bug fixes
August 2018
Azure AD Connect Health agent for Sync (version 3.1.7.0) released with Azure AD Connect version 1.1.880.0
1. Hotfix for high CPU issue of monitoring agent with .NET Framework KB releases
June 2018
New preview features:
Azure AD Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal
Agent Update:
Azure AD Connect Health agent for AD DS (version 3.1.7.0)
1. Hotfix for high CPU issue of monitoring agent with .NET Framework KB releases
Azure AD Connect Health agent for AD FS (version 3.1.7.0)
1. Hotfix for high CPU issue of monitoring agent with .NET Framework KB releases
2. Test results fixes on ADFS Server 2016 secondary server
Azure AD Connect Health agent for AD FS (version 3.1.2.0)
1. Hotfix for agent memory management and related alerts specifically for version 3.0.244.0
May 2018
Agent Update:
Azure AD Connect Health agent for AD DS (version 3.0.244.0)
1. Agent privacy improvement
2. Bug fixes and general improvements
Azure AD Connect Health agent for AD FS (version 3.0.244.0)
1. Agent Diagnostics Service and related PowerShell module improvements
2. Agent privacy improvement
3. Bug fixes and general improvements
Azure AD Connect Health agent for Sync (version 3.0.164.0) released with Azure AD Connect version
1.1.819.0
1. Agent privacy improvement
2. Bug fixes and general improvements
March 2018
New preview features:
Azure AD Connect Health for AD FS - Risky IP report and alert.
Agent Update:
Azure AD Connect Health agent for AD DS (version 3.0.176.0)
1. Agent availability improvements
2. Bug fixes and general improvements
Azure AD Connect Health agent for AD FS (version 3.0.176.0)
1. Agent availability improvements
2. Bug fixes and general improvements
Azure AD Connect Health agent for Sync (version 3.0.129.0) released with Azure AD Connect version 1.1.750.0
1. Agent availability improvements
2. Bug fixes and general improvements
December 2017
Agent Update:
Azure AD Connect Health agent for AD DS (version 3.0.145.0)
1. Agent availability improvements
2. Added new agent troubleshooting commands
3. Bug fixes and general improvements
Azure AD Connect Health agent for AD FS (version 3.0.145.0)
1. Added new agent troubleshooting commands
2. Agent availability improvements
3. Bug fixes and general improvements
October 2017
Agent Update:
Azure AD Connect Health agent for Sync (version 3.0.129.0) released with Azure AD Connect version 1.1.649.0
Fixed a version compatibility issue between Azure AD Connect and Azure AD Connect Health Agent for Sync.
This issue affects customers who are performing Azure AD Connect in-place upgrade to version 1.1.647.0, but
currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health
data about Azure AD Connect Synchronization Service to Azure AD Health Service. With this fix, Health Agent
version 3.0.129.0 is installed during Azure AD Connect in-place upgrade. Health Agent version 3.0.129.0 does
not have compatibility issue with Azure AD Connect version 1.1.649.0.
July 2017
Agent Update:
Azure AD Connect Health agent for AD DS (version 3.0.68.0)
1. Bug fixes and general improvements
2. Sovereign cloud support
Azure AD Connect Health agent for AD FS (version 3.0.68.0)
1. Bug fixes and general improvements
2. Sovereign cloud support
Azure AD Connect Health agent for Sync (version 3.0.68.0) released with Azure AD Connect version 1.1.614.0
1. Support for Microsoft Azure Government Cloud and Microsoft Cloud Germany
April 2017
Agent Update:
Azure AD Connect Health agent for AD FS (version 3.0.12.0)
1. Bug fixes and general improvements
Azure AD Connect Health agent for AD DS (version 3.0.12.0)
1. Performance counters upload improvements
2. Bug fixes and general improvements
October 2016
Agent Update:
Azure AD Connect Health agent for AD FS (version 2.6.408.0)
Improvements in detecting client IP addresses in authentication requests
Bug Fixes related to Alerts
Azure AD Connect Health agent for AD DS (version 2.6.408.0)
Bug fixes related to Alerts.
Azure AD Connect Health agent for Sync (version 2.6.353.0) released with Azure AD Connect version 1.1.281.0
Provide the required data for the Synchronization Error Reports
Bug fixes related to Alerts
New preview features:
Synchronization Error Reports for Azure AD Connect
New features:
Azure AD Connect Health for AD FS - IP address field is available in the report about top 50 users with bad
username/password.
July 2016
New preview features:
Azure AD Connect Health for AD DS.
January 2016
Agent Update:
Azure AD Connect Health agent for AD FS (version 2.6.91.1512)
New features:
Test Connectivity Tool for Azure AD Connect Health Agents
November 2015
New features:
Support for Azure role-based access control (Azure RBAC)
New preview features:
Azure AD Connect Health for sync.
Fixed issues:
Bug fixes for errors seen during agent registrations.
September 2015
New features:
Wrong Username password report for AD FS
Support to configure Unauthenticated HTTP Proxy
Support to configure agent on Server core
Improvements to Alerts for AD FS
Improvements in Azure AD Connect Health Agent for AD FS for connectivity and data upload.
Fixed issues:
Bug fixes in Usage Insights for AD FS Error types.
June 2015
Initial release of Azure AD Connect Health for AD FS and AD FS Proxy.
New features:
Alerts for monitoring AD FS and AD FS Proxy servers with email notifications.
Easy access to AD FS topology and patterns in AD FS Performance Counters.
Trend in successful token requests on AD FS servers grouped by Applications, Authentication Methods,
Request Network Location etc.
Trends in failed request on AD FS servers grouped by Applications, Error Types etc.
Simpler Agent Deployment using Azure AD Global Admin credentials.
Next steps
Learn more about Monitor your on-premises identity infrastructure and synchronization services in the cloud.
Azure AD Pass-through Authentication agent: Version
release history
9/7/2020 • 2 minutes to read • Edit Online
The agents installed on-premises that enable Pass-through Authentication are updated regularly to provide new
capabilities. This article lists the versions and features that are added when new functionality is introduced. Pass-
through authentication agents are updated automatically when a new version is released.
Here are related topics:
User sign-in with Azure AD Pass-through Authentication
Azure AD Pass-through Authentication agent installation
1.5.1742.0
Release Status:
04/09/2020: Released for download
New features and improvements
Added support for targeting cloud environments upon installation. The bundle can be pinned to a given cloud
environment.
1.5.1007.0
Release status
1/22/2019: Released for download
New features and improvements
Added support for Service Bus reliable channels to add another layer of connection resiliency for outbound
connections
Enforce TLS 1.2 during agent registration
1.5.643.0
Release status
4/10/2018: Released for download
New features and improvements
Web socket connection support
Set TLS 1.2 as the default protocol for the agent
1.5.405.0
Release status
1/31/2018: Released for download
Fixed issues
Fixed a bug that caused some memory leaks in the agent.
Updated the Azure Service Bus version, which includes a bug fix for connector timeout issues.
1.5.405.0
Release status
11/26/2017: Released for download
New features and improvements
Added support for websocket based connections between the agent and Azure AD services to improve
connection resiliency
1.5.402.0
Release status
11/25/2017: Released for download
Fixed issues
Fixed bugs related to the DNS cache for default proxy scenarios
1.5.389.0
Release status
10/17/2017: Released for download
New features and improvements
Added DNS cache functionality for outbound connections to add resiliency from DNS failures
1.5.261.0
Release status
08/31/2017: Released for download
New features and improvements
GA version of the Azure AD Pass-through authentication agent
Next steps
User sign-in with Azure Active Directory Pass-through Authentication
Azure AD Connect: Accounts and permissions
9/7/2020 • 14 minutes to read • Edit Online
Azure AD Connect uses 3 accounts in order to synchronize information from on-premises or Windows Server
Active Directory to Azure Active Directory. These accounts are:
AD DS Connector account : used to read/write information to Windows Server Active Directory
ADSync ser vice account : used to run the synchronization service and access the SQL database
Azure AD Connector account : used to write information to Azure AD
In addition to these three accounts used to run Azure AD Connect, you will also need the following additional
accounts to install Azure AD Connect. These are:
Local Administrator account : The administrator who is installing Azure AD Connect and who has local
Administrator permissions on the machine.
AD DS Enterprise Administrator account : Optionally used to create the “AD DS Connector account”
above.
Azure AD Global Administrator account : used to create the Azure AD Connector account and
configure Azure AD.
SQL SA account (optional) : used to create the ADSync database when using the full version of SQL
Server. This SQL Server may be local or remote to the Azure AD Connect installation. This account may be
the same account as the Enterprise Administrator. Provisioning the database can now be performed out of
band by the SQL administrator and then installed by the Azure AD Connect administrator with database
owner rights. For information on this see Install Azure AD Connect using SQL delegated administrator
permissions
IMPORTANT
As of build 1.4.###.# it is no longer supported to use an enterprise admin or a domain admin account as the AD DS
Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying use
existing account , you will receive an error.
NOTE
It is supported to manage the administrative accounts used in Azure AD Connect from an ESAE Administrative Forest (also
know as "Red forest"). Dedicated administrative forests allow organizations to host administrative accounts, workstations,
and groups in an environment that has stronger security controls than the production environment. To learn more about
dedicated administrative forests please refer to ESAE Administrative Forest Design Approach.
NOTE
The Global Administrator role is not required after the initial setup and the only required account will be the Director y
Synchronization Accounts role account. That does not necessarily mean that you will want to just remove the account
with the Global Administrator role. It is better to change the role to a less powerful role, as totally removing the account
may introduce issues if you ever need to re-run the wizard again. By reducing the privilege of the role you can always re-
elevate the privileges if you have to utilize the Azure AD Connect wizard again.
The following is a summary of the express installation wizard pages, the credentials collected, and what they are
used for.
N/A User running the installation Administrator of the local Creates the ADSync
wizard server service account that is used
as to run the
synchronization service.
W IZ A RD PA GE C REDEN T IA L S C O L L EC T ED P ERM ISSIO N S REQ UIRED USED F O R
Connect to Azure AD Azure AD directory Global administrator role in Enabling sync in the
credentials Azure AD Azure AD directory.
Creation of the Azure AD
Connector account that is
used for on-going sync
operations in Azure AD.
N/A User running the installation Administrator of the local By default, creates the local
wizard server account that is used as the
If using a full SQL Server, sync engine service account.
the user must be System The account is only created
Administrator (SA) in SQL when the admin does not
specify a particular account.
Install synchronization AD or local user account User, permissions are If the admin specifies an
services, Service account credentials granted by the installation account, this account is used
option wizard as the service account for
the sync service.
Connect to Azure AD Azure AD directory Global administrator role in Enabling sync in the
credentials Azure AD Azure AD directory.
Creation of the Azure AD
Connector account that is
used for on-going sync
operations in Azure AD.
Connect your directories On-premises Active The permissions depend on This account is used to read
Directory credentials for which features you enable and write directory
each forest that is and can be found in Create information during
connected to Azure AD the AD DS Connector synchronization.
account
AD FS Servers For each server in the list, Domain Administrator Installation and
the wizard collects configuration of the AD FS
credentials when the sign-in server role.
credentials of the user
running the wizard are
insufficient to connect
Web application proxy For each server in the list, Local admin on the target Installation and
servers the wizard collects machine configuration of WAP server
credentials when the sign-in role.
credentials of the user
running the wizard are
insufficient to connect
Proxy trust credentials Federation service trust Domain account that is a Initial enrollment of FS-WAP
credentials (the credentials local administrator of the trust certificate.
the proxy uses to enroll for AD FS server
a trust certificate from the
FS
AD FS Service Account AD user account credentials Domain user The Azure AD user account
page, "Use a domain user whose credentials are
account option" provided is used as the
sign-in account of the AD FS
service.
The account you specify on the Connect your directories page must be present in Active Directory prior to
installation. Azure AD Connect version 1.1.524.0 and later has the option to let the Azure AD Connect wizard
create the AD DS Connector account used to connect to Active Directory.
It must also have the required permissions granted. The installation wizard does not verify the permissions and
any issues are only found during synchronization.
Which permissions you require depends on the optional features you enable. If you have multiple domains, the
permissions must be granted for all domains in the forest. If you do not enable any of these features, the default
Domain User permissions are sufficient.
Exchange Mail Public Folder Read permissions to the attributes documented in Exchange
Mail Public Folder for public folders.
Group writeback Allows you to writeback Office 365 Groups to a forest with
Exchange installed.
Upgrade
When you upgrade from one version of Azure AD Connect to a new release, you need the following permissions:
IMPORTANT
Starting with build 1.1.484, Azure AD Connect introduced a regression bug which requires sysadmin permissions to
upgrade the SQL database. This bug is corrected in build 1.1.647. If you are upgrading to this build, you will need sysadmin
permissions. Dbo permissions are not sufficient. If you attempt to upgrade Azure AD Connect without having sysadmin
permissions, the upgrade will fail and Azure AD Connect will no longer function correctly afterwards. Microsoft is aware of
this and is working to correct this.
P RIN C IPA L P ERM ISSIO N S REQ UIRED USED F O R
User running the installation wizard Administrator of the local server Update binaries.
User running the installation wizard Member of ADSyncAdmins Make changes to Sync Rules and other
configuration.
User running the installation wizard If you use a full SQL server: DBO (or Make database level changes, such as
similar) of the sync engine database updating tables with new columns.
If you use custom settings, then you are responsible for creating the account before you start the installation. See
Create the AD DS Connector account.
ADSync service account
The sync service can run under different accounts. It can run under a Vir tual Ser vice Account (VSA), a Group
Managed Ser vice Account (gMSA/sMSA), or a regular user account. The supported options were changed with
the 2017 April release of Connect when you do a fresh installation. If you upgrade from an earlier release of
Azure AD Connect, these additional options are not available.
Virtual Service Account Express and custom, 2017 April and This is the option used for all express
later installations, except for installations on
a Domain Controller. For custom, it is
the default option unless another
option is used.
Group Managed Service Account Custom, 2017 April and later If you use a remote SQL server, then
we recommend to use a group
managed service account.
User account Express and custom, 2017 April and A user account prefixed with AAD_ is
later only created during installation when
installed on Windows Server 2008 and
when installed on a Domain Controller.
User account Express and custom, 2017 March and A local account prefixed with AAD_ is
earlier created during installation. When using
custom installation, another account
can be specified.
If you use Connect with a build from 2017 March or earlier, then you should not reset the password on the
service account since Windows destroys the encryption keys for security reasons. You cannot change the account
to any other account without reinstalling Azure AD Connect. If you upgrade to a build from 2017 April or later,
then it is supported to change the password on the service account but you cannot change the account used.
IMPORTANT
You can only set the service account on first installation. It is not supported to change the service account after the
installation has completed.
This is a table of the default, recommended, and supported options for the sync service account.
Legend:
Bold indicates the default option and in most cases the recommended option.
Italic indicates the recommended option when it is not the default option.
2008 - Default option when installed on Windows Server 2008
Non-bold - Supported option
Local account - Local user account on the server
Domain account - Domain user account
sMSA - standalone Managed Service account
gMSA - group Managed Service account
LO C A L DB LO C A L DB / LO C A L SQ L REM OT E SQ L
EXP RESS C USTO M C USTO M
The VSA is intended to be used with scenarios where the sync engine and SQL are on the same server. If you use
remote SQL, then we recommend to use a Group Managed Service Account instead.
This feature requires Windows Server 2008 R2 or later. If you install Azure AD Connect on Windows Server 2008,
then the installation falls back to using a user account instead.
Group managed service account
If you use a remote SQL server, then we recommend to using a group managed ser vice account . For more
information on how to prepare your Active Directory for Group Managed Service account, see Group Managed
Service Accounts Overview.
To use this option, on the Install required components page, select Use an existing ser vice account , and select
Managed Ser vice Account .
It is also supported to use a standalone managed service account. However, these can only be used on the local
machine and there is no benefit to use them over the default virtual service account.
This feature requires Windows Server 2012 or later. If you need to use an older operating system and use remote
SQL, then you must use a user account.
User account
A local service account is created by the installation wizard (unless you specify the account to use in custom
settings). The account is prefixed AAD_ and used for the actual sync service to run as. If you install Azure AD
Connect on a Domain Controller, the account is created in the domain. The AAD_ service account must be located
in the domain if:
you use a remote server running SQL server
you use a proxy that requires authentication
The account is created with a long complex password that does not expire.
This account is used to store the passwords for the other accounts in a secure way. These other accounts
passwords are stored encrypted in the database. The private keys for the encryption keys are protected with the
cryptographic services secret-key encryption using Windows Data Protection API (DPAPI).
If you use a full SQL Server, then the service account is the DBO of the created database for the sync engine. The
service will not function as intended with any other permissions. A SQL login is also created.
The account is also granted permissions to files, registry keys, and other objects related to the Sync Engine.
Azure AD Connector account
An account in Azure AD is created for the sync service's use. This account can be identified by its display name.
The name of the server the account is used on can be identified in the second part of the user name. In the
picture, the server name is DC1. If you have staging servers, each server has its own account.
The account is created with a long complex password that does not expire. It is granted a special role Director y
Synchronization Accounts that has only permissions to perform directory synchronization tasks. This special
built-in role cannot be granted outside of the Azure AD Connect wizard. The Azure portal shows this account with
the role User .
There is a limit of 20 sync service accounts in Azure AD. To get the list of existing Azure AD service accounts in
your Azure AD, run the following Azure AD PowerShell cmdlet:
Get-AzureADDirectoryRole | where {$_.DisplayName -eq "Directory Synchronization Accounts"} | Get-
AzureADDirectoryRoleMember
To remove unused Azure AD service accounts, run the following Azure AD PowerShell cmdlet:
Remove-AzureADUser -ObjectId <ObjectId-of-the-account-you-wish-to-remove>
NOTE
Before you can use the above PowerShell commands you will need to install the Azure Active Directory PowerShell for
Graph module and connect to your instance of Azure AD using Connect-AzureAD
For additional information on how to manage or reset the password for the Azure AD Connector account see
Manage the Azure AD Connect account
Related documentation
If you did not read the documentation on Integrating your on-premises identities with Azure Active Directory, the
following table provides links to related topics.
TO P IC L IN K
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure Active Directory Connect FAQ
9/7/2020 • 17 minutes to read • Edit Online
General installation
Q: How can I harden my Azure AD Connect ser ver to decrease the security attack surface?
Microsoft recommends hardening your Azure AD Connect server to decrease the security attack surface for this
critical component of your IT environment. Following the recommendations below will decrease the security risks
to your organization.
Deploy Azure AD Connect on a domain joined server and restrict administrative access to domain
administrators or other tightly controlled security groups
To learn more, see:
Securing administrators groups
Securing built-in administrator accounts
Security improvement and sustainment by reducing attack surfaces
Reducing the Active Directory attack surface
Q: Will installation work if the Azure Active Director y (Azure AD) Global Admin has two-factor
authentication (2FA) enabled?
As of the February 2016 builds, this scenario is supported.
Q: Is there a way to install Azure AD Connect unattended?
Azure AD Connect installation is supported only when you use the installation wizard. An unattended, silent
installation is not supported.
Q: I have a forest where one domain cannot be contacted. How do I install Azure AD Connect?
As of the February 2016 builds, this scenario is supported.
Q: Does the Azure Active Director y Domain Ser vices (Azure AD DS) health agent work on ser ver
core?
Yes. After you install the agent, you can complete the registration process by using the following PowerShell cmdlet:
Register-AzureADConnectHealthADDSAgent -Credentials $cred
Q: Does Azure AD Connect suppor t syncing from two domains to an Azure AD?
Yes, this scenario is supported. Refer to Multiple Domains.
Q: Can you have multiple connectors for the same Active Director y domain in Azure AD Connect?
No, multiple connectors for the same AD domain are not supported.
Q: Can I move the Azure AD Connect database from the local database to a remote SQL Ser ver
instance?
Yes, the following steps provide general guidance on how to do this. We are currently working on a more detailed
document.
1. Back up the LocalDB ADSync database. The simplest way to do this is to use SQL Server Management Studio
installed on the same machine as Azure AD Connect. Connect to (LocalDb).\ADSync, and then back up the
ADSync database.
2. Restore the ADSync database to your remote SQL Server instance.
3. Install Azure AD Connect against the existing remote SQL database. The article demonstrates how to migrate
to using a local SQL database. If you are migrating to using a remote SQL database, in step 5 of the process
you must also enter an existing service account that the Windows Sync service will run as. This sync engine
service account is described here:
Use an existing ser vice account : By default, Azure AD Connect uses a virtual service account for the
synchronization services to use. If you use a remote SQL Server instance or use a proxy that requires
authentication, use a managed service account or a service account in the domain, and know the password.
In those cases, enter the account to use. Make sure that users who are running the installation are system
administrators in SQL so that login credentials for the service account can be created. For more information,
see Azure AD Connect accounts and permissions.
With the latest build, provisioning the database can now be performed out of band by the SQL administrator
and then installed by the Azure AD Connect administrator with database owner rights. For more information,
see Install Azure AD Connect by using SQL delegated administrator permissions.
To keep things simple, we recommend that users who install Azure AD Connect be system administrators in SQL.
However, with recent builds you can now use delegated SQL administrators, as described in Install Azure AD
Connect using SQL delegated administrator permissions.
Q: What are some of the best practices from the field?
The following is an informational document that presents some of the best practices that engineering, support and
our consultants have developed over the years. This is presented in a bullet list that can be quickly referenced.
Although this list attempts to be comprehensive, there may be additional best practices that might not have made it
on the list yet.
If using Full SQL then it should remain local vs. remote
Fewer hops
Easier to troubleshoot
Less complexity
Need to designate resources to SQL and allow overhead for Azure AD Connect and OS
Bypass Proxy if at all possible, if you are unable to bypass the proxy then you need to ensure that the timeout
value is greater than 5 minutes.
If proxy is required then you must add the proxy to the machine.config file
Be aware of local SQL jobs and maintenance and how they will impact Azure AD Connect - particularly re-
indexing
Ensure than DNS can resolve externally
Ensure that server specifications are per recommendation whether you are using physical or virtual servers
Ensure that if you are using a virtual server that resources required are dedicated
Ensure that you have the disk and disk configuration meet Best Practices for SQL Server
Install and configure Azure AD Connect Health for monitoring
Use the Delete Threshold that is built into Azure AD Connect.
Carefully review release updates to be prepared for all changes and new attributes that may be added
Backup everything
Backup Keys
Backup Synchronization Rules
Backup Server Configuration
Backup SQL Database
Ensure that there are no 3rd party backup agents that are backing up SQL without the SQL VSS Writer
(common in virtual servers with 3rd party snapshots)
Limit the amount of custom synchronization rules that are used as they add complexity
Treat Azure AD Connect Servers as Tier 0 Servers
Be leery of modifying cloud synchronization rules without great understanding of the impact and the right
business drivers
Make sure that the correct URL's and Firewall ports are open for support of Azure AD Connect and Azure AD
Connect Health
Leverage the cloud filtered attribute to troubleshoot and prevent phantom objects
With the Staging Server ensure that you are using the Azure AD Connect Configuration Documenter for
consistency between servers
Staging Servers should be in separate datacenters (Physical Locations
Staging servers are not meant to be a High Availability solution, but you can have multiple staging servers
Introducing a "Lag" Staging Servers could mitigate some potential downtime in case of error
Test and Validate all upgrades on the Staging Server first
Always validate exports before switching over to the staging server. Leverage the staging server for Full Imports
and Full Synchronizations to reduce business impact
Keep version consistency between Azure AD Connect Servers as much as possible
Q: Can I allow Azure AD Connect to create the Azure AD Connector account on Workgroup machine?
No. In order to allow Azure AD Connect to auto-create the Azure AD Connector account, the machine must be
domain-joined.
Network
Q: I have a firewall, network device, or something else that limits the time that connections can stay
open on my network . What should my client-side timeout threshold be when I use Azure AD
Connect?
All networking software, physical devices, or anything else that limits the maximum time that connections can
remain open should use a threshold of at least five minutes (300 seconds) for connectivity between the server
where the Azure AD Connect client is installed and Azure Active Directory. This recommendation also applies to all
previously released Microsoft Identity synchronization tools.
Q: Are single label domains (SLDs) suppor ted?
While we strongly recommend against this network configuration (see article), using Azure AD Connect sync with a
single label domain is supported, as long as the network configuration for the single level domain is functioning
correctly.
Q: Are Forests with disjoint AD domains suppor ted?
No, Azure AD Connect does not support on-premises forests that contain disjoint namespaces.
Q: Are "dotted" NetBIOS names suppor ted?
No, Azure AD Connect does not support on-premises forests or domains where the NetBIOS name contains a dot
(.).
Q: Is pure IPv6 environment suppor ted?
No, Azure AD Connect does not support a pure IPv6 environment.
Q:I have a multi-forest environment and the network between the two forests is using NAT (Network
Address Translation). Is using Azure AD Connect between these two forests suppor ted?
No, using Azure AD Connect over NAT is not supported.
Federation
Q: What do I do if I receive an email that asks me to renew my Office 365 cer tificate?
For guidance about renewing the certificate, see renew certificates.
Q: I have "Automatically update relying par ty" set for the Office 365 relying par ty. Do I have to take
any action when my token signing cer tificate automatically rolls over?
Use the guidance that's outlined in the article renew certificates.
Environment
Q: Is it suppor ted to rename the ser ver after Azure AD Connect has been installed?
No. Changing the server name renders the sync engine unable to connect to the SQL database instance, and the
service cannot start.
Q: Are Next Generation Cr yptographic (NGC) sync rules suppor ted on a FIPS-enabled machine?
No. They are not supported.
Q. If I disabled a synced device (for example: HAADJ) in the Azure por tal, why it is re-enabled?
Synced devices might be authored or mastered on premises. If a synced device is enabled on premises, it might be
re-enabled in the Azure portal even if was previously disabled by an administrator. To disable a synced device, use
the on-premises Active Directory to disable the computer account.
Q. If I block user sign-in at the Office 365 or Azure AD por tal for synced users, why it is unblocked
upon signing in again?
Synced users might be authored or mastered on premises. If the account is enabled on premises, it can unblock the
sign-in block placed by administrator.
Identity data
Q: Why doesn't the userPrincipalName (UPN) attribute in Azure AD match the on-premises UPN?
For information, see these articles:
Usernames in Office 365, Azure, or Intune don't match the on-premises UPN or alternate login ID
Changes aren't synced by the Azure Active Directory sync tool after you change the UPN of a user account to
use a different federated domain
You can also configure Azure AD to allow the sync engine to update the UPN, as described in Azure AD Connect
sync service features.
Q: Is it suppor ted to soft-match an on-premises Azure AD group or contact object with an existing
Azure AD group or contact object?
Yes, this soft match is based on the proxyAddress. Soft matching is not supported for groups that are not mail-
enabled.
Q: Is it suppor ted to manually set the ImmutableId attribute on an existing Azure AD group or
contact object to hard-match it to an on-premises Azure AD group or contact object?
No, manually setting the ImmutableId attribute on an existing Azure AD group or contact object to hard-match it is
currently not supported.
Custom configuration
Q: Where are the PowerShell cmdlets for Azure AD Connect documented?
With the exception of the cmdlets that are documented on this site, other PowerShell cmdlets found in Azure AD
Connect are not supported for customer use.
Q: Can I use the "Ser ver expor t/ser ver impor t" option that's found in Synchronization Ser vice
Manager to move the configuration between ser vers?
No. This option does not retrieve all configuration settings, and it should not be used. Instead, use the wizard to
create the base configuration on the second server, and use the sync rule editor to generate PowerShell scripts to
move any custom rule between servers. For more information, see Swing migration.
Q: Can passwords be cached for the Azure sign-in page, and can this caching be prevented because it
contains a password input element with the autocomplete = "false" attribute?
Currently, modifying the HTML attributes of the Password field, including the autocomplete tag, is not supported.
We are currently working on a feature that allows for custom JavaScript, which lets you add any attribute to the
Password field.
Q: The Azure sign-in page displays the usernames of users who have previously signed in
successfully. Can this behavior be turned off ?
Currently, modifying the HTML attributes of the Password input field, including the autocomplete tag, is not
supported. We are currently working on a feature that allows for custom JavaScript, which lets you add any
attribute to the Password field.
Q: Is there a way to prevent concurrent sessions?
No.
Auto upgrade
Q: What are the advantages and consequences of using auto upgrade?
We are advising all customers to enable auto upgrade for their Azure AD Connect installation. The benefit is that
you always receive the latest patches, including security updates for vulnerabilities that have been found in Azure
AD Connect. The upgrade process is painless and happens automatically as soon as a new version is available.
Many thousands of Azure AD Connect customers use auto upgrade with every new release.
The auto-upgrade process always first establishes whether an installation is eligible for auto upgrade. If it is eligible,
the upgrade is performed and tested. The process also includes looking for custom changes to rules and specific
environmental factors. If the tests show that an upgrade is unsuccessful, the previous version is automatically
restored.
Depending on the size of the environment, the process can take a couple of hours. While the upgrade is in progress,
no sync between Windows Server Active Directory and Azure AD happens.
Q: I received an email telling me that my auto upgrade no longer works and I need to install a new
version. Why do I need to do this?
Last year, we released a version of Azure AD Connect that, under certain circumstances, might have disabled the
auto-upgrade feature on your server. We have fixed the issue in Azure AD Connect version 1.1.750.0. If you have
been affected by the issue, you can mitigate it by running a PowerShell script to repair it or by manually upgrading
to the latest version of Azure AD Connect.
To run the PowerShell script, download the script and run it on your Azure AD Connect server in an administrative
PowerShell window. To learn how to run the script, view this short video.
To manually upgrade, you must download and run the latest version of the AADConnect.msi file.
If your current version is older than 1.1.750.0, download and upgrade to the latest version.
If your Azure AD Connect version is 1.1.750.0 or later, no further action is required. You’re already using the
version that contains the auto-upgrade fix.
Q: I received an email telling me to upgrade to the latest version to re-enable auto upgrade. I am
using version 1.1.654.0. Do I need to upgrade?
Yes, you need to upgrade to version 1.1.750.0 or later to re-enable auto upgrade. Download and upgrade to the
latest version.
Q: I received an email telling me to upgrade to the latest version to re-enable auto upgrade. If I have
used PowerShell to enable auto upgrade, do I still need to install the latest version?
Yes, you still need to upgrade to version 1.1.750.0 or later. Enabling the auto-upgrade service with PowerShell does
not mitigate the auto-upgrade issue found in versions before 1.1.750.0.
Q: I want to upgrade to a newer version but I’m not sure who installed Azure AD Connect, and we do
not have the username and password. Do we need this? You don’t need to know the username and
password that was initially used to upgrade Azure AD Connect. Use any Azure AD account that has the Global
Administrator role.
Q: How can I find which version of Azure AD Connect I am using?
To verify which version of Azure AD Connect is installed on your server, go to Control Panel and look up the
installed version of Microsoft Azure AD Connect by selecting Programs > Programs and Features , as shown
here:
Troubleshooting
Q: How can I get help with Azure AD Connect?
Search the Microsoft Knowledge Base (KB)
Search the KB for technical solutions to common break-fix issues about support for Azure AD Connect.
Microsoft Q&A question page for Azure Active Directory
Search for technical questions and answers or ask your own questions by going to the Azure AD community.
Get support for Azure AD
Q: Why am I seeing Events 6311 and 6401 occur after Sync Step Errors?
The events 6311 - The ser ver encountered an unexpected error while performing a callback and 6401 -
The management agent controller encountered an unexpected error - are always logged after a
synchronization step error. To resolve these errors, you need to clean up the synchronization step errors. For more
information, see Troubleshooting errors during synchronization and Troubleshoot object synchronization with
Azure AD Connect sync
Azure AD Connect Health frequently asked
questions
9/7/2020 • 9 minutes to read • Edit Online
This article includes answers to frequently asked questions (FAQs) about Azure Active Directory (Azure AD)
Connect Health. These FAQs cover questions about how to use the service, which includes the billing model,
capabilities, limitations, and support.
General questions
Q: I manage multiple Azure AD directories. How do I switch to the one that has Azure Active
Director y Premium?
To switch between different Azure AD tenants, select the currently signed-in User Name on the upper-right
corner, and then choose the appropriate account. If the account is not listed here, select Sign out , and then use
the global admin credentials of the directory that has Azure Active Directory Premium enabled to sign in.
Q: What version of identity roles are suppor ted by Azure AD Connect Health?
The following table lists the roles and supported operating system versions.
RO L E O P ERAT IN G SY ST EM / VERSIO N
To ensure the agent connectivity of Connect Health for sync, please configure the installation requirement
accordingly.
Installation questions
Q: What is the impact of installing the Azure AD Connect Health Agent on individual ser vers?
The impact of installing the Microsoft Azure AD Connect Health Agent, AD FS, web application proxy servers,
Azure AD Connect (sync) servers, domain controllers is minimal with respect to the CPU, memory consumption,
network bandwidth, and storage.
The following numbers are an approximation:
CPU consumption: ~1-5% increase.
Memory consumption: Up to 10 % of the total system memory.
NOTE
If the agent cannot communicate with Azure, the agent stores the data locally for a defined maximum limit. The agent
overwrites the “cached” data on a “least recently serviced” basis.
Local buffer storage for Azure AD Connect Health Agents: ~20 MB.
For AD FS servers, we recommend that you provision a disk space of 1,024 MB (1 GB) for the AD FS audit
channel for Azure AD Connect Health Agents to process all the audit data before it is overwritten.
Q: Will I have to reboot my ser vers during the installation of the Azure AD Connect Health Agents?
No. The installation of the agents will not require you to reboot the server. However, installation of some
prerequisite steps might require a reboot of the server.
For example, on Windows Server 2008 R2, installation of .NET 4.5 Framework requires a server reboot.
Q: Does Azure AD Connect Health work through a pass-through HTTP proxy?
Yes. For ongoing operations, you can configure the Health Agent to use an HTTP proxy to forward outbound
HTTP requests. Read more about configuring HTTP Proxy for Health Agents.
If you need to configure a proxy during agent registration, you might need to modify your Internet Explorer Proxy
settings beforehand.
1. Open Internet Explorer > Settings > Internet Options > Connections > L AN Settings .
2. Select Use a Proxy Ser ver for your L AN .
3. Select Advanced if you have different proxy ports for HTTP and HTTPS/Secure.
Q: Does Azure AD Connect Health suppor t Basic authentication when connecting to HTTP proxies?
No. A mechanism to specify an arbitrary user name and password for Basic authentication is not currently
supported.
Q: What firewall por ts do I need to open for the Azure AD Connect Health Agent to work?
See the requirements section for the list of firewall ports and other connectivity requirements.
Q: Why do I see two ser vers with the same name in the Azure AD Connect Health por tal?
When you remove an agent from a server, the server is not automatically removed from the Azure AD Connect
Health portal. If you manually remove an agent from a server or remove the server itself, you need to manually
delete the server entry from the Azure AD Connect Health portal.
You might reimage a server or create a new server with the same details (such as machine name). If you did not
remove the already registered server from the Azure AD Connect Health portal, and you installed the agent on
the new server, you might see two entries with the same name.
In this case, manually delete the entry that belongs to the older server. The data for this server should be out of
date.
Operations questions
Q: Do I need to enable auditing on the web application proxy ser vers?
No, auditing does not need to be enabled on the web application proxy servers.
Q: How do Azure AD Connect Health Aler ts get resolved?
Azure AD Connect Health alerts get resolved on a success condition. Azure AD Connect Health Agents detect and
report the success conditions to the service periodically. For a few alerts, the suppression is time-based. In other
words, if the same error condition is not observed within 72 hours from alert generation, the alert is
automatically resolved.
Q: I am getting aler ted that "Test Authentication Request (Synthetic Transaction) failed to obtain a
token." How do I troubleshoot the issue?
Azure AD Connect Health for AD FS generates this alert when the Health Agent installed on an AD FS server fails
to obtain a token as part of a synthetic transaction initiated by the Health Agent. The Health agent uses the local
system context and attempts to get a token for a self relying party. This is a catch-all test to ensure that AD FS is
in a state of issuing tokens.
Most often this test fails because the Health Agent is unable to resolve the AD FS farm name. This can happen if
the AD FS servers are behind a network load balancers and the request gets initiated from a node that's behind
the load balancer (as opposed to a regular client that is in front of the load balancer). This can be fixed by
updating the "hosts" file located under "C:\Windows\System32\drivers\etc" to include the IP address of the AD
FS server or a loopback IP address (127.0.0.1) for the AD FS farm name (such as sts.contoso.com). Adding the
host file will short-circuit the network call, thus allowing the Health Agent to get the token.
Q: I got an email indicating my machines are NOT patched for the recent ransomware attacks. Why
did I receive this email?
Azure AD Connect Health service scanned all the machines it monitors to ensure the required patches were
installed. The email was sent to the tenant administrators if at least one machine did not have the critical patches.
The following logic was used to make this determination.
1. Find all the hotfixes installed on the machine.
2. Check if at least one of the HotFixes from the defined list is present.
3. If Yes, the machine is protected. If Not, the machine is at risk for the attack.
You can use the following PowerShell script to perform this check manually. It implements the above logic.
Function CheckForMS17-010 ()
{
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213",
"KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606",
"KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548",
"KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213",
"KB4019214", "KB4019215", "KB4019216", "KB4019263", "KB4019264", "KB4019472", "KB4015221", "KB4019474",
"KB4015219", "KB4019473"
#checks the computer it's run on if any of the listed hotfixes are present
$hotfix = Get-HotFix -ComputerName $env:computername | Where-Object {$hotfixes -contains $_.HotfixID} |
Select-Object -property "HotFixID"
CheckForMS17-010
Q: Why does the PowerShell cmdlet Get-MsolDirSyncProvisioningError show less sync errors in the
result?
Get-MsolDirSyncProvisioningError will only return DirSync provisioning errors. Besides that, Connect Health
portal also shows other sync error types such as export errors. This is consistent with Azure AD Connect delta
result. Read more about Azure AD Connect Sync errors.
Q: Why are my ADFS audits not being generated?
Please use PowerShell cmdlet Get-AdfsProperties -AuditLevel to ensure audit logs is not in disabled state. Read
more about ADFS audit logs. Notice if there are advanced audit settings pushed to the ADFS server, any changes
with auditpol.exe will be overwritten (event if Application Generated is not configured). In this case, please set the
local security policy to log Application Generated failures and success.
Q: When will the agent cer tificate be automatic renewed before expiration? The agent certification will
be automatic renewed 6 months before its expiration date. If it is not renewed, please ensure the network
connection of the agent is stable. Restart the agent services or update to the latest version may also solve the
issue.
Related links
Azure AD Connect Health
Azure AD Connect Health Agent installation
Azure AD Connect Health operations
Using Azure AD Connect Health with AD FS
Using Azure AD Connect Health for sync
Using Azure AD Connect Health with AD DS
Azure AD Connect Health version history
Hybrid identity considerations for the Azure
Government cloud
9/7/2020 • 2 minutes to read • Edit Online
This article describes considerations for integrating a hybrid environment with the Microsoft Azure Government
cloud. This information is provided as a reference for administrators and architects who work with the Azure
Government cloud.
NOTE
To integrate an on-premises Microsoft Azure Active Directory (Azure AD) environment with the Azure Government cloud,
you need to upgrade to the latest release of Azure AD Connect.
For a full list of United States government Department of Defense endpoints, refer to the documentation.
NOTE
The following guidance also applies to installing the Azure AD Application Proxy connector for Azure Government
environments.
*.msappproxy.us The agent uses these URLs to communicate with the Azure
*.servicebus.usgovcloudapi.net AD cloud service.
login.windows.us The agent uses these URLs during the registration process.
secure.aadcdn.microsoftonline-p.com
*.microsoftonline.us
*.microsoftonline-p.us
*.msauth.net
*.msauthimages.net
*.msecnd.net
*.msftauth.net
*.msftauthimages.net
*.phonefactor.net
enterpriseregistration.windows.net
management.azure.com
policykeyservice.dc.ad.msft.net
ctldl.windowsupdate.us:80
AADConnectAuthAgentSetup.exe ENVIRONMENTNAME="AzureUSGovernment"
AADApplicationProxyConnectorInstaller.exe ENVIRONMENTNAME="AzureUSGovernment"
Single sign-on
Set up your Azure AD Connect server
If you usePass-through Authenticationas your sign-on method, no additional prerequisite check is required. If you
usepassword hash synchronizationas your sign-on method and there is a firewall between Azure AD Connect and
Azure AD, ensure that:
You use Azure AD Connect version 1.1.644.0 or later.
If your firewall or proxy allows DNS blocked or safe programs, add the connections to
the*.msappproxy.usURLs over port 443.
If not, allow access to theAzure datacenter IP ranges, which are updated weekly. This prerequisite applies
only when you enable the feature. It isn't required for actual user sign-ons.
Roll out Seamless Single Sign-On
You can gradually roll out Azure AD Seamless Single Sign-On to your users by using the following instructions.
You start by adding the Azure AD URL https://autologon.microsoft.us to all or selected users' Intranet zone
settings by using Group Policy in Active Directory.
You also need to enable the intranet zone policy setting Allow updates to status bar via script through
Group Policy .
Browser considerations
Mozilla Firefox (all platforms)
Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL
to their Firefox settings by following these steps:
1. Run Firefox and enterabout:config in the address bar. Dismiss any notifications that you might see.
2. Search for thenetwork .negotiate-auth.trusted-uris preference. This preference lists the sites trusted by
Firefox for Kerberos authentication.
3. Right-click the preference name and then selectModify .
4. Enter https://autologon.microsoft.us in the box.
5. SelectOK and then reopen the browser.
Microsoft Edge based on Chromium (all platforms)
If you have overridden the AuthNegotiateDelegateAllowlist or AuthServerAllowlist policy settings in your
environment, ensure that you add the Azure AD URL https://autologon.microsoft.us to them.
Google Chrome (all platforms)
If you have overridden the AuthNegotiateDelegateWhitelist or AuthServerWhitelist policy settings in your
environment, ensure that you add the Azure AD URL https://autologon.microsoft.us to them.
Next steps
Pass-through Authentication
Single Sign-On
User privacy and Azure AD Connect
9/7/2020 • 2 minutes to read • Edit Online
NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
NOTE
This article deals with Azure AD Connect and user privacy. For information on Azure AD Connect Health and user privacy see
the article here.
IMPORTANT
Do not delete the PersistedState.xml file. This file contains no user information and maintains the state of the previous
installation.
You can either review and delete these files using Windows Explorer or you can use a script like the following to
perform the necessary actions:
3. In Task Scheduler, right click on Task Schedule Librar y and click on Create Basic task …
4. Enter the name for the new task and click Next .
5. Select Daily for the task trigger and click on Next .
6. Set the recurrence to 2 days and click Next .
7. Select Star t a program as the action and click on Next .
8. Type PowerShell in the box for the Program/script, and in box labeled Add arguments (optional) , enter
the full path to the script that you created earlier, then click Next .
9. The next screen shows a summary of the task you are about to create. Verify the values and click Finish to
create the task.
Next steps
Review the Microsoft Privacy policy on Trust Center
Azure AD Connect Health and User Privacy
User privacy and Azure AD Connect Health
9/7/2020 • 5 minutes to read • Edit Online
NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
NOTE
This article deals with Azure AD Connect Health and user privacy. For information on Azure AD Connect and user privacy see
the article here.
IMPORTANT
You need either Azure AD Global Administrator privileges or the Contributor role in Azure RBAC to delete monitored servers
from Azure AD Connect Health.
Removing a server or service instance from Azure AD Connect Health is not a reversible action.
What to expect?
If you stop data collection and monitoring for an individual monitored server or an instance of a monitored
service, note the following:
When you delete an instance of a monitored service, the instance is removed from the Azure AD Connect
Health monitoring service list in the portal.
When you delete a monitored server or an instance of a monitored service, the Health Agent is NOT uninstalled
or removed from your servers. The Health Agent is configured not to send data to Azure AD Connect Health.
You need to manually uninstall the Health Agent on previously monitored servers.
If you have not uninstalled the Health Agent before performing this step, you may see error events on the
server(s) related to the Health Agent.
All data belonging to the instance of the monitored service is deleted as per the Microsoft Azure Data Retention
Policy.
Disable data collection and monitoring for an instance of a monitored service
See how to remove a service instance from Azure AD Connect Health.
Disable data collection and monitoring for a monitored server
See how to remove a server from Azure AD Connect Health.
Disable data collection and monitoring for all monitored services in Azure AD Connect Health
Azure AD Connect Health also provides the option to stop data collection of all registered services in the tenant.
We recommend careful consideration and full acknowledgement of all global admins before taking the action.
Once the process begins, Connect Health service will stop receiving, processing, and reporting any data of all your
services. Existing data in Connect Health service will be retained for no more than 30 days. If you want to stop data
collection of specific server, please follow steps at deletion of specific servers. To stop tenant-wise data collection,
follow the following steps to stop data collection and delete all services of the tenant.
1. Click on General Settings under configuration in the main blade.
2. Click on Stop Data Collection button on the top of the blade. The other options of tenant configuration
settings will be disabled once the process starts.
3. Ensure the list of onboarded services which are affected by stopping data collections.
4. Enter the exact tenant name to enable the Delete action button
5. Click on Delete to trigger the deletion of all services. Connect Health will stop receiving, processing,
reporting any data sent from your onboarded services. The entire process of can take up to 24 hours.
Notice that this step is not reversible.
6. After the process is completed, you will not see any registered services in Connect Health any more.
Re-enable data collection and monitoring in Azure AD Connect Health
To re-enable monitoring in Azure AD Connect Health for a previously deleted monitored service, you must
uninstall and reinstall the health agent on all the servers.
Re -enable data collection and monitoring for all monitored services
Tenant-wise data collection can be resumed in Azure AD Connect Health. We recommend careful consideration
and full acknowledgement of all global admins before taking the action.
IMPORTANT
The following steps will be available after 24 hours of disable action. After enabling of data collection, the presented insight
and monitoring data in Connect Health will not show any legacy data collected before.
Next steps
Review the Microsoft Privacy policy on Trust Center
Azure AD Connect and User Privacy
Azure AD Connect in Microsoft Cloud Germany -
Public Preview
2/12/2019 • 2 minutes to read • Edit Online
Introduction
Azure AD Connect provides synchronization between your on-premises Active Directory and Azure Active
Directory. Currently, many of the scenarios in Microsoft Cloud Germany must be done by the operator. When using
Microsoft Cloud Germany, you must be aware of the following information:
The following URLs must be opened on a proxy server for synchronization to occur successfully:
*.microsoftonline.de
*.windows.net
Certificate Revocation Lists
When you sign in to your Azure AD directory, you must use an account in the onmicrosoft.de domain.
Download
You can download Azure AD Connect from the Azure AD Connect blade within the portal. Use the instructions
below to locate the Azure AD Connect blade.
The Azure AD Connect Blade
Once you've signed in to the Azure portal:
1. Go to Browse
2. Select Azure Active Directory
3. Then select Azure AD Connect
You'll see these details:
The following table describes the features shown in the blade.
T IT L E DESC RIP T IO N
Installation
To install Azure AD Connect, you can use the documentation here.
Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. This is a
great time to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync
as these tools are now deprecated and are no longer supported as of April 13, 2017.
The two identity synchronization tools that are deprecated were offered for single forest customers (DirSync) and
for multi-forest and other advanced customers (Azure AD Sync). These older tools have been replaced with a single
solution that is available for all scenarios: Azure AD Connect. It offers new functionality, feature enhancements, and
support for new scenarios. To be able to continue to synchronize your on-premises identity data to Azure AD and
Office 365, we strongly recommend that you upgrade to Azure AD Connect. Microsoft does not guarantee these
older versions to work after December 31, 2017.
The last release of DirSync was released in July 2014 and the last release of Azure AD Sync was released in May
2015.
Deprecation schedule
DAT E C O M M EN T
April 13, 2016 Windows Azure Active Directory Sync (“DirSync”) and
Microsoft Azure Active Directory Sync (“Azure AD Sync”) are
announced as deprecated.
April 13, 2017 Support ends. Customers will no longer be able to open a
support case without upgrading to Azure AD Connect first.
SO L UT IO N SC EN A RIO
Upgrade from DirSync If you have an existing DirSync server already running.
SO L UT IO N SC EN A RIO
Upgrade from Azure AD Sync If you are moving from Azure AD Sync.
If you want to see how to do an in-place upgrade from DirSync to Azure AD Connect, then see this Channel 9 video:
FAQ
Q: I have received an email notification from the Azure Team and/or a message from the Office 365
message center, but I am using Connect.
The notification was also sent to customers using Azure AD Connect with a build number 1.0.*.0 (using a pre-1.1
release). Microsoft recommends customers to stay current with Azure AD Connect releases. The automatic upgrade
feature introduced in 1.1 makes it easy to always have a recent version of Azure AD Connect installed.
Q: Will DirSync/Azure AD Sync stop working on April 13, 2017?
DirSync/Azure AD Sync will continue to work on April 13, 2017. However, Azure AD may no longer accept
communications from DirSync/Azure AD Sync after December 31, 2017.
Q: Which DirSync versions can I upgrade from?
It is supported to upgrade from any DirSync release currently being used.
Q: What about the Azure AD Connector for FIM/MIM?
The Azure AD Connector for FIM/MIM has not been announced as deprecated. It is at feature freeze ; no new
functionality is added and it receives no bug fixes. Microsoft recommends customers using it to plan to move from
it to Azure AD Connect. It is strongly recommended to not start any new deployments using it. This Connector will
be announced deprecated in the future.
Additional Resources
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect sync: Attributes synchronized to
Azure Active Directory
9/7/2020 • 13 minutes to read • Edit Online
This topic lists the attributes that are synchronized by Azure AD Connect sync.
The attributes are grouped by the related Azure AD app.
Attributes to synchronize
A common question is what is the list of minimum attributes to synchronize. The default and recommended
approach is to keep the default attributes so a full GAL (Global Address List) can be constructed in the cloud and to
get all features in Office 365 workloads. In some cases, there are some attributes that your organization does not
want synchronized to the cloud since these attributes contain sensitive or PII (Personally identifiable information)
data, like in this example:
In this case, start with the list of attributes in this topic and identify those attributes that would contain sensitive or
PII data and cannot be synchronized. Then deselect those attributes during installation using Azure AD app and
attribute filtering.
WARNING
When deselecting attributes, you should be cautious and only deselect those attributes absolutely not possible to
synchronize. Unselecting other attributes might have a negative impact on features.
cn X
displayName X
samAccountName X
Exchange Online
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
assistant X X
authOrig X X X
c X X
cn X X
co X X
company X X
countryCode X X
department X X
description X
displayName X X X
dLMemRejectPerms X X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
dLMemSubmitPerms X X X
extensionAttribute1 X X X
extensionAttribute10 X X X
extensionAttribute11 X X X
extensionAttribute12 X X X
extensionAttribute13 X X X
extensionAttribute14 X X X
extensionAttribute15 X X X
extensionAttribute2 X X X
extensionAttribute3 X X X
extensionAttribute4 X X X
extensionAttribute5 X X X
extensionAttribute6 X X X
extensionAttribute7 X X X
extensionAttribute8 X X X
extensionAttribute9 X X X
facsimiletelephonenu X X
mber
givenName X X
homePhone X X
Initials X X
l X X
legacyExchangeDN X X X
mailNickname X X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
managedBy X
manager X X
member X
mobile X X
msDS- X X X
HABSeniorityIndex
msDS- X X X
PhoneticDisplayName
msExchArchiveGUID X
msExchArchiveName X
msExchAssistantName X X
msExchAuditAdmin X
msExchAuditDelegate X
msExchAuditDelegate X
Admin
msExchAuditOwner X
msExchBlockedSender X X
sHash
msExchBypassAudit X
msExchCoManagedBy X
Link
msExchDelegateListLi X
nk
msExchELCExpirySusp X
ensionEnd
msExchELCExpirySusp X
ensionStart
msExchELCMailboxFla X
gs
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
msExchEnableModera X X
tion
msExchHideFromAddr X X X
essLists
msExchImmutableID X
msExchLitigationHold X X X
Date
msExchLitigationHold X X X
Owner
msExchMailboxAuditE X
nable
msExchMailboxAuditL X
ogAgeLimit
msExchMailboxGuid X
msExchModeratedByL X X X
ink
msExchModerationFla X X X
gs
msExchRecipientDispla X X X
yType
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
msExchRecipientType X X X
Details
msExchRemoteRecipie X
ntType
msExchRequireAuthTo X X X
SendTo
msExchResourceCapac X
ity
msExchResourceDispla X
y
msExchResourceMeta X
Data
msExchResourceSearc X
hProperties
msExchRetentionCom X X X
ment
msExchRetentionURL X X X
msExchSafeRecipients X X
Hash
msExchSafeSendersHa X X
sh
msExchSenderHintTra X X X
nslations
msExchTeamMailboxE X
xpiration
msExchTeamMailboxO X
wners
msExchTeamMailboxS X
harePointUrl
msExchUserHoldPolici X
es
msOrg- X
IsOrganizational
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
oOFReplyToOriginator X
otherFacsimileTelepho X X
ne
otherHomePhone X X
otherTelephone X X
pager X X
physicalDeliveryOffice X X
Name
postalCode X X
proxyAddresses X X X
publicDelegates X X X
reportToOriginator X
reportToOwner X
sn X X
st X X
streetAddress X X
targetAddress X X
telephoneAssistant X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
telephoneNumber X X
title X X
unauthOrig X X X
userCertificate X X
userSMIMECertificate X X
s
wWWHomePage X X
SharePoint Online
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
authOrig X X X
c X X
cn X X
co X X
company X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
countryCode X X
department X X
description X X X
displayName X X X
dLMemRejectPerms X X X
dLMemSubmitPerms X X X
extensionAttribute1 X X X
extensionAttribute10 X X X
extensionAttribute11 X X X
extensionAttribute12 X X X
extensionAttribute13 X X X
extensionAttribute14 X X X
extensionAttribute15 X X X
extensionAttribute2 X X X
extensionAttribute3 X X X
extensionAttribute4 X X X
extensionAttribute5 X X X
extensionAttribute6 X X X
extensionAttribute7 X X X
extensionAttribute8 X X X
extensionAttribute9 X X X
facsimiletelephonenu X X
mber
givenName X X
hideDLMembership X
homephone X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
info X X X
initials X X
ipPhone X X
l X X
mail X X X
mailnickname X X X
managedBy X
manager X X
member X
middleName X X
mobile X X
msExchTeamMailboxE X
xpiration
msExchTeamMailboxO X
wners
msExchTeamMailboxS X
harePointLinkedBy
msExchTeamMailboxS X
harePointUrl
oOFReplyToOriginator X
otherFacsimileTelepho X X
ne
otherHomePhone X X
otherIpPhone X X
otherMobile X X
otherPager X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
otherTelephone X X
pager X X
physicalDeliveryOffice X X
Name
postalCode X X
preferredLanguage X
proxyAddresses X X X
reportToOriginator X
reportToOwner X
sn X X
st X X
streetAddress X X
targetAddress X X
telephoneAssistant X X
telephoneNumber X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
title X X
unauthOrig X X X
url X X
wWWHomePage X X
c X X
cn X X
co X X
company X X
department X X
description X X X
displayName X X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
facsimiletelephonenu X X X
mber
givenName X X
homephone X X
ipPhone X X
l X X
mail X X X
mailNickname X X X
managedBy X
manager X X
member X
mobile X X
msExchHideFromAddr X X X
essLists
msRTCSIP- X
ApplicationOptions
msRTCSIP- X X
DeploymentLocator
msRTCSIP-Line X X
msRTCSIP- X X
OptionFlags
msRTCSIP-OwnerUrn X
msRTCSIP- X X
PrimaryUserAddress
msRTCSIP- X X
UserEnabled
otherTelephone X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
physicalDeliveryOffice X X
Name
postalCode X X
preferredLanguage X
proxyAddresses X X X
sn X X
st X X
streetAddress X X
telephoneNumber X X
title X X
wWWHomePage X X
Azure RMS
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
cn X X Common name or
alias. Most often the
prefix of [mail] value.
member X
Intune
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
c X X
cn X X
description X X X
displayName X X X
mail X X X
mailnickname X X X
member X
proxyAddresses X X X
Dynamics CRM
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
c X X
cn X X
co X X
company X X
countryCode X X
description X X X
displayName X X X
facsimiletelephonenu X X
mber
givenName X X
l X X
managedBy X
manager X X
member X
mobile X X
AT T RIB UT E N A M E USER C O N TA C T GRO UP C O M M EN T
physicalDeliveryOffice X X
Name
postalCode X X
preferredLanguage X
sn X X
st X X
streetAddress X X
telephoneNumber X X
title X X
cn X X
displayName X X X
employeeID X
givenName X X
mail X X
managedBy X
mailNickName X X X
member X
proxyAddresses X X X
sn X X
Windows 10
A Windows 10 domain-joined computer(device) synchronizes some attributes to Azure AD. For more information
on the scenarios, see Connect domain-joined devices to Azure AD for Windows 10 experiences. These attributes
always synchronize and Windows 10 does not appear as an app you can unselect. A Windows 10 domain-joined
computer is identified by having the attribute userCertificate populated.
AT T RIB UT E N A M E DEVIC E C O M M EN T
accountEnabled X
displayName X
userCertificate X
These attributes for user are in addition to the other apps you have selected.
AT T RIB UT E N A M E USER C O M M EN T
AT T RIB UT E AT T RIB UT E
NAME (ON- NAME
P REM ISES A D) ( C O N N EC T UI) USER C O N TA C T GRO UP C O M M EN T
AT T RIB UT E N A M E P UB L IC F O L DER C O M M EN T
displayName X
mail X
msExchRecipientTypeDetails X
objectGUID X
proxyAddresses X
targetAddress X
Device writeback
Device objects are created in Active Directory. These objects can be devices joined to Azure AD or domain-joined
Windows 10 computers.
AT T RIB UT E N A M E DEVIC E C O M M EN T
altSecurityIdentities X
AT T RIB UT E N A M E DEVIC E C O M M EN T
displayName X
dn X
msDS-CloudAnchor X
msDS-DeviceID X
msDS-DeviceObjectVersion X
msDS-DeviceOSType X
msDS-DeviceOSVersion X
msDS-DevicePhysicalIDs X
msDS-IsCompliant X
msDS-IsEnabled X
msDS-IsManaged X
msDS-RegisteredOwner X
Notes
When using an Alternate ID, the on-premises attribute userPrincipalName is synchronized with the Azure AD
attribute onPremisesUserPrincipalName. The Alternate ID attribute, for example mail, is synchronized with the
Azure AD attribute userPrincipalName.
In the lists above, the object type User also applies to the object type iNetOrgPerson .
Next steps
Learn more about the Azure AD Connect sync configuration.
Learn more about Integrating your on-premises identities with Azure Active Directory.
Azure AD Connect sync: Functions Reference
9/7/2020 • 26 minutes to read • Edit Online
In Azure AD Connect, functions are used to manipulate an attribute value during synchronization.
The Syntax of the functions is expressed using the following format:
<output type> FunctionName(<input type> <position name>, ..)
If a function is overloaded and accepts multiple syntaxes, all valid syntaxes are listed.
The functions are strongly typed and they verify that the type passed in matches the documented type.
If the type does not match, an error is thrown.
The types are expressed with the following syntax:
bin – Binary
bool – Boolean
dt – UTC Date/Time
enum – Enumeration of known constants
exp – Expression, which is expected to evaluate to a Boolean
mvbin – Multi-Valued Binary
mvstr – Multi-Valued String
mvref – Multi-Valued Reference
num – Numeric
ref – Reference
str – String
var – A variant of (almost) any other type
void – doesn’t return a value
The functions with the types mvbin , mvstr , and mvref can only work on multi-valued attributes. Functions with
bin , str , and ref work on both single-valued and multi-valued attributes.
Functions Reference
Cer tificate
CertExtensionOids
CertFormat
CertFriendlyName
CertHashString
CertIssuer
CertIssuerDN
CertIssuerOid
CertKeyAlgorithm
CertKeyAlgorithmParams
CertNameInfo
CertNotAfter
CertNotBefore
CertPublicKeyOid
CertPublicKeyParametersOid
CertSerialNumber
CertSignatureAlgorithmOid
CertSubject
CertSubjectNameDN
CertSubjectNameOid
CertThumbprint
CertVersion
IsCert
Conversion
CBool
CDate
CGuid
ConvertFromBase64
ConvertToBase64
ConvertFromUTF8Hex
ConvertToUTF8Hex
CNum
CRef
CStr
StringFromGuid
StringFromSid
Date / Time
DateAdd
DateFromNum
FormatDateTime
Now
NumFromDate
Director y
DNComponent
DNComponentRev
EscapeDNComponent
Evaluation
IsBitSet
IsDate
IsEmpty
IsGuid
IsNull
IsNullOrEmpty
IsNumeric
IsPresent
IsString
Math
BitAnd
BitOr
RandomNum
Multi*valued
Contains
Count
Item
ItemOrNull
Join
RemoveDuplicates
Split
Program Flow
Error
IIF
Select
Switch
Where
With
Text
GUID
InStr
InStrRev
LCase
Left
Len
LTrim
Mid
PadLeft
PadRight
PCase
Replace
ReplaceChars
Right
RTrim
Trim
UCase
Word
BitAnd
Description:
The BitAnd function sets specified bits on a value.
Syntax:
num BitAnd(num value1, num value2)
BitOr
Description:
The BitOr function sets specified bits on a value.
Syntax:
num BitOr(num value1, num value2)
CBool
Description:
The CBool function returns a Boolean based on the evaluated expression
Syntax:
bool CBool(exp Expression)
Remarks:
If the expression evaluates to a non-zero value, then CBool returns True, else it returns False.
Example:
CBool([attrib1] = [attrib2])
CDate
Description:
The CDate function returns a UTC DateTime from a string. DateTime is not a native attribute type in Sync but is
used by some functions.
Syntax:
dt CDate(str value)
CertExtensionOids
Description:
Returns the Oid values of all the critical extensions of a certificate object.
Syntax:
mvstr CertExtensionOids(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertFormat
Description:
Returns the name of the format of this X.509v3 certificate.
Syntax:
str CertFormat(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertFriendlyName
Description:
Returns the associated alias for a certificate.
Syntax:
str CertFriendlyName(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertHashString
Description:
Returns the SHA1 hash value for the X.509v3 certificate as a hexadecimal string.
Syntax:
str CertHashString(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertIssuer
Description:
Returns the name of the certificate authority that issued the X.509v3 certificate.
Syntax:
str CertIssuer(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertIssuerDN
Description:
Returns the distinguished name of the certificate issuer.
Syntax:
str CertIssuerDN(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertIssuerOid
Description:
Returns the Oid of the certificate issuer.
Syntax:
str CertIssuerOid(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertKeyAlgorithm
Description:
Returns the key algorithm information for this X.509v3 certificate as a string.
Syntax:
str CertKeyAlgorithm(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertKeyAlgorithmParams
Description:
Returns the key algorithm parameters for the X.509v3 certificate as a hexadecimal string.
Syntax:
str CertKeyAlgorithm(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertNameInfo
Description:
Returns the subject and issuer names from a certificate.
Syntax:
str CertNameInfo(binary certificateRawData, str x509NameType, bool includesIssuerName)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
X509NameType: The X509NameType value for the subject.
includesIssuerName: true to include the issuer name; otherwise, false.
CertNotAfter
Description:
Returns the date in local time after which a certificate is no longer valid.
Syntax:
dt CertNotAfter(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertNotBefore
Description:
Returns the date in local time on which a certificate becomes valid.
Syntax:
dt CertNotBefore(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertPublicKeyOid
Description:
Returns the Oid of the public key for the X.509v3 certificate.
Syntax:
str CertKeyAlgorithm(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertPublicKeyParametersOid
Description:
Returns the Oid of the public key parameters for the X.509v3 certificate.
Syntax:
str CertPublicKeyParametersOid(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertSerialNumber
Description:
Returns the serial number of the X.509v3 certificate.
Syntax:
str CertSerialNumber(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertSignatureAlgorithmOid
Description:
Returns the Oid of the algorithm used to create the signature of a certificate.
Syntax:
str CertSignatureAlgorithmOid(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertSubject
Description:
Gets the subject distinguished name from a certificate.
Syntax:
str CertSubject(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertSubjectNameDN
Description:
Returns the subject distinguished name from a certificate.
Syntax:
str CertSubjectNameDN(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertSubjectNameOid
Description:
Returns the Oid of the subject name from a certificate.
Syntax:
str CertSubjectNameOid(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertThumbprint
Description:
Returns the thumbprint of a certificate.
Syntax:
str CertThumbprint(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CertVersion
Description:
Returns the X.509 format version of a certificate.
Syntax:
str CertThumbprint(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
CGuid
Description:
The CGuid function converts the string representation of a GUID to its binary representation.
Syntax:
bin CGuid(str GUID)
ConvertFromBase64
Description:
The ConvertFromBase64 function converts the specified base64 encoded value to a regular string.
Syntax:
str ConvertFromBase64(str source) - assumes Unicode for encoding
str ConvertFromBase64(str source, enum Encoding)
ConvertFromUTF8Hex
Description:
The ConvertFromUTF8Hex function converts the specified UTF8 Hex encoded value to a string.
Syntax:
str ConvertFromUTF8Hex(str source)
ConvertToBase64
Description:
The ConvertToBase64 function converts a string to a Unicode base64 string.
Converts the value of an array of integers to its equivalent string representation that is encoded with base-64
digits.
Syntax:
str ConvertToBase64(str source)
Example:
ConvertToBase64("Hello world!")
Returns "SABlAGwAbABvACAAdwBvAHIAbABkACEA"
ConvertToUTF8Hex
Description:
The ConvertToUTF8Hex function converts a string to a UTF8 Hex encoded value.
Syntax:
str ConvertToUTF8Hex(str source)
Remarks:
The output format of this function is used by Azure Active Directory as DN attribute format.
Example:
ConvertToUTF8Hex("Hello world!")
Returns 48656C6C6F20776F726C6421
Count
Description:
The Count function returns the number of elements in a multi-valued attribute
Syntax:
num Count(mvstr attribute)
CNum
Description:
The CNum function takes a string and returns a numeric data type.
Syntax:
num CNum(str value)
CRef
Description:
Converts a string to a reference attribute
Syntax:
ref CRef(str value)
Example:
CRef("CN=LC Services,CN=Microsoft,CN=lcspool01,CN=Pools,CN=RTC Service," & %Forest.LDAP%)
CStr
Description:
The CStr function converts to a string data type.
Syntax:
str CStr(num value)
str CStr(ref value)
str CStr(bool value)
DateAdd
Description:
Returns a Date containing a date to which a specified time interval has been added.
Syntax:
dt DateAdd(str interval, num value, dt date)
interval: String expression that is the interval of time you want to add. The string must have one of the
following values:
yyyy Year
q Quarter
m Month
y Day of year
d Day
w Weekday
ww Week
h Hour
n Minute
s Second
value: The number of units you want to add. It can be positive (to get dates in the future) or negative (to get
dates in the past).
date: DateTime representing date to which the interval is added.
Example:
DateAdd("m", 3, CDate("2001-01-01"))
Adds 3 months and returns a DateTime representing "2001-04-01".
DateFromNum
Description:
The DateFromNum function converts a value in AD’s date format to a DateTime type.
Syntax:
dt DateFromNum(num value)
Example:
DateFromNum([lastLogonTimestamp])
DateFromNum(129699324000000000)
Returns a DateTime representing 2012-01-01 23:00:00
DNComponent
Description:
The DNComponent function returns the value of a specified DN component going from left.
Syntax:
str DNComponent(ref dn, num ComponentNumber)
DNComponentRev
Description:
The DNComponentRev function returns the value of a specified DN component going from right (the end).
Syntax:
str DNComponentRev(ref dn, num ComponentNumber)
str DNComponentRev(ref dn, num ComponentNumber, enum Options)
Error
Description:
The Error function is used to return a custom error.
Syntax:
void Error(str ErrorMessage)
Example:
IIF(IsPresent([accountName]),[accountName],Error("AccountName is required"))
If the attribute accountName is not present, throw an error on the object.
EscapeDNComponent
Description:
The EscapeDNComponent function takes one component of a DN and escapes it so it can be represented in LDAP.
Syntax:
str EscapeDNComponent(str value)
Example:
EscapeDNComponent("cn=" & [displayName]) & "," & %ForestLDAP%)
Makes sure the object can be created in an LDAP directory even if the displayName attribute has characters that
must be escaped in LDAP.
FormatDateTime
Description:
The FormatDateTime function is used to format a DateTime to a string with a specified format
Syntax:
str FormatDateTime(dt value, str format)
Guid
Description:
The function Guid generates a new random GUID
Syntax:
str Guid()
IIF
Description:
The IIF function returns one of a set of possible values based on a specified condition.
Syntax:
var IIF(exp condition, var valueIfTrue, var valueIfFalse)
InStr
Description:
The InStr function finds the first occurrence of a substring in a string
Syntax:
num InStr(str stringcheck, str stringmatch)
num InStr(str stringcheck, str stringmatch, num start)
num InStr(str stringcheck, str stringmatch, num start , enum compare)
stringcheck: string to be searched
stringmatch: string to be found
start: starting position to find the substring
compare: vbTextCompare or vbBinaryCompare
Remarks:
Returns the position where the substring was found or 0 if not found.
Example:
InStr("The quick brown fox","quick")
Evalues to 5
InStr("repEated","e",3,vbBinaryCompare)
Evaluates to 7
InStrRev
Description:
The InStrRev function finds the last occurrence of a substring in a string
Syntax:
num InstrRev(str stringcheck, str stringmatch)
num InstrRev(str stringcheck, str stringmatch, num start)
num InstrRev(str stringcheck, str stringmatch, num start, enum compare)
IsBitSet
Description:
The function IsBitSet Tests if a bit is set or not
Syntax:
bool IsBitSet(num value, num flag)
value: a numeric value that is evaluated.flag: a numeric value that has the bit to be evaluated
Example:
IsBitSet(&HF,4)
Returns True because bit "4" is set in the hexadecimal value "F"
IsDate
Description:
If the expression can be evaluates as a DateTime type, then the IsDate function evaluates to True.
Syntax:
bool IsDate(var Expression)
Remarks:
Used to determine if CDate() can be successful.
IsCert
Description:
Returns true if the raw data can be serialized into .NET X509Certificate2 certificate object.
Syntax:
bool CertThumbprint(binary certificateRawData)
certificateRawData: Byte array representation of an X.509 certificate. The byte array can be binary (DER)
encoded or Base64-encoded X.509 data.
IsEmpty
Description:
If the attribute is present in the CS or MV but evaluates to an empty string, then the IsEmpty function evaluates to
True.
Syntax:
bool IsEmpty(var Expression)
IsGuid
Description:
If the string could be converted to a GUID, then the IsGuid function evaluated to true.
Syntax:
bool IsGuid(str GUID)
Remarks:
A GUID is defined as a string following one of these patterns: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx or {xxxxxxxx-
xxxx-xxxx-xxxx-xxxxxxxxxxxx}
Used to determine if CGuid() can be successful.
Example:
IIF(IsGuid([strAttribute]),CGuid([strAttribute]),NULL)
If the StrAttribute has a GUID format, return a binary representation, otherwise return a Null.
IsNull
Description:
If the expression evaluates to Null, then the IsNull function returns true.
Syntax:
bool IsNull(var Expression)
Remarks:
For an attribute, a Null is expressed by the absence of the attribute.
Example:
IsNull([displayName])
Returns True if the attribute is not present in the CS or MV.
IsNullOrEmpty
Description:
If the expression is null or an empty string, then the IsNullOrEmpty function returns true.
Syntax:
bool IsNullOrEmpty(var Expression)
Remarks:
For an attribute, this would evaluate to True if the attribute is absent or is present but is an empty string.
The inverse of this function is named IsPresent.
Example:
IsNullOrEmpty([displayName])
Returns True if the attribute is not present or is an empty string in the CS or MV.
IsNumeric
Description:
The IsNumeric function returns a Boolean value indicating whether an expression can be evaluated as a number
type.
Syntax:
bool IsNumeric(var Expression)
Remarks:
Used to determine if CNum() can be successful to parse the expression.
IsString
Description:
If the expression can be evaluated to a string type, then the IsString function evaluates to True.
Syntax:
bool IsString(var expression)
Remarks:
Used to determine if CStr() can be successful to parse the expression.
IsPresent
Description:
If the expression evaluates to a string that is not Null and is not empty, then the IsPresent function returns true.
Syntax:
bool IsPresent(var expression)
Remarks:
The inverse of this function is named IsNullOrEmpty.
Example:
Switch(IsPresent([directManager]),[directManager], IsPresent([skiplevelManager]),[skiplevelManager],
IsPresent([director]),[director])
Item
Description:
The Item function returns one item from a multi-valued string/attribute.
Syntax:
var Item(mvstr attribute, num index)
attribute: multi-valued attribute
index: index to an item in the multi-valued string.
Remarks:
The Item function is useful together with the Contains function since the latter function returns the index to an
item in the multi-valued attribute.
Throws an error if index is out of bounds.
Example:
Mid(Item([proxyAddresses],Contains([proxyAddresses], "SMTP:")),6)
Returns the primary email address.
ItemOrNull
Description:
The ItemOrNull function returns one item from a multi-valued string/attribute.
Syntax:
var ItemOrNull(mvstr attribute, num index)
Join
Description:
The Join function takes a multi-valued string and returns a single-valued string with specified separator inserted
between each item.
Syntax:
str Join(mvstr attribute)
str Join(mvstr attribute, str Delimiter)
LCase
Description:
The LCase function converts all characters in a string to lower case.
Syntax:
str LCase(str value)
Example:
LCase("TeSt")
Returns "test".
Left
Description:
The Left function returns a specified number of characters from the left of a string.
Syntax:
str Left(str string, num NumChars)
Len
Description:
The Len function returns number of characters in a string.
Syntax:
num Len(str value)
Example:
Len("John Doe")
Returns 8
LTrim
Description:
The LTrim function removes leading white spaces from a string.
Syntax:
str LTrim(str value)
Example:
LTrim(" Test ")
Returns "Test "
Mid
Description:
The Mid function returns a specified number of characters from a specified position in a string.
Syntax:
str Mid(str string, num start, num NumChars)
Now
Description:
The Now function returns a DateTime specifying the current date and time, according to your computer's system
date and time.
Syntax:
dt Now()
NumFromDate
Description:
The NumFromDate function returns a date in AD’s date format.
Syntax:
num NumFromDate(dt value)
Example:
NumFromDate(CDate("2012-01-01 23:00:00"))
Returns 129699324000000000
PadLeft
Description:
The PadLeft function left-pads a string to a specified length using a provided padding character.
Syntax:
str PadLeft(str string, num length, str padCharacter)
PadRight
Description:
The PadRight function right-pads a string to a specified length using a provided padding character.
Syntax:
str PadRight(str string, num length, str padCharacter)
PCase
Description:
The PCase function converts the first character of each space delimited word in a string to upper case, and all
other characters are converted to lower case.
Syntax:
String PCase(string)
Remarks:
This function does not currently provide proper casing to convert a word that is entirely uppercase, such as an
acronym.
Example:
PCase("TEsT")
Returns "Test".
PCase(LCase("TEST"))
Returns "Test"
RandomNum
Description:
The RandomNum function returns a random number between a specified interval.
Syntax:
num RandomNum(num start, num end)
start: a number identifying the lower limit of the random value to generate
end: a number identifying the upper limit of the random value to generate
Example:
Random(100,999)
Can return 734.
RemoveDuplicates
Description:
The RemoveDuplicates function takes a multi-valued string and make sure each value is unique.
Syntax:
mvstr RemoveDuplicates(mvstr attribute)
Example:
RemoveDuplicates([proxyAddresses])
Returns a sanitized proxyAddress attribute where all duplicate values have been removed.
Replace
Description:
The Replace function replaces all occurrences of a string to another string.
Syntax:
str Replace(str string, str OldValue, str NewValue)
ReplaceChars
Description:
The ReplaceChars function replaces all occurrences of characters found in the ReplacePattern string.
Syntax:
str ReplaceChars(str string, str ReplacePattern)
ReplaceChars("Räksmörgås",%ReplaceString%)
Returns Raksmorgas
ReplaceChars("O’Neil",%ReplaceString%)
Returns "ONeil", the single tick is defined to be removed.
Right
Description:
The Right function returns a specified number of characters from the right (end) of a string.
Syntax:
str Right(str string, num NumChars)
RTrim
Description:
The RTrim function removes trailing white spaces from a string.
Syntax:
str RTrim(str value)
Example:
RTrim(" Test ")
Returns " Test".
Select
Description:
Process all values in a multi-valued attribute (or output of an expression) based on function specified.
Syntax:
mvattr Select(variable item, mvattr attribute, func function)
mvattr Select(variable item, exp expression, func function)
Split
Description:
The Split function takes a string separated with a delimiter and makes it a multi-valued string.
Syntax:
mvstr Split(str value, str delimiter)
mvstr Split(str value, str delimiter, num limit)
StringFromGuid
Description:
The StringFromGuid function takes a binary GUID and converts it to a string
Syntax:
str StringFromGuid(bin GUID)
StringFromSid
Description:
The StringFromSid function converts a byte array containing a security identifier to a string.
Syntax:
str StringFromSid(bin ObjectSID)
Switch
Description:
The Switch function is used to return a single value based on evaluated conditions.
Syntax:
var Switch(exp expr1, var value1[, exp expr2, var value … [, exp expr, var valueN]])
Trim
Description:
The Trim function removes leading and trailing white spaces from a string.
Syntax:
str Trim(str value)
Example:
Trim(" Test ")
Returns "Test".
Trim([proxyAddresses])
Removes leading and trailing spaces for each value in the proxyAddress attribute.
UCase
Description:
The UCase function converts all characters in a string to upper case.
Syntax:
str UCase(str string)
Example:
UCase("TeSt")
Returns "TEST".
Where
Description:
Returns a subset of values from a multi-valued attribute (or output of an expression) based on specific condition.
Syntax:
mvattr Where(variable item, mvattr attribute, exp condition)
mvattr Where(variable item, exp expression, exp condition)
With
Description:
The With function provides a way to simplify a complex expression by using a variable to represent a
subexpression which appears one or more times in the complex expression.
Syntax: With(var variable, exp subExpression, exp complexExpression)
Word
Description:
The Word function returns a word contained within a string, based on parameters describing the delimiters to use
and the word number to return.
Syntax:
str Word(str string, num WordNumber, str delimiters)
Additional Resources
Understanding Declarative Provisioning Expressions
Azure AD Connect Sync: Customizing Synchronization options
Integrating your on-premises identities with Azure Active Directory
Azure AD federation compatibility list
9/7/2020 • 2 minutes to read • Edit Online
Azure Active Directory provides single-sign on and enhanced application access security for Office 365 and other
Microsoft Online services for hybrid and cloud-only implementations without requiring any third party solution.
Office 365, like most of Microsoft’s Online services, is integrated with Azure Active Directory for directory
services, authentication, and authorization. Azure Active Directory also provides single sign-on to thousands of
SaaS applications and on-premises web applications. See the Azure Active Directory application gallery for
supported SaaS applications.
IDP Validation
If your organization uses a third-party federation solution, you can configure single sign-on for your on-
premises Active Directory users with Microsoft Online services, such as Office 365, provided the third-party
federation solution is compatible with Azure Active Directory. For questions regarding compatibility, please
contact your identity provider. If you would like to see a list of identity providers who have previously been
tested for compatibility with Azure AD, by Microsoft, click here.
NOTE
Microsoft no longer provides validation testing to independent identity providers for compatibility with Azure Active
Directory. If you would like to test your product for interoperability please refer to these guidelines.
Next Steps
Integrate your on-premises directories with Azure Active Directory
Azure AD Connect and federation
TLS 1.2 enforcement for Azure AD Connect
3/4/2020 • 2 minutes to read • Edit Online
Transport Layer Security (TLS) protocol version 1.2 is a cryptography protocol that is designed to provide secure
communications. The TLS protocol aims primarily to provide privacy and data integrity. TLS has gone through
many iterations with version 1.2 being defined in RFC 5246. Azure Active Directory Connect version 1.2.65.0 and
later now fully support using only TLS 1.2 for communications with Azure. This document will provide information
on how to force your Azure AD Connect server to use only TLS 1.2.
IMPORTANT
After you have updated the registry, you must restart the Windows server for the changes to take affect.
Next steps
Integrating your on-premises identities with Azure Active Directory
Azure AD Connect: ADSyncConfig PowerShell
Reference
9/7/2020 • 19 minutes to read • Edit Online
The following documentation provides reference information for the ADSyncConfig.psm1 PowerShell Module that
is included with Azure AD Connect.
Get-ADSyncADConnectorAccount
SYNOPSIS
Gets the account name and domain that is configured in each AD Connector
SYNTAX
Get-ADSyncADConnectorAccount
DESCRIPTION
This function uses the 'Get-ADSyncConnector' cmdlet that is present in AAD Connect to retrieve from Connectivity
Parameters a table showing the AD Connector(s) account.
EXAMPLES
EXAMPLE 1
Get-ADSyncADConnectorAccount
Get-ADSyncObjectsWithInheritanceDisabled
SYNOPSIS
Gets AD objects with permission inheritance disabled
SYNTAX
DESCRIPTION
Searches in AD starting from the SearchBase parameter and returns all objects, filtered by ObjectClass parameter,
that have the ACL Inheritance currently disabled.
EXAMPLES
EXAMPLE 1
Find objects with disabled inheritance in 'Contoso' domain (by default returns 'organizationalUnit' objects only)
EXAMPLE 2
Find 'user' objects with disabled inheritance in 'Contoso' domain
Get-ADSyncObjectsWithInheritanceDisabled -SearchBase 'Contoso' -ObjectClass 'user'
EXAMPLE 3
Find all types of objects with disabled inheritance in a OU
PARAMETERS
-SearchBase
The SearchBase for the LDAP query that can be an AD Domain DistinguishedName or a FQDN
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ObjectClass
The class of the objects to search that can be '*' (for any object class), 'user', 'group', 'container', etc. By default, this
function will search for 'organizationalUnit' object class.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: OrganizationalUnit
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Set-ADSyncBasicReadPermissions
SYNOPSIS
Initialize your Active Directory forest and domain for basic read permissions.
SYNTAX
UserDomain
DistinguishedName
Set-ADSyncBasicReadPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [-SkipAdminSdHolders]
[-WhatIf] [-Confirm] [<CommonParameters>]
DESCRIPTION
The Set-ADSyncBasicReadPermissions Function will give required permissions to the AD synchronization account,
which include the following: 1. Read Property access on all attributes for all descendant computer objects 2. Read
Property access on all attributes for all descendant device objects 3. Read Property access on all attributes for all
descendant foreignsecurityprincipal objects 5. Read Property access on all attributes for all descendant user objects
6. Read Property access on all attributes for all descendant inetorgperson objects 7. Read Property access on all
attributes for all descendant group objects 8. Read Property access on all attributes for all descendant contact
objects
These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in
ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).
EXAMPLES
EXAMPLE 1
EXAMPLE 2
EXAMPLE 3
EXAMPLE 4
PARAMETERS
-ADConnectorAccountName
The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDomain
The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDN
The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to
manage objects in the directory.
Type: String
Parameter Sets: DistinguishedName
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADobjectDN
DistinguishedName of the target AD object to set permissions (optional)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SkipAdminSdHolders
Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Set-ADSyncExchangeHybridPermissions
SYNOPSIS
Initialize your Active Directory forest and domain for Exchange Hybrid feature.
SYNTAX
UserDomain
DistinguishedName
DESCRIPTION
The Set-ADSyncExchangeHybridPermissions Function will give required permissions to the AD synchronization
account, which include the following: 1. Read/Write Property access on all attributes for all descendant user objects
2. Read/Write Property access on all attributes for all descendant inetorgperson objects 3. Read/Write Property
access on all attributes for all descendant group objects 4. Read/Write Property access on all attributes for all
descendant contact objects
These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in
ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).
EXAMPLES
EXAMPLE 1
EXAMPLE 2
EXAMPLE 3
EXAMPLE 4
PARAMETERS
-ADConnectorAccountName
The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDomain
The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDN
The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to
manage objects in the directory.
Type: String
Parameter Sets: DistinguishedName
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADobjectDN
DistinguishedName of the target AD object to set permissions (optional)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SkipAdminSdHolders
Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Set-ADSyncExchangeMailPublicFolderPermissions
SYNOPSIS
Initialize your Active Directory forest and domain for Exchange Mail Public Folder feature.
SYNTAX
UserDomain
DistinguishedName
DESCRIPTION
The Set-ADSyncExchangeMailPublicFolderPermissions Function will give required permissions to the AD
synchronization account, which include the following: 1. Read Property access on all attributes for all descendant
publicfolder objects
These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in
ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).
EXAMPLES
EXAMPLE 1
EXAMPLE 2
Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN
'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com'
EXAMPLE 3
Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN
'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com' -SkipAdminSdHolders
EXAMPLE 4
PARAMETERS
-ADConnectorAccountName
The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDomain
The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDN
The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to
manage objects in the directory.
Type: String
Parameter Sets: DistinguishedName
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADobjectDN
DistinguishedName of the target AD object to set permissions (optional)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SkipAdminSdHolders
Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Set-ADSyncMsDsConsistencyGuidPermissions
SYNOPSIS
Initialize your Active Directory forest and domain for mS-DS-ConsistencyGuid feature.
SYNTAX
UserDomain
DistinguishedName
DESCRIPTION
The Set-ADSyncMsDsConsistencyGuidPermissions Function will give required permissions to the AD
synchronization account, which include the following: 1. Read/Write Property access on mS-DS-ConsistencyGuid
attribute for all descendant user objects
These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in
ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).
EXAMPLES
EXAMPLE 1
EXAMPLE 2
EXAMPLE 3
EXAMPLE 4
PARAMETERS
-ADConnectorAccountName
The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDomain
The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDN
The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to
manage objects in the directory.
Type: String
Parameter Sets: DistinguishedName
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADobjectDN
DistinguishedName of the target AD object to set permissions (optional)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SkipAdminSdHolders
Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Set-ADSyncPasswordHashSyncPermissions
SYNOPSIS
Initialize your Active Directory forest and domain for password hash synchronization.
SYNTAX
UserDomain
DistinguishedName
DESCRIPTION
The Set-ADSyncPasswordHashSyncPermissions Function will give required permissions to the AD synchronization
account, which include the following: 1. Replicating Directory Changes 2. Replicating Directory Changes All
These permissions are given to all domains in the forest.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com'
PARAMETERS
-ADConnectorAccountName
The Name of the Active Directory account that will be used by Azure AD Connect Sync to manage objects in the
directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDomain
The Domain of the Active Directory account that will be used by Azure AD Connect Sync to manage objects in the
directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDN
The DistinguishedName of the Active Directory account that will be used by Azure AD Connect Sync to manage
objects in the directory.
Type: String
Parameter Sets: DistinguishedName
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Set-ADSyncPasswordWritebackPermissions
SYNOPSIS
Initialize your Active Directory forest and domain for password write-back from Azure AD.
SYNTAX
UserDomain
DistinguishedName
DESCRIPTION
The Set-ADSyncPasswordWritebackPermissions Function will give required permissions to the AD synchronization
account, which include the following: 1. Reset Password on descendant user objects 2. Write Property access on
lockoutTime attribute for all descendant user objects 3. Write Property access on pwdLastSet attribute for all
descendant user objects
These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in
ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).
EXAMPLES
EXAMPLE 1
EXAMPLE 2
EXAMPLE 3
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com' -
SkipAdminSdHolders
EXAMPLE 4
PARAMETERS
-ADConnectorAccountName
The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDomain
The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDN
The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to
manage objects in the directory.
Type: String
Parameter Sets: DistinguishedName
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADobjectDN
DistinguishedName of the target AD object to set permissions (optional)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SkipAdminSdHolders
Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Set-ADSyncRestrictedPermissions
SYNOPSIS
Tighten permissions on an AD object that is not otherwise included in any AD protected security group. A typical
example is the AD Connect account (MSOL) created by AAD Connect automatically. This account has replicate
permissions on all domains, however can be easily compromised as it is not protected.
SYNTAX
DESCRIPTION
The Set-ADSyncRestrictedPermissions Function will tighten permissions oo the account provided. Tightening
permissions involves the following steps:
1. Disable inheritance on the specified object
2. Remove all ACEs on the specific object, except ACEs specific to SELF. We want to keep the default
permissions intact when it comes to SELF.
3. Assign these specific permissions:
EXAMPLES
EXAMPLE 1
PARAMETERS
-ADConnectorAccountDN
DistinguishedName of the Active Directory account whose permissions need to be tightened. This is typically the
MSOL_nnnnnnnnnn account or a custom domain account that is configured in your AD Connector.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Credential
Administrator credential that has the necessary privileges to restrict the permissions on the
ADConnectorAccountDN account. This is typically the Enterprise or Domain administrator. Use the fully qualified
domain name of the administrator account to avoid account lookup failures. Example: CONTOSO\admin
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-DisableCredentialValidation
When DisableCredentialValidation is used, the function will not check if the credentials provided in -Credential are
valid in AD and if the account provided has the necessary privileges to restrict the permissions on the
ADConnectorAccountDN account.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Set-ADSyncUnifiedGroupWritebackPermissions
SYNOPSIS
Initialize your Active Directory forest and domain for Group writeback from Azure AD.
SYNTAX
UserDomain
DistinguishedName
DESCRIPTION
The Set-ADSyncUnifiedGroupWritebackPermissions Function will give required permissions to the AD
synchronization account, which include the following: 1. Generic Read/Write, Delete, Delete Tree and Create\Delete
Child for all group Object types and SubObjects
These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in
ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects). In
this case, ADobjectDN will be the Distinguished Name of the Container that you desire to link with the
GroupWriteback feature.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
EXAMPLE 3
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN 'CN=ADConnector,OU=AzureAD,DC=Contoso,DC=com'
-SkipAdminSdHolders
EXAMPLE 4
PARAMETERS
-ADConnectorAccountName
The Name of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDomain
The Domain of the Active Directory account that is or will be used by Azure AD Connect Sync to manage objects in
the directory.
Type: String
Parameter Sets: UserDomain
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADConnectorAccountDN
The DistinguishedName of the Active Directory account that is or will be used by Azure AD Connect Sync to
manage objects in the directory.
Type: String
Parameter Sets: DistinguishedName
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ADobjectDN
DistinguishedName of the target AD object to set permissions (optional)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SkipAdminSdHolders
Optional parameter to indicate if AdminSDHolder container should not be updated with these permissions
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Show-ADSyncADObjectPermissions
SYNOPSIS
Shows permissions of a specified AD object.
SYNTAX
DESCRIPTION
This function returns all the AD permissions currently set for a given AD object provided in the parameter -
ADobjectDN. The ADobjectDN must be provided in a DistinguishedName format.
EXAMPLES
EXAMPLE 1
PARAMETERS
-ADobjectDN
{{Fill ADobjectDN Description}}
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Azure AD Connect: ADSyncTools PowerShell
Reference
9/7/2020 • 13 minutes to read • Edit Online
The following documentation provides reference information for the ADSyncTools.psm1 PowerShell Module that is
included with Azure AD Connect.
3. Hit enter.
4. To verify the module was installed, enter or copy and paste the following"
Get-module AdSyncTools
Clear-ADSyncToolsConsistencyGuid
SYNOPSIS
Clear the mS-Ds-ConsistencyGuid from AD User
SYNTAX
DESCRIPTION
Clear the value in mS-Ds-ConsistencyGuid for the target AD user
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-User
Target User in AD to set
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Confirm-ADSyncToolsADModuleLoaded
SYNOPSIS
{{Fill in the Synopsis}}
SYNTAX
Confirm-ADSyncToolsADModuleLoaded
DESCRIPTION
{{Fill in the Description}}
EXAMPLES
Example 1
Connect-AdSyncDatabase
SYNOPSIS
{{Fill in the Synopsis}}
SYNTAX
DESCRIPTION
{{Fill in the Description}}
EXAMPLES
Example 1
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Instance
{{Fill Instance Description}}
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Password
{{Fill Password Description}}
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Server
{{Fill Server Description}}
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-UserName
{{Fill UserName Description}}
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Export-ADSyncToolsConsistencyGuidMigration
SYNOPSIS
Export ConsistencyGuid Report
SYNTAX
DESCRIPTION
Generates a ConsistencyGuid report based on an import CSV file from Import-ADSyncToolsImmutableIdMigration
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-AlternativeLoginId
Use Alternative Login ID (mail)
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-UserPrincipalName
UserPrincipalName
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-ImmutableIdGUID
ImmutableIdGUID
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-Output
Output filename for CSV and LOG files
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Get-ADSyncSQLBrowserInstances
SYNOPSIS
{{Fill in the Synopsis}}
SYNTAX
DESCRIPTION
{{Fill in the Description}}
EXAMPLES
Example 1
PS C:\> {{ Add example code here }}
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Get-ADSyncToolsADuser
SYNOPSIS
Get user from AD
SYNTAX
DESCRIPTION
Returns an AD object TO DO: Multi forest support
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-User
Target User in AD to set ConsistencyGuid
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Get-ADSyncToolsConsistencyGuid
SYNOPSIS
Get the mS-Ds-ConsistencyGuid from AD User
SYNTAX
DESCRIPTION
Returns the value in mS-Ds-ConsistencyGuid attribute of the target AD user in GUID format
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-User
Target User in AD to set
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Get-ADSyncToolsObjectGuid
SYNOPSIS
Get the ObjectGuid from AD User
SYNTAX
DESCRIPTION
Returns the value in ObjectGUID attribute of the target AD user in GUID format
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-User
Target User in AD to set
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Get-ADSyncToolsRunHistory
SYNOPSIS
Get AAD Connect Run History
SYNTAX
DESCRIPTION
Function that returns the AAD Connect Run History in XML format
EXAMPLES
EXAMPLE 1
Get-ADSyncToolsRunHistory
EXAMPLE 2
Get-ADSyncToolsRunHistory -Days 1
PARAMETERS
-Days
{{Fill Days Description}}
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: 3
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Get-ADSyncToolsSourceAnchorChanged
SYNOPSIS
Get users with SourceAnchor changed errors
SYNTAX
DESCRIPTION
Function queries AAD Connect Run History and exports all the users reporting the Error: "SourceAnchor attribute
has changed."
EXAMPLES
EXAMPLE 1
#Required Parameters
$sourcePath = Read-Host -Prompt "Enter your log file path with file name" #"<Source_Path>" $outputPath = Read-
Host -Prompt "Enter your out file path with file name" #"<Out_Path>"
Get-ADSyncToolsUsersSourceAnchorChanged -sourcePath $sourcePath -outputPath $outputPath
EXAMPLE 2
PARAMETERS
-sourcePath
{{Fill sourcePath Description}}
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-outputPath
{{Fill outputPath Description}}
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Import-ADSyncToolsImmutableIdMigration
SYNOPSIS
Import ImmutableID from AAD
SYNTAX
DESCRIPTION
Generates a file with all Azure AD Synchronized users containing the ImmutableID value in GUID format
Requirements: MSOnline PowerShell Module
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-Output
Output CSV file
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-IncludeSyncUsersFromRecycleBin
Get Synchronized Users from Azure AD Recycle Bin
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Invoke-AdSyncDatabaseQuery
SYNOPSIS
{{Fill in the Synopsis}}
SYNTAX
DESCRIPTION
{{Fill in the Description}}
EXAMPLES
Example 1
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SqlConnection
{{Fill SqlConnection Description}}
Type: SqlConnection
Parameter Sets: (All)
Aliases:
Required: True
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Remove-ADSyncToolsExpiredCertificates
SYNOPSIS
Script to Remove Expired Certificates from UserCertificate Attribute
SYNTAX
DESCRIPTION
This script takes all the objects from a target Organizational Unit in your Active Directory domain - filtered by
Object Class (User/Computer) and deletes all expired certificates present in the UserCertificate attribute. By default
(BackupOnly mode) it will only backup expired certificates to a file and not do any changes in AD. If you use -
BackupOnly $false then any Expired Certificate present in UserCertificate attribute for these objects will be
removed from AD after being copied to file. Each certificate will be backed up to a separated filename:
ObjectClass_ObjectGUID_CertThumprint.cer The script will also create a log file in CSV format showing all the users
with certificates that either are valid or expired including the actual action taken (Skipped/Exported/Deleted).
EXAMPLES
EXAMPLE 1
Check all users in target OU - Expired Certificates will be copied to separated files and no certificates will
be removed
Delete Expired Certs from all Computer objects in target OU - Expired Certificates will be copied to files and
removed from AD
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-BackupOnly
BackupOnly will not delete any certificates from AD
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: True
Accept pipeline input: False
Accept wildcard characters: False
-ObjectClass
Object Class filter
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Repair-ADSyncToolsAutoUpgradeState
SYNOPSIS
Short description
SYNTAX
Repair-ADSyncToolsAutoUpgradeState
DESCRIPTION
Long description
EXAMPLES
EXAMPLE 1
Example of how to use this cmdlet
EXAMPLE 2
Resolve-ADSyncHostAddress
SYNOPSIS
{{Fill in the Synopsis}}
SYNTAX
DESCRIPTION
{{Fill in the Description}}
EXAMPLES
Example 1
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Restore-ADSyncToolsExpiredCertificates
SYNOPSIS
(TO DO) Restores AD UserCertificate attribute from a certificate file
SYNTAX
Restore-ADSyncToolsExpiredCertificates
DESCRIPTION
Long description
EXAMPLES
EXAMPLE 1
EXAMPLE 2
Set-ADSyncToolsConsistencyGuid
SYNOPSIS
Set mS-Ds-ConsistencyGuid on AD User
SYNTAX
DESCRIPTION
Set a value in mS-Ds-ConsistencyGuid attribute for the target AD user
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-User
Target User in AD to set ConsistencyGuid
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-Value
ImmutableId (Byte array, GUID, GUID string or Base64 string)
Type: Object
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Test-ADSyncNetworkPort
SYNOPSIS
{{Fill in the Synopsis}}
SYNTAX
DESCRIPTION
{{Fill in the Description}}
EXAMPLES
Example 1
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-port
{{Fill port Description}}
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Trace-ADSyncToolsADImport
SYNOPSIS
Creates a trace file from and AD Import Step
SYNTAX
DESCRIPTION
Traces all ldap queries of an AAD Connect AD Import run from a given AD watermark checkpoint (partition cookie).
Creates a trace file '.\ADimportTrace_yyyyMMddHHmmss.log' on the current folder.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-ADConnectorXML
{{Fill ADConnectorXML Description}}
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-dc
XML file of AD Connector Export
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: DC1.domain.contoso.com
Accept pipeline input: False
Accept wildcard characters: False
-rootDN
Target Domain Controller
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: DC=Domain,DC=Contoso,DC=com
Accept pipeline input: False
Accept wildcard characters: False
-filter
Forest Root DN
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: (&(objectClass=*))
Accept pipeline input: False
Accept wildcard characters: False
-SkipCredentials
Types of AD objects to trace > * = all object types
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ADwatermark
If already running as Domain Administrator there's no need to provide AD credentials. Manual input of watermark,
instead of XML file e.g. $ADwatermark = "TVNEUwMAAAAXyK9ir1zSAQAAAAAAAAAA(...)"
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 5
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Trace-ADSyncToolsLdapQuery
SYNOPSIS
Short description
SYNTAX
DESCRIPTION
Long description
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-Context
Param1 help description
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Server
Param2 help description
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: Localhost
Accept pipeline input: False
Accept wildcard characters: False
-Port
Param2 help description
Type: Int32
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: 389
Accept pipeline input: False
Accept wildcard characters: False
-Filter
Param2 help description
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 4
Default value: (objectClass=*)
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Update-ADSyncToolsConsistencyGuidMigration
SYNOPSIS
Updates users with the new ConsistencyGuid (ImmutableId)
SYNTAX
DESCRIPTION
Updates users with the new ConsistencyGuid (ImmutableId) value taken from the ConsistencyGuid Report This
function supports the WhatIf switch Note: ConsistencyGuid Report must be imported with Tab Demiliter
EXAMPLES
EXAMPLE 1
Import-Csv .\AllSyncUsersTEST-Report.csv -Delimiter "`t"| Update-ADSyncToolsConsistencyGuidMigration -Output
.\AllSyncUsersTEST-Result2 -WhatIf
EXAMPLE 2
PARAMETERS
-DistinguishedName
DistinguishedName
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: False
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-ImmutableIdGUID
ImmutableIdGUID
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-Action
Action
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-Output
Output filename for LOG files
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Azure AD Connect: ADConnectivityTools PowerShell
Reference
9/7/2020 • 10 minutes to read • Edit Online
The following documentation provides reference information for the ADConnectivityTools.psm1 PowerShell
Module that is included with Azure AD Connect.
Confirm-DnsConnectivity
SYNOPSIS
Detects local Dns issues.
SYNTAX
DESCRIPTION
Runs local Dns connectivity tests. In order to configure the Active Directory connector, user must have both name
resolutionthe for the forest they is attempting to connect to as well as in the domain controllers associated to this
forest.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-Forest
Specifies the name of the forest to test against.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-DCs
Specify DCs to test against.
Type: Array
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ReturnResultAsPSObject
Returns the result of this diagnosis in the form of a PSObject. Not necessary during manual interaction with this
tool.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Confirm-ForestExists
SYNOPSIS
Determines if a specified forest exists.
SYNTAX
DESCRIPTION
Queries a DNS server for the IP addresses associated with a forest.
EXAMPLES
EXAMPLE 1
PARAMETERS
-Forest
Specifies the name of the forest to test against.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Confirm-FunctionalLevel
SYNOPSIS
Verifies AD forest functional level.
SYNTAX
SamAccount
ForestFQDN
DESCRIPTION
Verifies that the AD forest functional level is equal or more than a given MinAdForestVersion
(WindowsServer2003). Account (Domain\Username) and Password may be requested.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
EXAMPLE 3
PARAMETERS
-Forest
Target forest. Default value is the Forest of the currently logged in user.
Type: String
Parameter Sets: SamAccount
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ForestFQDN
Target ForestFQDN Object.
Type: Forest
Parameter Sets: ForestFQDN
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-RunWithCurrentlyLoggedInUserCredentials
The function will use the credentials of the user that is currently logged in the computer, rather than requesting
custom credentials from the user.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Confirm-NetworkConnectivity
SYNOPSIS
Detects local network connectivity issues.
SYNTAX
DESCRIPTION
Runs local network connectivity tests.
For the local networking tests, AAD Connect must be able to communicate with the named domain controllers on
ports 53 (DNS), 88 (Kerberos) and 389 (LDAP) Most organizations run DNS on their DCs, which is why this test is
currently integrated. Port 53 should be skipped if another DNS server has been specified.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-DCs
Specify DCs to test against.
Type: Array
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SkipDnsPort
If the user is not using DNS services provided by the AD Site / Logon DC, then they may want to skip checking
port 53. The user must still be able to resolve _.ldap._tcp.<forestfqdn> in order for the Active Directory Connector
configuration to succeed.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ReturnResultAsPSObject
Returns the result of this diagnosis in the form of a PSObject. Not necessary during manual interaction with this
tool.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Confirm-TargetsAreReachable
SYNOPSIS
Determines if a specified forest and its associated Domain Controllers are reachable.
SYNTAX
DESCRIPTION
Runs "ping" tests (whether a computer can reach a destination computer through the network and/or the internet)
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-Forest
Specifies the name of the forest to test against.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-DCs
Specify DCs to test against.
Type: Array
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Confirm-ValidDomains
SYNOPSIS
Validate that the domains in the obtained Forest FQDN are reachable
SYNTAX
SamAccount
ForestFQDN
DESCRIPTION
Validate that all of the domains in the obtained Forest FQDN are reachable by attempting to retrieve DomainGuid
and DomainDN. Account (Domain\Username) and Password may be requested.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
EXAMPLE 3
PARAMETERS
-Forest
Target forest.
Type: String
Parameter Sets: SamAccount
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ForestFQDN
Target ForestFQDN Object.
Type: Forest
Parameter Sets: ForestFQDN
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-RunWithCurrentlyLoggedInUserCredentials
The function will use the credentials of the user that is currently logged in the computer, rather than requesting
custom credentials from the user.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Confirm-ValidEnterpriseAdminCredentials
SYNOPSIS
Verifies if a user has Enterprise Admin credentials.
SYNTAX
DESCRIPTION
Searches if provided user has Enterprise Admin credentials. Account (Domain\Username) and Password may be
requested.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-RunWithCurrentlyLoggedInUserCredentials
The function will use the credentials of the user that is currently logged in the computer, rather than requesting
custom credentials from the user.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Get-DomainFQDNData
SYNOPSIS
Retrieves a DomainFQDN out of an account and password combination.
SYNTAX
DESCRIPTION
Attempts to obtain a domainFQDN object out of provided credentials. If the domainFQDN is valid, a
DomainFQDNName or RootDomainName will be returned, depending on the user's choice. Account
(Domain\Username) and Password may be requested.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-DomainFQDNDataType
Desired kind of data that will be retrieved. Currently limited to "DomainFQDNName" or "RootDomainName".
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-RunWithCurrentlyLoggedInUserCredentials
The function will use the credentials of the user that is currently logged in the computer, rather than requesting
custom credentials from the user.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ReturnExceptionOnError
Auxiliary parameter used by Start-NetworkConnectivityDiagnosisTools function
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Get-ForestFQDN
SYNOPSIS
Retrieves a ForestFQDN out of an account and password combination.
SYNTAX
DESCRIPTION
Attempts to obtain a ForestFQDN out of the provided credentials. Account (Domain\Username) and Password may
be requested.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-Forest
Target forest.Default value is the Domain of the currently logged in user.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-RunWithCurrentlyLoggedInUserCredentials
The function will use the credentials of the user that is currently logged in the computer, rather than requesting
custom credentials from the user.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Start-ConnectivityValidation
SYNOPSIS
Main function.
SYNTAX
DESCRIPTION
Runs all the available mechanisms that verify AD credentials are valid.
EXAMPLES
EXAMPLE 1
PARAMETERS
-Forest
Target forest.
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AutoCreateConnectorAccount
For Custom-installations: Flag that is $True if the user chose "Create new AD account" on the AD Forest Account
window of AADConnect's wizard. $False if the user chose "Use existing AD account". For Express-installations: The
value of this variable must be $True for Express-installations.
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-UserName
Parameter that pre-populates the Username field when user's credentials are requested.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Start-NetworkConnectivityDiagnosisTools
SYNOPSIS
Main function for network connectivity tests.
SYNTAX
DESCRIPTION
Runs local network connectivity tests.
EXAMPLES
EXAMPLE 1
EXAMPLE 2
PARAMETERS
-Forest
Specifies forest name to test against.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Credentials
The user name and password of the user that is running the test. It requires the same level of permissions that is
required to run the Azure AD Connect Wizard.
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-LogFileLocation
Specifies a the location of a log file that will contain the output of this function.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-DCs
Specify DCs to test against.
Type: Array
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-DisplayInformativeMessage
Flag that allows displaying a message about the purpose of this function.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ReturnResultAsPSObject
Returns the result of this diagnosis in the form of a PSObject. Not necessary to specify during manual interaction
with this tool.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ValidCredentials
Indicates if the credentials the user typed are valid. Not necessary to specify during manual interaction with this
tool.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -
InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Azure AD Connect - msExchUserHoldPolicies and
cloudMsExchUserHoldPolicies
9/7/2020 • 2 minutes to read • Edit Online
The following reference document describes these attributes used by Exchange and the proper way to edit the
default sync rules.
M ETAVERSE
AT T RIB UT E AT T RIB UT E N A M E F LO W T Y P E A Z URE A D AT T RIB UT E SY N C RUL E
M ETAVERSE
AT T RIB UT E AT T RIB UT E N A M E F LO W T Y P E A Z URE A D AT T RIB UT E SY N C RUL E
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Understanding Azure AD Connect 1.4.xx.x and device
disappearance
10/30/2019 • 2 minutes to read • Edit Online
With version 1.4.xx.x of Azure AD Connect, some customers may see some or all of their Windows devices
disappear from Azure AD. This is not a cause for concern, as these device identities are not used by Azure AD
during Conditional Access authorization. This change won't delete any Windows devices that were correctly
registered with Azure AD for Hybrid Azure AD Join.
If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the
customer allow the deletions to go through. How To: allow deletes to flow when they exceed the deletion threshold
Background
Windows devices registered as Hybrid Azure AD Joined are represented in Azure AD as device objects. These
device objects can be used for Conditional Access. Windows 10 devices are synced to the cloud via Azure AD
Connect, down level Windows devices are registered directly using either AD FS or seamless single sign-on.
Windows 10 devices
Only Windows 10 devices with a specific userCertificate attribute value configured by Hybrid Azure AD Join are
supposed to be synced to the cloud by Azure AD Connect. In previous versions of Azure AD Connect this
requirement was not rigorously enforced, resulting in unnecessary device objects in Azure AD. Such devices in
Azure AD always stayed in the “pending” state because these devices were not intended to be registered with Azure
AD.
This version of Azure AD Connect will only sync Windows 10 devices that are correctly configured to be Hybrid
Azure AD Joined. Windows 10 device objects without the Azure AD join specific userCertificate will be removed
from Azure AD.
How can I verify which devices are deleted with this update?
To verify which devices are deleted, you can use this PowerShell script:
https://gallery.technet.microsoft.com/scriptcenter/Export-Hybrid-Azure-AD-f8e51436
This script generates a report about certificates stored in Active Directory Computer objects, specifically, certificates
issued by the Hybrid Azure AD join feature. It checks the certificates present in the UserCertificate property of a
Computer object in AD and, for each non-expired certificate present, validates if the certificate was issued for the
Hybrid Azure AD join feature (i.e. Subject Name matches CN={ObjectGUID}). Before, Azure AD Connect would
synchronize to Azure AD any Computer that contained at least one valid certificate but starting on Azure AD
Connect version 1.4, the synchronization engine can identify Hybrid Azure AD join certificates and will ‘cloudfilter’
the computer object from synchronizing to Azure AD unless there’s a valid Hybrid Azure AD join certificate. Azure
AD Devices that were already synchronized to AD but do not have a valid Hybrid Azure AD join certificate will be
deleted (CloudFiltered=TRUE) by the sync engine.
Next Steps
Azure AD Connect Version history
Azure AD Connect: Version release history archive
9/7/2020 • 71 minutes to read • Edit Online
The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect with new features and
functionality. Not all additions are applicable to all audiences.
NOTE
This article contains version reference information about all archived versions of Azure AD - 1.3.20.0 and older. For current
releases, see the Azure AD Connect Version release history
1.3.20.0
Release status
04/24/2019: Released for download
New features and improvements
Add support for Domain Refresh
Exchange Mail Public Folders feature goes GA
Improve wizard error handling for service failures
Added warning link on Synchronization Service Manager UI in the connector properties page.
The Unified Groups Writeback feature is now GA
Improved SSPR error message when the DC is missing an LDAP control
Added diagnostics for DCOM registry errors during install
Improved tracing of PHS RPC errors
Allow EA creds from a child domain
Allow database name to be entered during install (default name ADSync)
Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
Modify Group Sync Rules to flow samAccountName, DomainNetbios and DomainFQDN to cloud - needed for
claims
Modified Default Sync Rule Handling – read more here.
Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote
diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support
case. This agent is not installed and enabled by default. For more information on how to install and enable the
agent see What is the Azure AD Connect Admin Agent?.
Updated the End User License Agreement (EULA)
Added auto upgrade support for deployments that use AD FS as their login type. This also removed the
requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain
switch (includes trust and Azure AD domain updates).
Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of
using a pre-installed certificate.
Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All
additional servers will be done after initial installation.
Fixed issues
Fix the SQL reconnect logic for ADSync service
Fix to allow clean Install using an empty SQL AOA DB
Fix PS Permissions script to refine GWB permissions
Fix VSS Errors with LocalDB
Fix misleading error message when object type is not in scope
Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly
conflict with Azure AD Connect.
Fixed PHS bug on Staging Server when Connector Credentials are updated in the Synchronization Service
Manager UI.
Fixed some memory leaks
Miscellaneous Autoupgrade fixes
Miscellaneous fixes to Export and Unconfirmed Import Processing
Fixed a bug with handling a backslash in Domain and OU filtering
Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.
1.2.70.0
Release status
12/18/2018: Released for download
Fixed issues
This build updates the non-standard connectors (for example, Generic LDAP Connector and Generic SQL
Connector) shipped with Azure AD Connect. For more information on applicable connectors, see version 1.1.911.0
in Connector Version Release History.
1.2.69.0
Release status
12/11/2018: Released for download
Fixed issues
This hotfix build allows the user to select a target domain, within the specified forest, for the RegisteredDevices
container when enabling device writeback. In the previous versions that contain the new Device Options
functionality (1.1.819.0 – 1.2.68.0), the RegisteredDevices container location was limited to the forest root and did
not allow child domains. This limitation only manifested itself on new deployments – in-place upgrades were
unaffected.
If any build containing the updated Device Options functionality was deployed to a new server and device
writeback was enabled, you will need to manually specify the location of the container if you do not want it in the
forest root. To do this, you need to disable device writeback and re-enable it which will allow you to specify the
container location on the “Writeback forest” page.
1.2.68.0
Release status
11/30/2018: Released for download
Fixed issues
This hotfix build fixes a conflict where an authentication error might occur due to the independent presence of the
MSOnline PowerShell Gallery module on the synchronization server.
1.2.67.0
Release status
11/19/2018: Released for download
Fixed issues
This hotfix build fixes a regression in the previous build where Password Writeback fails when using an ADDS
Domain Controller on Windows Server 2008/R2.
1.2.65.0
Release status
10/25/2018: released for download
New features and improvements
Changed the functionality of attribute write-back to ensure hosted voice-mail is working as expected. Under
certain scenarios, Azure AD was overwriting the msExchUcVoicemailSettings attribute during write-back with a
null value. Azure AD will now no longer clear the on-premises value of this attribute if the cloud value is not set.
Added diagnostics in the Azure AD Connect wizard to investigate and identify Connectivity issues to Azure AD.
These same diagnostics can also be run directly through PowerShell using the Test-
AdSyncAzureServiceConnectivity Cmdlet.
Added diagnostics in the Azure AD Connect wizard to investigate and identify Connectivity issues to AD. These
same diagnostics can also be run directly through PowerShell using the Start-ConnectivityValidation function in
the ADConnectivityTools PowerShell module. For more information see What is the ADConnectivityTool
PowerShell Module?
Added an AD schema version pre-check for Hybrid Azure Active Directory Join and device write-back
Changed the Directory Extension page attribute search to be non-case sensitive.
Added full support for TLS 1.2. This release supports all other protocols being disabled and only TLS 1.2 being
enabled on the machine where Azure AD Connect is installed. For more information see TLS 1.2 enforcement
for Azure AD Connect
Fixed issues
Fixed a bug where Azure AD Connect Upgrade would fail if SQL Always On was being used.
Fixed a bug to correctly parse OU names that contain a forward slash.
Fixed an issue where Pass-Through Authentication would be disabled for a clean install in staging mode.
Fixed a bug that prevented the PowerShell module to be loaded when running the Troubleshooting tools
Fixed a bug that would block customers from using numeric values in the first character of a host name.
Fixed a bug where Azure AD Connect would allow invalid partitions and container selection
Fixed the “Invalid Password” error message when Desktop SSO is enabled.
Various Bug fixes for AD FS Trust Management
When configuring Device Writeback - fixed the schema check to look for the msDs-DeviceContainer object class
(introduced on WS2012 R2)
1.1.882.0
9/7/2018: released for download, will not be release for auto upgrade
Fixed issues
Azure AD Connect Upgrade fails if SQL Always On Availability is configured for the ADSync DB. This hotfix
addresses this issue and allows Upgrade to succeed.
1.1.880.0
Release status
8/21/2018: Released for download and auto upgrade.
New features and improvements
The Ping Federate integration in Azure AD Connect is now available for General Availability. Learn more about
how to federated Azure AD with Ping Federate
Azure AD Connect now creates the backup of Azure AD trust in AD FS every time an update is made and stores
it in a separate file for easy restore if required. Learn more about the new functionality and Azure AD trust
management in Azure AD Connect.
New troubleshooting tooling helps troubleshoot changing primary email address and hiding account from
global address list
Azure AD Connect was updated to include the latest SQL Server 2012 Native Client
When you switch user sign-in to Password Hash Synchronization or Pass-through Authentication in the
"Change user sign-in" task, the Seamless Single Sign-On checkbox is enabled by default.
Added support for Windows Server Essentials 2019
The Azure AD Connect Health agent was updated to the latest version 3.1.7.0
During an upgrade, if the installer detects changes to the default sync rules, the admin is prompted with a
warning before overwriting the modified rules. This will allow the user to take corrective actions and resume
later. Old Behavior: If there was any modified out-of-box rule then manual upgrade was overwriting those rules
without giving any warning to the user and sync scheduler was disabled without informing user. New Behavior:
User will be prompted with warning before overwriting the modified out-of-box sync rules. User will have
choice to stop the upgrade process and resume later after taking corrective action.
Provide a better handling of a FIPS compliance issue, providing an error message for MD5 hash generation in a
FIPS compliant environment and a link to documentation that provides a work around for this issue.
UI update to improve federation tasks in the wizard, which are now under a separate sub group for federation.
All federation additional tasks are now grouped under a single sub-menu for ease of use.
A new revamped ADSyncConfig Posh Module (AdSyncConfig.psm1) with new AD Permissions functions moved
from the old ADSyncPrep.psm1 (which may be deprecated shortly)
Fixed issues
Fixed a bug where the Azure AD Connect server would show high CPU usage after upgrading to .NET 4.7.2
Fixed a bug that would intermittently produce an error message for an auto-resolved SQL deadlock issue
Fixed several accessibility issues for the Sync Rules Editor and the Sync Service Manager
Fixed a bug where Azure AD Connect can not get registry setting information
Fixed a bug that created issues when the user goes forward/back in the wizard
Fixed a bug to prevent an error happening due to incorrect multi-thread handing in the wizard
When Group Sync Filtering page encounters an LDAP error when resolving security groups, Azure AD Connect
now returns the exception with full fidelity. The root cause for the referral exception is still unknown and will be
addressed by a different bug.
Fixed a bug where permissions for STK and NGC keys (ms-DS-KeyCredentialLink attribute on User/Device
objects for WHfB) were not correctly set.
Fixed a bug where 'Set-ADSyncRestrictedPermissions’ was not called correctly
Adding support for permission granting on Group Writeback in Azure ADConnect's installation wizard
When changing sign in method from Password Hash Sync to AD FS, Password Hash Sync was not disabled.
Added verification for IPv6 addresses in AD FS configuration
Updated the notification message to inform that an existing configuration exists.
Device writeback fails to detect container in untrusted forest. This has been updated to provide a better error
message and a link to the appropriate documentation
Deselecting an OU and then synchronization/writeback corresponding to that OU gives a generic sync error.
This has been changed to create a more understandable error message.
1.1.819.0
Release status
5/14/2018: Released for auto upgrade and download.
New features and improvements
New features and improvements
This release includes the public preview of the integration of PingFederate in Azure AD Connect. With this
release, customers can easily, and reliably configure their Azure Active Directory environment to leverage
PingFederate as their federation provider. To learn more about how to use this new feature, please visit our
online documentation.
Updated the Azure AD Connect Wizard Troubleshooting Utility, where it now analyzes more error scenario’s,
such as Linked Mailboxes and AD Dynamic Groups. Read more about the troubleshooting utility here.
Device Writeback configuration is now managed solely within the Azure AD Connect Wizard.
A new PowerShell Module called ADSyncTools.psm1 is added that can be used to troubleshoot SQL Connectivity
issues and various other troubleshooting utilities. Read more about the ADSyncTools module here.
A new additional task “Configure device options” has been added. You can use the task to configure the
following two operations:
Hybrid Azure AD join : If your environment has an on-premises AD footprint and you also want
benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD
joined devices. These are devices that are both, joined to your on-premises Active Directory and your
Azure Active Directory.
Device writeback : Device writeback is used to enable Conditional Access based on devices to AD FS
(2012 R2 or higher) protected devices
NOTE
The option to enable device writeback from Customize synchronization options will be greyed out.
The PowerShell module for ADPrep is deprecated with this release.
Fixed issues
This release updates the SQL Server Express installation to SQL Server 2012 SP4, which, among others,
provides fixes for several security vulnerabilities. Please see here for more information about SQL Server 2012
SP4.
Sync Rule Processing: outbound Join sync rules with no Join Condition should be de-applied if the parent sync
rule is no longer applicable
Several accessibility fixes have been applied to the Synchronization Service Manager UI and the Sync Rules
Editor
Azure AD Connect Wizard: Error creating AD Connector account when Azure AD Connect is in a workgroup
Azure AD Connect Wizard: On the Azure AD Sign-in page display the verification checkbox whenever there is
any mismatch in AD domains and Azure AD Verified domains
Auto-upgrade PowerShell fix to set auto upgrade state correctly in certain cases after auto upgrade attempted.
Azure AD Connect Wizard: Updated telemetry to capture previously missing information
Azure AD Connect Wizard: The following changes have been made when you use the Change user sign-in
task to switch from AD FS to Pass-through Authentication:
The Pass-through Authentication Agent is installed on the Azure AD Connect server and the Pass-through
Authentication feature is enabled, before we convert domain(s) from federated to managed.
Users are no longer converted from federated to managed. Only domain(s) are converted.
Azure AD Connect Wizard: AD FS Multi Domain Regex is not correct when user UPN has ' special character
Regex update to support special characters
Azure AD Connect Wizard: Remove spurious "Configure source anchor attribute" message when no change
Azure AD Connect Wizard: AD FS support for the dual federation scenario
Azure AD Connect Wizard: AD FS Claims are not updated for added domain when converting a managed
domain to federated
Azure AD Connect Wizard: During detection of installed packages, we find stale Dirsync/Azure AD Sync/Azure
AD Connect related products. We will now attempt to uninstall the stale products.
Azure AD Connect Wizard: Correct Error Message Mapping when installation of passthrough authentication
agent fails
Azure AD Connect Wizard: Removed "Configuration" container from Domain OU Filtering page
Sync Engine install: remove unnecessary legacy logic that occasionally failed from Sync Engine install msi
Azure AD Connect Wizard: Fix popup help text on Optional Features page for Password Hash Sync
Sync Engine runtime: Fix the scenario where a CS object has an imported delete and Sync Rules attempt to re-
provision the object.
Sync Engine runtime: Add help link for Online connectivity troubleshooting guide to the event log for an Import
Error
Sync Engine runtime: Reduced memory usage of Sync Scheduler when enumerating Connectors
Azure AD Connect Wizard: Fix an issue resolving a custom Sync Service Account which has no AD Read
privileges
Azure AD Connect Wizard: Improve logging of Domain and OU filtering selections
Azure AD Connect Wizard: AD FS Add default claims to federation trust created for MFA scenario
Azure AD Connect Wizard: AD FS Deploy WAP: Adding server fails to use new certificate
Azure AD Connect Wizard: DSSO exception when onPremCredentials aren't initialized for a domain
Preferentially flow the AD distinguishedName attribute from the Active User object.
Fixed a cosmetic bug were the Precedence of the first OOB Sync Rule was set to 99 instead of 100
1.1.751.0
Status 4/12/2018: Released for download only
NOTE
This release is a hotfix for Azure AD Connect
1.1.750.0
Status 3/22/2018: Released for auto-upgrade and download.
NOTE
When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Azure AD
connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD
Connect environment, make sure that you have taken the necessary steps to support this or hold off on upgrading until you
have found a convenient moment to do so.
NOTE
“AutoUpgrade functionality was incorrectly disabled for some tenants who deployed builds later than 1.1.524.0. To ensure
that your Azure AD Connect instance is still eligible for AutoUpgrade, run the following PowerShell cmdlet: “Set-
ADSyncAutoUpgrade -AutoupGradeState Enabled”
Azure AD Connect
Fixed issues
Set-ADSyncAutoUpgrade cmdlet would previously block Autoupgrade if auto-upgrade state is set to
Suspended. This functionality has now changed so it does not block AutoUpgrade of future builds.
Changed the User Sign-in page option "Password Synchronization" to "Password Hash Synchronization".
Azure AD Connect synchronizes password hashes, not passwords, so this aligns with what is actually occurring.
For more information see Implement password hash synchronization with Azure AD Connect sync
1.1.749.0
Status: Released to select customers
NOTE
When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Azure AD
connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD
Connect environment, please make sure that you have taken the necessary steps to support this or hold off on upgrading
until you have found a convenient moment to do so.
Azure AD Connect
Fixed issues
Fix timing window on background tasks for Partition Filtering page when switching to next page.
Fixed a bug that caused Access violation during the ConfigDB custom action.
Fixed a bug to recover from SQL connection timeout.
Fixed a bug where certificates with SAN wildcards failed a prerequisite check.
Fixed a bug which causes miiserver.exe to crash during an Azure AD connector export.
Fixed a bug which bad password attempt logged on DC when running the Azure AD Connect wizard to
change configuration.
New features and improvements
Adding Privacy Settings for the General Data Protection Regulation (GDPR). For more information see the article
here.
NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
application telemetry - admin can switch this class of data on/off at will
Azure AD Health data - admin must visit the health portal to control their health settings. Once the service
policy has been changed, the agents will read and enforce it.
Added device write-back configuration actions and a progress bar for page initialization
Improved General Diagnostics with HTML report and full data collection in a ZIP-Text / HTML Report
Improved the reliability of auto upgrade and added additional telemetry to ensure the health of the server
can be determined
Restrict permissions available to privileged accounts on AD Connector account
For new installations, the wizard will restrict the permissions that privileged accounts have on the MSOL
account after creating the MSOL account.
The changes will take care of following:
1. Express Installations
2. Custom Installations with Auto-Create account
3. Changed the installer so it doesn't require SA privilege on clean install of Azure AD Connect
Added a new utility to troubleshoot synchronization issues for a specific object. It is available under
'Troubleshoot Object Synchronization' option of Azure AD Connect Wizard Troubleshoot Additional Task.
Currently, the utility checks for the following:
UserPrincipalName mismatch between synchronized user object and the user account in Azure AD
Tenant.
If the object is filtered from synchronization due to domain filtering
If the object is filtered from synchronization due to organizational unit (OU) filtering
Added a new utility to synchronize the current password hash stored in the on-premises Active Directory for
a specific user account.
The utility does not require a password change. It is available under 'Troubleshoot Password Hash Synchronization'
option of Azure AD Connect Wizard Troubleshoot Additional Task.
1.1.654.0
Status: December 12th, 2017
NOTE
This release is a security related hotfix for Azure AD Connect
Azure AD Connect
An improvement has been added to Azure AD Connect version 1.1.654.0 (and after) to ensure that the
recommended permission changes described under section Lock down access to the AD DS account are
automatically applied when Azure AD Connect creates the AD DS account.
When setting up Azure AD Connect, the installing administrator can either provide an existing AD DS account,
or let Azure AD Connect automatically create the account. The permission changes are automatically applied to
the AD DS account that is created by Azure AD Connect during setup. They are not applied to existing AD DS
account provided by the installing administrator.
For customers who have upgraded from an older version of Azure AD Connect to 1.1.654.0 (or after), the
permission changes will not be retroactively applied to existing AD DS accounts created prior to the upgrade.
They will only be applied to new AD DS accounts created after the upgrade. This occurs when you are adding
new AD forests to be synchronized to Azure AD.
NOTE
This release only removes the vulnerability for new installations of Azure AD Connect where the service account is created by
the installation process. For existing installations, or in cases where you provide the account yourself, you should ensure that
this vulnerability does not exist.
Where
$ObjectDN = The Active Directory account whose permissions need to be tightened.
$Credential = Administrator credential that has the necessary privileges to restrict the permissions on the
$ObjectDN account. These privileges are typically held by the Enterprise or Domain administrator. Use the fully
qualified domain name of the administrator account to avoid account lookup failures. Example:
contoso.com\admin.
NOTE
$credential.UserName should be in FQDN\username format. Example: contoso.com\admin
Ex a m p l e :
1.1.649.0
Status: October 27 2017
NOTE
This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
Azure AD Connect
Fixed issue
Fixed a version compatibility issue between Azure AD Connect and Azure AD Connect Health Agent (for sync).
This issue affects customers who are performing Azure AD Connect in-place upgrade to version 1.1.647.0, but
currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health
data about Azure AD Connect Synchronization Service to Azure AD Health Service. With this fix, Health Agent
version 3.0.129.0 is installed during Azure AD Connect in-place upgrade. Health Agent version 3.0.129.0 does
not have compatibility issue with Azure AD Connect version 1.1.649.0.
1.1.647.0
Status: October 19 2017
IMPORTANT
There is a known compatibility issue between Azure AD Connect version 1.1.647.0 and Azure AD Connect Health Agent (for
sync) version 3.0.127.0. This issue prevents the Health Agent from sending health data about the Azure AD Connect
Synchronization Service (including object synchronization errors and run history data) to Azure AD Health Service. Before
manually upgrading your Azure AD Connect deployment to version 1.1.647.0, please verify the current version of Azure AD
Connect Health Agent installed on your Azure AD Connect server. You can do so by going to Control Panel → Add Remove
Programs and look for application Microsoft Azure AD Connect Health Agent for Sync. If its version is 3.0.127.0, it is
recommended that you wait for the next Azure AD Connect version to be available before upgrade. If the Health Agent
version isn't 3.0.127.0, it is fine to proceed with the manual, in-place upgrade. Note that this issue does not affect swing
upgrade or customers who are performing new installation of Azure AD Connect.
Azure AD Connect
Fixed issues
Fixed an issue with the Change user sign-in task in Azure AD Connect wizard:
The issue occurs when you have an existing Azure AD Connect deployment with Password
Synchronization enabled , and you are trying to set the user sign-in method as Pass-through
Authentication. Before the change is applied, the wizard incorrectly shows the "Disable Password
Synchronization" prompt. However, Password Synchronization remains enabled after the change is
applied. With this fix, the wizard no longer shows the prompt.
By design, the wizard does not disable Password Synchronization when you update the user sign-in
method using the Change user sign-in task. This is to avoid disruption to customers who want to
keep Password Synchronization, even though they are enabling Pass-through Authentication or
federation as their primary user sign-in method.
If you wish to disable Password Synchronization after updating the user sign-in method, you must
execute the Customize Synchronization Configuration task in the wizard. When you navigate to the
Optional features page, uncheck the Password Synchronization option.
Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On.
Specifically, you have an existing Azure AD Connect deployment with Password Synchronization
enabled and the user sign-in method is already configured as Pass-through Authentication. Using the
Change user sign-in task, you try to check/uncheck the Enable Seamless Single Sign-On option while
the user sign-in method remains configured as "Pass-through Authentication". Before the change is
applied, the wizard incorrectly shows the "Disable Password Synchronization" prompt. However,
Password Synchronization remains enabled after the change is applied. With this fix, the wizard no
longer shows the prompt.
Fixed an issue with the Change user sign-in task in Azure AD Connect wizard:
The issue occurs when you have an existing Azure AD Connect deployment with Password
Synchronization disabled , and you are trying to set the user sign-in method as Pass-through
Authentication. When the change is applied, the wizard enables both Pass-through Authentication
and Password Synchronization. With this fix, the wizard no longer enables Password Synchronization.
Previously, Password Synchronization was a pre-requisite for enabling Pass-through Authentication.
When you set the user sign-in method as Pass-through Authentication, the wizard would enable both
Pass-through Authentication and Password Synchronization. Recently, Password Synchronization was
removed as a pre-requisite. As part of Azure AD Connect version 1.1.557.0, a change was made to
Azure AD Connect to not enable Password Synchronization when you set the user sign-in method as
Pass-through Authentication. However, the change was only applied to Azure AD Connect installation.
With this fix, the same change is also applied to the Change user sign-in task.
Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On.
Specifically, you have an existing Azure AD Connect deployment with Password Synchronization
disabled and the user sign-in method is already configured as Pass-through Authentication. Using the
Change user sign-in task, you try to check/uncheck the Enable Seamless Single Sign-On option while
the user sign-in method remains configured as "Pass-through Authentication". When the change is
applied, the wizard enables Password Synchronization. With this fix, the wizard no longer enables
Password Synchronization.
Fixed an issue that caused Azure AD Connect upgrade to fail with error "Unable to upgrade the
Synchronization Service". Further, the Synchronization Service can no longer start with event error "The
service was unable to start because the version of the database is newer than the version of the binaries
installed". The issue occurs when the administrator performing the upgrade does not have sysadmin
privilege to the SQL server that is being used by Azure AD Connect. With this fix, Azure AD Connect only
requires the administrator to have db_owner privilege to the ADSync database during upgrade.
Fixed an Azure AD Connect Upgrade issue that affected customers who have enabled Seamless Single Sign-
On. After Azure AD Connect is upgraded, Seamless Single Sign-On incorrectly appears as disabled in Azure
AD Connect wizard, even though the feature remains enabled and fully functional. With this fix, the feature
now appears correctly as enabled in the wizard.
Fixed an issue that caused Azure AD Connect wizard to always show the “Configure Source Anchor” prompt
on the Ready to Configure page, even if no changes related to Source Anchor were made.
When performing manual in-place upgrade of Azure AD Connect, the customer is required to provide the
Global Administrator credentials of the corresponding Azure AD tenant. Previously, upgrade could proceed
even though the Global Administrator's credentials belonged to a different Azure AD tenant. While upgrade
appears to complete successfully, certain configurations are not correctly persisted with the upgrade. With
this change, the wizard prevents the upgrade from proceeding if the credentials provided do not match the
Azure AD tenant.
Removed redundant logic that unnecessarily restarted Azure AD Connect Health service at the beginning of
a manual upgrade.
New features and improvements
Added logic to simplify the steps required to set up Azure AD Connect with Microsoft Germany Cloud.
Previously, you are required to update specific registry keys on the Azure AD Connect server for it to work
correctly with Microsoft Germany Cloud, as described in this article. Now, Azure AD Connect can automatically
detect if your tenant is in Microsoft Germany Cloud based on the global administrator credentials provided
during setup.
Azure AD Connect Sync
NOTE
Note: The Synchronization Service has a WMI interface that lets you develop your own custom scheduler. This interface is
now deprecated and will be removed from future versions of Azure AD Connect shipped after June 30, 2018. Customers who
want to customize synchronization schedule should use the built-in scheduler.
Fixed issues
When Azure AD Connect wizard creates the AD Connector account required to synchronize changes from
on-premises Active Directory, it does not correctly assign the account the permission required to read
PublicFolder objects. This issue affects both Express installation and Custom installation. This change fixes
the issue.
Fixed an issue that caused the Azure AD Connect Wizard troubleshooting page to not render correctly for
administrators running from Windows Server 2016.
New features and improvements
When troubleshooting Password Synchronization using the Azure AD Connect wizard troubleshooting page,
the troubleshooting page now returns domain-specific status.
Previously, if you tried to enable Password Hash Synchronization, Azure AD Connect does not verify whether
the AD Connector account has required permissions to synchronize password hashes from on-premises AD.
Now, Azure AD Connect wizard will verify and warn you if the AD Connector account does not have
sufficient permissions.
AD FS Management
Fixed issue
Fixed an issue related to the use of ms-DS-ConsistencyGuid as Source Anchor feature. This issue affects
customers who have configured Federation with AD FS as the user sign-in method. When you execute
Configure Source Anchor task in the wizard, Azure AD Connect switches to using *ms-DS-ConsistencyGuid as
source attribute for immutableId. As part of this change, Azure AD Connect attempts to update the claim rules
for ImmutableId in AD FS. However, this step failed because Azure AD Connect did not have the administrator
credentials required to configure AD FS. With this fix, Azure AD Connect now prompts you to enter the
administrator credentials for AD FS when you execute the Configure Source Anchor task.
1.1.614.0
Status: September 05 2017
Azure AD Connect
Known issues
There is a known issue that is causing Azure AD Connect upgrade to fail with error "Unable to upgrade the
Synchronization Service". Further, the Synchronization Service can no longer start with event error "The
service was unable to start because the version of the database is newer than the version of the binaries
installed". The issue occurs when the administrator performing the upgrade does not have sysadmin
privilege to the SQL server that is being used by Azure AD Connect. Dbo permissions are not sufficient.
There is a known issue with Azure AD Connect Upgrade that is affecting customers who have enabled
Seamless Single Sign-On. After Azure AD Connect is upgraded, the feature appears as disabled in the
wizard, even though the feature remains enabled. A fix for this issue will be provided in future release.
Customers who are concerned about this display issue can manually fix it by enabling Seamless Single Sign-
On in the wizard.
Fixed issues
Fixed an issue that prevented Azure AD Connect from updating the claims rules in on-premises AD FS while
enabling the ms-DS-ConsistencyGuid as Source Anchor feature. The issue occurs if you try to enable the feature
for an existing Azure AD Connect deployment that has AD FS configured as the sign-in method. The issue
occurs because the wizard does not prompt for ADFS credentials before trying to update the claims rules in AD
FS.
Fixed an issue that caused Azure AD Connect to fail installation if the on-premises AD forest has NTLM disabled.
The issue is due to Azure AD Connect wizard not providing fully qualified credentials when creating the security
contexts required for Kerberos authentication. This causes Kerberos authentication to fail and Azure AD Connect
wizard to fall back to using NTLM.
Azure AD Connect Sync
Fixed issues
Fixed an issue where new synchronization rule cannot be created if the Tag attribute isn’t populated.
Fixed an issue that caused Azure AD Connect to connect to on-premises AD for Password Synchronization using
NTLM, even though Kerberos is available. This issue occurs if the on-premises AD topology has one or more
domain controllers that were restored from a backup.
Fixed an issue that caused full synchronization steps to occur unnecessarily after upgrade. In general, running
full synchronization steps is required after upgrade if there are changes to out-of-box synchronization rules. The
issue was due to an error in the change detection logic that incorrectly detected a change when encountering
synchronization rule expression with newline characters. Newline characters are inserted into sync rule
expression to improve readability.
Fixed an issue that can cause the Azure AD Connect server to not work correctly after Automatic Upgrade. This
issue affects Azure AD Connect servers with version 1.1.443.0 (or earlier). For details about the issue, refer to
article Azure AD Connect is not working correctly after an automatic upgrade.
Fixed an issue that can cause Automatic Upgrade to be retried every 5 minutes when errors are encountered.
With the fix, Automatic Upgrade retries with exponential back-off when errors are encountered.
Fixed an issue where password synchronization event 611 is incorrectly shown in Windows Application Event
logs as informational instead of error . Event 611 is generated whenever password synchronization
encounters an issue.
Fixed an issue in the Azure AD Connect wizard that allows Group writeback feature to be enabled without
selecting an OU required for Group writeback.
New features and improvements
Added a Troubleshoot task to Azure AD Connect wizard under Additional Tasks. Customers can leverage this
task to troubleshoot issues related to password synchronization and collect general diagnostics. In the future,
the Troubleshoot task will be extended to include other directory synchronization-related issues.
Azure AD Connect now supports a new installation mode called Use Existing Database . This installation
mode allows customers to install Azure AD Connect that specifies an existing ADSync database. For more
information about this feature, refer to article Use an existing database.
For improved security, Azure AD Connect now defaults to using TLS1.2 to connect to Azure AD for directory
synchronization. Previously, the default was TLS1.0.
When Azure AD Connect Password Synchronization Agent starts up, it tries to connect to Azure AD well-known
endpoint for password synchronization. Upon successful connection, it is redirected to a region-specific
endpoint. Previously, the Password Synchronization Agent caches the region-specific endpoint until it is
restarted. Now, the agent clears the cache and retries with the well-known endpoint if it encounters connection
issue with the region-specific endpoint. This change ensures that password synchronization can failover to a
different region-specific endpoint when the cached region-specific endpoint is no longer available.
To synchronize changes from an on-premises AD forest, an AD DS account is required. You can either (i) create
the AD DS account yourself and provide its credential to Azure AD Connect, or (ii) provide an Enterprise Admin's
credentials and let Azure AD Connect create the AD DS account for you. Previously, (i) is the default option in the
Azure AD Connect wizard. Now, (ii) is the default option.
Azure AD Connect Health
New features and improvements
Added support for Microsoft Azure Government Cloud and Microsoft Cloud Germany.
AD FS Management
Fixed issues
The Initialize-ADSyncNGCKeysWriteBack cmdlet in the AD prep PowerShell module was incorrectly applying
ACLs to the device registration container and would therefore only inherit existing permissions. This was
updated so that the sync service account has the correct permissions.
New features and improvements
The Azure AD Connect Verify ADFS Login task was updated so that it verifies logins against Microsoft Online
and not just token retrieval from ADFS.
When setting up a new ADFS farm using Azure AD Connect, the page asking for ADFS credentials was moved
so that it now occurs before the user is asked to provide ADFS and WAP servers. This allows Azure AD Connect
to check that the account specified has the correct permissions.
During Azure AD Connect upgrade, we will no longer fail an upgrade if the ADFS Azure AD Trust fails to update.
If that happens, the user will be shown an appropriate warning message and should proceed to reset the trust
via the Azure AD Connect additional task.
Seamless Single Sign-On
Fixed issues
Fixed an issue that caused Azure AD Connect wizard to return an error if you try to enable Seamless Single
Sign-On. The error message is “Configuration of Microsoft Azure AD Connect Authentication Agent failed.” This
issue affects existing customers who had manually upgraded the preview version of the Authentication Agents
for Pass-through Authentication based on the steps described in this article.
1.1.561.0
Status: July 23 2017
Azure AD Connect
Fixed issue
Fixed an issue that caused the out-of-box synchronization rule “Out to AD - User ImmutableId” to be
removed:
The issue occurs when Azure AD Connect is upgraded, or when the task option Update
Synchronization Configuration in the Azure AD Connect wizard is used to update Azure AD Connect
synchronization configuration.
This synchronization rule is applicable to customers who have enabled the ms-DS-ConsistencyGuid
as Source Anchor feature. This feature was introduced in version 1.1.524.0 and after. When the
synchronization rule is removed, Azure AD Connect can no longer populate on-premises AD ms-DS-
ConsistencyGuid attribute with the ObjectGuid attribute value. It does not prevent new users from
being provisioned into Azure AD.
The fix ensures that the synchronization rule will no longer be removed during upgrade, or during
configuration change, as long as the feature is enabled. For existing customers who have been
affected by this issue, the fix also ensures that the synchronization rule is added back after upgrading
to this version of Azure AD Connect.
Fixed an issue that causes out-of-box synchronization rules to have precedence value that is less than 100:
In general, precedence values 0 - 99 are reserved for custom synchronization rules. During upgrade,
the precedence values for out-of-box synchronization rules are updated to accommodate sync rule
changes. Due to this issue, out-of-box synchronization rules may be assigned precedence value that is
less than 100.
The fix prevents the issue from occurring during upgrade. However, it does not restore the
precedence values for existing customers who have been affected by the issue. A separate fix will be
provided in the future to help with the restoration.
Fixed an issue where the Domain and OU Filtering screen in the Azure AD Connect wizard is showing Sync
all domains and OUs option as selected, even though OU-based filtering is enabled.
Fixed an issue that caused the Configure Directory Partitions screen in the Synchronization Service Manager
to return an error if the Refresh button is clicked. The error message is “An error was encountered while
refreshing domains: Unable to cast object of type ‘System.Collections.ArrayList’ to type
‘Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.”
The error occurs when new AD domain has been added to an existing AD forest and you are trying to
update Azure AD Connect using the Refresh button.
New features and improvements
Automatic Upgrade feature has been expanded to support customers with the following configurations:
You have enabled the device writeback feature.
You have enabled the group writeback feature.
The installation is not an Express settings or a DirSync upgrade.
You have more than 100,000 objects in the metaverse.
You are connecting to more than one forest. Express setup only connects to one forest.
The AD Connector account is not the default MSOL_ account anymore.
The server is set to be in staging mode.
You have enabled the user writeback feature.
NOTE
The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and
after. If you do not want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet
on your Azure AD Connect server: Set-ADSyncAutoUpgrade -AutoUpgradeState disabled . For more information
about enabling/disabling Automatic Upgrade, refer to article Azure AD Connect: Automatic upgrade.
1.1.558.0
Status: Will not be released. Changes in this build are included in version 1.1.561.0.
Azure AD Connect
Fixed issue
Fixed an issue that caused the out-of-box synchronization rule “Out to AD - User ImmutableId” to be
removed when OU-based filtering configuration is updated. This synchronization rule is required for the ms-
DS-ConsistencyGuid as Source Anchor feature.
Fixed an issue where the Domain and OU Filtering screen in the Azure AD Connect wizard is showing Sync
all domains and OUs option as selected, even though OU-based filtering is enabled.
Fixed an issue that caused the Configure Directory Partitions screen in the Synchronization Service Manager
to return an error if the Refresh button is clicked. The error message is “An error was encountered while
refreshing domains: Unable to cast object of type ‘System.Collections.ArrayList’ to type
‘Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.”
The error occurs when new AD domain has been added to an existing AD forest and you are trying to
update Azure AD Connect using the Refresh button.
New features and improvements
Automatic Upgrade feature has been expanded to support customers with the following configurations:
You have enabled the device writeback feature.
You have enabled the group writeback feature.
The installation is not an Express settings or a DirSync upgrade.
You have more than 100,000 objects in the metaverse.
You are connecting to more than one forest. Express setup only connects to one forest.
The AD Connector account is not the default MSOL_ account anymore.
The server is set to be in staging mode.
You have enabled the user writeback feature.
NOTE
The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and
after. If you do not want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet
on your Azure AD Connect server: Set-ADSyncAutoUpgrade -AutoUpgradeState disabled . For more information
about enabling/disabling Automatic Upgrade, refer to article Azure AD Connect: Automatic upgrade.
1.1.557.0
Status: July 2017
NOTE
This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
Azure AD Connect
Fixed issue
Fixed an issue with the Initialize-ADSyncDomainJoinedComputerSync cmdlet that caused the verified domain
configured on the existing service connection point object to be changed even if it is still a valid domain. This
issue occurs when your Azure AD tenant has more than one verified domains that can be used for configuring
the service connection point.
New features and improvements
Password writeback is now available for preview with Microsoft Azure Government cloud and Microsoft
Cloud Germany. For more information about Azure AD Connect support for the different service instances,
refer to article Azure AD Connect: Special considerations for instances.
The Initialize-ADSyncDomainJoinedComputerSync cmdlet now has a new optional parameter named
AzureADDomain. This parameter lets you specify which verified domain to be used for configuring the
service connection point.
Pass-through Authentication
New features and improvements
The name of the agent required for Pass-through Authentication has been changed from Microsoft Azure
AD Application Proxy Connector to Microsoft Azure AD Connect Authentication Agent.
Enabling Pass-through Authentication no longer enables Password Hash Synchronization by default.
1.1.553.0
Status: June 2017
IMPORTANT
There are schema and sync rule changes introduced in this build. Azure AD Connect Synchronization Service will trigger Full
Import and Full Synchronization steps after upgrade. Details of the changes are described below. To temporarily defer Full
Import and Full Synchronization steps after upgrade, refer to article How to defer full synchronization after upgrade.
CBool(IIF(IsNullOrEmpty([cloudMSExchRecipientDisplayType]),NULL,BitAnd([cloudMSExchRecipientDisplayType]
,&HFF) = 0))
CBool(
IIF(IsPresent([cloudMSExchRecipientDisplayType]),(
IIF([cloudMSExchRecipientDisplayType]=0,True,(
IIF([cloudMSExchRecipientDisplayType]=2,True,(
IIF([cloudMSExchRecipientDisplayType]=7,True,(
IIF([cloudMSExchRecipientDisplayType]=8,True,(
IIF([cloudMSExchRecipientDisplayType]=10,True,(
IIF([cloudMSExchRecipientDisplayType]=16,True,(
IIF([cloudMSExchRecipientDisplayType]=17,True,(
IIF([cloudMSExchRecipientDisplayType]=18,True,(
IIF([cloudMSExchRecipientDisplayType]=1073741824,True,(
IF([cloudMSExchRecipientDisplayType]=1073741840,True,False)))))))))))))))))))),False))
Added the following set of X509Certificate2-compatible functions for creating synchronization rule
expressions to handle certificate values in the userCertificate attribute:
CertSubject
CertIssuer
CertKeyAlgorithm
CertSubjectNameDN
CertIssuerOid
CertNameInfo
CertSubjectNameOid
CertIssuerDN
IsCert
CertFriendlyName
CertThumbprint
CertExtensionOids
CertFormat
CertNotAfter
CertPublicKeyOid
CertSerialNumber
CertNotBefore
CertPublicKeyParametersOid
CertVersion
CertSignatureAlgorithmOid
Select
CertKeyAlgorithmParams
CertHashString
Where
With
Following schema changes have been introduced to allow customers to create custom synchronization rules
to flow sAMAccountName, domainNetBios, and domainFQDN for Group objects, as well as
distinguishedName for User objects:
Following attributes have been added to MV schema:
Group: AccountName
Group: domainNetBios
Group: domainFQDN
Person: distinguishedName
Following attributes have been added to Azure AD Connector schema:
Group: OnPremisesSamAccountName
Group: NetBiosName
Group: DnsDomainName
User: OnPremisesDistinguishedName
The ADSyncDomainJoinedComputerSync cmdlet script now has a new optional parameter named
AzureEnvironment. The parameter is used to specify which region the corresponding Azure Active Directory
tenant is hosted in. Valid values include:
AzureCloud (default)
AzureChinaCloud
AzureGermanyCloud
USGovernment
Updated Sync Rule Editor to use Join (instead of Provision) as the default value of link type during sync rule
creation.
AD FS management
Issues fixed
Following URLs are new WS-Federation endpoints introduced by Azure AD to improve resiliency against
authentication outage and will be added to on-premises AD FS replying party trust configuration:
https://ests.login.microsoftonline.com/login.srf
https://stamp2.login.microsoftonline.com/login.srf
https://ccs.login.microsoftonline.com/login.srf
https://ccs-sdf.login.microsoftonline.com/login.srf
Fixed an issue that caused AD FS to generate incorrect claim value for IssuerID. The issue occurs if there are
multiple verified domains in the Azure AD tenant and the domain suffix of the userPrincipalName attribute
used to generate the IssuerID claim is at least 3-levels deep (for example, johndoe@us.contoso.com). The
issue is resolved by updating the regex used by the claim rules.
New features and improvements
Previously, the ADFS Certificate Management feature provided by Azure AD Connect can only be used with
ADFS farms managed through Azure AD Connect. Now, you can use the feature with ADFS farms that are not
managed using Azure AD Connect.
1.1.524.0
Released: May 2017
IMPORTANT
There are schema and sync rule changes introduced in this build. Azure AD Connect Synchronization Service will trigger Full
Import and Full Sync steps after upgrade. Details of the changes are described below.
Fixed issues:
Azure AD Connect sync
Fixed an issue that causes Automatic Upgrade to occur on the Azure AD Connect server even if customer has
disabled the feature using the Set-ADSyncAutoUpgrade cmdlet. With this fix, the Automatic Upgrade process on
the server still checks for upgrade periodically, but the downloaded installer honors the Automatic Upgrade
configuration.
During DirSync in-place upgrade, Azure AD Connect creates an Azure AD service account to be used by the
Azure AD connector for synchronizing with Azure AD. After the account is created, Azure AD Connect
authenticates with Azure AD using the account. Sometimes, authentication fails because of transient issues,
which in turn causes DirSync in-place upgrade to fail with error “An error has occurred executing Configure AAD
Sync task: AADSTS50034: To sign into this application, the account must be added to the xxx.onmicrosoft.com
directory.” To improve the resiliency of DirSync upgrade, Azure AD Connect now retries the authentication step.
There was an issue with build 443 that causes DirSync in-place upgrade to succeed but run profiles required for
directory synchronization are not created. Healing logic is included in this build of Azure AD Connect. When
customer upgrades to this build, Azure AD Connect detects missing run profiles and creates them.
Fixed an issue that causes Password Synchronization process to fail to start with Event ID 6900 and error “An
item with the same key has already been added”. This issue occurs if you update OU filtering configuration to
include AD configuration partition. To fix this issue, Password Synchronization process now synchronizes
password changes from AD domain partitions only. Non-domain partitions such as configuration partition are
skipped.
During Express installation, Azure AD Connect creates an on-premises AD DS account to be used by the AD
connector to communicate with on-premises AD. Previously, the account is created with the PASSWD_NOTREQD
flag set on the user-Account-Control attribute and a random password is set on the account. Now, Azure AD
Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account.
Fixed an issue that causes DirSync upgrade to fail with error “a deadlock occurred in sql server which trying to
acquire an application lock” when the mailNickname attribute is found in the on-premises AD schema, but is not
bounded to the AD User object class.
Fixed an issue that causes Device writeback feature to automatically be disabled when an administrator is
updating Azure AD Connect sync configuration using Azure AD Connect wizard. This issue is caused by the
wizard performing a pre-requisite check for the existing Device writeback configuration in on-premises AD and
the check fails. The fix is to skip the check if Device writeback is already enabled previously.
To configure OU filtering, you can either use the Azure AD Connect wizard or the Synchronization Service
Manager. Previously, if you use the Azure AD Connect wizard to configure OU filtering, new OUs created
afterwards are included for directory synchronization. If you do not want new OUs to be included, you must
configure OU filtering using the Synchronization Service Manager. Now, you can achieve the same behavior
using Azure AD Connect wizard.
Fixed an issue that causes stored procedures required by Azure AD Connect to be created under the schema of
the installing admin, instead of under the dbo schema.
Fixed an issue that causes the TrackingId attribute returned by Azure AD to be omitted in the Azure AD Connect
Server Event Logs. The issue occurs if Azure AD Connect receives a redirection message from Azure AD and
Azure AD Connect is unable to connect to the endpoint provided. The TrackingId is used by Support Engineers
to correlate with service side logs during troubleshooting.
When Azure AD Connect receives LargeObject error from Azure AD, Azure AD Connect generates an event with
EventID 6941 and message “The provisioned object is too large. Trim the number of attribute values on this
object.” At the same time, Azure AD Connect also generates a misleading event with EventID 6900 and message
“Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active
Directory service.” To minimize confusion, Azure AD Connect no longer generates the latter event when
LargeObject error is received.
Fixed an issue that causes the Synchronization Service Manager to become unresponsive when trying to update
the configuration for Generic LDAP connector.
New features/improvements:
Azure AD Connect sync
Sync Rule Changes – The following sync rule changes have been implemented:
Updated default sync rule set to not export attributes userCer tificate and userSMIMECer tificate if
the attributes have more than 15 values.
AD attributes employeeID and msExchBypassModerationLink are now included in the default sync
rule set.
AD attribute photo has been removed from default sync rule set.
Added preferredDataLocation to the Metaverse schema and Azure AD Connector schema. Customers
who want to update either attributes in Azure AD can implement custom sync rules to do so.
Added userType to the Metaverse schema and Azure AD Connector schema. Customers who want to
update either attributes in Azure AD can implement custom sync rules to do so.
Azure AD Connect now automatically enables the use of ConsistencyGuid attribute as the Source Anchor
attribute for on-premises AD objects. Further, Azure AD Connect populates the ConsistencyGuid attribute
with the objectGuid attribute value if it is empty. This feature is applicable to new deployment only. To find
out more about this feature, refer to article section Azure AD Connect: Design concepts - Using ms-DS-
ConsistencyGuid as sourceAnchor.
New troubleshooting cmdlet Invoke-ADSyncDiagnostics has been added to help diagnose Password Hash
Synchronization related issues. For information about using the cmdlet, refer to article Troubleshoot
password hash synchronization with Azure AD Connect sync.
Azure AD Connect now supports synchronizing Mail-Enabled Public Folder objects from on-premises AD to
Azure AD. You can enable the feature using Azure AD Connect wizard under Optional Features. To find out
more about this feature, refer to article Office 365 Directory Based Edge Blocking support for on-premises
Mail Enabled Public Folders.
Azure AD Connect requires an AD DS account to synchronize from on-premises AD. Previously, if you
installed Azure AD Connect using the Express mode, you could provide the credentials of an Enterprise
Admin account and Azure AD Connect would create the AD DS account required. However, for a custom
installation and adding forests to an existing deployment, you were required to provide the AD DS account
instead. Now, you also have the option to provide the credentials of an Enterprise Admin account during a
custom installation and let Azure AD Connect create the AD DS account required.
Azure AD Connect now supports SQL AOA. You must enable SQL AOA before installing Azure AD Connect.
During installation, Azure AD Connect detects whether the SQL instance provided is enabled for SQL AOA or
not. If SQL AOA is enabled, Azure AD Connect further figures out if SQL AOA is configured to use
synchronous replication or asynchronous replication. When setting up the Availability Group Listener, it is
recommended that you set the RegisterAllProvidersIP property to 0. This recommendation is because Azure
AD Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the
use of MultiSubNetFailover property.
If you are using LocalDB as the database for your Azure AD Connect server and has reached its 10-GB size
limit, the Synchronization Service no longer starts. Previously, you need to perform ShrinkDatabase
operation on the LocalDB to reclaim enough DB space for the Synchronization Service to start. After which,
you can use the Synchronization Service Manager to delete run history to reclaim more DB space. Now, you
can use Start-ADSyncPurgeRunHistory cmdlet to purge run history data from LocalDB to reclaim DB space.
Further, this cmdlet supports an offline mode (by specifying the -offline parameter) which can be used when
the Synchronization Service is not running. Note: The offline mode can only be used if the Synchronization
Service is not running and the database used is LocalDB.
To reduce the amount of storage space required, Azure AD Connect now compresses sync error details
before storing them in LocalDB/SQL databases. When upgrading from an older version of Azure AD
Connect to this version, Azure AD Connect performs a one-time compression on existing sync error details.
Previously, after updating OU filtering configuration, you must manually run Full import to ensure existing
objects are properly included/excluded from directory synchronization. Now, Azure AD Connect
automatically triggers Full import during the next sync cycle. Further, Full import is only be applied to the
AD connectors affected by the update. Note: this improvement is applicable to OU filtering updates made
using the Azure AD Connect wizard only. It is not applicable to OU filtering update made using the
Synchronization Service Manager.
Previously, Group-based filtering supports Users, Groups, and Contact objects only. Now, Group-based
filtering also supports Computer objects.
Previously, you can delete Connector Space data without disabling Azure AD Connect sync scheduler. Now,
the Synchronization Service Manager blocks the deletion of Connector Space data if it detects that the
scheduler is enabled. Further, a warning is returned to inform customers about potential data loss if the
Connector space data is deleted.
Previously, you must disable PowerShell transcription for Azure AD Connect wizard to run correctly. This
issue is partially resolved. You can enable PowerShell transcription if you are using Azure AD Connect wizard
to manage sync configuration. You must disable PowerShell transcription if you are using Azure AD Connect
wizard to manage ADFS configuration.
1.1.486.0
Released: April 2017
Fixed issues:
Fixed the issue where Azure AD Connect will not install successfully on localized version of Windows Server.
1.1.484.0
Released: April 2017
Known issues:
This version of Azure AD Connect will not install successfully if the following conditions are all true:
1. You are performing either DirSync in-place upgrade or fresh installation of Azure AD Connect.
2. You are using a localized version of Windows Server where the name of built-in Administrator group on
the server isn't "Administrators".
3. You are using the default SQL Server 2012 Express LocalDB installed with Azure AD Connect instead of
providing your own full SQL.
Fixed issues:
Azure AD Connect sync
Fixed an issue where the sync scheduler skips the entire sync step if one or more connectors are missing run
profile for that sync step. For example, you manually added a connector using the Synchronization Service
Manager without creating a Delta Import run profile for it. This fix ensures that the sync scheduler continues to
run Delta Import for other connectors.
Fixed an issue where the Synchronization Service immediately stops processing a run profile when it is
encounters an issue with one of the run steps. This fix ensures that the Synchronization Service skips that run
step and continues to process the rest. For example, you have a Delta Import run profile for your AD connector
with multiple run steps (one for each on-premises AD domain). The Synchronization Service will run Delta
Import with the other AD domains even if one of them has network connectivity issues.
Fixed an issue that causes the Azure AD Connector update to be skipped during Automatic Upgrade.
Fixed an issue that causes Azure AD Connect to incorrectly determine whether the server is a domain controller
during setup, which in turn causes DirSync upgrade to fail.
Fixed an issue that causes DirSync in-place upgrade to not create any run profile for the Azure AD Connector.
Fixed an issue where the Synchronization Service Manager user interface becomes unresponsive when trying to
configure Generic LDAP Connector.
AD FS management
Fixed an issue where the Azure AD Connect wizard fails if the AD FS primary node has been moved to another
server.
Desktop SSO
Fixed an issue in the Azure AD Connect wizard where the Sign-In screen does not let you enable Desktop SSO
feature if you chose Password Synchronization as your Sign-In option during new installation.
New features/improvements:
Azure AD Connect sync
Azure AD Connect Sync now supports the use of Virtual Service Account, Managed Service Account and Group
Managed Service Account as its service account. This applies to new installation of Azure AD Connect only.
When installing Azure AD Connect:
By default, Azure AD Connect wizard will create a Virtual Service Account and uses it as its service
account.
If you are installing on a domain controller, Azure AD Connect falls back to previous behavior where it
will create a domain user account and uses it as its service account instead.
You can override the default behavior by providing one of the following:
A Group Managed Service Account
A Managed Service Account
A domain user account
A local user account
Previously, if you upgrade to a new build of Azure AD Connect containing connectors update or sync rule
changes, Azure AD Connect will trigger a full sync cycle. Now, Azure AD Connect selectively triggers Full Import
step only for connectors with update, and Full Synchronization step only for connectors with sync rule changes.
Previously, the Export Deletion Threshold only applies to exports which are triggered through the sync
scheduler. Now, the feature is extended to include exports manually triggered by the customer using the
Synchronization Service Manager.
On your Azure AD tenant, there is a service configuration which indicates whether Password Synchronization
feature is enabled for your tenant or not. Previously, it is easy for the service configuration to be incorrectly
configured by Azure AD Connect when you have an active and a staging server. Now, Azure AD Connect will
attempt to keep the service configuration consistent with your active Azure AD Connect server only.
Azure AD Connect wizard now detects and returns a warning if on-premises AD does not have AD Recycle Bin
enabled.
Previously, Export to Azure AD times out and fails if the combined size of the objects in the batch exceeds
certain threshold. Now, the Synchronization Service will reattempt to resend the objects in separate, smaller
batches if the issue is encountered.
The Synchronization Service Key Management application has been removed from Windows Start Menu.
Management of encryption key will continue to be supported through command-line interface using
miiskmu.exe. For information about managing encryption key, refer to article Abandoning the Azure AD
Connect Sync encryption key.
Previously, if you change the Azure AD Connect sync service account password, the Synchronization Service will
not be able start correctly until you have abandoned the encryption key and reinitialized the Azure AD Connect
sync service account password. Now, this process is no longer required.
Desktop SSO
Azure AD Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-
through Authentication and Desktop SSO. Only port 443 is required.
1.1.443.0
Released: March 2017
Fixed issues:
Azure AD Connect sync
Fixed an issue which causes Azure AD Connect wizard to fail if the display name of the Azure AD Connector
does not contain the initial onmicrosoft.com domain assigned to the Azure AD tenant.
Fixed an issue which causes Azure AD Connect wizard to fail while making connection to SQL database when
the password of the Sync Service Account contains special characters such as apostrophe, colon and space.
Fixed an issue which causes the error “The image has an anchor that is different than the image” to occur on an
Azure AD Connect server in staging mode, after you have temporarily excluded an on-premises AD object from
syncing and then included it again for syncing.
Fixed an issue which causes the error “The object located by DN is a phantom” to occur on an Azure AD Connect
server in staging mode, after you have temporarily excluded an on-premises AD object from syncing and then
included it again for syncing.
AD FS management
Fixed an issue where Azure AD Connect wizard does not update AD FS configuration and set the right claims on
the relying party trust after Alternate Login ID is configured.
Fixed an issue where Azure AD Connect wizard is unable to correctly handle AD FS servers whose service
accounts are configured using userPrincipalName format instead of sAMAccountName format.
Pass-through Authentication
Fixed an issue which causes Azure AD Connect wizard to fail if Pass Through Authentication is selected but
registration of its connector fails.
Fixed an issue which causes Azure AD Connect wizard to bypass validation checks on sign-in method selected
when Desktop SSO feature is enabled.
Password Reset
Fixed an issue which may cause the Azure Azure AD Connect server to not attempt to re-connect if the
connection was killed by a firewall or proxy.
New features/improvements:
Azure AD Connect sync
Get-ADSyncScheduler cmdlet now returns a new Boolean property named SyncCycleInProgress. If the returned
value is true, it means that there is a scheduled synchronization cycle in progress.
Destination folder for storing Azure AD Connect installation and setup logs has been moved from
%localappdata%\AADConnect to %programdata%\AADConnect to improve accessibility to the log files.
AD FS management
Added support for updating AD FS Farm TLS/SSL Certificate.
Added support for managing AD FS 2016.
You can now specify existing gMSA (Group Managed Service Account) during AD FS installation.
You can now configure SHA-256 as the signature hash algorithm for Azure AD relying party trust.
Password Reset
Introduced improvements to allow the product to function in environments with more stringent firewall rules.
Improved connection reliability to Azure Service Bus.
1.1.380.0
Released: December 2016
Fixed issue:
Fixed the issue where the issuerid claim rule for Active Directory Federation Services (AD FS) is missing in this
build.
NOTE
This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
1.1.371.0
Released: December 2016
Known issue:
The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating
multiple domains with Azure Active Directory (Azure AD). If you are using Azure AD Connect to manage your
on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD
FS configuration. You can work around the issue by adding the issuerid claim rule after the installation/upgrade.
For details on adding the issuerid claim rule, refer to this article on Multiple domain support for federating with
Azure AD.
Fixed issue:
If Port 9090 is not opened for the outbound connection, the Azure AD Connect installation or upgrade fails.
NOTE
This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
1.1.370.0
Released: December 2016
Known issues:
The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating
multiple domains with Azure AD. If you are using Azure AD Connect to manage your on-premises AD FS
deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration.
You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding
issuerid claim rule, refer to this article on Multiple domain support for federating with Azure AD.
Port 9090 must be open outbound to complete installation.
New features:
Pass-through Authentication (Preview).
NOTE
This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
1.1.343.0
Released: November 2016
Known issue:
The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating
multiple domains with Azure AD. If you are using Azure AD Connect to manage your on-premises AD FS
deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration.
You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding
issuerid claim rule, refer to this article on Multiple domain support for federating with Azure AD.
Fixed issues:
Sometimes, installing Azure AD Connect fails because it is unable to create a local service account whose
password meets the level of complexity specified by the organization's password policy.
Fixed an issue where join rules are not reevaluated when an object in the connector space simultaneously
becomes out-of-scope for one join rule and become in-scope for another. This can happen if you have two or
more join rules whose join conditions are mutually exclusive.
Fixed an issue where inbound synchronization rules (from Azure AD), which do not contain join rules, are not
processed if they have lower precedence values than those containing join rules.
Improvements:
Added support for installing Azure AD Connect on Windows Server 2016 Standard or higher.
Added support for using SQL Server 2016 as the remote database for Azure AD Connect.
1.1.281.0
Released: August 2016
Fixed issues:
Changes to sync interval do not take place until after the next sync cycle is complete.
Azure AD Connect wizard does not accept an Azure AD account whose username starts with an underscore (_).
Azure AD Connect wizard fails to authenticate the Azure AD account if the account password contains too many
special characters. Error message "Unable to validate credentials. An unexpected error has occurred." is
returned.
Uninstalling staging server disables password synchronization in Azure AD tenant and causes password
synchronization to fail with active server.
Password synchronization fails in uncommon cases when there is no password hash stored on the user.
When Azure AD Connect server is enabled for staging mode, password writeback is not temporarily disabled.
Azure AD Connect wizard does not show the actual password synchronization and password writeback
configuration when server is in staging mode. It always shows them as disabled.
Configuration changes to password synchronization and password writeback are not persisted by Azure AD
Connect wizard when server is in staging mode.
Improvements:
Updated the Start-ADSyncSyncCycle cmdlet to indicate whether it is able to successfully start a new sync cycle
or not.
Added the Stop-ADSyncSyncCycle cmdlet to terminate sync cycle and operation, which are currently in
progress.
Updated the Stop-ADSyncScheduler cmdlet to terminate sync cycle and operation, which are currently in
progress.
When configuring Directory extensions in Azure AD Connect wizard, the Azure AD attribute of type "Teletex
string" can now be selected.
1.1.189.0
Released: June 2016
Fixed issues and improvements:
Azure AD Connect can now be installed on a FIPS-compliant server.
For password synchronization, see Password hash sync and FIPS.
Fixed an issue where a NetBIOS name could not be resolved to the FQDN in the Active Directory Connector.
1.1.180.0
Released: May 2016
New features:
Warns and helps you verify domains if you didn’t do it before running Azure AD Connect.
Added support for Microsoft Cloud Germany.
Added support for the latest Microsoft Azure Government cloud infrastructure with new URL requirements.
Fixed issues and improvements:
Added filtering to the Sync Rule Editor to make it easy to find sync rules.
Improved performance when deleting a connector space.
Fixed an issue when the same object was both deleted and added in the same run (called delete/add).
A disabled sync rule no longer re-enables included objects and attributes on upgrade or directory schema
refresh.
1.1.130.0
Released: April 2016
New features:
Added support for multi-valued attributes to Directory extensions.
Added support for more configuration variations for automatic upgrade to be considered eligible for upgrade.
Added some cmdlets for custom scheduler.
1.1.119.0
Released: March 2016
Fixed issues:
Made sure Express installation cannot be used on Windows Server 2008 (pre-R2) because password sync is not
supported on this operating system.
Upgrade from DirSync with a custom filter configuration did not work as expected.
When upgrading to a newer release and there are no changes to the configuration, a full
import/synchronization should not be scheduled.
1.1.110.0
Released: February 2016
Fixed issues:
Upgrade from earlier releases does not work if the installation is not in the default C:\Program Files folder.
If you install and clear Star t the synchronization process at the end of the installation wizard, running the
installation wizard a second time will not enable the scheduler.
The scheduler doesn't work as expected on servers where the US-en date/time format is not used. It will also
block Get-ADSyncScheduler to return correct times.
If you installed an earlier release of Azure AD Connect with AD FS as the sign-in option and upgrade, you cannot
run the installation wizard again.
1.1.105.0
Released: February 2016
New features:
Automatic upgrade feature for Express settings customers.
Support for the global admin by using Azure Multi-Factor Authentication and Privileged Identity Management
in the installation wizard.
You need to allow your proxy to also allow traffic to https://secure.aadcdn.microsoftonline-p.com if you
use Multi-Factor Authentication.
You need to add https://secure.aadcdn.microsoftonline-p.com to your trusted sites list for Multi-Factor
Authentication to properly work.
Allow changing the user's sign-in method after initial installation.
Allow Domain and OU filtering in the installation wizard. This also allows connecting to forests where not all
domains are available.
Scheduler is built in to the sync engine.
Features promoted from preview to GA:
Device writeback.
Directory extensions.
New preview features:
The new default sync cycle interval is 30 minutes. Used to be three hours for all earlier releases. Adds support to
change the scheduler behavior.
Fixed issues:
The verify DNS domains page didn't always recognize the domains.
Prompts for domain admin credentials when configuring AD FS.
The on-premises AD accounts are not recognized by the installation wizard if located in a domain with a
different DNS tree than the root domain.
1.0.9131.0
Released: December 2015
Fixed issues:
Password sync might not work when you change passwords in Active Directory Domain Services (AD DS), but
works when you do set a password.
When you have a proxy server, authentication to Azure AD might fail during installation, or if an upgrade is
canceled on the configuration page.
Updating from a previous release of Azure AD Connect with a full SQL Server instance fails if you are not a SQL
Server system administrator (SA).
Updating from a previous release of Azure AD Connect with a remote SQL Server shows the “Unable to access
the ADSync SQL database” error.
1.0.9125.0
Released: November 2015
New features:
Can reconfigure AD FS to Azure AD trust.
Can refresh the Active Directory schema and regenerate sync rules.
Can disable a sync rule.
Can define "AuthoritativeNull" as a new literal in a sync rule.
New preview features:
Azure AD Connect Health for sync.
Support for Azure AD Domain Services password synchronization.
New suppor ted scenario:
Supports multiple on-premises Exchange organizations. For more information, see Hybrid deployments with
multiple Active Directory forests.
Fixed issues:
Password synchronization issues:
An object moved from out-of-scope to in-scope will not have its password synchronized. This includes
both OU and attribute filtering.
Selecting a new OU to include in sync does not require a full password sync.
When a disabled user is enabled the password does not sync.
The password retry queue is infinite and the previous limit of 5,000 objects to be retired has been
removed.
Not able to connect to Active Directory with Windows Server 2016 forest-functional level.
Not able to change the group that is used for group filtering after the initial installation.
No longer creates a new user profile on the Azure AD Connect server for every user doing a password change
with password writeback enabled.
Not able to use Long Integer values in sync rules scopes.
The check box "device writeback" remains disabled if there are unreachable domain controllers.
1.0.8667.0
Released: August 2015
New features:
The Azure AD Connect installation wizard is now localized to all Windows Server languages.
Added support for account unlock when using Azure AD password management.
Fixed issues:
Azure AD Connect installation wizard crashes if another user continues installation rather than the person who
first started the installation.
If a previous uninstallation of Azure AD Connect fails to uninstall Azure AD Connect sync cleanly, it is not
possible to reinstall.
Cannot install Azure AD Connect using Express installation if the user is not in the root domain of the forest or if
a non-English version of Active Directory is used.
If the FQDN of the Active Directory user account cannot be resolved, a misleading error message “Failed to
commit the schema” is shown.
If the account used on the Active Directory Connector is changed outside the wizard, the wizard fails on
subsequent runs.
Azure AD Connect sometimes fails to install on a domain controller.
Cannot enable and disable “Staging mode” if extension attributes have been added.
Password writeback fails in some configurations because of a bad password on the Active Directory Connector.
DirSync cannot be upgraded if a distinguished name (DN) is used in attribute filtering.
Excessive CPU usage when using password reset.
Removed preview features:
The preview feature User writeback was temporarily removed based on feedback from our preview customers.
It will be added again later after we have addressed the provided feedback.
1.0.8641.0
Released: June 2015
Initial release of Azure AD Connect.
Changed name from Azure AD Sync to Azure AD Connect.
New features:
Express settings installation
Can configure AD FS
Can upgrade from DirSync
Prevent accidental deletes
Introduced staging mode
New preview features:
User writeback
Device writeback
Directory extensions
1.0.494.0501
Released: May 2015
New Requirement:
Azure AD Sync now requires the .NET Framework version 4.5.1 to be installed.
Fixed issues:
Password writeback from Azure AD is failing with an Azure Service Bus connectivity error.
1.0.491.0413
Released: April 2015
Fixed issues and improvements:
The Active Directory Connector does not process deletes correctly if the recycle bin is enabled and there are
multiple domains in the forest.
The performance of import operations has been improved for the Azure Active Directory Connector.
When a group has exceeded the membership limit (by default, the limit is set to 50,000 objects), the group was
deleted in Azure Active Directory. With the new behavior, the group is not deleted, an error is thrown, and new
membership changes are not exported.
A new object cannot be provisioned if a staged delete with the same DN is already present in the connector
space.
Some objects are marked for synchronization during a delta sync even though there's no change staged on the
object.
Forcing a password sync also removes the preferred DC list.
CSExportAnalyzer has problems with some objects states.
New features:
A join can now connect to “ANY” object type in the MV.
1.0.485.0222
Released: February 2015
Improvements:
Improved import performance.
Fixed issues:
Password Sync honors the cloudFiltered attribute that is used by attribute filtering. Filtered objects are no longer
in scope for password synchronization.
In rare situations where the topology had many domain controllers, password sync doesn’t work.
“Stopped-server” when importing from the Azure AD Connector after device management has been enabled in
Azure AD/Intune.
Joining Foreign Security Principals (FSPs) from multiple domains in same forest causes an ambiguous-join
error.
1.0.475.1202
Released: December 2014
New features:
Password synchronization with attribute-based filtering is now supported. For more information, see Password
synchronization with filtering.
The ms-DS-ExternalDirectoryObjectID attribute is written back to Active Directory. This feature adds support for
Office 365 applications. It uses OAuth2 to access online and on-premises mailboxes in a Hybrid Exchange
Deployment.
Fixed upgrade issues:
A newer version of the sign-in assistant is available on the server.
A custom installation path was used to install Azure AD Sync.
An invalid custom join criterion blocks the upgrade.
Other fixes:
Fixed the templates for Office Pro Plus.
Fixed installation issues caused by user names that start with a dash.
Fixed losing the sourceAnchor setting when running the installation wizard a second time.
Fixed ETW tracing for password synchronization.
1.0.470.1023
Released: October 2014
New features:
Password synchronization from multiple on-premises Active Directory to Azure AD.
Localized installation UI to all Windows Server languages.
Upgrading from AADSync 1.0 GA
If you already have Azure AD Sync installed, there is one additional step you have to take in case you have changed
any of the out-of-box synchronization rules. After you have upgraded to the 1.0.470.1023 release, the
synchronization rules you have modified are duplicated. For each modified sync rule, do the following:
1. Locate the sync rule you have modified and take a note of the changes.
2. Delete the sync rule.
3. Locate the new sync rule that is created by Azure AD Sync and then reapply the changes.
Permissions for the Active Director y account
The Active Directory account must be granted additional permissions to be able to read the password hashes from
Active Directory. The permissions to grant are named “Replicating Directory Changes” and “Replicating Directory
Changes All.” Both permissions are required to be able to read the password hashes.
1.0.419.0911
Released: September 2014
Initial release of Azure AD Sync.
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.