Integrating and syncing your on-premises Active Directory Domain Services (AD) with Azure AD is done using the Synchronization Service Manager GUI or PowerShell.
There are two ways to use Azure AD on-prem – pass-through authentication (sends the authentication request directly to Azure AD) or directory synchronization that syncs password hashes between on-prem AD and Azure AD. In this blog post, we’re going to cover how to get the Azure Active Directory Connect software set up to sync password hashes.
We’ll cover how to get a recurring sync running and also how to use Azure AD Connect to force a password hash synchronization.
In a nutshell, forcing Azure AD to sync with PowerShell requires the following steps:
- Install Azure Active Directory Connect
- Import the ADSync PowerShell module
- Run the Start-ADSyncSyncCycle cmdlet, which reads a domain controller’s password hashes and syncs them with Azure AD.
If you’re more into learning via video, be sure to check out this informative TechSnips video.
Install Azure AD Connect
To sync on-prem Active Directory to an Azure AD tenant, you’ll first need to download and install the Azure AD Connect software. To do that, you’ve got two options. You can either download it from the Azure Portal or go directly to the software package.
Downloading from the Azure Portal
If you’ve chosen not to download the package from the Microsoft site, you’ll need to get the package from the Azure Portal.
Search for “Azure Active Directory” in the portal. In the Azure Active Directory section, click on Azure AD Connect. Here you will find a Sync Status section with a link to Download Azure AD Connect.
Sync Tools
When you install Azure AD Connect, it will install two primary tools you can use to schedule a sync or force a sync.
- The ADSync PowerShell module
- The Synchronization Service Manager
Using these two tools, you can set up a recurring (scheduled) sync to routinely perform an Azure AD sync. Or, you can use either to force a sync ad-hoc. Both tools perform the same behavior. The only difference is one is via the command-line (PowerShell) and one is a GUI application.
Setting up the ADSync PowerShell Module
When you install Azure AD Connect, it will install a PowerShell module called ADSync. This module contains cmdlets that allow you to manage the sync process using PowerShell.
Note that in this article, I am using Windows PowerShell 5.1. Your mileage may vary if you’re using an older version.
As with all PowerShell modules, importing the module is straightforward. However, the module is not located in a known Windows PowerShell modules folder. The installation places the PowerShell module in the C:\Program Files\Microsoft Azure AD Sync\Bin folder.
To import the module, open a PowerShell console and enter the following:
PS51> Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Verbose
To verify that the module has imported, use Get-Module. You should see the ADSync module listed.
Default Azure AD Sync Schedule
By default, Azure AD Connect creates a scheduled task that runs a delta (syncing only differing objects) sync every 30 minutes. You can find the schedule by opening up Task Scheduler. You should notice a scheduled task under Microsoft –> Windows called Azure AD Sync Scheduler.
You can change this schedule, but bear in mind that 30 minutes is the lowest interval supported. The goal is to set the synchronization interval so that it happens often enough to pick up changes. If the synchronization interval is too short, you run the risk of saturating your network.
The scheduler handles two tasks:
- Synchronization cycle – The process to import, sync, and export changes.
- Maintenance tasks – Renews keys and certificates for password resets and the Device Registration Service (DRS). It also purges old entries in the operations log.
The scheduler itself is always running but it can be configured to only run one or none of these tasks.
Forcing an Azure AD Connect Sync
There may be times where you would need to force synchronization of your objects. For example, if you need to have your own synchronization cycle process, you can disable this task in the scheduler but still run the maintenance task.
To use Azure Active Directory Connect to force a password sync and other information, you can either use the Synchronization Service Manager or PowerShell.
Forcing a Sync with the Synchronization Service Manager
On a server with Azure AD Connect installed, navigate to the Start menu and select AD Connect, then Synchronization Service.
At first glance it looks overwhelming, but you are only concerned with the Connectors tab and the right-hand selection pane. Looking at the right-hand pane, you can see options to stop (Stop) and start (Run) the sync.
Note that when a synchronization cycle is running, you cannot make configuration changes. Stopping the current cycle is not harmful and pending changes are processed with the next run.
Getting Sync Status with PowerShell
Before you force a sync, it is a good idea to get the status of the current sync cycle. If you force sync during a currently running sync, you could be setting yourself up for some issues later on.
To see the current settings, open up a PowerShell console on the server Azure Active Directory Connect is installed on and run Get-ADSyncScheduler. You’ll see a few properties, each providing useful information.
There is quite a bit of information to parse through. Let us go through it line by line:
- AllowedSyncCycleInterval – This is the shortest time between synchronizations. By default it is set at 30 minutes, the shortest time allowed.
- CurrentlyEffectiveSyncCycleInterval – The schedule currently in effect. It has the same value as CustomizedSyncCycleInterval (if set) if it is not more frequent than AllowedSyncCycleInterval. If you use a build before 1.1.281 and you change CustomizedSyncCycleInterval, this change takes effect after the next synchronization cycle. From build 1.1.281 the change takes effect immediately.
- CustomizedSyncCycleInterval – This is set if you want the scheduler to run at a frequency other than the default 30 minutes.
- NextSyncCyclePolicyType – This parameter defines what the next run should process. If the next run is a full synchronization, it will display Initial.
- NextSyncCycleStartTimeInUTC – This is the time the scheduler starts the next sync cycle.
- PurgeRunHistoryInterval – Sets how long the operation logs are kept. The default is to keep the logs for 7 days.
- SyncCycleEnabled – Indicates if the scheduler is running the import, sync, and export processes as part of its operation.
- MaintenanceEnabled – Maintenance enabled updates the certificates/keys and purges the operations log.
- StagingModeEnabled – If enabled, it suppresses the exports from running.
- SchedulerSuspended – Set to temporarily block the scheduler from running.
Forcing a Sync with PowerShell
You have a couple of options when forcing a synchronization. You can either force a full sync or a delta sync. A full sync checks all objects across AD. A delta sync only checks and syncs changes since the last run.
To start a sync, you can use the Start-ADSyncSyncCycle cmdlet. Use the PolicyType parameter to choose either Initial (a full sync) or Delta, depending on the sync you’d like to initiate. Either method will force an AD sync for Office 365, user identity accounts and all other attributes.
PS51> Start-ADSyncSyncCycle -PolicyType Initial
PS51> Start-ADSyncSyncCycle -PolicyType Delta
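The status check and the forced sync from the last two sections, combined into one guarded function. This is an added example, not code from the original article: the function name, timeout and polling values are assumptions, and SyncCycleInProgress is a Get-ADSyncScheduler property that the walkthrough above does not list.

```powershell
# Added example: force a sync only when the scheduler state makes that safe.
# Run on the server where Azure AD Connect is installed.
function Invoke-GuardedADSync {
    [CmdletBinding()]
    param(
        [ValidateSet('Delta', 'Initial')]
        [string]$PolicyType = 'Delta',
        [int]$TimeoutSeconds = 600,   # assumed ceiling for waiting on a running cycle
        [int]$PollSeconds = 15        # assumed polling interval
    )

    # Same module path as the Import-Module step earlier in the article.
    if (-not (Get-Module -Name ADSync)) {
        Import-Module -Name 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync' -ErrorAction Stop
    }

    $scheduler = Get-ADSyncScheduler

    # A suspended scheduler is a deliberate block; do not work around it.
    if ($scheduler.SchedulerSuspended) {
        throw 'Scheduler is suspended; clear the suspension before forcing a sync.'
    }
    # In staging mode the cycle runs but exports are suppressed.
    if ($scheduler.StagingModeEnabled) {
        Write-Warning 'Staging mode is enabled: changes will not be exported to Azure AD.'
    }

    # Wait for a running cycle to finish rather than starting on top of it.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle was still running after $TimeoutSeconds seconds."
        }
        Start-Sleep -Seconds $PollSeconds
    }

    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null

    # Return a small record that can be logged alongside the change that prompted the sync.
    [pscustomobject]@{
        PolicyType         = $PolicyType
        RequestedAtUtc     = (Get-Date).ToUniversalTime()
        StagingModeEnabled = $scheduler.StagingModeEnabled
        NextScheduledUtc   = (Get-ADSyncScheduler).NextSyncCycleStartTimeInUTC
    }
}

Invoke-GuardedADSync -PolicyType Delta
```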
Stopping a Sync
If you’d like to stop a sync in process, you can also use the Stop-ADSyncSyncCycle cmdlet.
PS51> Stop-ADSyncSyncCycle
Summary
Whether you choose to use the GUI or PowerShell, you should now know various ways to use the Azure Active Directory Connect tool to schedule or force a sync with your on-prem Active Directory environment with Azure AD.