MS-100 Manage identity synchronization by using Azure AD Connect

May 25th, 2019 | Posted by admin in Exchange

Monitor Azure AD Connect Health

Azure AD Connect health monitoring involves the monitoring for Azure AD Connect Sync, On-Premise AD and ADFS.

View health of the configured services like Sync, ADFS & ADDS on the Azure AD in Azure AD health monitoring portal.

Azure AD Connect Health Sync agents on the AD Connect Server monitors the objects Sync from On-Premise to Azure AD. It will highlight the error\status results for

  • Duplicate Attributes
  • Data Mismatch
  • Data Validation Failure
  • Large Attribute
  • Federate Domain Change
  • Existing Admin Role Conflict and few others

Monitoring & Alerting: To get the health alerts or Sync errors as email, configure the notification settings.

We can navigate to the below path to install the Azure AD Connect Health Agent

To verify the AD Connect Health Agent status, we can run the below command from administrative PowerShell.

Test-AzureADConnectHealthConnectivity -Role ADFS | ADDS | Sync

Go through all the available settings in your environment

Manage Azure AD Connect synchronization

Running the Azure AD Connect Configuration wizard helps to manage below task in AD Connect. You need to know what we can do with the below tasks.

We need to know the Sync Scheduler option to manage the Synchronization Type, Sync Interval etc.

Below management task can be done based on requirement.

  • Enabling Device Write back: If we want to manage any application on boarded through ADFS by configuring a Relying Party Trues and if we have a requirement to allow the application only from managed devices (Conditional Access), then we can enable Device Write Back.

Navigate to Azure AD Connect Configuration -> Device Options

  • Enabling Group Write back: enabling this option will write the Office 365 groups back to On-Premise AD and On-Premise Exchange mailbox can see those group in GAL to send and receive emails.

Navigate to Azure AD Connect Configuration -> Group Writeback

  • Preventing Accidental Deletions: By default, AD Connect will stop the deletion if the count is more than 500. We can get the current configuration using Get-ADSyncExportDeletionThreshold and configure the threshold using Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500


  • Configuring Run Profiles: Run profiles actually do the Synchronization, we need to run profiles involved in the Synchronization
    • Full Import
    • Full Synchronization
    • Delta Import
    • Delta Synchronization
    • Export

Configure object filters

Filtering helps to control which objects appear in Azure Active Directory (Azure AD) from your on-premises directory.

We can select the properties of the connector to change the Group based / Domain based / OU based filters.

Filtering can be applied based on Group, Domain, OU and Attributes.

Attribute filtering based on attributes to require to Synchronize. Apply inbound filtering from Active Directory to the metaverse, and outbound filtering from the metaverse to Azure AD. Microsoft recommend that you apply inbound filtering because that is the easiest to maintain. You should only use outbound filtering if it is required to join objects from more than one forest

Configure password sync

Azure AD Connect synchronizes a hash, of the hash, of a user’s password from an on-premise Active Directory instance to a cloud-based Azure AD instance.

To use password hash synchronization

  • Open Azure AD Connect.
  • Configure directory synchronization
  • Enable password hash synchronization.

We can configure federated SSO and change the authentication method as Cloud authentication if any outage with ADFS infrastructure.

Implement multi-forest AD Connect scenarios

If an organization is having multi forest, then they can use Azure AD Connect to synchronize the objects from different forest to Azure AD.

Azure AD Connect installation wizard offers several options to consolidate users who are represented in multiple forests. The goal is that a user is represented only once in Azure AD

The default configuration in Azure AD Connect sync assumes:

  • Each user has only one enabled account, and the forest where this account is located is used to authenticate the user. This assumption is for password hash sync, pass-through authentication and federation. UserPrincipalName and sourceAnchor/immutableID come from this forest.
  • Each user has only one mailbox.
  • The forest that hosts the mailbox for a user has the best data quality for attributes visible in the Exchange Global Address List (GAL). If there is no mailbox for the user, any forest can be used to contribute these attribute values.
  • If you have a linked mailbox, there is also an account in a different forest used for sign-in.

Tips: Multi forest with Multi AD connect deployment to synchronize the objects to single Azure AD tenant not supported.

You can follow any responses to this entry through the RSS 2.0 You can leave a response, or trackback.

Leave a Reply