Azure AD Synchronization using PowerShell

In Part 3 of this article series, we learned about the different filtering options available to us and how we can use them to fulfill our requirements. In this article we will learn how to manually force a synchronization using PowerShell and how to change the default synchronization time of Azure AD Sync.

Let’s get started with Part 4 of this series.

Azure AD Full Synchronization

Azure AD Sync ships with a utility called DirectorySyncClientCmd.exe, which executes the sequence of actions that synchronizes on-premises identities with Office 365.

To run a full synchronization, browse to "C:\Program Files\Microsoft Azure AD Sync\Bin" in Windows PowerShell and run the command .\DirectorySyncClientCmd.exe Initial. The "Initial" keyword performs a full synchronization.

It is recommended that you perform a full synchronization after making a major change to your Azure AD Sync configuration, such as enabling password synchronization for users.

Azure AD Delta Synchronization

The same executable performs a delta synchronization of users from on-premises to Office 365. By default, the Azure AD Sync tool performs a delta sync every 3 hours. Later in this article we'll learn how to change the default sync time of the tool. To perform a delta synchronization manually, run .\DirectorySyncClientCmd.exe with the Delta keyword.

Azure AD Password Synchronization

Password Sync is one of those features that has helped a lot of enterprises manage their users' password policies and change management from the local Active Directory. Password Synchronization enables users to log into Office 365 and other Microsoft online services, such as Intune and CRM, using the same password they use to log into their on-premises infrastructure. It is important to note that this feature does not provide a Single Sign-On solution, because there is no token sharing in the Password Sync process. This feature is also referred to as Same Sign-On.

Active Directory Domain Services that are configured for FIPS are not compatible with the Password Sync feature. During password synchronization, the plain-text version of a user's password is exposed neither to the password sync tool nor to Azure AD or any of the associated services. The Azure AD Sync tool synchronizes the user's password in the form of a hash.

When password synchronization is enabled, the password complexity policy and password expiry policy in Office 365 are no longer valid, and the on-premises policies apply instead.

To perform a password synchronization, we need to run the "Password Synchronization with Office 365 using Azure AD Sync" script. You can download this script from TechNet.

More details on password synchronization can be found on TechNet.

Verifying Manual Synchronization

To verify the full and delta synchronization, log in to the Office 365 portal, browse to Users -> Active Users and check the last sync time. You can also check the MIISClient for the last sync time and the status of the sync.

To verify that the password synchronization completed successfully, go to Event Viewer -> Application Logs and look for Event ID 656 and 657.
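The manual run and the event-log check described above, combined into one script. This is an added example, not code from the original article or from Microsoft; the function names Invoke-AadSync and Get-PasswordSyncEvent are hypothetical, and it assumes an elevated PowerShell session on the Azure AD Sync server.

```powershell
# Added example. Invoke-AadSync and Get-PasswordSyncEvent are hypothetical helper names.
$SyncBin = 'C:\Program Files\Microsoft Azure AD Sync\Bin'   # path given in the article

function Invoke-AadSync {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Initial', 'Delta')]   # Initial = full sync, Delta = delta sync
        [string]$Mode
    )
    $exe = Join-Path $SyncBin 'DirectorySyncClientCmd.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        throw "DirectorySyncClientCmd.exe not found in $SyncBin"
    }
    $started = Get-Date
    & $exe $Mode | Out-Host                 # show tool output, keep it out of the return value
    [pscustomobject]@{
        Mode     = $Mode
        Started  = $started
        Finished = Get-Date
        ExitCode = $LASTEXITCODE            # reported as-is; its meaning is not covered here
    }
}

function Get-PasswordSyncEvent {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $filter = @{ LogName = 'Application'; Id = 656, 657; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events yet".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        Write-Warning "No Event ID 656/657 in the Application log since $Since"
        return
    }
    # ProviderName is listed so that entries from unrelated sources are easy to spot.
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: force a delta sync, then list password sync events from the last hour.
$run = Invoke-AadSync -Mode Delta
$run | Format-List
Get-PasswordSyncEvent | Format-Table -AutoSize
```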



Riaz is a technology evangelist with over 8 years of extensive experience with expertise on Identity Management, Exchange Server, Office 365 and a bit of System Center. Riaz is currently working as Lead Consultant. His technical experience is followed by 8 years consulting positions advising both internal and external (local & International) stakeholders/customers on strategic technology selection and adoption along with delivery of solutions across a range of business units. He is a regional lead speaker for Microsoft Office 365 and also speaks in community forums.
