Question

MarshallHamilton-8973 asked · AndyDavid commented

Azure AD Connect - Azure AD Full Import only sees 28 of 400+ accounts

I'm working with a fresh install of Azure AD Connect, version 1.5.45.0. The service is in staging mode and hasn't performed any initial exports.

I've manually performed a full import/full sync of all connectors. On full import, the Azure AD connector is only getting back 28 out of 400+ users that I know exist in Azure AD. In other words, a full import doesn't appear to be seeing everything that exists in Azure AD, just a small subset of users. The 28 users that do show up on Full Import don't seem any different from the hundreds that aren't coming on the full import.

The 28 accounts that do come back successfully join to on-prem accounts as I would expect.

However, I have hundreds of pending "export adds" to Azure AD for users that are already there. In other words, it feels that if I send the export I will have a bunch of duplicates on my hands.

What could be the problem? It seems to me that the full import isn't working properly since it is only seeing 28 out of 400+ users.

Any advice is appreciated.

azure-ad-connect

So no filtering or customizations at all?
Anything in common with the 28 that you see imported?


No filtering or customizations, we basically used express settings.

Also, I could be wrong, but I believe a filter would only apply on the sync phase, not the import phase.

The 28 that do show up are all "old" with pretty much the same creation dates in July 2015. Anything newer doesn't seem to be importing.


Yes, we've been through it. We've also had several support calls with MS Support, reinstalled with them, etc. Their conclusion was to unleash the sync, even with all the pending export adds that we know are duplicates. We haven't felt comfortable with that advice.

1 Answer

ZollnerD answered

Imports from Azure AD only read objects that are already marked as DirSyncEnabled = True. Objects that are DirSyncEnabled = False (or not set) will not be returned via imports from Azure AD. When you export something that shows as a Pending Export - Add that already has a matching object in AAD, what will actually happen is that AAD Connect will tell the service that it talks to "I have a user with sourceAnchor of X and userPrincipalName/mail/proxyAddresses values of Y/Z, I need it to exist in Azure AD" - at that point, the service that AAD Connect talks to (known as DirSyncWebService or AdminWebService) will take the request, evaluate the state of Azure AD, find that the user objects already exist and will soft match them.

All that to say that the objects showing as "Pending Export - Add" are expected. If the existing objects in the cloud show their source as Azure Active Directory in the Azure AD UI, that means they are NOT DirSyncEnabled = True. In that case, as long as 1) they do not already have a value for ImmutableId in Azure AD, and 2) there is a match on the value for userPrincipalName or mail (possibly proxyAddresses; I'm a bit rusty and can't recall if that is a match criterion as well), the outcome will be that the AD user and the AAD user soft-match and become linked as one object.
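An added check, not from the original thread, that applies the rules in this answer to predict what each pending export add will do before it is released: it computes the default sourceAnchor (base64 of objectGUID) for every on-prem user and classifies the matching cloud user as already linked, soft-match candidate, or conflict. It assumes the AzureAD and ActiveDirectory PowerShell modules with an existing Connect-AzureAD session, and treats SMTP proxyAddresses as a match key, which the answer above was unsure about.

```powershell
# Predict the outcome of each "Pending Export - Add" using the rules from the
# answer: cloud objects already DirSyncEnabled with a matching ImmutableId are
# hard matches; cloud-only objects with no ImmutableId soft-match on UPN/mail.
# Assumes the AzureAD and ActiveDirectory modules (Connect-AzureAD done first).

function Get-SmtpKeys {
    # Return UPN, mail and SMTP proxy addresses of a user object, lower-cased.
    # Assumption: proxyAddresses is treated as a soft-match key here.
    param($User)
    $smtp = @($User.ProxyAddresses | Where-Object { $_ -like 'smtp:*' } |
              ForEach-Object { $_.Substring(5) })
    @($User.UserPrincipalName, $User.Mail) + $smtp |
        Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
}

function Get-SoftMatchReport {
    param(
        [Parameter(Mandatory)] [object[]] $CloudUsers,   # Get-AzureADUser output
        [Parameter(Mandatory)] [object[]] $OnPremUsers   # Get-ADUser output
    )
    # Index every cloud identity key so each on-prem user is a hashtable lookup.
    $byKey = @{}
    foreach ($c in $CloudUsers) {
        foreach ($k in Get-SmtpKeys $c) { $byKey[$k] = $c }
    }
    foreach ($o in $OnPremUsers) {
        # Default sourceAnchor is base64(objectGUID); ms-DS-ConsistencyGuid
        # deployments carry the same value, so the comparison still holds.
        $anchor = [Convert]::ToBase64String($o.ObjectGUID.ToByteArray())
        $hit = Get-SmtpKeys $o | ForEach-Object { $byKey[$_] } |
               Where-Object { $_ } | Select-Object -First 1
        $outcome = if (-not $hit)                       { 'No match: new cloud object will be created' }
                   elseif ($hit.ImmutableId -eq $anchor) { 'Hard match: already DirSynced and linked' }
                   elseif ($hit.ImmutableId)            { 'CONFLICT: ImmutableId already set to another anchor' }
                   elseif ($hit.DirSyncEnabled)         { 'CONFLICT: DirSyncEnabled without ImmutableId' }
                   else                                 { 'Soft match: will be linked on export' }
        [pscustomobject]@{
            OnPremUpn = $o.UserPrincipalName
            CloudUpn  = $hit.UserPrincipalName   # $null when there is no match
            Anchor    = $anchor
            Outcome   = $outcome
        }
    }
}

# Live run: summarise how many of the pending adds fall into each bucket.
$cloud  = Get-AzureADUser -All $true
$onprem = Get-ADUser -Filter * -Properties mail, proxyAddresses
Get-SoftMatchReport -CloudUsers $cloud -OnPremUsers $onprem |
    Group-Object Outcome | Select-Object Count, Name
```

Any row in a CONFLICT bucket is the one to investigate before releasing the export, since those are the objects that will neither hard- nor soft-match.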
