EMS Partners: A closer look at Azure Active Directory Connect
Welcome to part 2 of our series for Enterprise Mobility and Security Partners about Microsoft Azure Active Directory Connect. The introductory post by my colleague Travis Guinn provided an overview of Azure Active Directory Connect, when to use it, how to configure it, and technical concepts and resources for deployment. In this post, I'll provide a closer look at Azure AD Connect setup, review some advanced configurations, and provide troubleshooting tips.
With both Windows Azure Active Directory Sync (DirSync) and Azure AD Sync reaching end of support on April 13, 2017, now is the time to learn about Azure AD Connect and identify your customers that will need to upgrade. There are several thousand tenants still using DirSync and Azure AD Sync.
On the next Enterprise Mobility + Security Partners call, we’ll discuss Azure AD Connect and migrations from DirSync and Azure AD Sync.
Filtering Active Directory attributes to sync
Most organizations are first exposed to Azure Active Directory (Azure AD) through Office 365, and sometimes through implementation of Microsoft Azure. Azure AD is a robust technology that can perform numerous functions depending on how and where it's used.
There are a number of reasons why an organization may want to sync a subset of Active Directory attributes into Azure AD. Active Directory attribute filtering can be used in conjunction with account filtering, or it can be implemented by itself.
One reason to set up attribute filtering is a service that is deployed on-premises in a way that might cause problems with your Office 365 tenant. For example, if an organization wants to move Lync/Skype into Office 365 but its Lync/Skype deployment includes customizations that may cause problems in Office 365, it can configure attribute filtering to keep the Lync/Skype-related account attributes from being copied into Azure AD.
Large organizations may choose to implement attribute filtering because of security requirements, or because frameworks such as ITIL (Information Technology Infrastructure Library) call for least-configuration deployment scenarios. Organizations may choose to synchronize only the absolute minimum required information with Microsoft. If an organization is not implementing Skype for Business, the Active Directory attributes for it do not have to be synchronized.
In the image below, you can see that we've brought these products into a single interface, eliminating the need to switch between products for a granular configuration. The new set of commands lets you manage, monitor, and troubleshoot your deployment.
Steps for configuring attribute filtering in Azure AD Connect
1. Open Azure Active Directory Connect, enter the credentials to connect it to Azure Active Directory and the on-premises Active Directory, and then select Optional features.
2. In the Optional features screen, check the "Azure AD app and attribute filtering" box, and click Next.
3. Clear the check boxes for the applications you don't need to sync, so that only the Azure AD apps you want remain selected.
4. You can choose to export the attributes list as a CSV file for auditing.
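As an added example (not part of the original post or the Azure AD Connect product), the following script audits which attributes currently flow outbound from the sync engine and flags the Lync/Skype (msRTCSIP-*) ones used as the example above, then writes the list to CSV much like step 4. It assumes it runs on the Azure AD Connect server with the ADSync module available; the output path is a hypothetical choice.

```powershell
# Added example: audit outbound attribute flows and flag Lync/Skype attributes.
# Assumes the ADSync module that ships with Azure AD Connect is present on this server.
Import-Module ADSync -ErrorAction Stop

$OutFile = Join-Path $env:TEMP 'aadconnect-attribute-audit.csv'   # hypothetical path

# Outbound rules describe what leaves the metaverse towards a connector (Azure AD or AD).
$outbound = Get-ADSyncRule | Where-Object { $_.Direction -eq 'Outbound' -and -not $_.Disabled }

$rows = foreach ($rule in $outbound) {
    foreach ($flow in $rule.AttributeFlowMappings) {
        $src = @($flow.Source)
        [pscustomobject]@{
            Rule        = $rule.Name
            Precedence  = $rule.Precedence
            Connector   = $rule.Connector
            Destination = $flow.Destination
            Source      = ($src -join ';')
            FlowType    = $flow.FlowType
            # Lync/Skype attributes are the post's example; adjust the prefix for other products.
            IsLyncSkype = [bool](($flow.Destination -like 'msRTCSIP-*') -or ($src -like 'msRTCSIP-*'))
        }
    }
}

$rows | Sort-Object Destination, Precedence | Export-Csv -Path $OutFile -NoTypeInformation

"Exported $($rows.Count) attribute flows to $OutFile"
"Lync/Skype-related flows still enabled:"
$rows | Where-Object IsLyncSkype | Select-Object Destination, Rule, Precedence | Format-Table -AutoSize
```

Compare the CSV before and after enabling attribute filtering in the wizard to confirm the unwanted attributes have dropped out of the outbound rules.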
Migration tips, troubleshooting, and Azure Active Directory Connect Health
If you are ready to deploy Azure AD Connect or upgrade from Azure Active Directory Sync, follow these recommendations for a smoother Azure AD Connect deployment:
- Replicate your entire on-premises Active Directory environment via Active Directory Sites and Services before deployment.
- Run the IDFix tool against your Active Directory to highlight potential errors or problems in your environment and resolve them before deployment.
- Ensure you have only one instance of Azure AD Connect running in your environment, and uninstall duplicate instances.
- Don’t filter out attributes when you first migrate or deploy Azure AD Connect.
- Don’t deploy Azure AD Connect on a domain controller you have deployed in Microsoft Azure. While this may sound like a high availability/disaster recovery deployment, it isn't. Use a second Azure AD Connect deployment in staging mode for disaster recovery and soft high availability.
- By default, the person who installs Azure AD Connect will have the rights to manage the installed AAD Connect server and sync engine. Add additional administrators to the ADSyncAdmins group. I recommend using a service account to install Azure AD Connect.
- Use the event logs on the domain controller where Azure AD Connect is deployed, and become familiar with the Synchronization Service, which provides a deep look into sync errors and allows you to resolve issues such as duplicate accounts between your on-premises Active Directory and Azure Active Directory.
- Install the latest Active Directory PowerShell module on the domain controller where you installed Azure AD Connect.
- Deploy Azure AD Connect Health 24–48 hours after you complete your deployment. If you are using the free version of Azure AD Connect Health, you won’t receive alerts if you change the default settings to custom in Azure AD Connect.
- You can receive alerts if sync errors start to occur in your environment, which is helpful if you are deploying other Azure identity products.
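As an added example (not from the original post or from Microsoft), this check covers several of the tips above in one run: whether only one server is actively exporting to the tenant, whether this server is the staging instance, whether the scheduler is enabled, and who sits in ADSyncAdmins. It assumes it runs on the Azure AD Connect server with the ADSync and MSOnline modules installed, that Connect-MsolService prompts interactively for tenant credentials, and that ADSyncAdmins is the default local group.

```powershell
# Added example: post-deployment sanity check for an Azure AD Connect server.
# Assumes ADSync (ships with Azure AD Connect) and MSOnline modules are installed.
Import-Module ADSync   -ErrorAction Stop
Import-Module MSOnline -ErrorAction Stop
Connect-MsolService          # prompts for Azure AD credentials

$scheduler = Get-ADSyncScheduler
$tenant    = Get-MsolCompanyInformation

"Local server      : $env:COMPUTERNAME"
"Staging mode      : $($scheduler.StagingModeEnabled)"
"Sync cycle enabled: $($scheduler.SyncCycleEnabled) (effective interval $($scheduler.CurrentlyEffectiveSyncCycleInterval))"
"Tenant last export: $($tenant.DirSyncClientMachineName) at $($tenant.LastDirSyncTime) (UTC)"

# Tip "only one instance": the tenant records which machine last exported to it.
# A different name while this server is NOT in staging mode suggests a duplicate active instance.
if (-not $scheduler.StagingModeEnabled -and
    $tenant.DirSyncClientMachineName -and
    $tenant.DirSyncClientMachineName -ne $env:COMPUTERNAME) {
    Write-Warning ("Tenant last received an export from '{0}', not this server. " +
                   "Check for a duplicate active Azure AD Connect instance.") -f $tenant.DirSyncClientMachineName
}

# Tip "second deployment in staging mode": a staging server imports and syncs but never exports;
# the active server must have its scheduler enabled once deployment is complete.
if ($scheduler.StagingModeEnabled) {
    "This server is the staging (disaster recovery) instance; it will not export to Azure AD."
} elseif (-not $scheduler.SyncCycleEnabled) {
    Write-Warning 'Sync cycle is disabled on the active server; enable it with Set-ADSyncScheduler -SyncCycleEnabled $true.'
}

# Tip "add additional administrators": list who can manage the sync engine (default local group).
"Members of the local ADSyncAdmins group:"
Get-LocalGroupMember -Group 'ADSyncAdmins' | Select-Object Name, PrincipalSource, ObjectClass
```

Run it on each Azure AD Connect server you find; exactly one should report staging mode disabled, and the tenant's last-export machine name should match that one.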
Azure AD Connect
- Azure AD Connect sync
- Azure AD Connect sync: Technical Concepts
- Azure AD Connect sync: Understanding the default configuration
- Azure AD Connect sync: Understanding Users and Contacts
- Azure AD Connect Sync: Understanding Declarative Provisioning Expressions
- Best practices for changing the default configuration
Azure AD Connect Health
You can install the Health Agent for sync as part of the Microsoft Azure Active Directory Connect download (version 1.0.9125.0 or higher).
To get started with Azure AD Connect Health, use the following steps:
- Get Azure AD Premium or start a trial
- Download and install Azure AD Connect Health Agents on your identity servers
- View the Azure AD Connect Health dashboard
Community call about Azure AD Connect on March 23
Sign up for the March 23 EMS Partner community call, where we’ll take a closer look at Azure AD Connect and resources to help your customers upgrade.