A few weeks ago, I wrote a blog post here covering how to deploy Azure Active Directory Connect 1.1. Due to popular demand, today I'm going to circle back and review some of the advanced configurations of AAD Connect as well as some troubleshooting tips to cover you in case you run into a hitch with your AAD Connect deployment.
Since there is a lot to cover, and I have limited space in which to do it, I’m not going to go super deep into each of these topics. Instead I’m going to give you a high-level overview. I’ll try to link to resources where you can get more information on each topic as appropriate, and you can reach out to me via the comments below or on Twitter if you’d like me to answer any specific questions.
Filtering which AD attributes are synced
There are a number of reasons why an organization may want to sync a subset of Active Directory attributes into Azure Active Directory. AD attribute filtering can be used in conjunction with account filtering, or it can be implemented by itself.
The first reason you might want to set up attribute filtering would be in the instance of a service that is deployed on-premises in a way that might cause problems with your Office 365 tenant. If, for instance, your organization wants to move Exchange into Office 365 but you have a deployment of SharePoint that includes customizations that may cause problems in Office 365, you can configure attribute filtering to keep your SharePoint-related account attributes from being copied into Azure AD.
Another reason an organization might choose to implement attribute filtering is security. Organizations may choose to synchronize only the absolute minimum required information with Microsoft, and if your organization is not implementing Skype for Business, you may decide not to synchronize the Active Directory attributes for Skype for Business.
Finally, it’s possible your organization has multiple Office 365 tenants and you want to set up specific Office 365 services in one tenant but not another. While this is certainly going to be a rare corner case, I can imagine that someone is going to want to try this configuration.
Configuring attribute filtering can be done via the Customize synchronization options menu.
On the optional features menu, select the Azure AD app and attribute filtering check box.
From there, you will have the option to choose which applications you synchronize information for.
Or you can specify specific Active Directory attributes you do or do not want to synchronize on the next screen.
I would advise against going so far as to filter out specific attributes unless you are really sure you know what you’re doing.
Filtering which accounts are synced
In larger organizations, it may not be necessary to sync all user accounts into Office 365. Maybe only a subset of users will be migrated into Office 365 or maybe you want to filter out service accounts. Whatever the reason, there are three main options for how to prevent groups of accounts from syncing into Office 365: domain filtering, OU filtering, and attribute filtering.
I’m not going to have space in this blog post to go through the details of all that filtering. There is a series of posts of my site that covers all the details. That information can be found here.
AAD Connect High Availability and Disaster Recovery
The function of AAD connect does not really demand complex HA or DR features. AAD Connect takes user accounts, and maybe passwords, from your on-premises Active Directory and copies them into Azure Active Directory. If your AAD Connect server goes down, you don’t lose any data or very much functionality. There really isn’t any need for a high availability configuration for AAD Connect.
AAD Connect does give you the option to set up a server in staging mode. Staging mode allows you to setup a “spare” AAD Connect server as a hot stand-by. If your primary AAD Connect server goes down with some unrecoverable error, you can activate your stand-by AAD Connect server to take over.
This may not be a productive use of time or resources if you have a default deployment of AAD Connect, as it’s pretty quick and easy to standup a new server. If, however, you’ve made a bunch of customizations or the sort we are talking about in this blog post, it might be wise to pre-stage a second AAD Connect server that you can put into production quickly in the event your primary server becomes unrecoverable.
To configure an AAD Connect server in staging mode after it has been deployed, select Configure staging mode from the additional tasks menu.
Clicking through that wizard is pretty self-explanatory, so I’m not going to take a lot of space here going through it. To convert the server to an active AAD Connect version, just re-run the configure staging mode wizard and uncheck the box to enable staging mode.
AAD Connect auto upgrade
Starting with version 1.1 AAD Connect has an auto upgrade feature. Personally I am a little conflicted about this feature, so at this point I would recommend you exercise caution while using it.
Auto upgrade is only enabled for AAD Connect if you do a default deployment. In fact, you cannot currently enable auto upgrade if you do any form of customization in the setup wizard.
If you do deploy AAD Connect with the default settings, then auto upgrade will be turned on. If you’d like to verify if auto upgrade is turned on, you can use the following PowerShell command on your AAD Connect server
As you can see in the screenshot below, I have auto upgrade turned on for this lab AAD Connect server.
As of this writing, Microsoft is tightly controlling the automatic upgrade rollouts for AAD Connect. If your AAD Connect server is set to auto upgrade, but see you are still a version (or multiple versions) back, fear not — you’ll be upgrade eventually.
Should you want to turn off auto upgrade, you can run the following command:
Troubleshooting account sync issues
After deploying AAD Connect, sometime we will find some accounts are not synchronized into Azure AD. Often these errors can be identified and resolved by the IDFix tool.
IDFix will query your on-premises Active Directory and identify a number of different configuration errors that will prevent user accounts and groups from being synchronized into Office 365. IDFix can also resolve this error by changing conflicting attributes to new values. While this can be a time saver, it is a features that should be used only with extreme caution.
I recommend you run IDFix before deploying AAD Connect. Doing so can highlight any potential problem areas in your Active Directory account configurations, and give you a little extra time to sort them out.
Adding additional sync administrators
By default, only the person who does the install of AAD Connect will have rights to manage the installed AAD Connect server and sync engine. To configure additional administrators, add those accounts to the ADSyncAdmins group.
Assigning Licenses to Users after Synchronization
It’s important to remember that AAD Connect does absolutely nothing to assist with licensing your users once their accounts are copied into Azure AD. You still need to go into the Azure or Office 365 portal and manage the licensing yourself. In large organizations, this can be a considerable undertaking.
This paper explains how Microsoft automates their licensing within their own cloud services. There is a lot of information in that paper that can be very helpful, but it’s not a cut & paste script that gives you a simple solution to use PowerShell to license all your users.
If that is what you’re looking for then this post from fellow MCM/MVP Chris Goosen will get you started on a PowerShell-based automation solution for your Office 365 licensing tasks.
Additional configuration options
There are a couple of additional configuration options that I’m not going to have space here to cover today: using AAD Connect to configure AD FS, and using AAD Connect to support multi-forest configurations. We’ll save those for a future blog post, but feel free to ask questions below or reach out to me on Twitter @MCSMLab.