Thursday, June 26, 2014

Use PowerShell to Create a new Sync Rule in AAD Sync

Programmatic access to the sync engine has been a long time coming, so I’m pretty excited to see this stuff working.  Here’s an example for creating a sync rule using PowerShell.

 

### Import the AAD Sync module

Import-Module PowerShellConfig

 

### Create a new sync rule

Initialize-SynchronizationRule -Name foo -Connector 5a7d2cfc-ae5b-417e-8143-3eb5e058b8c5 -Direction Inbound -SourceObjectType user -TargetObjectType person -Precedence 5000 -LinkType Join | New-SynchronizationRule

 

### Create a new sync rule using splatting

$syncRuleParameters = @{

    Name             = 'foo'

    Connector        = '5a7d2cfc-ae5b-417e-8143-3eb5e058b8c5'

    Direction        = 'Inbound'

    SourceObjectType = 'user'

    TargetObjectType = 'person'

    Precedence       = 5000

    LinkType         = 'Join'

}

Initialize-SynchronizationRule @syncRuleParameters | New-SynchronizationRule

 

### Get the sync rule

Get-SynchronizationRule | Where Name -eq foo

 

 

 

The results for the last command should output something like this:

 

Identifier               : 27960beb-5c01-4d07-a23b-27f211cb14fe

Name                     : foo

Version                  : 1

Description              :

ImmutableTag             :

Connector                : 5a7d2cfc-ae5b-417e-8143-3eb5e058b8c5

Direction                : Inbound

SourceObjectType         : user

TargetObjectType         : person

Precedence               : 5000

PrecedenceAfter          : 00000000-0000-0000-0000-000000000000

LinkType                 : Join

JoinFilter               : {}

ScopeFilter              : {}

AttributeFlowMappings    : {}

SoftDeleteExpiryInterval : 00:00:00

SourceNamespaceId        : 5a7d2cfc-ae5b-417e-8143-3eb5e058b8c5

TargetNamespaceId        : cc31d470-9786-447f-8594-40abe13f9f78

 

Note that AAD Sync lets you create the same rule multiple times because the ‘name’ property does not need to be unique since each rules gets its own identifier guid.

Also note that the rule gets created without any join, scope or attribute flows, it is really just the minimum rule so far.

Get Sync Rules with AAD Sync Cmdlets

Poking around the PowerShell module for AAD Sync is pretty neat, and shows some real differences between FIM Sync and AAD Sync.

First step is to just load the module, so far I’ve only tried this on the same computer where AAD Sync is installed.

### Import the AAD Sync module

Import-Module PowerShellConfig

In my last post I already showed how to list the commands in the module.  In this post I look at Sync Rules.  A nice way to view objects in PowerShell is to just use Out-GridView because it allows you to interactively sort and filter.

 

### Look at the sync rules in a nice interactive table

Get-SynchronizationRule | Out-GridView

An object’s properties are only half of the value.  To see what the object will actually do, look at the methods too.

 

### Look at the objects and properties of the Sync Rule objects

Get-SynchronizationRule | Get-Member

 

 

Name                          MemberType

----                          ----------

AddAttributeFlowMapping           Method

AddJoinConditionGroup             Method

AddScopeConditionGroup            Method

CheckImmutableProperties          Method

Clone                             Method

Equals                            Method

GetHashCode                       Method

GetJoinHash                       Method

GetSchema                         Method

GetType                           Method

ReadXml                           Method

RemoveAttributeFlowMapping        Method

RemoveJoinConditionGroup          Method

RemoveScopeConditionGroup         Method

ToString                          Method

Validate                          Method

WriteXml                          Method

WriteXmlAttributeFlowMappings     Method

WriteXmlJoinFilter                Method

WriteXmlScopeFilter               Method

AttributeFlowMappings           Property

Connector                       Property

Description                     Property

Direction                       Property

Identifier                      Property

ImmutableTag                    Property

JoinFilter                      Property

LinkType                        Property

Name                            Property

Precedence                      Property

PrecedenceAfter                 Property

ScopeFilter                     Property

SoftDeleteExpiryInterval        Property

SourceNamespaceId               Property

SourceObjectType                Property

TargetNamespaceId               Property

TargetObjectType                Property

Version                         Property

 

 

There’s some interesting detail in there.  For example, what is that ‘Version’ property?  An optimist might guess that sync rules are internally source controlled by the sync engine such that rule changes could be tracked and rolled back.  Works for drivers on my Windows computer, why not sync rules?  BTW - I tried that, and my optimism wasn’t rewarded yet.  However, my optimism is still pretty high because this is just one cmdlet out of nearly 60, and already this replaces a lot of what I’ve had to write code for in the past.

Finding the Azure AD Sync PowerShell Module

A key goal of Sync vNext is to eliminate the need for guys like me (integrators, consultants, etc).  Hiding the sync engine behind a super-intuitive user interface is one way to accomplish that.  Another way is to add super-awesome PowerShell coverage. 

WTF the AAD Sync Module

Where To Find the module?  The AAD Sync module can be found using the usual commands in PowerShell for discovery (PowerShell is awesome at discovery BTW).

1. Get-Module

this command shows the loaded modules, so just shows that the AAD Sync Module isn’t loaded.

2. Get-Module –ListAvailable

this command shows the modules available to be loaded, and shows the interesting one in this case.  The name doesn’t give it away, and I expect that to change to something more meaningful by the time the product ship.  The path provides a good clue that the module belongs to AAD Sync.

Directory: C:\Program Files\Microsoft Azure AD Sync\Bin

 

 

ModuleType Version  Name           

---------- -------  ----            

Binary     1.0.0.0  PowerShellConfig

 

 

 

3. Import-Module PowerShellConfig –Verb

this command just loads the module

VERBOSE: Loading module from path 'C:\Program Files\Microsoft Azure AD Sync\Bin\powershellconfig\powershellconfig.psd1'.

VERBOSE: Importing cmdlet 'Add-AttributeFlowMapping'.

VERBOSE: Importing cmdlet 'Add-ConfigurationParameter'.

VERBOSE: Importing cmdlet 'Add-ConnectorAnchorConstructionSettings'.

VERBOSE: Importing cmdlet 'Add-ConnectorAttributeInclusion'.

VERBOSE: Importing cmdlet 'Add-ConnectorHierarchyProvisioningMapping'.

VERBOSE: Importing cmdlet 'Add-ConnectorObjectInclusion'.

VERBOSE: Importing cmdlet 'Add-JoinConditionGroup'.

VERBOSE: Importing cmdlet 'Add-RunStep'.

VERBOSE: Importing cmdlet 'Add-ScopeConditionGroup'.

VERBOSE: Importing cmdlet 'Disable-ConnectorPartition'.

VERBOSE: Importing cmdlet 'Disable-ConnectorPartitionHierarchy'.

VERBOSE: Importing cmdlet 'Enable-ConnectorPartition'.

VERBOSE: Importing cmdlet 'Enable-ConnectorPartitionHierarchy'.

VERBOSE: Importing cmdlet 'Export-ServerConfiguration'.

VERBOSE: Importing cmdlet 'Get-ConfigurationParameter'.

VERBOSE: Importing cmdlet 'Get-Connector'.

VERBOSE: Importing cmdlet 'Get-ConnectorHierarchyProvisioningDNComponent'.

VERBOSE: Importing cmdlet 'Get-ConnectorHierarchyProvisioningMapping'.

VERBOSE: Importing cmdlet 'Get-ConnectorHierarchyProvisioningObjectClass'.

VERBOSE: Importing cmdlet 'Get-ConnectorPartition'.

VERBOSE: Importing cmdlet 'Get-ConnectorPartitionHierarchy'.

VERBOSE: Importing cmdlet 'Get-ConnectorTypes'.

VERBOSE: Importing cmdlet 'Get-GlobalSettings'.

VERBOSE: Importing cmdlet 'Get-PasswordHashSyncConfiguration'.

VERBOSE: Importing cmdlet 'Get-RunProfile'.

VERBOSE: Importing cmdlet 'Get-Schema'.

VERBOSE: Importing cmdlet 'Get-SynchronizationRule'.

VERBOSE: Importing cmdlet 'Import-ServerConfiguration'.

VERBOSE: Importing cmdlet 'Initialize-Connector'.

VERBOSE: Importing cmdlet 'Initialize-RunProfile'.

VERBOSE: Importing cmdlet 'Initialize-ScopeCondition'.

VERBOSE: Importing cmdlet 'Initialize-SynchronizationRule'.

VERBOSE: Importing cmdlet 'New-Connector'.

VERBOSE: Importing cmdlet 'New-RunProfile'.

VERBOSE: Importing cmdlet 'New-SynchronizationRule'.

VERBOSE: Importing cmdlet 'Remove-AttributeFlowMapping'.

VERBOSE: Importing cmdlet 'Remove-ConfigurationParameter'.

VERBOSE: Importing cmdlet 'Remove-Connector'.

VERBOSE: Importing cmdlet 'Remove-ConnectorAnchorConstructionSettings'.

VERBOSE: Importing cmdlet 'Remove-ConnectorAttributeInclusion'.

VERBOSE: Importing cmdlet 'Remove-ConnectorHierarchyProvisioningMapping'.

VERBOSE: Importing cmdlet 'Remove-ConnectorObjectInclusion'.

VERBOSE: Importing cmdlet 'Remove-JoinConditionGroup'.

VERBOSE: Importing cmdlet 'Remove-PasswordHashSyncConfiguration'.

VERBOSE: Importing cmdlet 'Remove-RunProfile'.

VERBOSE: Importing cmdlet 'Remove-RunStep'.

VERBOSE: Importing cmdlet 'Remove-ScopeConditionGroup'.

VERBOSE: Importing cmdlet 'Remove-SynchronizationRule'.

VERBOSE: Importing cmdlet 'Set-ConfigurationParameter'.

VERBOSE: Importing cmdlet 'Set-Connector'.

VERBOSE: Importing cmdlet 'Set-GlobalSettings'.

VERBOSE: Importing cmdlet 'Set-MIISADMAConfiguration'.

VERBOSE: Importing cmdlet 'Set-PasswordHashSyncConfiguration'.

VERBOSE: Importing cmdlet 'Set-RunProfile'.

VERBOSE: Importing cmdlet 'Set-Schema'.

VERBOSE: Importing cmdlet 'Set-SynchronizationRule'.

VERBOSE: Importing cmdlet 'Update-ConnectorPartition'.

VERBOSE: Importing cmdlet 'Update-ConnectorSchema'.

 

Wednesday, June 04, 2014

Parallel Execution in Windows PowerShell by Tome Tanasovski

I was fortunate to attend the PowerShell Summit last month and am still decompressing from it.  One of the sessions that was really cool was Tome’s talk on Parallel Execution. Tome did a nice job of explaining the different ways to do parallel execution in PowerShell, but the one that stood out to me was the one using PowerShell RunSpaces.  This approach is really interesting because it is leaner than other approaches, while still using PowerShell (as opposed to custom threading or some other difficult approach).

The code samples for the talk are on Tome’s GitHub repository, and here is a sample using his sample ‘ForEach-Parallel’ function.  The sample just extends Tome’s sample by adding Measure-Command but it illustrates how much faster things could process when done this way.

### Using PowerShell's ForEach-Object: Total Seconds is 21

Measure-Command {(0..20) | ForEach-Object {sleep 1}}

 

### Using Tome's ForEach-Parallel: Total Seconds is 2

Measure-Command {(0..20) | ForEach-Parallel -MaxThreads 20 -ScriptBlock {sleep 1}}