Wednesday, February 25, 2015

Creating an AAD Synchronization Rule

Here’s a quick snippet showing how to create a synchronization rule for AAD Sync.

### Remove the existing rules with this name

Get-ADSyncRule | Where-Object Name -eq FooRule | Remove-ADSyncRule


### Create the Sync Rule

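$ruleProperties = @{
    Name             = 'FooRule'
    Direction        = 'Inbound'
    # The connector name is missing from the original post; replace the placeholder with your connector's name
    Connector        = (Get-ADSyncConnector -Name '<connector name>' | Select-Object -ExpandProperty Identifier)
    SourceObjectType = 'user'
    TargetObjectType = 'person'
    Precedence       = 42
    LinkType         = 'Join'
    # Common parameter: stores the new rule object in $SyncRule for the steps below
    OutVariable      = 'SyncRule'
    Identifier       = ([guid]::NewGuid())
}

New-ADSyncRule @ruleProperties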


### Create Join Rules for the Sync Rule

Add-ADSyncJoinConditionGroup -SynchronizationRule $SyncRule[0] -JoinConditions @(
    New-ADSyncJoinCondition -CSAttribute givenName -MVAttribute givenName
    New-ADSyncJoinCondition -CSAttribute sn -MVAttribute sn
)

Add-ADSyncJoinConditionGroup -SynchronizationRule $SyncRule[0] -JoinConditions @(
    New-ADSyncJoinCondition -CSAttribute sAMAccountName -MVAttribute sAMAccountName
    New-ADSyncJoinCondition -CSAttribute sn -MVAttribute sn
)


### Add the Sync Rule to the Sync Engine configuration

$SyncRule | Add-ADSyncRule -Verbose


The only confusing thing here for me was the difference between the use of the ‘New-‘ verb and the ‘Add-‘ verb.  In the sample above New-ADSyncRule creates the object in memory but does not commit it to the running synchronization configuration.  The object is not committed to the running synchronization configuration until you use Add-ADSyncRule.

In the example above I use a PowerShell feature called ‘Splatting’ because the command takes a lot of parameters.  In these cases the script looks a lot cleaner if you organize the parameters into a hash table.  Makes it way nicer to diff for source control too.

The Identifier parameter is sneaky cool; you are allowed to specify it.  If you do not specify it then you get a new GUID.  If you do specify it then you can determine the GUID of the new synchronization rule.  This is super handy if you are tracking synchronization rules in something like source control and/or PowerShell Desired State Configuration.
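Because a pinned Identifier gives each rule a stable key, the rule set on a sync server can be checked against the copy kept in source control. The following is an added example, not code from the original post: the function name Compare-SyncRuleBaseline, the GUIDs and the sample rules are hypothetical and constructed for illustration, and the compared properties are the ones set by New-ADSyncRule above.

```powershell
# Added example: drift check keyed on the sync rule Identifier (hypothetical helper).
function Compare-SyncRuleBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,   # rules as recorded in source control
        [Parameter(Mandatory)] [object[]] $Current,    # rules as reported by the sync engine
        [string[]] $Property = @('Name','Direction','SourceObjectType',
                                 'TargetObjectType','Precedence','LinkType')
    )
    # Index both sides by GUID string so that renaming a rule cannot hide it.
    $want = @{}; foreach ($r in $Baseline) { $want["$($r.Identifier)"] = $r }
    $have = @{}; foreach ($r in $Current)  { $have["$($r.Identifier)"] = $r }

    foreach ($id in $want.Keys) {
        if (-not $have.ContainsKey($id)) {
            [pscustomobject]@{ Identifier = $id; Status = 'Missing'; Detail = $want[$id].Name }
            continue
        }
        foreach ($p in $Property) {
            if ("$($want[$id].$p)" -ne "$($have[$id].$p)") {
                $detail = "{0}: '{1}' -> '{2}'" -f $p, $want[$id].$p, $have[$id].$p
                [pscustomobject]@{ Identifier = $id; Status = 'Changed'; Detail = $detail }
            }
        }
    }
    # Rules present on the server but absent from the baseline deserve a closer look.
    foreach ($id in $have.Keys) {
        if (-not $want.ContainsKey($id)) {
            [pscustomobject]@{ Identifier = $id; Status = 'Unexpected'; Detail = $have[$id].Name }
        }
    }
}

# Constructed sample data; the GUIDs and values are made up for the demonstration.
$baseline = @(
    [pscustomobject]@{ Identifier = '11111111-1111-1111-1111-111111111111'; Name = 'FooRule'
        Direction = 'Inbound'; SourceObjectType = 'user'; TargetObjectType = 'person'
        Precedence = 42; LinkType = 'Join' }
)
$current = @(
    [pscustomobject]@{ Identifier = [guid]'11111111-1111-1111-1111-111111111111'; Name = 'FooRule'
        Direction = 'Inbound'; SourceObjectType = 'user'; TargetObjectType = 'person'
        Precedence = 10; LinkType = 'Join' }
    [pscustomobject]@{ Identifier = [guid]'22222222-2222-2222-2222-222222222222'; Name = 'BarRule'
        Direction = 'Inbound'; SourceObjectType = 'user'; TargetObjectType = 'person'
        Precedence = 43; LinkType = 'Join' }
)
Compare-SyncRuleBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize
```

On the sync server itself, pass the output of Get-ADSyncRule as -Current in place of the sample objects.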

That’s it for now.  Happy sync’ing!
