Wednesday, February 25, 2015

Creating an AAD Synchronization Rule

Here’s a quick snippet showing how to create a synchronization rule for AAD Sync.

```powershell
### Remove the existing rules with this name
Get-ADSyncRule | Where-Object Name -eq FooRule | Remove-ADSyncRule

### Create the Sync Rule
$ruleProperties = @{
    Name             = 'FooRule'
    Direction        = 'Inbound'
    # '<ConnectorName>' is a placeholder: the connector name is missing from the original snippet
    Connector        = (Get-ADSyncConnector -Name '<ConnectorName>' | Select -Expand Identifier)
    SourceObjectType = 'user'
    TargetObjectType = 'person'
    Precedence       = 42
    LinkType         = 'Join'
    OutVariable      = 'SyncRule'
    Identifier       = ([guid]::NewGuid())
}
New-ADSyncRule @ruleProperties

### Create Join Rules for the Sync Rule
Add-ADSyncJoinConditionGroup -SynchronizationRule $SyncRule[0] -JoinConditions @(
    New-ADSyncJoinCondition -CSAttribute givenName -MVAttribute givenName
    New-ADSyncJoinCondition -CSAttribute sn -MVAttribute sn
)
Add-ADSyncJoinConditionGroup -SynchronizationRule $SyncRule[0] -JoinConditions @(
    New-ADSyncJoinCondition -CSAttribute sAMAccountName -MVAttribute sAMAccountName
    New-ADSyncJoinCondition -CSAttribute sn -MVAttribute sn
)

### Add the Sync Rule to the Sync Engine configuration
$SyncRule | Add-ADSyncRule -Verbose
```


The only confusing thing here for me was the difference between the use of the ‘New-‘ verb and the ‘Add-‘ verb.  In the sample above New-ADSyncRule creates the object in memory but does not commit it to the running synchronization configuration.  The object is not committed to the running synchronization configuration until you use Add-ADSyncRule.

In the example above I use a PowerShell feature called ‘Splatting’ because the command takes a lot of parameters.  In these cases the script looks a lot cleaner if you organize the parameters into a hash table.  Makes it way nicer to diff for source control too.

The Identifier parameter is sneaky cool; you are allowed to specify it.  If you do not specify it then you get a new GUID.  If you do specify it then you can determine the GUID of the new synchronization rule.  This is super handy if you are tracking synchronization rules in something like source control and/or PowerShell Desired State Configuration.
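Here is an added example (my code, not from the post above) that takes the fixed-Identifier idea one step further: a function that deploys a rule definition idempotently by GUID, and a second function that compares the committed rules against a list of source-controlled definitions, so that rules nobody checked in show up as drift. It assumes the ADSync module is loaded on the sync server and that Get-ADSyncRule accepts -Identifier; the connector name, the GUID and the function names are placeholders of mine.

```powershell
# Added example, not from the original post: deploy a rule idempotently by GUID and
# check the committed configuration against a source-controlled definition.
# Assumes the ADSync module is loaded and that Get-ADSyncRule accepts -Identifier;
# '<ConnectorName>' and the GUID below are placeholders.

function Publish-SyncRuleDefinition {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$Definition,    # same keys as the $ruleProperties splat
        [Parameter(Mandatory)][string]$ConnectorName
    )

    # Resolve the connector up front so a typo fails here, not as a rule bound to $null
    $connector = Get-ADSyncConnector -Name $ConnectorName
    if (-not $connector) { throw "Connector '$ConnectorName' not found" }

    # Replace by Identifier, not by Name: the fixed GUID is what makes re-runs safe
    $existing = Get-ADSyncRule -Identifier $Definition.Identifier
    if ($existing) {
        Write-Verbose "Replacing existing rule $($Definition.Identifier)"
        $existing | Remove-ADSyncRule
    }

    $props = $Definition.Clone()
    $props['Connector'] = $connector.Identifier
    $rule = New-ADSyncRule @props        # in memory only, as the post explains
    # join and scope condition groups would be added to $rule here, before it is committed
    $rule | Add-ADSyncRule               # now part of the running configuration

    Get-ADSyncRule -Identifier $Definition.Identifier   # return what was actually committed
}

function Test-SyncRuleDrift {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable[]]$Expected)

    $actual      = @(Get-ADSyncRule)
    $expectedIds = @($Expected | ForEach-Object { [guid]$_.Identifier })

    # Rules the engine has but source control does not: first thing to look at in change review
    $unexpected = @($actual | Where-Object { [guid]$_.Identifier -notin $expectedIds })

    # Expected rules that are missing or whose key properties no longer match the definition
    $changed = @(foreach ($def in $Expected) {
        $rule = $actual | Where-Object { [guid]$_.Identifier -eq [guid]$def.Identifier }
        if (-not $rule) {
            [pscustomobject]@{ Identifier = $def.Identifier; Problem = 'missing from engine' }
            continue
        }
        foreach ($p in 'Name', 'Precedence', 'Direction') {
            if ("$($rule.$p)" -ne "$($def[$p])") {
                [pscustomobject]@{ Identifier = $def.Identifier; Problem = "$p is '$($rule.$p)', expected '$($def[$p])'" }
            }
        }
    })

    [pscustomobject]@{
        Unexpected = $unexpected
        Changed    = $changed
        InSync     = ($unexpected.Count + $changed.Count) -eq 0
    }
}

# Usage with a constructed definition (the GUID is a placeholder you would keep in source control)
$fooRule = @{
    Name = 'FooRule'; Direction = 'Inbound'; SourceObjectType = 'user'; TargetObjectType = 'person'
    Precedence = 42; LinkType = 'Join'; Identifier = [guid]'00000000-0000-4000-8000-000000000042'
}
Publish-SyncRuleDefinition -Definition $fooRule -ConnectorName '<ConnectorName>' -Verbose
Test-SyncRuleDrift -Expected @($fooRule)
```

The drift check keys on Identifier rather than Name for the same reason the deploy function does: names are not guaranteed to be unique, but a GUID you chose is, so the comparison is stable across re-deployments and across servers.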

That’s it for now.  Happy sync’ing!

Discovering Commands in the ADSync Module

The new version of the sync engine has a plethora of PowerShell commands, available in the ADSync module.

Lately I’ve been working on automating a deployment of AAD Sync so have been busy looking at these commands.  Pretty awesome to see cmdlet coverage arrive for the sync engine.  Also a really fun way to discover the differences between this version of the sync engine and the FIM Sync engine.

Here’s a few commands to discover those commands:

```powershell
### Get all the commands in the ADSync module
Get-Command -Module ADSync
```

```
CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Cmdlet          Add-ADSyncAttributeFlowMapping                     ADSync
Cmdlet          Add-ADSyncConnector                                ADSync
Cmdlet          Add-ADSyncConnectorAnchorConstructionSettings      ADSync
Cmdlet          Add-ADSyncConnectorAttributeInclusion              ADSync
Cmdlet          Add-ADSyncConnectorHierarchyProvisioningMapping    ADSync
Cmdlet          Add-ADSyncConnectorObjectInclusion                 ADSync
Cmdlet          Add-ADSyncGlobalSettingsParameter                  ADSync
Cmdlet          Add-ADSyncJoinConditionGroup                       ADSync
Cmdlet          Add-ADSyncRule                                     ADSync
Cmdlet          Add-ADSyncRunProfile                               ADSync
Cmdlet          Add-ADSyncRunStep                                  ADSync
Cmdlet          Add-ADSyncScopeConditionGroup                      ADSync
Cmdlet          Disable-ADSyncConnectorPartition                   ADSync
Cmdlet          Disable-ADSyncConnectorPartitionHierarchy          ADSync
Cmdlet          Enable-ADSyncConnectorPartition                    ADSync
Cmdlet          Enable-ADSyncConnectorPartitionHierarchy           ADSync
Cmdlet          Get-ADSyncAADPasswordResetConfiguration            ADSync
Cmdlet          Get-ADSyncAADPasswordSyncConfiguration             ADSync
Cmdlet          Get-ADSyncConnector                                ADSync
Cmdlet          Get-ADSyncConnectorHierarchyProvisioningDNCompo... ADSync
Cmdlet          Get-ADSyncConnectorHierarchyProvisioningMapping    ADSync
Cmdlet          Get-ADSyncConnectorHierarchyProvisioningObjectC... ADSync
Cmdlet          Get-ADSyncConnectorParameter                       ADSync
Cmdlet          Get-ADSyncConnectorPartition                       ADSync
Cmdlet          Get-ADSyncConnectorPartitionHierarchy              ADSync
Cmdlet          Get-ADSyncConnectorTypes                           ADSync
Cmdlet          Get-ADSyncGlobalSettings                           ADSync
Cmdlet          Get-ADSyncGlobalSettingsParameter                  ADSync
Cmdlet          Get-ADSyncRule                                     ADSync
Cmdlet          Get-ADSyncRunProfile                               ADSync
Cmdlet          Get-ADSyncSchema                                   ADSync
Cmdlet          Get-ADSyncServerConfiguration                      ADSync
Cmdlet          New-ADSyncConnector                                ADSync
Cmdlet          New-ADSyncJoinCondition                            ADSync
Cmdlet          New-ADSyncRule                                     ADSync
Cmdlet          New-ADSyncRunProfile                               ADSync
Cmdlet          New-ADSyncScopeCondition                           ADSync
Cmdlet          Remove-ADSyncAADPasswordResetConfiguration         ADSync
Cmdlet          Remove-ADSyncAADPasswordSyncConfiguration          ADSync
Cmdlet          Remove-ADSyncAttributeFlowMapping                  ADSync
Cmdlet          Remove-ADSyncConnector                             ADSync
Cmdlet          Remove-ADSyncConnectorAnchorConstructionSettings   ADSync
Cmdlet          Remove-ADSyncConnectorAttributeInclusion           ADSync
Cmdlet          Remove-ADSyncConnectorHierarchyProvisioningMapping ADSync
Cmdlet          Remove-ADSyncConnectorObjectInclusion              ADSync
Cmdlet          Remove-ADSyncGlobalSettingsParameter               ADSync
Cmdlet          Remove-ADSyncJoinConditionGroup                    ADSync
Cmdlet          Remove-ADSyncRule                                  ADSync
Cmdlet          Remove-ADSyncRunProfile                            ADSync
Cmdlet          Remove-ADSyncRunStep                               ADSync
Cmdlet          Remove-ADSyncScopeConditionGroup                   ADSync
Cmdlet          Set-ADSyncAADPasswordResetConfiguration            ADSync
Cmdlet          Set-ADSyncAADPasswordSyncConfiguration             ADSync
Cmdlet          Set-ADSyncAADPasswordSyncState                     ADSync
Cmdlet          Set-ADSyncConnectorParameter                       ADSync
Cmdlet          Set-ADSyncGlobalSettings                           ADSync
Cmdlet          Set-ADSyncSchema                                   ADSync
Cmdlet          Set-ADSyncServerConfiguration                      ADSync
Cmdlet          Set-MIISADMAConfiguration                          ADSync
Cmdlet          Update-ADSyncConnectorPartition                    ADSync
Cmdlet          Update-ADSyncConnectorSchema                       ADSync
```


There are a lot of commands in there (pretty cool!) so it is useful to know how to find what you’re looking for.  Here are a couple of commands I use to dig them out:

```powershell
### Get all the commands in the ADSync module
Get-Command -Module ADSync

### Find commands with the word 'rule'
Get-Command -Module adsync -Name *rule*

### Find commands with the word 'join'
Get-Command -Module adsync -Name *join*

### Find commands with the word 'attributeFlow'
Get-Command -Module adsync -Name *attributeFlow*

### Find commands with the verb 'Set'
Get-Command -Module adsync -Verb Set
```
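One more discovery trick, added here as my own example rather than something from the post: since Get-Command exposes Verb and Noun as separate properties, you can pivot the module into a noun-by-verb matrix. That makes it easy to see which nouns can be changed but not read back (worth knowing when you are auditing a configuration), and which have only a Get-. The function name is mine; it only uses Get-Command, Group-Object and standard operators.

```powershell
# Added example, not from the original post: pivot a module's cmdlets into a noun/verb matrix.
# Assumes only that the ADSync module is importable; nothing is changed on the server.
function Get-ModuleVerbMatrix {
    [CmdletBinding()]
    param([string]$Module = 'ADSync')

    $mutatingVerbs = 'Add', 'New', 'Remove', 'Set', 'Update', 'Enable', 'Disable'

    Get-Command -Module $Module -CommandType Cmdlet |
        Group-Object Noun |
        ForEach-Object {
            $verbs = @($_.Group | ForEach-Object Verb | Sort-Object -Unique)
            $canRead  = $verbs -contains 'Get'
            $canWrite = [bool]($verbs | Where-Object { $_ -in $mutatingVerbs })
            [pscustomobject]@{
                Noun      = $_.Name
                Verbs     = ($verbs -join ', ')
                # Write-only nouns cannot be inspected from PowerShell after a change,
                # so changes to them need to be captured some other way (logs, exports)
                WriteOnly = $canWrite -and -not $canRead
                ReadOnly  = $canRead -and -not $canWrite
            }
        } |
        Sort-Object Noun
}

# Usage: the full matrix, then just the nouns you can change but not read back
Get-ModuleVerbMatrix | Format-Table -AutoSize
Get-ModuleVerbMatrix | Where-Object WriteOnly | Select-Object Noun, Verbs
```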


Monday, February 23, 2015

Install and Remove AAD Sync

Been doing some automation around AAD Sync lately and find it convenient to start from scratch without throwing away the whole machine.  In that case I just uninstall AAD Sync, then re-install.

In each case I’m just calling msiexec.exe with the command line options.  The only secret sauce is in the MSI parameters; dug those out of the MSI using Orca.

Here’s the script snippets:

```powershell
Start-Process -FilePath msiexec.exe -Wait -ArgumentList @(
    '/x "C:\InstallationFiles\AADSync\Synchronization Service.msi"'
)

Invoke-Sqlcmd -Query "DROP DATABASE ADSync" -Verbose

Start-Process -FilePath msiexec.exe -Wait -ArgumentList @(
    '/i "C:\InstallationFiles\AADSync\Synchronization Service.msi"'
    '/lv* C:\Temp\SynchronizationService.log'
)
```
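As an added example (my code, not the post's), here is the same sequence with the checks I would want before trusting an automated reinstall: Start-Process is run with -PassThru so the msiexec exit code is actually inspected, the database is only dropped if the uninstall succeeded and the database exists, and the verbose log is checked for the engine's return line. The MSI and log paths are the ones from the post; the function name and the /qn switch (standard msiexec quiet mode) are mine, and the log-line pattern is an assumption about the wording of verbose MSI logs.

```powershell
# Added example, not from the original post: uninstall/reinstall with exit-code and log checks.
# Assumes msiexec.exe and the SqlServer/SQLPS module (Invoke-Sqlcmd) are available, and that
# the verbose MSI log contains "MainEngineThread is returning <code>" (an assumption about log wording).
function Invoke-MsiExec {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Arguments)

    $p = Start-Process -FilePath msiexec.exe -ArgumentList $Arguments -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Verbose 'msiexec succeeded' }
        1605    { Write-Warning 'product is not installed; nothing to uninstall' }   # fine on a clean box
        3010    { Write-Warning 'msiexec succeeded but a reboot is required' }
        default { throw "msiexec failed with exit code $($p.ExitCode)" }
    }
    return $p.ExitCode
}

$msi = 'C:\InstallationFiles\AADSync\Synchronization Service.msi'
$log = 'C:\Temp\SynchronizationService.log'

# Uninstall quietly; the throw above stops the script before the database is touched
Invoke-MsiExec -Arguments @("/x `"$msi`"", '/qn') -Verbose | Out-Null

# Drop the database only if it is actually there, so a re-run on a clean box does not error
$exists = Invoke-Sqlcmd -Query "SELECT name FROM sys.databases WHERE name = 'ADSync'"
if ($exists) {
    Invoke-Sqlcmd -Query "DROP DATABASE [ADSync]" -Verbose
}

# Reinstall with a verbose log, then confirm the log agrees with the exit code
Invoke-MsiExec -Arguments @("/i `"$msi`"", "/lv* `"$log`"", '/qn') -Verbose | Out-Null
if (-not (Select-String -Path $log -Pattern 'MainEngineThread is returning 0' -Quiet)) {
    throw "install log $log does not report a successful install"
}
```

Checking the exit code matters more than it looks: with the original -Wait-only call, a failed uninstall returns silently and the next line drops the database out from under a still-installed sync service.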

UPDATE - March 2, 2014: had a conversation with an authoritative source about this approach and it turns out to be not very useful.  The AAD Sync wizard does a lot of work, and bypassing it has the potential to break a deployment when AAD Sync gets updated.  The DevOps nerd in me protests any wizard getting in the way of automating a system, but all is not lost since the wizard can be automated with an answer file.  More on that later.

Monday, February 09, 2015

Azure AD Conditional Access and Azure AD Connect Health - Now in Preview

This is a really neat announcement for a couple of reasons.  First, the Azure AD Conditional Access feature is a nice looking user experience for building simple policies.  At a glance you could see how it might be an admin experience for a policy engine like MIM’s request processor.  What is shown in the blog article does not have the extensibility of MIM, but it also requires a LOT less skill to configure, and none of the deployment finesse required (it’s already deployed).  Pretty cool.

Second, the Azure AD Connect Health should significantly reduce the burden of operations because it has so little on-premises footprint.  The local agent just uploads data to Azure, which runs the already-deployed engine.  Optimistically I have to believe this is part of Operational Insights, which I’ve been trying out (think SCOM in the cloud).  Right now it works for ADFS, and there are plans for it to monitor sync servers soon.

Oh, and here’s the blog post:

Azure AD Conditional Access and Azure AD Connect Health - Now in Preview

Microsoft Cloud Platform Roadmap

Came across this great view of the state of Microsoft’s Cloud Platform, including both Azure and on-premises products.  It also neatly divides between:

  • Recently available
  • In preview
  • In development
  • Canceled

Nice to see a spot in there for MIM, and looking forward to that release this year!

Cloud Platform Roadmap