Monday, March 02, 2015

AAD Sync and Shared Configuration

Learned something useful last week while demonstrating PowerShell Desired State Configuration for managing AAD Sync configuration. The AAD Sync wizard loads a synchronization configuration complete with things like connectors, schema, credentials, synchronization rules, run profiles, partitions, etc.

My demo was showing how to represent the AAD Sync configuration as a DSC configuration document, so the AAD Sync wizard would not need to load the configuration, and we could manage the configuration in a DSC document neatly stored in source control.

To treat AAD Sync as a proper system with good continuous delivery practices we should employ source control and configuration management, which typically means dumping the sync engine’s configuration and tracking it in source control, then automating the deployment of that configuration. In MIIS/ILM/FIM/MIM the sync engine does not have the programmatic hooks to get this done, but AAD Sync does. The challenge is that the wizard in AAD Sync manages the sync configuration. The wizard ‘shares’ the configuration with you, which means it tries to honor your changes by not destroying them (there are some exceptions). While this makes a ton of sense for what most deployments probably need, it is a bit of a pain when you are trying to automate things.

This is interesting because that is also how MMS worked with its ‘profile templates’. Those profile templates were script files deployed on installation, and sometimes modified by updates (ouch?).

Hoping to get this nailed down and share some solutions in the near future. Wish me luck, and stay tuned!