Force AAD Connect Synchronization Cycle

By default the scheduler runs a sync cycle every 30 minutes. In some cases you may want to run a cycle in between the scheduled ones, or you may need to run a different type of cycle.

Delta Sync Cycle
You may have an urgent change that must be synchronized immediately, before the next scheduled cycle. To run a delta cycle manually, from PowerShell run:


Start-ADSyncSyncCycle -PolicyType Delta

Full Sync Cycle
If you have made one of the following configuration changes, you need to run a full sync cycle (a.k.a. Initial):

  • Added more objects or attributes to be imported from a source directory
  • Made changes to the Synchronization rules
  • Changed filtering so a different number of objects should be included (e.g. adding a new OU to the filter)

If you have made one of these changes, then you need to run a full sync cycle so the sync engine has the opportunity to reconsolidate the connector spaces. To initiate a full sync cycle, run:


Start-ADSyncSyncCycle -PolicyType Initial
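As an added example (not code from the original post), the following PowerShell wrapper picks the policy type for you and, before forcing a cycle, waits for any connector run that is already in progress so the manual cycle does not collide with the scheduled one. It assumes the ADSync module installed with Azure AD Connect; the function name Invoke-ForcedSyncCycle and its parameters are my own.

```powershell
# Added example: force a Delta or Initial sync cycle safely.
# Assumes the ADSync module from Azure AD Connect is present on this server.
Import-Module ADSync

function Invoke-ForcedSyncCycle {
    [CmdletBinding()]
    param(
        # Use -Full after rule, OU-filter or attribute changes; otherwise a Delta cycle is run
        [switch]$Full,
        # How long to wait for an in-progress cycle before giving up
        [int]$TimeoutSeconds = 600
    )

    $policy = if ($Full) { 'Initial' } else { 'Delta' }

    # Surface a disabled scheduler so an operator notices before relying on automatic cycles
    $scheduler = Get-ADSyncScheduler
    if (-not $scheduler.SyncCycleEnabled) {
        Write-Warning 'Scheduled sync cycles are disabled on this server; check that this is expected.'
    }

    # Get-ADSyncConnectorRunStatus reports RunState 'Busy' while a connector is running
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncConnectorRunStatus).RunState -eq 'Busy') {
        if ((Get-Date) -gt $deadline) {
            throw "Timed out after $TimeoutSeconds seconds waiting for the running sync cycle to finish."
        }
        Start-Sleep -Seconds 15
    }

    Write-Verbose "Starting $policy sync cycle at $(Get-Date -Format o)"
    Start-ADSyncSyncCycle -PolicyType $policy

    # Return the scheduler state so the caller can record when the next automatic cycle runs
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
}

# Usage (run in an elevated PowerShell session on the Azure AD Connect server):
#   Invoke-ForcedSyncCycle          # Delta: push one urgent change now
#   Invoke-ForcedSyncCycle -Full    # Initial: after changing sync rules or OU filtering
```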

Interested in deploying multi-factor authentication for your business? It is now part of Office 365

Multi-factor authentication is now part of Office 365 and available for all users. Any of the following may be used for the second factor of authentication.

  1. Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
  2. Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal.
  3. Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different phone if they do not have their mobile phone with them.
  4. Notify me through app. The user configured a smartphone app and they receive a notification in the app that they must confirm the login. Smartphone apps are available for Windows Phone, iPhone, and Android devices.
  5. Show one-time code in app. The same smartphone app is used. Instead of receiving a notification, the user starts the app and enters the six-digit code from the app into the portal.

For more information about Multi-Factor Authentication for Office 365, please read the TechNet article "Multi-Factor Authentication for Office 365".

How to filter Active Directory attributes with Windows Azure Active Directory Sync tool

I ran into a customer this week that had a requirement to partially synchronize certain users' attributes to the cloud due to security concerns, without interrupting or degrading the service.

I found the following three filtering configuration types that can be applied to the Directory Synchronization tool (TechNet article: http://technet.microsoft.com/en-us/library/jj710171.aspx):

  • Organizational-unit (OU)–based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the Directory Synchronization tool. This filtering type enables you to select which OUs are allowed to synchronize to the cloud.
  • Domain-based: You can use this filtering type to manage the properties of the SourceAD Management Agent in the directory synchronization tool. This type enables you to select which domains are allowed to synchronize to the cloud.
  • User-attribute–based: You can use this filtering method to specify attribute-based filters for user objects. This enables you to control which objects should not be synchronized to the cloud.

However, I could not find any information about how to filter individual attributes and partially synchronize the objects. After some testing I found there is an easy way to accomplish that.

I thought I would write up the step-by-step process, which might be helpful for some of you.

1. After installing the Windows Azure Active Directory Sync tool, on your DirSync server navigate to <Drive>\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
2. Double click on miisclient.exe
3. This opens a console something similar to the below screen capture

[Screenshot: Synchronization Service Manager console]

4. Click on Management Agents
5. Double click on Active Directory Connector (see next screenshot)
6. Click on Configure Extensions (see next screenshot)
7. Search for the attributes that you do not want to synchronize and click Delete (see next screenshot). You may re-add an attribute later if needed.

[Screenshot: Active Directory Connector properties, Configure Extensions attribute list]

8. Perform a full sync

  • On the Management Agents tab, right-click Active Directory Connector, click Run, click Full Import Full Sync, and then click OK.
  • Right-click Windows Azure Active Directory Connector, click Run, click Full Import Full Sync, and then click OK.
  • Right-click Windows Azure Active Directory Connector, click Run, click Export, and then click OK.

9. You can also force run DirSync using the following PowerShell command.

  • On your DirSync server, open a PowerShell console as Administrator
  • Navigate to "C:\Program Files\Microsoft Online Directory Sync"
  • Run .\DirSyncConfigShell.psc1
  • Now execute the Start-OnlineCoexistenceSync cmdlet.

10. Verify in Office 365 user management that only the filtered users' attributes are populated to Office 365.

Note: It is very important to remember that filtering configurations applied to your directory synchronization instance are not preserved when you install or upgrade to a newer version. If you are upgrading to a newer version of directory synchronization, you must re-apply your filtering configurations after you upgrade, but before you run the first synchronization cycle.
