Azure AD Connect - Azure AD Full Import only sees 28 of 400+ accounts

Marshall Hamilton 21 Reputation points
2021-06-15T14:57:40.047+00:00

I'm working with a fresh install of Azure AD Connect, version 1.5.45.0. The service is in staging mode and hasn't performed any initial exports.

I've manually performed a full import/full sync of all connectors. On full import, the Azure AD connector is only getting back 28 out of 400+ users that I know exist in Azure AD. In other words, a full import doesn't appear to be seeing everything that exists in Azure AD, just a small subset of users. The 28 users that do show up on Full Import don't seem any different from the hundreds that aren't coming on the full import.

The 28 accounts that do come back successfully join to on-prem accounts as I would expect.

However, I have hundreds of pending "export adds" to Azure AD for users that are already there. In other words, it feels that if I send the export I will have a bunch of duplicates on my hands.

What could be the problem? It seems to me that the full import isn't working properly since it is only seeing 28 out of 400+ users.

Any advice is appreciated.

Microsoft Entra ID

Accepted answer
  1. Danny Zollner 9,971 Reputation points Microsoft Employee
    2021-06-15T15:36:41.277+00:00

    Imports from Azure AD only read objects that are already marked as DirSyncEnabled = True. Objects that are DirSyncEnabled = False (or not set) will not be returned via imports from Azure AD. When you export something that shows as a Pending Export - Add that already has a matching object in AAD, what will actually happen is that AAD Connect will tell the service that it talks to "I have a user with sourceAnchor of X and userPrincipalName/mail/proxyAddresses values of Y/Z, I need it to exist in Azure AD" - at that point, the service that AAD Connect talks to (known as DirSyncWebService or AdminWebService) will take the request, evaluate the state of Azure AD, find that the user objects already exist and will soft match them.

    All that to say that the objects showing as "Pending Export - Add" are expected. If the existing objects in the cloud show their source as Azure Active Directory in the Azure AD UI, that means they are NOT DirSyncEnabled = True. In that case, as long as 1) they do not already have a value for ImmutableId in Azure AD, and 2) there is a match on the value for userPrincipalName or mail (possibly proxyAddresses, I'm a bit rusty and can't recall if that is a match criteria as well..), the outcome will be that the AD user and the AAD user soft-match and become linked as one object.

    3 people found this answer helpful.
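A pre-export dry run of the matching logic described in the answer above, as an added example that is not part of the original thread and not Azure AD Connect's own code. It reads every cloud user through Microsoft Graph (Get-MgUser, with User.Read.All consented) and every enabled on-prem user through the RSAT ActiveDirectory module, then predicts what the pending "Export - Add" for each on-prem account would do: hard match on an existing ImmutableId, soft match on UPN, soft match on mail/proxyAddresses, conflict with a cloud object already bound to a different ImmutableId, or a genuinely new object. It assumes the default sourceAnchor (objectGUID, base64-encoded; the ms-DS-ConsistencyGuid rule yields the same value once populated) and, following the answer's tentative remark, treats smtp: proxyAddresses as matchable alongside mail, which is broader than a strict primary-SMTP rule. It also counts cloud users with OnPremisesSyncEnabled set, which is the population a Full Import from Azure AD should return (the "28" in the question).

```powershell
# Added example: predicts soft/hard match outcomes before the first AAD Connect export.
# Assumptions (not from the original post): Microsoft.Graph.Users and ActiveDirectory
# modules installed, User.Read.All consented, sourceAnchor = objectGUID (base64).
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

# 1. Cloud side: only the attributes that decide matching.
$cloudUsers = Get-MgUser -All -Property Id,UserPrincipalName,Mail,ProxyAddresses,OnPremisesSyncEnabled,OnPremisesImmutableId

# Sanity check against the symptom: Full Import only returns objects already DirSyncEnabled.
$alreadySynced = @($cloudUsers | Where-Object { $_.OnPremisesSyncEnabled -eq $true }).Count
Write-Host "Cloud users with OnPremisesSyncEnabled = true (expected Full Import count): $alreadySynced"

# Index cloud users by each matchable attribute, case-insensitively.
$byUpn = @{}; $byMail = @{}; $byImmutableId = @{}
foreach ($u in $cloudUsers) {
    if ($u.UserPrincipalName) { $byUpn[$u.UserPrincipalName.ToLower()] = $u }
    if ($u.Mail)              { $byMail[$u.Mail.ToLower()] = $u }
    foreach ($pa in $u.ProxyAddresses) {
        # -match is case-insensitive, so this covers SMTP: (primary) and smtp: (secondary).
        if ($pa -match '^smtp:(.+)$') { $byMail[$Matches[1].ToLower()] = $u }
    }
    if ($u.OnPremisesImmutableId) { $byImmutableId[$u.OnPremisesImmutableId] = $u }
}

# 2. On-prem side: the accounts AAD Connect is about to export.
$adUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail,proxyAddresses,objectGUID

$report = foreach ($a in $adUsers) {
    # objectGUID -> base64 is how the default sourceAnchor/ImmutableId is formed.
    $anchor = [Convert]::ToBase64String($a.objectGUID.ToByteArray())
    $upn    = $a.UserPrincipalName.ToLower()
    $mail   = if ($a.mail) { $a.mail.ToLower() } else { $null }

    $match   = $null
    $outcome = 'New object (no cloud match)'

    if ($byImmutableId.ContainsKey($anchor)) {
        $match = $byImmutableId[$anchor]
        $outcome = 'Hard match on ImmutableId (already synced; Full Import should have returned it)'
    }
    elseif ($byUpn.ContainsKey($upn)) {
        $match = $byUpn[$upn]; $outcome = 'Soft match on UPN'
    }
    elseif ($mail -and $byMail.ContainsKey($mail)) {
        $match = $byMail[$mail]; $outcome = 'Soft match on mail/proxyAddresses'
    }

    # A cloud object already bound to a different ImmutableId will not soft match; the export errors.
    if ($match -and $match.OnPremisesImmutableId -and $match.OnPremisesImmutableId -ne $anchor) {
        $outcome = 'CONFLICT: cloud object bound to a different ImmutableId'
    }

    [pscustomobject]@{
        OnPremUPN    = $a.UserPrincipalName
        SourceAnchor = $anchor
        CloudUPN     = $match.UserPrincipalName
        CloudDirSync = $match.OnPremisesSyncEnabled
        Outcome      = $outcome
    }
}

# Summary first, then the rows that need attention before exporting.
$report | Group-Object Outcome | Select-Object Count,Name | Format-Table -AutoSize
$report | Where-Object { $_.Outcome -like 'CONFLICT*' -or $_.Outcome -like 'New object*' } | Format-Table -AutoSize
```

Run it from the AAD Connect server (or any host with both modules) while the connector is still in staging mode; the "Hard match" count should equal the number of objects the Azure AD connector imported, and every on-prem user listed under "New object" or "CONFLICT" is one that would actually produce a duplicate or an export error rather than a soft match.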

0 additional answers
