Pilot cloud sync for an existing synced AD forest

This tutorial walks you through piloting cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.

Diagram that shows the Azure AD Connect cloud sync flow.

Considerations

Before you try this tutorial, consider the following items:

  1. Ensure that you're familiar with basics of cloud sync.

  2. Ensure that you're running Azure AD Connect sync version 1.4.32.0 or later and have configured the sync rules as documented.

  3. When piloting, you'll be removing a test OU or group from Azure AD Connect sync scope. Moving objects out of scope leads to deletion of those objects in Azure AD.

    • User objects, the objects in Azure AD are soft-deleted and can be restored.
    • Group objects, the objects in Azure AD are hard-deleted and can't be restored.

    A new link type has been introduced in Azure AD Connect sync, which will prevent the deletion in a piloting scenario.

  4. Ensure that the objects in the pilot scope have ms-ds-consistencyGUID populated so cloud sync hard matches the objects.

    Note

    Azure AD Connect sync does not populate ms-ds-consistencyGUID by default for group objects.

  5. This configuration is for advanced scenarios. Ensure that you follow the steps documented in this tutorial precisely.

Prerequisites

The following are prerequisites required for completing this tutorial

  • A test environment with Azure AD Connect sync version 1.4.32.0 or later
  • An OU or group that is in scope of sync and can be used the pilot. We recommend starting with a small set of objects.
  • A server running Windows Server 2012 R2 or later that will host the provisioning agent.
  • Source anchor for Azure AD Connect sync should be either objectGuid or ms-ds-consistencyGUID

Update Azure AD Connect

As a minimum, you should have Azure AD connect 1.4.32.0. To update Azure AD Connect sync, complete the steps in Azure AD Connect: Upgrade to the latest version.

Stop the scheduler

Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. In order to modify and add custom rules, you want to disable the scheduler so that synchronizations won't run while you're working making the changes. To stop the scheduler, use the following steps:

  1. On the server that is running Azure AD Connect sync open PowerShell with Administrative Privileges.
  2. Run Stop-ADSyncSyncCycle. Hit Enter.
  3. Run Set-ADSyncScheduler -SyncCycleEnabled $false.

Note

If you are running your own custom scheduler for Azure AD Connect sync, then please disable the scheduler.

Create custom user inbound rule

  1. Launch the synchronization editor from the application menu in desktop as shown below:

    Screenshot of the synchronization rule editor menu.

  2. Select Inbound from the drop-down list for Direction and select Add new rule.

    Screenshot that shows the "View and manage your synchronization rules" window with "Inbound" and the "Add new rule" button selected.

  3. On the Description page, enter the following and select Next:

    • Name: Give the rule a meaningful name
    • Description: Add a meaningful description
    • Connected System: Choose the AD connector that you're writing the custom sync rule for
    • Connected System Object Type: User
    • Metaverse Object Type: Person
    • Link Type: Join
    • Precedence: Provide a value that is unique in the system
    • Tag: Leave this empty

    Screenshot that shows the "Create inbound synchronization rule - Description" page with values entered.

  4. On the Scoping filter page, enter the OU or security group that you want the pilot based off. To filter on OU, add the OU portion of the distinguished name. This rule will be applied to all users who are in that OU. So, if DN ends with "OU=CPUsers,DC=contoso,DC=com, you would add this filter. Then select Next.

    Rule Attribute Operator Value
    Scoping OU DN ENDSWITH Distinguished name of the OU.
    Scoping group ISMEMBEROF Distinguished name of the security group.

    Screenshot that shows the Create inbound synchronization rule - Scoping filter page with a scoping filter value entered.

  5. On the Join rules page, select Next.

  6. On the Transformations page, add a Constant transformation: flow True to cloudNoFlow attribute. Select Add.

    Screenshot that shows the Create inbound synchronization rule - Transformations page with a Constant transformation flow added.

Same steps need to be followed for all object types (user, group and contact). Repeat steps per configured AD Connector / per AD forest.

Create custom user outbound rule

  1. Select Outbound from the drop-down list for Direction and select Add rule.

    Screenshot that shows the Outbound Direction selected and the Add new rule button highlighted.

  2. On the Description page, enter the following and select Next:

    • Name: Give the rule a meaningful name
    • Description: Add a meaningful description
    • Connected System: Choose the Azure AD connector that you're writing the custom sync rule for
    • Connected System Object Type: User
    • Metaverse Object Type: Person
    • Link Type: JoinNoFlow
    • Precedence: Provide a value that is unique in the system
    • Tag: Leave this empty

    Screenshot that shows the Description page with properties entered.

  3. On the Scoping filter page, choose cloudNoFlow equal True. Then select Next.

    Screenshot that shows a custom rule.

  4. On the Join rules page, select Next.

  5. On the Transformations page, select Add.

Same steps need to be followed for all object types (user, group and contact).

Install the Azure AD Connect provisioning agent

If you're using the Basic AD and Azure environment tutorial, it would be CP1. To install the agent, follow these steps:

  1. In the Azure portal, select Azure Active Directory.
  2. On the left, select Azure AD Connect.
  3. On the left, select Cloud sync.

Screenshot of new UX screen.

  1. On the left, select Agent.
  2. Select Download on-premises agent, and select Accept terms & download.

Screenshot of download agent.

  1. Once the Azure AD Connect Provisioning Agent Package has completed downloading, run the AADConnectProvisioningAgentSetup.exe installation file from your downloads folder.
  2. On the splash screen, select I agree to the license and conditions, and then select Install.

Screenshot that shows the Microsoft Azure AD Connect Provisioning Agent Package splash screen.

  1. Once the installation operation completes, the configuration wizard will launch. Select Next to start the configuration. Screenshot of the welcome screen.
  2. On the Select Extension screen, select HR-driven provisioning (Workday and SuccessFactors) / Azure AD Connect Cloud Sync and click Next. Screenshot of the select extensions screen.

Note

If you are installing the provisioning agent for use with on-premsise app provisioning then select On-premises application provisioning (Azure AD to application).

  1. Sign in with your Azure AD global administrator account. If you have Internet Explorer enhanced security enabled, it will block the sign-in. If so, close the installation, disable Internet Explorer enhanced security, and restart the Azure AD Connect Provisioning Agent Package installation.

Screenshot of the Connect Azure AD screen.

  1. On the Configure Service Account screen, select a group Managed Service Account (gMSA). This account is used to run the agent service. If a managed service account is already configured in your domain, you might skip this screen. If prompted, choose either:
  • Create gMSA which lets the agent create the provAgentgMSA$ managed service account for you. The group managed service account (for example, CONTOSO\provAgentgMSA$) will be created in the same Active Directory domain where the host server has joined. To use this option, enter the Active Directory domain administrator credentials.
  • Use custom gMSA and provide the name of the managed service account.

To continue, select Next.

Screenshot of the Configure Service Account screen.

  1. On the Connect Active Directory screen, if your domain name appears under Configured domains, skip to the next step. Otherwise, type your Active Directory domain name, and select Add directory.

  2. Sign in with your Active Directory domain administrator account. The domain administrator account shouldn't have password change requirements. In case the password expires or changes, you'll need to reconfigure the agent with the new credentials. This operation will add your on-premises directory. Select OK, then select Next to continue.

Screenshot that shows how to enter the domain admin credentials.

  1. The following screenshot shows an example of contoso.com configured domain. Select Next to continue.

Screenshot of the Connect Active Directory screen.

  1. On the Configuration complete screen, select Confirm. This operation will register and restart the agent.

  2. Once this operation completes, you should be notified that Your agent configuration was successfully verified. You can select Exit.

Screenshot that shows the finish screen.

  1. If you still get the initial splash screen, select Close.

Verify agent installation

Agent verification occurs in the Azure portal and on the local server that's running the agent.

Azure portal agent verification

To verify that the agent is being registered by Azure AD, follow these steps:

  1. Sign in to the Azure portal.
  2. Select Azure Active Directory.
  3. Select Azure AD Connect, and then select Cloud sync. Screenshot of new UX screen.
  4. On the cloud sync page, you'll see the agents you've installed. Verify that the agent is displayed and the status is healthy.

On the local server

To verify that the agent is running, follow these steps:

  1. Sign in to the server with an administrator account.
    1. Open Services either by navigating to it or by going to Start/Run/Services.msc.
  2. Under Services, make sure that Microsoft Azure AD Connect Agent Updater and Microsoft Azure AD Connect Provisioning Agent are present and the status is Running. Screenshot that shows the Windows services.

Configure Azure AD Connect cloud sync

Use the following steps to configure provisioning:

  1. Sign-in to the Azure AD portal.

  2. Select Azure Active Directory

  3. Select Azure AD Connect

  4. Select Manage cloud sync

    Screenshot showing "Manage cloud sync" link.

  5. Select New Configuration

    Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.

  6. On the configuration screen, enter a Notification email, move the selector to Enable and select Save.

    Screenshot of Configure screen with Notification email filled in and Enable selected.

  7. Under Configure, select All users to change the scope of the configuration rule.

    Screenshot of Configure screen with "All users" highlighted next to "Scope users".

  8. On the right, change the scope to include the specific OU you created "OU=CPUsers,DC=contoso,DC=com".

    Screenshot of the Scope users screen highlighting the scope changed to the OU you created.

  9. Select Done and Save.

  10. The scope should now be set to one organizational unit.

    Screenshot of Configure screen with "1 organizational unit" highlighted next to "Scope users".

Verify users are provisioned by cloud sync

You'll now verify that the users that you had in our on-premises directory have been synchronized and now exist in out Azure AD tenant. This process may take a few hours to complete. To verify users are provisioning by cloud sync, follow these steps:

  1. Browse to the Azure portal and sign in with an account that has an Azure subscription.
  2. On the left, select Azure Active Directory
  3. Select on Azure AD Connect
  4. Select on Manage cloud sync
  5. Select on Logs button
  6. Search for a username to confirm that the user is provisioned by cloud sync

Additionally, you can verify that the user and group exist in Azure AD.

Start the scheduler

Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. Now that you've modified the rules, you can restart the scheduler. Use the following steps:

  1. On the server that is running Azure AD Connect sync open PowerShell with Administrative Privileges
  2. Run Set-ADSyncScheduler -SyncCycleEnabled $true.
  3. Run Start-ADSyncSyncCycle, then press Enter.

Note

If you are running your own custom scheduler for Azure AD Connect sync, then please enable the scheduler.

Once the scheduler is enabled, Azure AD Connect will stop exporting any changes on objects with cloudNoFlow=true in the metaverse, unless any reference attribute (such as manager) is being updated. In case there's any reference attribute update on the object, Azure AD Connect will ignore the cloudNoFlow signal and export all updates on the object.

Something went wrong

In case the pilot doesn't work as expected, you can go back to the Azure AD Connect sync setup by following the steps below:

  1. Disable provisioning configuration in the Azure portal.
  2. Disable all the custom sync rules created for Cloud Provisioning using the Sync Rule Editor tool. Disabling should cause full sync on all the connectors.

Next steps