Manage users with directory synchronization
Organizations must complete several required management tasks to ensure that:
- Their users synchronize efficiently.
- Their directory synchronization tool of choice (Microsoft Entra Connect Sync or Microsoft Entra Cloud Sync) deploys successfully.
The following sections outline these tasks, which include:
- Managing user accounts.
- Recovering an accidentally deleted user account.
- Recovering from unsynchronized deletes.
- Enhanced user management.
Managing user accounts
Microsoft 365 administrators can create, modify, and delete user objects using either:
- The local Active Directory Users and Computers snap-in.
- Windows PowerShell in the organization's on-premises Active Directory.
Administrators can't manage synchronized user accounts using the Microsoft 365 admin center or Exchange Online admin center (EAC). Once an organization synchronizes user accounts, the source of authority is the organization's on-premises Active Directory. As such, if an administrator updates attributes in the Microsoft 365 admin center or EAC, the updates aren't synchronized back to the on-premises environment.
There are a few extra attributes that aren't available in an organization's on-premises Active Directory. Administrators must manage these attributes in the Microsoft 365 admin center, including:
- Microsoft 365 product licenses
- Advanced Exchange Online settings, such as enabling In-place Archiving
Recovering an accidentally deleted user account
Microsoft Entra ID supports soft deletes. This feature is also available if:
- Users are deleted in the on-premises Active Directory.
- The deletion is synchronized to Microsoft 365.
In this case, the system puts the user object in a deleted state, and it no longer appears in the Active user list. When an administrator deletes a user, the system makes the user's license available, allowing the administrator to reassign it to another user. The user object isn't linked to an on-premises object unless an administrator either restores it or creates a new object with the same source anchor. An organization can recover a deleted user object within 30 days.
Administrators can use either the Microsoft 365 admin center or Windows PowerShell to recover deleted user objects. They can do so using the following steps in the Microsoft 365 admin center:
- In the Microsoft 365 admin center, on the left navigation pane, select Users and then select Deleted users.
- On the Deleted users page, select the deleted user account that you want to recover, and then select Restore user on the menu bar.
- On the Restore page, select either Autogenerate password or Let me create the password. If you previously enabled Password hash synchronization, the next password hash sync cycle overwrites it with your current selection.
If you prefer to use PowerShell, you can use the following Microsoft Graph PowerShell cmdlet to recover a user object: Restore-MgDirectoryDeletedItem.
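The following is an added example, not code from the original module, that lists soft-deleted users together with the days left in the 30-day recovery window and restores one of them with Restore-MgDirectoryDeletedItem. It assumes the Microsoft Graph PowerShell SDK is installed and that the User.ReadWrite.All scope is sufficient for the restore; the sample UPN is constructed.

```powershell
# Added example (not from the original module). Assumes the Microsoft.Graph SDK
# and that User.ReadWrite.All is enough to restore a deleted user.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

function Get-RecoverableUsers {
    # Soft-deleted users are purged 30 days after DeletedDateTime.
    Get-MgDirectoryDeletedItemAsUser -All -Property Id,UserPrincipalName,DeletedDateTime |
        ForEach-Object {
            $elapsed  = (Get-Date).ToUniversalTime() - $_.DeletedDateTime
            [pscustomobject]@{
                Id                = $_.Id
                UserPrincipalName = $_.UserPrincipalName
                DeletedDateTime   = $_.DeletedDateTime
                DaysUntilPurge    = [math]::Round(30 - $elapsed.TotalDays, 1)
            }
        }
}

function Restore-DeletedUserByUpn {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # The UPN of a soft-deleted user carries an object-id prefix, so match on the suffix.
    $candidate = Get-RecoverableUsers |
        Where-Object { $_.UserPrincipalName -like "*$UserPrincipalName" }
    if (-not $candidate) { throw "No soft-deleted user matching $UserPrincipalName" }
    if ($candidate.DaysUntilPurge -le 0) { throw "Recovery window expired for $UserPrincipalName" }
    # Restore by object id. The restored object is re-linked to its on-premises
    # object only if that object still exists with the same source anchor.
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $candidate.Id
}

Get-RecoverableUsers | Format-Table UserPrincipalName, DeletedDateTime, DaysUntilPurge
# Restore-DeletedUserByUpn -UserPrincipalName 'joni.sherman@contoso.com'   # constructed sample UPN
```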
If an administrator accidentally deletes a user account and a directory synchronization cycle runs, the system deletes the user account in Microsoft 365. However, if the organization enabled the recycle bin feature in Active Directory, the administrator can recover the deleted user account from the recycle bin. In doing so, the system re-establishes the link between the accounts. If the organization didn't enable the recycle bin feature, the administrator must create a new account with a new GUID for the user.
Caution
After an organization purges (hard deletes) its cloud recycle bin, it can't restore any previously deleted accounts.
Additional reading. For more information, see How to troubleshoot deleted user accounts in Office 365.
Recovering from unsynchronized deletes
Another important maintenance task is dealing with an on-premises delete that doesn't synchronize to Microsoft 365. In this scenario, the system doesn't remove the linked object from Microsoft Entra ID. This situation can occur if directory synchronization doesn't complete, or if directory synchronization failed to delete a specific cloud object. The result of either scenario is a linked object that isn't removed from Microsoft Entra ID. Such an object is referred to as an orphaned Microsoft Entra object.
To resolve this issue, follow these steps:
- Manually run a directory synchronization update. An administrator can run this update using either Microsoft Entra Connect’s Synchronization Service Manager or Windows PowerShell. With PowerShell, use the Start-ADSyncSyncCycle -PolicyType Delta cmdlet.
- Check that directory synchronization occurred correctly. Open the Synchronization Service Manager and verify that all synchronizations finished and the Status line displays “Success”.
- Verify directory synchronization. Open the Microsoft 365 admin center and verify the synchronization process deleted the objects as expected.
After completing these steps, validate that directory synchronization is working correctly. If directory synchronization has yet to propagate the Active Directory object deletion to Microsoft Entra ID, an administrator can use one of the following Microsoft Graph PowerShell cmdlets to manually remove the orphaned object: Remove-MgUser, Remove-MgContact, or Remove-MgGroup.
For example, assume directory synchronization orphaned a user named Joni Sherman, whose user ID is 5c442efb-5e66-484a-936a-91b6810bed14. An administrator can remove the orphaned user by running the following Microsoft Graph PowerShell command:
Remove-MgUser -UserId '5c442efb-5e66-484a-936a-91b6810bed14'
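As an added example that is not part of the original module, the following script finds orphaned Microsoft Entra users the way a defender would before removing anything: it takes every user flagged as directory-synchronized, decodes its OnPremisesImmutableId back to an objectGUID, and reports those with no matching on-premises object (including the AD recycle bin, so an on-premises soft delete isn't misreported). It assumes the ActiveDirectory and Microsoft.Graph modules on a domain-joined host and that the source anchor is the objectGUID / mS-DS-ConsistencyGuid (the Microsoft Entra Connect default).

```powershell
# Added example (not from the original module). Assumes the ActiveDirectory and
# Microsoft.Graph modules and an objectGUID-based source anchor, so that
# OnPremisesImmutableId is the base64 encoding of the GUID bytes.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.ReadWrite.All'

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Get-OrphanedSyncedUsers {
    $synced = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesImmutableId |
        Where-Object { $_.OnPremisesSyncEnabled -and $_.OnPremisesImmutableId }
    foreach ($u in $synced) {
        $guid = ConvertFrom-ImmutableId $u.OnPremisesImmutableId
        # -Identity accepts an objectGUID; include deleted objects so a user that is
        # merely in the on-premises recycle bin is not reported as orphaned.
        $onPrem = Get-ADObject -Identity $guid -IncludeDeletedObjects -ErrorAction SilentlyContinue
        if (-not $onPrem) {
            [pscustomobject]@{
                Id                = $u.Id
                UserPrincipalName = $u.UserPrincipalName
                ObjectGuid        = $guid
            }
        }
    }
}

$orphans = Get-OrphanedSyncedUsers
$orphans | Format-Table UserPrincipalName, ObjectGuid
# Review the list first. -WhatIf shows the removal without performing it;
# drop it only after a delta sync cycle has been run and checked.
$orphans | ForEach-Object { Remove-MgUser -UserId $_.Id -WhatIf }
```

A user that is simply outside the Microsoft Entra Connect OU filter also has no cloud-side link problem, so run this after the delta sync and Synchronization Service Manager checks above rather than instead of them.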
Moving an out-of-sync user
Another unsynchronized delete scenario occurs when moving an out-of-sync Active Directory user. Consider the scenario where a user's account information, such as the user's password, group memberships, and so on, is updated on one domain controller (DC). In this scenario, the user account is considered to be out-of-sync when its updated account information has yet to replicate on other DCs. Here's the typical scenario involving an out-of-sync user:
- The user account information is updated on one DC (say DC1), but the information has yet to replicate to other DCs.
- The account is now out of sync, with updated information on DC1 but not on DC2, DC3, and so on.
- To resolve this situation, an administrator moves the user account to a different OU/container in the on-premises Active Directory.
- The move operation itself forces the updated account state from DC1 to be replicated to the other DCs.
- After replication completes, the account information is consistent (in sync) across all DCs.
Now, if Microsoft Entra Connect Sync is involved for directory synchronization to Microsoft Entra ID, moving an out-of-sync Active Directory user can have other implications:
- In the previous steps, the move operation in step 4 replicates the latest account state from DC1 to the other DCs, syncing the account info across on-premises DCs.
- However, while the updated account information is now synchronized across all DCs, it isn't synchronized yet to Microsoft Entra ID through Microsoft Entra Connect Sync.
- When Microsoft Entra Connect Sync performs its periodic synchronization between on-premises Active Directory and Microsoft Entra ID, it can detect when a user account is no longer in its expected OU. If this scenario occurs, it assumes an administrator either deleted the user or moved it to another OU in the on-premises AD. As a result, Microsoft Entra Connect Sync soft-deletes the corresponding Microsoft Entra user account. It does so to synchronize with the assumed user delete or move operation in the on-premises AD.
- If the on-premises user is moved back to its original OU within 30 days, Microsoft Entra Connect Sync reactivates the Microsoft Entra user account the next time it resyncs.
- However, if the on-premises user isn't moved back to its original OU within 30 days, Microsoft Entra Connect Sync permanently deletes the soft-deleted Microsoft Entra user account.
This process is shown in the following diagram.
Enhanced user management
Microsoft Entra Connect Sync and Microsoft Entra Connect Cloud Service offer enhanced user management features, including password writeback and device writeback.
Password writeback
Users can change their passwords through the sign-in page or through user settings in Microsoft 365. With password writeback, the system writes the updated passwords back to the organization’s on-premises Active Directory.
Organizations must complete the following prerequisites to enable this feature:
- Windows Server 2008 or higher Domain Controllers in the on-premises Active Directory.
- Microsoft Entra Premium license.
- Configure the Self-Service Password Reset (SSPR) option in the Microsoft 365 tenant.
You must first enable password writeback in whichever directory synchronization tool that you select. You must then configure Microsoft Entra self-service password reset (SSPR) for password writeback.
Enable password writeback when using Microsoft Entra Connect Sync
To enable the password writeback feature when using Microsoft Entra Connect Sync, the administrator must enable the password writeback option during installation of Microsoft Entra Connect Sync. To do so, select the Custom Setup option when running the Microsoft Entra Connect Sync installation wizard. When you enable this option, password change events cause Microsoft Entra Connect Sync to synchronize the updated credentials back to the on-premises AD DS environment.
To enable SSPR for password writeback, you must first enable the writeback option in Microsoft Entra Connect Sync. From your Microsoft Entra Connect Sync server, complete the following steps:
- Sign in to your Microsoft Entra Connect Sync server and start the Microsoft Entra Connect Sync configuration wizard.
- On the Welcome page, select Configure.
- On the Additional tasks page, select Customize synchronization options, and then select Next.
- On the Connect to Azure AD page, enter a global administrator credential for your Microsoft Entra tenant, and then select Next.
- On the Connect directories and Domain/OU filtering pages, select Next.
- On the Optional features page, select the check box next to Password writeback and then select Next.
- On the Directory extensions page, select Next.
- On the Ready to configure page, select Configure and wait for the process to finish.
- When you see the configuration finish, select Exit.
Once you enable password writeback in Microsoft Entra Connect Sync, you can then enable password writeback for SSPR. See the following section on enabling password writeback for SSPR.
Enable password writeback when using Microsoft Entra Cloud Sync
Microsoft Entra Cloud Sync uses the lightweight Microsoft Entra cloud provisioning agent to simplify the setup for self-service password reset writeback. This process provides a secure way to send password changes in the cloud back to an on-premises directory.
You must enable password writeback in Microsoft Entra Cloud Sync by using the Set-AADCloudSyncPasswordWritebackConfiguration cmdlet on the servers with the provisioning agents. You need global administrator credentials to run the following PowerShell commands:
Import-Module 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll'
Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential)
Once you enable password writeback, you can then enable password writeback for SSPR. See the following section on enabling password writeback for SSPR.
Enable password writeback for SSPR
Once you enable password writeback in either Microsoft Entra Connect Sync or Microsoft Entra Cloud Sync, you can then enable password writeback for SSPR. When you enable SSPR to use password writeback, users who change or reset their password have that updated password synchronized back to the on-premises AD DS environment as well.
To verify and enable password writeback in SSPR, complete the following steps:
- Sign into the Microsoft Entra admin center using a global administrator account.
- In the left-hand navigation pane, select Identity, then select Protection, and then select Password reset.
- On the Password reset | Properties page, in the middle navigation pane under the Manage section, select On-premises integration.
- The Password reset | On-premises integration page displays the status of both the Microsoft Entra Connect Sync agent and the Microsoft Entra Connect Sync provisioning agent. If you selected Microsoft Entra Cloud Sync, verify that the Cloud Sync agent setup is complete.
- Under the Manage settings section:
- Select the Write back passwords with Microsoft Entra Cloud Sync check box.
- Select the Allow users to unlock accounts without resetting their password check box.
- Select Save.
Device writeback
Device writeback enables device-based conditional access for AD FS protected applications or relying party trusts. This feature provides extra security and assurance by granting access to applications only from trusted devices.
To implement device writeback, an organization must ensure that its devices and users are in the same forest. Since device writeback writes devices back to a single forest, this feature doesn't support a deployment with multiple user forests.
Device writeback requires the following prerequisites:
- A subscription to Microsoft Entra Premium.
- Active Directory forest runs Windows Server 2012 R2 or later.
- AD FS is hosted from Windows Server 2012 R2 (AD FS v3.0) or later.
- Microsoft Entra Premium license.
Warning
Both Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync support password writeback. However, only Microsoft Entra Connect Sync supports device writeback.
To enable device writeback for Microsoft Entra Connect Sync, you must run the Microsoft Entra Connect Sync installation wizard twice.
- You must run it the first time as previously covered in the training. You can run it using either Custom or Express settings. This initial run synchronizes your users and groups.
- You must then run the installation wizard a second time to enable device writeback.
Important
Microsoft recommends that you successfully synchronize all users and groups before you enable device writeback.
When you run the Microsoft Entra Connect Sync installation wizard a second time to enable device writeback, you must run it in Custom Setup mode.
Run the Microsoft Entra Connect Sync installation wizard a second time. Select Configure device options from the Additional Tasks page and then select Next.
Note
The Configure device options feature is available only in version 1.1.819.0 and newer.
On the Device options page, select Configure device writeback. The option to Disable device writeback isn't available until after you enable device writeback. Select Next.
On the Writeback page, verify that the supplied domain displays as the default Device writeback forest. Select Next.
The Device container page provides the option of preparing the Active Directory by using one of the two available options:
- Provide enterprise administrator credentials. If you provide the enterprise administrator credentials for the forest where devices are written back, Microsoft Entra Connect Sync prepares the forest automatically during the configuration of device writeback.
- Download PowerShell script. Microsoft Entra Connect Sync autogenerates a PowerShell script that can prepare the Active Directory for device writeback. In the event you can't provide the Microsoft 365 administrator credentials in Microsoft Entra Connect Sync, Microsoft suggests downloading the PowerShell script. You should provide the downloaded PowerShell script titled CreateDeviceContainer.ps1 to the Microsoft 365 administrator of the forest where devices plan to be written back.
The Microsoft Entra Connect Sync installation wizard only needs to run on one forest, even if the organization installs Microsoft Entra Connect Sync in multiple forests. The wizard performs the following operations to prepare the Active Directory forest:
- The wizard creates and configures new containers and objects under "CN=Device Registration Configuration,CN=Services,CN=Configuration,[forest-dn]" if they don't already exist.
- If the containers don't exist already, it creates and configures new containers and objects under "CN=RegisteredDevices,[domain-dn]." The wizard creates device objects in this container.
- To manage devices on your Active Directory, the wizard sets the necessary permissions on the Microsoft Entra Connector account.
It can take up to three hours for device objects to be written back to your on-premises Active Directory. To verify that your devices synced properly, complete the following steps after the sync rules finish:
- Launch the Active Directory Administrative Center.
- Expand RegisteredDevices within the domain that is being federated.
- The system displays the current registered devices here.
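The same verification from PowerShell, as an added example that is not part of the original module: it checks that the two containers the wizard creates exist and lists the device objects written back so far. It assumes the ActiveDirectory module on a host joined to the domain that devices are written back to, and that written-back devices use the msDS-Device object class.

```powershell
# Added example (not from the original module). Assumes the ActiveDirectory module,
# that the local domain is the writeback domain, and the msDS-Device object class.
Import-Module ActiveDirectory

function Test-DeviceWritebackContainers {
    $root       = Get-ADRootDSE
    $configPath = "CN=Device Registration Configuration,CN=Services,$($root.configurationNamingContext)"
    $devicePath = "CN=RegisteredDevices,$($root.defaultNamingContext)"
    foreach ($path in @($configPath, $devicePath)) {
        $obj = Get-ADObject -Identity $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Container = $path
            Exists    = [bool]$obj
        }
    }
}

function Get-WrittenBackDevices {
    $root       = Get-ADRootDSE
    $devicePath = "CN=RegisteredDevices,$($root.defaultNamingContext)"
    # Writeback can take up to three hours, so an empty result shortly after
    # enabling the feature is not by itself a failure.
    $props = 'displayName', 'msDS-DeviceID', 'msDS-DeviceOSType', 'msDS-IsEnabled', 'whenCreated'
    Get-ADObject -SearchBase $devicePath -Filter 'objectClass -eq "msDS-Device"' -Properties $props |
        Select-Object $props
}

Test-DeviceWritebackContainers | Format-Table -AutoSize
Get-WrittenBackDevices | Sort-Object whenCreated -Descending | Format-Table -AutoSize
```

If a container is reported as missing, the forest preparation (enterprise administrator credentials or the downloaded CreateDeviceContainer.ps1) did not complete, and that must be fixed before devices can appear.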
Additional reading. For more information, see the article titled: How to enable device writeback in Microsoft Entra Connect Sync.