As a consultant, I see a lot of different environments. Often, I need to know the answer to one of the most important questions:
What did you select during the setup of Azure AD Connect?
The answers vary:
A colleague did the setup and has left the company, department…
An external supplier did the setup for a pilot or part of a project…
Of course, these answers are supported by a lack of documentation.
Why is this important to know?
During the setup of Azure AD Connect, the Microsoft Azure Active Directory Connect wizard shows several options. These options are only shown during the initial setup. Some of them are not displayed when you perform the View Configuration task after the initial configuration. Some options cannot be altered after the initial configuration at all; changing them requires a new installation of Azure AD Connect. Only one of the options discussed below can be altered afterwards.
Initial setup options
Let's look at these options as they are presented chronologically as you perform a Custom settings installation of Azure AD Connect:
Uniquely identifying your users
(cannot be altered after initial config)
When you install your first Azure AD Connect instance and configure the connection to Azure Active Directory, the following setup options are presented on the Uniquely identifying your users page of the Microsoft Azure Active Directory Connect wizard:
The top half of the Uniquely identifying your users page shows the option to configure how Azure AD Connect should behave when the organization has deployed an account forest and resource forest Active Directory topology. A more common scenario, however, is an organization that has merged with another organization and is consolidating resources: instead of two Exchange Server environments or Skype for Business Server environments, everything is provisioned from one forest.
The bottom half of the Uniquely identifying your users page allows the option to choose the source anchor.
The Microsoft documentation on these options can be found here.
Azure AD sign-in configuration
(cannot be altered after initial config)
The second option is the selection of the source for the Azure Active Directory UserPrincipalName on the Azure AD sign-in configuration page of the Microsoft Azure Active Directory Connect wizard.
During the installation wizard, the administrator can choose which on-premises attribute should be used to populate the Azure Active Directory UserPrincipalName attribute.
The Microsoft documentation on this option can be found here.
Filter users and devices
(can be altered after initial config)
The last option I want to discuss is intended for pilot use only. The option on the Filter users and devices page enables administrators to scope which objects are synchronized based on group membership, instead of a selection of Organizational Units (OUs) and containers:
The Microsoft documentation on this option can be found here.
What is configured in Azure AD Connect
Of course, we want to answer the initial question.
Native tooling
There are two ways to get the configuration from the Azure AD Connect server using native tooling:
- Azure AD Connect's Graphical User Interfaces (GUIs)
- Windows PowerShell
The GUI provides almost all the information you need. However, if you have configured the “pilot” group filtering, you see that it is enabled, but you cannot see the actual configured group. If you also want to see the group, you will need to use the second option.
The second option is to use Windows PowerShell to get all the configured options for your Azure AD Connect configuration.
Third-party tooling
A third option is to use a third-party tool called Azure AD Connect Configuration Documenter.
Using the Graphical User Interface
The steps below describe how to use the graphical user interface (GUI) to get information on the configured options:
- Sign in interactively to the Azure AD Connect server using an account that is a member of local Administrators and the SyncAdmins groups.
- Open the “Azure AD Connect” link to the Microsoft Azure Active Directory Connect wizard, found on the desktop or Start menu.
- Click Configure on the Welcome to Azure AD Connect page:
- Select the View current configuration task on the Additional tasks page and click Next.
- All the configuration options are shown on the Review Your Solution page:
So let's review our configured solution:
The first part provides information on the Azure AD tenant, the Active Directory environments it is connected to and the Azure AD Connect service account per Active Directory environment:
The second part provides the actual configuration of the Azure AD Connect instance:
The top two rows of this information show the configured options mentioned before:
In the table below I map the configuration item to the setup option.
| Configuration Item | Setup Option |
| --- | --- |
| SOURCE ANCHOR | Uniquely identifying your users (source anchor, bottom half of the page) |
| USER PRINCIPAL NAME | Azure AD sign-in configuration |
| SYNC CRITERIA | Uniquely identifying your users (matching users across forests, top half of the page) |
| FILTER OBJECTS TO SYNCHRONIZE BY GROUP | Filter users and devices |
As mentioned before, the GUI shows that we configured a group to scope synchronization, but it will not show the actual configured group:
The Windows PowerShell steps below provide the method to get the actual group name.
Using Windows PowerShell
The steps below describe how to use Windows PowerShell to get information on the configured options:
- Sign in interactively to the Azure AD Connect server using an account that is a member of local Administrators and the SyncAdmins groups.
- Open Windows PowerShell as administrator.
- Issue the following line of Windows PowerShell: Get-ADSyncGlobalSettingsParameter | Select-Object * | Sort-Object -Property Name | Out-GridView
- It will now show the configured options of Azure AD Connect:
In the Out-GridView window there are multiple entries. The table below gives an overview of the configuration items and the setup option each belongs to:
To get the actual configured group that is configured on the Filter users and devices page, follow these steps:
- Issue the following line of Windows PowerShell in the elevated Windows PowerShell window: ( (Get-ADSyncConnector).GlobalParameters | Where-Object {$_.Name -eq "Connector.GroupFilteringGroupDn"} ).Value
- It will now show the configured group:
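The two commands above can be combined into one script that reads the stored values and maps them back to the wizard pages discussed earlier. The script below is an added example, not code from the original post or from Microsoft. It assumes the ADSync module installed by Azure AD Connect, an account that is a member of local Administrators and ADSyncAdmins, and that the global settings parameter names contain the substrings AnchorAttribute, JoinCriteria and UPNAttribute, as they do in typical Get-ADSyncGlobalSettingsParameter output (an assumption; the wildcards print "not present" rather than failing if a name differs). It also reads the group filter per on-premises AD connector instead of flattening all connectors, so the output stays readable when several forests are connected.

```powershell
# Added example (not from the original post): collect the three setup-time
# choices from an Azure AD Connect server and show them as one object.
# Requires the ADSync module that the Azure AD Connect installer provides.
Import-Module ADSync -ErrorAction Stop

# Global settings parameters: one object per setting, with Name and Value.
$settings = Get-ADSyncGlobalSettingsParameter

# Helper: return the Value of the first global parameter whose Name matches a
# wildcard. The patterns used below are assumed to match the parameter names
# as they appear in typical Get-ADSyncGlobalSettingsParameter output.
function Get-SettingValue {
    param([string]$NamePattern)
    $match = $settings | Where-Object { $_.Name -like $NamePattern } | Select-Object -First 1
    if ($null -eq $match) { return '<not present>' }
    return [string]$match.Value
}

# Group filtering is stored per connector, on the on-premises Active Directory
# connectors only (ConnectorTypeName 'AD'; assumption based on typical output).
# Read it from each AD connector rather than from all connectors at once.
$adConnectors = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$groupFilters = foreach ($c in $adConnectors) {
    $dn = ($c.GlobalParameters |
           Where-Object { $_.Name -eq 'Connector.GroupFilteringGroupDn' }).Value
    [pscustomobject]@{
        Connector     = $c.Name
        GroupFilterDn = if ([string]::IsNullOrEmpty($dn)) { '<none: OU/container filtering>' } else { $dn }
    }
}

# Map the stored values back to the wizard pages discussed above.
[pscustomobject]@{
    'Uniquely identifying your users / Source anchor' = Get-SettingValue '*AnchorAttribute*'
    'Uniquely identifying your users / Sync criteria' = Get-SettingValue '*JoinCriteria*'
    'Azure AD sign-in configuration / UPN attribute'  = Get-SettingValue '*UPNAttribute*'
    'Filter users and devices / Group filter'         =
        ($groupFilters | ForEach-Object { "$($_.Connector): $($_.GroupFilterDn)" }) -join '; '
} | Format-List
```

Run it in the same elevated Windows PowerShell window as the steps above. An empty Connector.GroupFilteringGroupDn value means the instance scopes synchronization by OUs and containers, which is the expected state outside a pilot; a populated value on a production instance is worth a second look, because only members of that group are synchronized.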
Using the Azure AD Connect Configuration Documenter
The Azure AD Connect Configuration Documenter is a free tool to document the configuration of Azure AD Connect. It is available on GitHub.
I use this tool every time an update of an Azure AD Connect instance is needed. I use it to get a snapshot of the configuration before the update and after the update. I also use it to compare the configuration between Azure AD Connect instances, when an organization has one or more Azure AD Connect Staging Mode instances running or has instances running in their development, test, acceptance and production environments.
To use the tool, follow the provided instructions located in the readme file on GitHub.
The tool creates a report. In the report, there is a Global Settings section and this looks similar to the output when you'd use Windows PowerShell:
At the time of writing this blog, the Azure AD Connect Configuration Documenter doesn’t show the configured group on the Filter users and devices page, if the option to filter based on a group has been activated.
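Because the Documenter does not record the filtering group, a lightweight before/after snapshot that does include it is useful alongside its report. The script below is an added example, not part of the original post and not code from the Documenter project. It writes the global settings and every AD connector's Connector.GroupFilteringGroupDn to a timestamped JSON file and, when given an earlier snapshot, lists the settings that changed. The snapshot directory and file naming are assumptions; save it as a .ps1 file because it takes parameters.

```powershell
# Added example (not from the original post or the Documenter project):
# snapshot the Azure AD Connect settings to JSON and diff against an earlier one.
param(
    [string]$SnapshotDir = 'C:\AADConnectSnapshots',  # assumed location, change as needed
    [string]$CompareWith                              # optional path of an earlier snapshot
)
Import-Module ADSync -ErrorAction Stop

# Build a flat name -> value table: all global settings parameters plus the
# group filter DN of every on-premises AD connector, prefixed with its name.
function Get-AadConnectSnapshot {
    $table = [ordered]@{}
    foreach ($p in Get-ADSyncGlobalSettingsParameter | Sort-Object Name) {
        $table[$p.Name] = [string]$p.Value
    }
    foreach ($c in Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }) {
        $dn = ($c.GlobalParameters |
               Where-Object { $_.Name -eq 'Connector.GroupFilteringGroupDn' }).Value
        $table["Connector[$($c.Name)].GroupFilteringGroupDn"] = [string]$dn
    }
    return $table
}

$current = Get-AadConnectSnapshot

# Write the snapshot; host name and timestamp make before/after and
# staging-versus-active comparisons easy to file next to the as-built document.
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path $SnapshotDir "$env:COMPUTERNAME-$stamp.json"
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8
Write-Host "Snapshot written to $file"

if ($CompareWith) {
    # Read the earlier snapshot back into a hashtable and report every setting
    # that was added, removed or changed since then.
    $previous = @{}
    (Get-Content -Path $CompareWith -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $previous[$_.Name] = [string]$_.Value }

    $names   = (@($previous.Keys) + @($current.Keys)) | Sort-Object -Unique
    $changes = foreach ($n in $names) {
        $old = $previous[$n]
        $new = $current[$n]
        if ($old -ne $new) {
            [pscustomobject]@{ Setting = $n; Before = $old; After = $new }
        }
    }
    if ($changes) { $changes | Format-Table -AutoSize } else { Write-Host 'No differences.' }
}
```

Run it once before the update and once after with -CompareWith pointing at the first file; for staging versus active instances, copy the JSON from one server and compare on the other. The diff shows exactly which of the setup-time options, including the filtering group, differ, which is the evidence you want in the as-built documentation.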
Concluding
For me, as a consultant, it's important to provide as much documentation as possible to the customer about what I did or what is configured.
When I configure Azure AD Connect, I use the Problem Step Recorder (PSR) a lot, which is available by default on Windows installations and installations of Windows Server with the Desktop Experience. PSR takes a full screenshot when you click your mouse and when you type and leave the entry field. The PSR file of my activities is the raw draft for the actual as-built documentation that I always deliver to my customers.
I hope every consultant and systems administrator uses the same method, but it's not always the case. If not, I use the described methods to retrieve the actual Azure AD Connect configuration.
I hope to have given you the tools to retrieve the configuration yourselves, and find out what is actually configured, too.