Field Notes: How has your Azure AD Connect been configured?

As a consultant, I see a lot of different environments. Often, I need to know the answer to one of the most important questions:

What did you select during the setup of Azure AD Connect?

The answers vary:

A colleague did the setup and has left the company, department…

An external supplier did the setup for a pilot or part of a project…

Of course, these answers are supported by a lack of documentation.

Why is this important to know?

During the setup of Azure AD Connect, the Microsoft Azure Active Directory Connect wizard shows several options. These options are only shown during the initial setup. Some of these options are not displayed when you perform the View Configuration task after the initial configuration. Some options cannot be altered after the initial configuration at all; they can only be changed with a new installation of Azure AD Connect, except for one option.

Initial setup options

Let’s look at these options as they are presented chronologically as you perform a Custom settings installation of Azure AD Connect:

Uniquely identifying your users
(cannot be altered after initial config)

When you install your first Azure AD Connect instance and configure the connection to Azure Active Directory, the following setup options are presented on the Uniquely identifying your users page of the Microsoft Azure Active Directory Connect wizard:

[screenshot: Uniquely identifying your users page]

The top half of the Uniquely identifying your users page shows the option to configure how Azure AD Connect should behave when the organization has deployed a user account forest and resource forest Active Directory topology. However, a more common scenario is when an organization merges with another organization and is consolidating resources: instead of two Exchange Server environments or Skype for Business Server environments, everything is provisioned from one forest.

Custom installation - sourceAnchor configuration

The bottom half of the Uniquely identifying your users page allows the option to choose the source anchor.

The Microsoft documentation on these options can be found here.

Azure AD sign-in configuration
(cannot be altered after initial config)

The second option is the selection of the source for the Azure Active Directory UserPrincipalName on the Azure AD sign-in configuration page of the Microsoft Azure Active Directory Connect wizard.

[screenshot: Azure AD sign-in configuration page]

During the installation wizard, the administrator can choose which on-premises attribute should be used to populate the Azure Active Directory UserPrincipalName attribute.

The Microsoft documentation on this option can be found here.

Filter users and devices
(can be altered after initial config)

The last option I want to discuss is intended for pilot use only. The option on the Filter users and devices page enables administrators to scope which objects are synchronized based on a group membership, instead of a selection of Organizational Units (OUs) and containers:

[screenshot: Filter users and devices page]

The Microsoft documentation on this option can be found here.

What is configured in Azure AD Connect

Of course, we want to answer the initial question.

Native tooling

There are two ways to get the configuration from the Azure AD Connect server using native tooling:

  1. Azure AD Connect’s Graphical User Interfaces (GUIs)
  2. Windows PowerShell

The GUI provides almost all the information you need. However, if you have configured the “pilot” group filtering, you see that it is enabled, but you cannot see the actual configured group. If you also want to see the group, you will need to go to the second option.

The second option is to use Windows PowerShell to get all the configured options for your Azure AD Connect configuration.

Third-party tooling

A third option is to use a third-party tool called Azure AD Connect Configuration Documenter.

Using the Graphical User Interface

The steps below describe how to use the graphical user interface (GUI) to get information on the configured options:

  1. Sign in interactively to the Azure AD Connect server using an account that is a member of the local Administrators and the SyncAdmins groups.
  2. Open the “Azure AD Connect” link to the Microsoft Azure Active Directory Connect wizard, found on the desktop or in the Start menu.
  3. Click Configure on the Welcome to Azure AD Connect page.
  4. Select the View current configuration task on the Additional tasks page and click Next.
  5. All the configuration options are shown on the Review Your Solution page.

So let’s review our configured solution:

The first part provides information on the Azure AD tenant, the Active Directory environments it is connected to and the Azure AD Connect service account per Active Directory environment:
[screenshot: Review Your Solution page, tenant and directories section]

The second part provides the actual configuration of the Azure AD Connect instance:
[screenshot: Review Your Solution page, configuration section]

The top two rows of this information show the configured options mentioned before:

[screenshot: Review Your Solution page, top two rows]

In the table below I map each configuration item to the setup option (the original post shows a screenshot of each setup option; the wizard page names are given here instead).

Configuration Item                        Setup Option
SOURCE ANCHOR                             Uniquely identifying your users (source anchor)
USER PRINCIPAL NAME                       Azure AD sign-in configuration
SYNC CRITERIA                             Uniquely identifying your users (matching users across forests)
FILTER OBJECTS TO SYNCHRONIZE BY GROUP    Filter users and devices

As mentioned before, the GUI shows that we configured a group to scope synchronization, but it will not show the actual configured group:

[screenshot: Review Your Solution page, group filtering row]

The Windows PowerShell steps below provide the method to get the actual group name.

Using Windows PowerShell

The steps below describe how to use Windows PowerShell to get information on the configured options:

  1. Sign in interactively to the Azure AD Connect server using an account that is a member of the local Administrators and the SyncAdmins groups.
  2. Open Windows PowerShell as administrator.
  3. Issue the following line of Windows PowerShell: Get-ADSyncGlobalSettingsParameter | Select-Object * | Sort-Object -Property Name | Out-GridView
  4. It will now show the configured options of Azure AD Connect.

In the Out-GridView window there are multiple entries. The table below gives an overview of the configuration items and the setup option each one belongs to (the original post shows a screenshot of each setup option; the wizard page names are given here instead):

Configuration item                                 Setup Option
Microsoft.OptionalFeature.GroupFiltering           Filter users and devices
Microsoft.SynchronizationOption.AnchorAttribute    Uniquely identifying your users (source anchor)
Microsoft.SynchronizationOption.JoinCriteria       Uniquely identifying your users (matching users across forests)
Microsoft.SynchronizationOption.UPNAttribute       Azure AD sign-in configuration

To get the actual group that is configured on the Filter users and devices page, follow these steps:

  1. Issue the following line of Windows PowerShell in the elevated Windows PowerShell window: ( (Get-ADSyncConnector).GlobalParameters | Where-Object {$_.Name -eq "Connector.GroupFilteringGroupDn"} ).Value
  2. It will now show the configured group.
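The two PowerShell steps above return the raw parameter list and the group DN separately. The script below is an added example, not part of the original post, that combines them: it reads the four global settings parameters named on this page, labels each with the wizard page it was chosen on, and then reads Connector.GroupFilteringGroupDn from every connector that carries it (an environment with more than one Active Directory connector can have more than one group). It assumes the ADSync module that ships with Azure AD Connect is present and that the session is elevated and a member of the SyncAdmins group; the function name Get-AADConnectSetupChoices is chosen for this example.

```powershell
# Added example (not from the original post): collect the initial-setup choices
# of an Azure AD Connect instance in one list instead of browsing Out-GridView.
# Assumes the ADSync module (installed with Azure AD Connect) and an elevated
# session whose account is a member of the SyncAdmins group.
Import-Module ADSync -ErrorAction Stop

function Get-AADConnectSetupChoices {
    # Global settings parameters discussed on this page, mapped to the wizard
    # page on which they were selected during the custom installation.
    $map = [ordered]@{
        'Microsoft.SynchronizationOption.AnchorAttribute' = 'Uniquely identifying your users (source anchor)'
        'Microsoft.SynchronizationOption.JoinCriteria'    = 'Uniquely identifying your users (matching users across forests)'
        'Microsoft.SynchronizationOption.UPNAttribute'    = 'Azure AD sign-in configuration'
        'Microsoft.OptionalFeature.GroupFiltering'        = 'Filter users and devices'
    }

    $settings = Get-ADSyncGlobalSettingsParameter
    foreach ($name in $map.Keys) {
        $parameter = $settings | Where-Object { $_.Name -eq $name }
        $value = if ($parameter) { $parameter.Value } else { '(not present)' }
        [pscustomobject]@{
            ConfigurationItem = $name
            SetupOption       = $map[$name]
            Value             = $value
        }
    }

    # The group itself is stored per connector, not in the global settings,
    # so read it from each connector that has the parameter set.
    foreach ($connector in Get-ADSyncConnector) {
        $groupDn = $connector.GlobalParameters |
            Where-Object { $_.Name -eq 'Connector.GroupFilteringGroupDn' }
        if ($groupDn -and $groupDn.Value) {
            [pscustomobject]@{
                ConfigurationItem = "Connector.GroupFilteringGroupDn [$($connector.Name)]"
                SetupOption       = 'Filter users and devices (configured group)'
                Value             = $groupDn.Value
            }
        }
    }
}

# Usage: print the choices as a table; pipe to Export-Csv to keep it with the as-built documentation.
Get-AADConnectSetupChoices | Format-Table -AutoSize -Wrap
```

Reporting the group DN per connector name matters in multi-forest deployments: the one-line command in step 1 above flattens the GlobalParameters of all connectors together, so with two Active Directory connectors it prints two DNs without saying which forest each belongs to.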

Using the Azure AD Connect Configuration Documenter

The Azure AD Connect Configuration Documenter is a free tool to document the configuration of Azure AD Connect. It is available on GitHub.

I use this tool every time an update of an Azure AD Connect instance is needed. I use it to get a snapshot of the configuration before the update and after the update. I also use it to compare the configuration between Azure AD Connect instances, when an organization has one or more Azure AD Connect Staging Mode instances running or has instances running in its development, test, acceptance and production environments.

To use the tool, follow the provided instructions located in the readme file on GitHub.

The tool creates a report. In the report, there is a Global Settings section and this looks similar to the output when you’d use Windows PowerShell:

[screenshot: Global Settings section of the Configuration Documenter report]

At the time of writing this blog, the Azure AD Connect Configuration Documenter doesn’t show the group configured on the Filter users and devices page, even if the option to filter based on a group has been activated.
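The before/after snapshot and the staging-versus-active comparison described above can also be done with the same Get-ADSyncGlobalSettingsParameter output that the report's Global Settings section resembles. The script below is an added example, not part of the original post and not part of the Configuration Documenter: it writes the global settings to a JSON file and diffs two such files by parameter name. It assumes the ADSync module and an elevated SyncAdmins session on each server; the function names and the C:\Temp paths are placeholders chosen for this example.

```powershell
# Added example (not from the original post or the Configuration Documenter):
# save the global settings of an Azure AD Connect instance to a JSON file and
# diff two such files, e.g. before and after an upgrade, or staging vs. active.
# Assumes the ADSync module and an elevated session in the SyncAdmins group.
Import-Module ADSync -ErrorAction Stop

function Export-AADConnectSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Get-ADSyncGlobalSettingsParameter |
        Select-Object Name, Value |
        Sort-Object Name |
        ConvertTo-Json -Depth 3 |
        Set-Content -Path $Path -Encoding UTF8
}

function Compare-AADConnectSnapshot {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,
        [Parameter(Mandatory)][string]$DifferencePath
    )
    $reference  = Get-Content -Raw -Path $ReferencePath  | ConvertFrom-Json
    $difference = Get-Content -Raw -Path $DifferencePath | ConvertFrom-Json

    # Compare by parameter name so that a changed, added or removed
    # parameter each shows up as exactly one row.
    $names = @($reference.Name) + @($difference.Name) | Sort-Object -Unique
    foreach ($name in $names) {
        $before = ($reference  | Where-Object { $_.Name -eq $name }).Value
        $after  = ($difference | Where-Object { $_.Name -eq $name }).Value
        if ("$before" -ne "$after") {
            [pscustomobject]@{
                Name       = $name
                Reference  = $before
                Difference = $after
            }
        }
    }
}

# Usage (placeholder paths): snapshot before the upgrade, again afterwards, then diff.
Export-AADConnectSnapshot -Path 'C:\Temp\aadconnect-before.json'
# ... perform the Azure AD Connect upgrade ...
Export-AADConnectSnapshot -Path 'C:\Temp\aadconnect-after.json'
Compare-AADConnectSnapshot -ReferencePath 'C:\Temp\aadconnect-before.json' `
                           -DifferencePath 'C:\Temp\aadconnect-after.json' |
    Format-Table -AutoSize -Wrap
```

For a staging-versus-active comparison, run Export-AADConnectSnapshot on each server and copy one file over before calling Compare-AADConnectSnapshot. An empty result means the global settings are identical; note that, like the Documenter report, this snapshot does not include the per-connector Connector.GroupFilteringGroupDn value.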

Concluding

For me, as a consultant, it’s important to provide as much documentation as possible to the customer about what I did or what is configured.

When I configure Azure AD Connect, I use the Problem Steps Recorder (PSR) a lot, which is available by default on Windows installations and installations of Windows Server with the Desktop Experience. PSR takes a full screenshot when you click your mouse and when you type and leave the entry field. The PSR file of my activities is the raw draft for the actual as-built documentation that I always deliver to my customers.

I hope every consultant and systems administrator uses the same method, but it’s not always the case. If not, I use the described methods to retrieve the actual Azure AD Connect configuration.

I hope to have given you the tools to retrieve the configuration yourselves, and find out what is actually configured, too.