HOWTO: Use Azure AD Connect’s v2 Endpoint

Azure AD Connect

Azure AD Connect is Microsoft’s free tool to synchronize objects and their attributes from Active Directory Domain Services (AD DS) implementations to Azure Active Directory tenants. Many millions of organizations depend on Azure Active Directory and the APIs that the tool connects to. Now, a new endpoint is in Public Preview, so it’s time to take a closer look!

Why use the Azure AD Connect v2 Endpoint?

For years, Azure AD Connect has used the v1 endpoint. That endpoint has served Azure AD Connect well. However, there are a couple of known limits to it:

Group membership limitations

With Azure AD Connect’s v1 endpoint, group memberships are limited to 50,000 members. Without a verified DNS domain name, a limit of 15,000 members is applied, though. With the v2 Endpoint, group memberships can now be set at 250,000 objects.

When the group memberships limit is increased, the new limit also applies to writing back Office 365 groups from Azure AD to Active Directory (if the Group WriteBack feature is enabled).

Performance limitations

Due to the way the v1 endpoint handles attribute changes, the v2 endpoint brings significant performance gains on exports and (delta) imports to Azure AD. Again, these changes benefit groups most, as their member attribute may change often.

Known issues with the v2 Endpoint

There are three known issues for Azure AD Connect’s v2 Endpoint:

Additional errors shown

After enabling the new endpoint, you may see additional export errors on the AAD connector with name dn-attributes-failure. There will be a corresponding event log entry for each error with id 6949. The errors are informational and do not indicate a problem with your installation, but rather that the sync process could not add certain members to a group in Azure AD because the member object itself was not synced to Azure AD.

The new v2 endpoint code handles some types of export errors slightly differently from how the v1 code did. You may see more of these informational error messages when you use the v2 endpoint.
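The dn-attributes-failure errors above are informational, but a defender still wants to know how many there are and which groups they concern, since each one is a group whose membership in Azure AD is incomplete until the missing member object is brought into scope. The following Windows PowerShell script is an added example, not code from the original post; it reads the event ID 6949 entries the post describes and summarises them. It assumes that Azure AD Connect writes these events to the Application log (the default) and that the event message names the affected group.

```powershell
# Added example (not from the original post): summarise the informational
# dn-attributes-failure export errors (event ID 6949) over a recent time window.
# Assumptions: the events land in the Application log and the event message
# contains the distinguished name of the group that could not be fully exported.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Pull only event ID 6949 from the last $Hours hours. -ErrorAction SilentlyContinue
# keeps the script quiet when no matching events exist yet (Get-WinEvent errors
# on an empty result).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Id        = 6949
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No event ID 6949 entries since $since."
    return
}

# Group identical messages so a group/member pair that fails on every sync cycle
# is reported once with a count instead of once per cycle. Remediation, per the
# post, is to sync the missing member object rather than to change the group.
$events |
    Group-Object -Property Message |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object -Property TimeCreated
        [pscustomobject]@{
            Count   = $_.Count
            First   = ($ordered | Select-Object -First 1).TimeCreated
            Last    = ($ordered | Select-Object -Last 1).TimeCreated
            Message = $_.Name.Substring(0, [Math]::Min(200, $_.Name.Length))
        }
    } | Format-Table -AutoSize -Wrap
```

Run it on the Azure AD Connect server after enabling the v2 endpoint; a sudden rise in the count is expected right after the switch, because the v2 code reports cases the v1 code stayed silent about. A message that keeps reappearing with the same group points at a member object that is excluded from the sync scope.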

In-place Upgrades

When upgrading Azure AD Connect, ensure that the steps below are rerun, as the changes are not preserved through the upgrade process.

Public Preview

Microsoft supports organizations using the v2 Endpoint in production. If you need support when using this feature, you should open a support case.

However, please know that Public Preview capabilities may be withdrawn and possibly redesigned before reaching further milestones.

Getting ready

To take advantage of the v2 endpoints, you’ll need to meet the following requirements:

  1. One or more Azure AD Connect installations running version 1.5.30.0, or above.
  2. An Azure AD tenant in the global cloud. The Public Preview does not extend to sovereign clouds, like the US Government and VIANet’s China Azure, yet.


Enabling the use of the v2 Endpoint

Sign in on the Windows Server running Azure AD Connect.

Run the following lines of Windows PowerShell in an elevated Windows PowerShell window on the Windows Server with Azure AD Connect that you want to use with the v2 Endpoint:

    # Stop the scheduler so no sync cycle runs while the connector is reconfigured
    Set-ADSyncScheduler -SyncCycleEnabled $false
    # Load the connector cmdlets that expose the API version settings
    Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'
    # Switch both export and import to the v2 endpoint
    Set-ADSyncAADConnectorExportApiVersion 2
    Set-ADSyncAADConnectorImportApiVersion 2
    # Re-enable the scheduler
    Set-ADSyncScheduler -SyncCycleEnabled $true

After these changes, the synchronization performance increases apply, but the group memberships limit of 50,000 members still applies.
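The five commands above do the job, but a change to a production identity sync deserves a few checks around it: the version requirement from the "Getting ready" section, a wait for any sync cycle that is still running, a read-back of the configured API versions (which is also the way to tell that the connector really is on v2), and a guarantee that the scheduler is switched back on even if a step fails. The script below is an added example, not code from the original post. It assumes that AADConnector.psm1 also exports Get-ADSyncAADConnectorExportApiVersion and Get-ADSyncAADConnectorImportApiVersion to read the configured versions back, that Get-ADSyncScheduler exposes a SyncCycleInProgress property, and that the installed Azure AD Connect version can be read from the Version value under HKLM:\SOFTWARE\Microsoft\Azure AD Connect; all three are assumptions, not statements from the post.

```powershell
# Added example (not from the original post): switch the AAD connector to the v2
# endpoint with safety checks around the commands the post gives.
# Assumptions: Get-ADSyncAADConnectorExportApiVersion / -ImportApiVersion exist in
# AADConnector.psm1, Get-ADSyncScheduler has a SyncCycleInProgress property, and
# the installed version is stored in the registry key named below.
#Requires -RunAsAdministrator

$minVersion = [version]'1.5.30.0'   # requirement stated in the post
$modulePath = 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'

# 1. Refuse to continue on a build below the Public Preview requirement
#    (registry location is an assumption).
$installed = [version](Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect' -Name Version).Version
if ($installed -lt $minVersion) {
    throw "Azure AD Connect $installed is below the required $minVersion; upgrade first."
}

Import-Module ADSync
Import-Module $modulePath

# 2. Stop the scheduler and wait for an in-flight sync cycle to finish before
#    touching connector settings.
Set-ADSyncScheduler -SyncCycleEnabled $false
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Output 'Sync cycle in progress, waiting 30 seconds...'
    Start-Sleep -Seconds 30
}

try {
    # 3. Record the current state, then switch both directions to v2.
    $before = [pscustomobject]@{
        Export = Get-ADSyncAADConnectorExportApiVersion
        Import = Get-ADSyncAADConnectorImportApiVersion
    }
    Set-ADSyncAADConnectorExportApiVersion 2
    Set-ADSyncAADConnectorImportApiVersion 2

    # 4. Read the values back. This read-back is the evidence that the
    #    connector is configured for v2; the client still talks to the same
    #    service URL, so the URL alone does not show which version is in use.
    $after = [pscustomobject]@{
        Export = Get-ADSyncAADConnectorExportApiVersion
        Import = Get-ADSyncAADConnectorImportApiVersion
    }
    Write-Output "Export API version: $($before.Export) -> $($after.Export)"
    Write-Output "Import API version: $($before.Import) -> $($after.Import)"
    if ($after.Export -ne 2 -or $after.Import -ne 2) {
        throw 'Connector did not report API version 2 for both directions.'
    }
}
finally {
    # 5. Always re-enable the scheduler, even when a step above failed, so the
    #    tenant is not left without synchronization.
    Set-ADSyncScheduler -SyncCycleEnabled $true
}
```

Because the in-place upgrade caveat above says the setting is not preserved through an upgrade, the same script can be rerun after every Azure AD Connect upgrade; the read-back in step 4 then doubles as the post-upgrade check that the connector is still on v2.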

Increasing the group memberships limit

To increase the group memberships limit, we’ll need to change the synchronization rule. Follow these steps to do so:

  1. Run the following line of Windows PowerShell in an elevated Windows PowerShell window on the Windows Server with Azure AD Connect that you want to use with the v2 Endpoint:

    Set-ADSyncScheduler -SyncCycleEnabled $false

  2. Open Synchronization Rules Editor from the Azure AD Connect folder in the Start Menu.
    The Synchronization Rules Editor screen appears.
  3. From the list of synchronization rules, select the Out to AAD – Group Join sync rule.
  4. Click the Edit button at the bottom of the Synchronization Rules Editor screen.
    The Edit Reserved Rule Confirmation pop-up appears.
  5. Click on the Yes button to acknowledge that, to edit an out-of-the-box synchronization rule, you need to disable the rule and edit a copy of the original rule. As you click Yes, the original rule is disabled, an editable copy is created and you start editing the copy.
    The Edit outbound synchronization rule screen appears.
  6. On the Description page of the Edit outbound synchronization rule wizard, change the value for Precedence to an available value between 1 and 99.
  7. Click the Next > button three times.
  8. On the Transformation page of the Edit outbound synchronization rule wizard, change the Source for the Expression for member. The source contains the default 50000 limit. You can change this value to anywhere between 50000 and 250000.
  9. Click the Save button.
  10. Close the Synchronization Rules Editor window.
  11. Switch to the PowerShell window.
  12. Run the following line of Windows PowerShell:

    Set-ADSyncScheduler -SyncCycleEnabled $true
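After editing a reserved rule through the GUI, it is worth confirming the outcome without reopening the editor: the original Out to AAD – Group Join rule should be disabled, exactly one enabled copy should exist with a precedence between 1 and 99, and the member expression in that copy should carry the new limit within the 50000 to 250000 range the post gives. The read-only script below is an added example, not code from the original post. It assumes that Get-ADSyncRule from the ADSync module returns rule objects with Name, Disabled, Precedence and AttributeFlowMappings properties, and that each attribute flow mapping exposes Destination and Expression (the expression text shown on the Transformation page); treat those property names as assumptions.

```powershell
# Added example (not from the original post): read-only verification of the
# Group Join sync rule edit. Assumptions: Get-ADSyncRule returns objects with
# Name, Disabled, Precedence and AttributeFlowMappings; each mapping has
# Destination and Expression.
Import-Module ADSync

# Both the disabled original and the editable copy carry "Group Join" in the name.
$rules = @(Get-ADSyncRule | Where-Object { $_.Name -like '*Group Join*' })

$report = foreach ($rule in $rules) {
    $memberFlow = $rule.AttributeFlowMappings | Where-Object { $_.Destination -eq 'member' }

    # The membership limit is the first number of five or more digits in the
    # expression text (50000 by default, up to 250000 after the edit).
    $limit = $null
    if ($memberFlow -and $memberFlow.Expression -match '(\d{5,})') {
        $limit = [int]$Matches[1]
    }

    [pscustomobject]@{
        Name        = $rule.Name
        Disabled    = $rule.Disabled
        Precedence  = $rule.Precedence
        MemberLimit = $limit
    }
}

$report | Format-Table -AutoSize

# Checks that mirror the procedure above: one enabled copy, a custom precedence
# in 1..99, and a limit inside the range the post allows.
$enabled = @($report | Where-Object { -not $_.Disabled })
if ($enabled.Count -ne 1) {
    Write-Warning "Expected exactly one enabled Group Join rule, found $($enabled.Count)."
}
foreach ($r in $enabled) {
    if ($r.Precedence -lt 1 -or $r.Precedence -gt 99) {
        Write-Warning "Rule '$($r.Name)' has precedence $($r.Precedence); expected a value between 1 and 99."
    }
    if ($null -eq $r.MemberLimit) {
        Write-Warning "Rule '$($r.Name)' has no recognisable member limit in its expression."
    }
    elseif ($r.MemberLimit -lt 50000 -or $r.MemberLimit -gt 250000) {
        Write-Warning "Rule '$($r.Name)' has member limit $($r.MemberLimit); expected 50000 to 250000."
    }
}
```

Keep this script with the enablement script: since an in-place upgrade does not preserve these changes, running both after each upgrade shows immediately whether the endpoint setting and the rule edit need to be reapplied.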

One Response to HOWTO: Use Azure AD Connect’s v2 Endpoint

    Great article Sander!
    But how do you know that AAD Connect is using the new endpoint? I didn't see any difference after enabling it, i.e. it is still connecting to https://adminservice.microsoftonline.com/provisioningservice.svc
