Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.
Azure AD Connect needs to be installed on a Windows Server with Desktop Experience, but this does not mean there are no tools available to automate it.
This blogpost features the built-in and extra PowerShell modules and cmdlets available with Azure AD Connect.
Azure AD Connect’s Built-in PowerShell modules
The following Windows PowerShell modules and cmdlets are available as part of Azure AD Connect:
ADSync
The core PowerShell functionality for Azure AD Connect can be found in the ADSync Windows PowerShell module. It offers the following Windows PowerShell cmdlets:
- Add-ADSyncAADServiceAccount
- Add-ADSyncAttributeFlowMapping
- Add-ADSyncConnector
- Add-ADSyncConnectorAnchorConstructionSettings
- Add-ADSyncConnectorAttributeInclusion
- Add-ADSyncConnectorHierarchyProvisioningMapping
- Add-ADSyncConnectorObjectInclusion
- Add-ADSyncGlobalSettingsParameter
- Add-ADSyncJoinConditionGroup
- Add-ADSyncRule
- Add-ADSyncRunProfile
- Add-ADSyncRunStep
- Add-ADSyncScopeConditionGroup
- Add-AgentToResourceGroup
- Disable-ADSyncConnectorPartition
- Disable-ADSyncConnectorPartitionHierarchy
- Disable-ADSyncExportDeletionThreshold
- Enable-ADSyncConnectorPartition
- Enable-ADSyncConnectorPartitionHierarchy
- Enable-ADSyncExportDeletionThreshold
- Get-ADSyncAADCompanyFeature
- Get-ADSyncAADPasswordResetConfiguration
- Get-ADSyncAADPasswordSyncConfiguration
- Get-ADSyncADConnectorSchemaDsml
- Get-ADSyncAutoUpgrade
- Get-ADSyncConnector
- Get-ADSyncConnectorHierarchyProvisioningDNComponent
- Get-ADSyncConnectorHierarchyProvisioningMapping
- Get-ADSyncConnectorHierarchyProvisioningObjectClass
- Get-ADSyncConnectorParameter
- Get-ADSyncConnectorPartition
- Get-ADSyncConnectorPartitionHierarchy
- Get-ADSyncConnectorRunStatus
- Get-ADSyncConnectorStatistics
- Get-ADSyncConnectorTypes
- Get-ADSyncCSObject
- Get-ADSyncCSObjectLog
- Get-ADSyncDatabaseConfiguration
- Get-ADSyncExportDeletionThreshold
- Get-ADSyncGlobalSettings
- Get-ADSyncGlobalSettingsParameter
- Get-ADSyncMVObject
- Get-ADSyncPartitionPasswordSyncState
- Get-ADSyncRule
- Get-ADSyncRunProfile
- Get-ADSyncRunProfileResult
- Get-ADSyncRunStepResult
- Get-ADSyncScheduler
- Get-ADSyncSchedulerConnectorOverride
- Get-ADSyncSchema
- Get-ADSyncServerConfiguration
- Invoke-ADSyncCSObjectPasswordHashSync
- Invoke-ADSyncGarbageCollection
- Invoke-ADSyncRunProfile
- New-ADSyncConnector
- New-ADSyncJoinCondition
- New-ADSyncRule
- New-ADSyncRunProfile
- New-ADSyncScopeCondition
- Register-Agent
- Remove-ADSyncAADPasswordResetConfiguration
- Remove-ADSyncAADPasswordSyncConfiguration
- Remove-ADSyncAADServiceAccount
- Remove-ADSyncAttributeFlowMapping
- Remove-ADSyncConnector
- Remove-ADSyncConnectorAnchorConstructionSettings
- Remove-ADSyncConnectorAttributeInclusion
- Remove-ADSyncConnectorHierarchyProvisioningMapping
- Remove-ADSyncConnectorObjectInclusion
- Remove-ADSyncGlobalSettingsParameter
- Remove-ADSyncJoinConditionGroup
- Remove-ADSyncRule
- Remove-ADSyncRunProfile
- Remove-ADSyncRunStep
- Remove-ADSyncScopeConditionGroup
- Search-ADSyncDirectoryObjects
- Set-ADSyncAADCompanyFeature
- Set-ADSyncAADPasswordResetConfiguration
- Set-ADSyncAADPasswordSyncConfiguration
- Set-ADSyncAADPasswordSyncState
- Set-ADSyncAutoUpgrade
- Set-ADSyncConnectorParameter
- Set-ADSyncDirSyncConfiguration
- Set-ADSyncGlobalSettings
- Set-ADSyncScheduler
- Set-ADSyncSchedulerConnectorOverride
- Set-ADSyncSchema
- Set-ADSyncServerConfiguration
- Set-MIISADMAConfiguration
- Start-ADSyncAADPasswordResetEndpoint
- Start-ADSyncPurgeRunHistory
- Start-ADSyncSyncCycle
- Stop-ADSyncAADPasswordResetEndpoint
- Stop-ADSyncRunProfile
- Stop-ADSyncSyncCycle
- Sync-ADSyncCSObject
- Test-AdSyncAzureServiceConnectivity
- Test-ADSyncGetDirectoryReplicationChanges
- Test-AdSyncUserHasPermissions
- Update-ADSyncConnectorPartitions
- Update-ADSyncConnectorSchema
- Update-ADSyncDirectoryObject
- Update-ADSyncDRSCertificates
AzureADConnectHealthSync
Azure AD Connect Health for Sync is installed by default on each Azure AD Connect installation. To manage Azure AD Connect Health, the AzureADConnectHealthSync Windows PowerShell module offers the following Windows PowerShell cmdlets:
- Enable-AzureADConnectHealth
- Get-AzureADConnectHealthProxySettings
- Register-AzureADConnectHealthSyncAgent
- Set-AzureADConnectHealthProxySettings
- Test-AzureADConnectHealthConnectivity
ADSyncDiagnostics
On the system where Azure AD Connect is installed, the ADSyncDiagnostics Windows PowerShell module is also installed by default. It offers the Invoke-ADSyncDiagnostics diagnostics tool to troubleshoot object synchronization, troubleshoot password hash synchronization and collect general diagnostics.
Azure AD Connect’s tools
Apart from all the functionality that Azure AD Connect brings, Azure AD Connect offers several useful tools in the form of PowerShell modules:
ADSyncPrep
The ADSyncPrep Windows PowerShell module includes the following Windows PowerShell cmdlets:
- Initialize-ADSyncDomainJoinedComputerSync
- Initialize-ADSyncDeviceWriteBack
- Initialize-ADSyncNGCKeysWriteBack
The ADSyncPrep Windows PowerShell module can only be used if you also have the Active Directory Module for Windows PowerShell installed on the system.
ADSyncConfig
The ADSyncConfig Windows PowerShell module includes the following Windows PowerShell cmdlets:
- Set-ADSyncBasicReadPermissions
- Set-ADSyncRestrictedPermissions
- Set-ADSyncPasswordHashSyncPermissions
- Set-ADSyncPasswordWritebackPermissions
- Set-ADSyncUnifiedGroupWritebackPermissions
- Set-ADSyncMsDsConsistencyGuidPermissions
- Set-ADSyncExchangeMailPublicFolderPermissions
- Set-ADSyncExchangeHybridPermissions
- Get-ADSyncObjectsWithInheritanceDisabled
- Show-ADSyncADObjectPermissions
- Get-ADSyncADConnectorAccount
ADConnectivityTool
The ADConnectivityTool Windows PowerShell module includes the following Windows PowerShell cmdlets:
- Get-DomainFQDNData
- Confirm-ValidEnterpriseAdminCredentials
- Get-ForestFQDN
- Confirm-ValidDomains
- Confirm-FunctionalLevel
- Confirm-NetworkConnectivity
- Confirm-DnsConnectivity
- Confirm-TargetsAreReachable
- Confirm-ForestExists
- Start-ConnectivityValidation
- Start-NetworkConnectivityDiagnosisTools
ADSyncTools
The ADSyncTools Windows PowerShell module includes the following Windows PowerShell cmdlets:
- Confirm-ADSyncToolsADModuleLoaded
- Get-ADSyncToolsADuser
- Get-ADSyncToolsConsistencyGuid
- Set-ADSyncToolsConsistencyGuid
- Clear-ADSyncToolsConsistencyGuid
- Get-ADSyncToolsObjectGuid
- Import-ADSyncToolsImmutableIdMigration
- Export-ADSyncToolsConsistencyGuidMigration
- Update-ADSyncToolsConsistencyGuidMigration
- Get-ADSyncToolsRunHistory
- Get-ADSyncToolsSourceAnchorChanged
- Remove-ADSyncToolsExpiredCertificates
- Restore-ADSyncToolsExpiredCertificates
- Trace-ADSyncToolsADImport
- Trace-ADSyncToolsLdapQuery
- Repair-ADSyncToolsAutoUpgradeState
- Connect-AdSyncDatabase
- Invoke-AdSyncDatabaseQuery
- Resolve-ADSyncHostAddress
- Test-ADSyncNetworkPort
- Get-ADSyncSQLBrowserInstances
AzureADKerberos
The AzureADKerberos Windows PowerShell module includes the following Windows PowerShell cmdlets:
- Get-AzureADKerberosServer
- Remove-AzureADKerberosServer
- Set-AzureADKerberosServer
Concluding
Azure AD Connect offers a vast array of Windows PowerShell modules and cmdlets to configure and troubleshoot almost every aspect of it.
With 155 available Windows PowerShell cmdlets, there’s always something you can automate!
I cannot find the library in import-module Adsync. A lot of searches point to C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1 but it's not on my Windows 10 build and I can't find it on Microsoft's site. Any help would be great.
Hi Kent,
The folder and file are only present on Windows installations and Windows Server installations that have a recent version of Azure AD Connect installed and configured.
Thanks for detailed sharing.
Hi Team,
We have upgraded the ADConnect server and installed the latest version of PowerShell 7. When we run the command "Get-ADSyncScheduler" we are receiving the below error.
Get-ADSyncScheduler: Could not load type 'System.Web.Util.Utf16StringValidator' from assembly 'System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'.
I got that same error with PS7. When I ran PowerShell ISE in administrator mode, it worked.
Using PowerShell 7.4 on an Azure AD Connect server and the ADSync module installed – when I run: Get-ADSyncServerConfiguration
I receive the following error:
The term 'Get-ADSyncServerConfiguration' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
I have checked the included commands listed above and it should be present and recognised yet it isn't. Any pointers? Thanks very much for the article.
I run the PowerShell cmdlets in the default PowerShell version that ships with Windows Server (PowerShell 5) without problems.