Configuration Items that are part of Azure AD Connect’s Export and Import functionality

Azure AD Connect

Azure AD Connect is a crucial component in today’s Hybrid Identity strategies. This tool takes care of the synchronization of objects and their attributes from an on-premises Active Directory environment to Azure AD. In some scenarios, it also takes care of authentication when accessing Azure AD-integrated applications.

In version 1.5.42.0, Microsoft introduced Import and Export functionality to Azure AD Connect. In this blog post, I’ll share what configuration items are part of this functionality and how Azure AD Connect handles this information upon import.

Note:
The below information is based on version 1.5.45.0 of Azure AD Connect. Export/Import functionality is a Preview feature in this version of Azure AD Connect.

Items that are part of the Export and Import functionality

Items that are part of the Export and Import functionality include:

Azure AD Connect version

The version of Azure AD Connect that the configuration was exported from is part of the export. This might allow Microsoft to determine additional configuration actions to include when importing a configuration from an older version of Azure AD Connect into a newer version. Such actions might help in achieving configuration integrity between Azure AD Connect versions.

Currently, Microsoft exports this information as part of the policyMetadata, but there does not appear to be any special logic around this information.


Service account information

The account that runs the Microsoft Azure AD Sync service (ADSync) is exported, along with its account type.

Currently, Microsoft exports this information as part of the deploymentMetadata, but has no use for it during import. As the service account information is configured before providing the location of the exported settings, this information is not used during import.

No passwords are part of the exported settings. Any applicable password needs to be re-entered during import.


Database information

The database information is part of the export. This information indicates whether the built-in SQLExpress database is used or a full-fledged SQL Server hosts Azure AD Connect’s database.

Currently, Microsoft exports this information as part of the deploymentMetadata, but has no use for it during import. No passwords are part of the export information. Any applicable password needs to be re-entered during import.

As the database settings are configured before providing the location of the exported settings, these settings are not used during import.


User sign-in

The sign-in method(s) are part of Azure AD Connect’s Export and Import functionality. This information is typically configured on the User sign-in page of the Azure AD Connect wizard.

This information indicates the configured authentication method and whether Password Hash Synchronization is enabled, either on the User sign-in page or, if it was not selected there, on the Optional features page of the Azure AD Connect configuration wizard.

This information is exported as the authenticationPolicy and is used to configure the Azure AD Connect installation on which you import the JSON file with exported settings. It serves as the default configuration, but can be deviated from during import.

Write-back features

Staying with the options on the Optional features page: Azure AD Connect’s enabled write-back features are also part of the exported information.

This information is exported as the authenticationPolicy and is used to configure the Azure AD Connect installation on which you import the JSON file with exported settings.


Active Directory information

Information on the on-premises Active Directory is part of the exported information. This information includes the friendly name (friendlyName), the fully qualified DNS domain name (FQDN) (fullyQualifiedDomainName) and information on the Connector account (onPremisesDirectoryAccount).

For each of the domains, the DN (distinguishedName) as well as the included and excluded containers and Organizational Units (containerInclusions and containerExclusions) are exported. This information is used to configure the Azure AD Connect installation you import settings on.

Metaverse extensions

When using Azure AD Connect’s directory extensions functionality, this information is also part of Azure AD Connect’s exported information.

This information is exported as part of the metaverseExtensionPolicy section.

Source Anchor attribute

The source anchor attribute defines the attribute that is used to couple the object in Active Directory to the object in Azure AD end-to-end. The recommended practice is to use the mS-DS-ConsistencyGUID attribute.

This information is exported as userPrincipalNameAttribute as part of the identityMappingPolicy section and is used to configure the Azure AD Connect installation on which you import the JSON file with exported settings.

userPrincipalName attribute

The userPrincipalName attribute defines the attribute for Active Directory objects that is used as the sign-in name to Azure AD. The recommended practice is to use the userPrincipalName attribute.

This information is exported as azureSourceAnchorAttribute as part of the identityMappingPolicy section and is used to configure the Azure AD Connect installation on which you import the JSON file with exported settings.

User matching method

As Azure AD Connect provides multi-forest support, information is gathered on the user matching policy on the Uniquely identifying your users page of the Azure AD Connect installation wizard:

Screenshot: Uniquely identifying your users page of the Azure AD Connect wizard

The default setting (Users are represented only once across all directories) is documented as AlwaysProvision.

This information is exported as userMatchingPolicy as part of the identityMappingPolicy section and is used to configure the Azure AD Connect installation on which you import the JSON file with exported settings.

Azure AD information

Azure AD Connect’s Export and Import functionality exports the following sign-in information for the account in the Global administrator or Hybrid Identity administrator role that was used to configure Azure AD Connect:

  1. Administrator account (userPrincipalName)
  2. Azure AD Tenant ID

This information is exported as administrator and tenantid as part of the azureDirectoryPolicy section. The administrator account is pre-filled on the Connect to Azure AD page of the Azure AD Connect configuration wizard on the installation where you import the JSON file with exported settings.

No passwords are part of the exported settings. Any applicable password needs to be re-entered during import. Multi-factor authentication needs to be performed and Privileged Identity Management approval gates passed when configuring Azure AD Connect through importing settings.

Azure AD App and attribute Filtering

Using Azure AD Connect’s Azure AD App and Attribute Filtering functionality, only the objects and attributes that are needed can be filtered for synchronization to Azure AD.

This information is exported as exportedAttributePolicy as part of the azureDirectoryPolicy section.

Azure AD Connect Export Deletion Threshold

The Azure AD Connect Export Deletion Threshold is part of the Azure AD Connect exported configuration.

This information is exported as exportDeletionLimit as part of the azureDirectoryPolicy section and is used to configure the Azure AD Connect installation on which you import the JSON file with exported settings.

Synchronization rules

The standard Azure AD Connect synchronization rules are part of the Azure AD Connect exported configuration for all the connectors, including their names, unique identifiers, immutable tags and precedence.

This information is exported as standardSynchronizationRules and customSynchronizationRules as part of the azureDirectoryPolicy and onPremisesDirectoryPolicy sections. It is used to configure the Azure AD Connect installation on which you import the JSON file with exported settings.

Items that are not part of the Export and Import functionality

Items that are not part of the Export and Import functionality include:

Passwords

No passwords are part of the exported settings. Any applicable password needs to be re-entered during import. Multi-factor authentication needs to be performed and Privileged Identity Management approval gates passed when configuring Azure AD Connect through importing settings.

Staging Mode

Whether Azure AD Connect runs as a Staging Mode server is not part of the exported information.
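As an added example (not code from the original post or from Microsoft), here is a small Python reviewer for an exported settings file that walks the sections and key names the post lists; the nesting and all sample values are constructed assumptions, not Microsoft’s real schema. It confirms that no secret-like keys made it into the file, pulls out the identity-mapping, OU scoping and export deletion threshold settings to check before import, and lists what the export does not carry and must therefore be set by hand.

```python
import json

# Constructed sample export. Section and key names are those named in the post;
# nesting, value formats and all values are assumptions made for this example.
SAMPLE_EXPORT = json.dumps({
    "policyMetadata": {"version": "1.5.45.0"},
    "onPremisesDirectoryPolicy": {
        "fullyQualifiedDomainName": "contoso.local",
        "onPremisesDirectoryAccount": "CONTOSO\\MSOL_connector",
        "domains": [{"distinguishedName": "DC=contoso,DC=local",
                     "containerInclusions": ["OU=Staff,DC=contoso,DC=local"],
                     "containerExclusions": ["OU=Old,OU=Staff,DC=contoso,DC=local"]}]},
    "identityMappingPolicy": {"userPrincipalNameAttribute": "userPrincipalName",
                              "azureSourceAnchorAttribute": "mS-DS-ConsistencyGUID",
                              "userMatchingPolicy": "AlwaysProvision"},
    "azureDirectoryPolicy": {"administrator": "admin@contoso.onmicrosoft.com",
                             "tenantid": "11111111-2222-3333-4444-555555555555",
                             "exportDeletionLimit": 500}})

SECRET_HINTS = ("password", "secret", "credential", "token")

def secret_like_keys(node, path=""):
    """Return dotted paths of keys whose names look like they hold a secret."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if any(h in key.lower() for h in SECRET_HINTS):
                hits.append(here)
            hits.extend(secret_like_keys(value, here))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(secret_like_keys(value, f"{path}[{i}]"))
    return hits

def review_export(text):
    """Summarise what to verify before importing the file on a new server."""
    cfg = json.loads(text)
    azure = cfg.get("azureDirectoryPolicy", {})
    domains = cfg.get("onPremisesDirectoryPolicy", {}).get("domains", [])
    return {
        "version": cfg.get("policyMetadata", {}).get("version"),
        "secret_like_keys": secret_like_keys(cfg),   # a clean export gives []
        "administrator": azure.get("administrator"),
        "export_deletion_limit": azure.get("exportDeletionLimit"),
        "identity_mapping": cfg.get("identityMappingPolicy", {}),
        "scoped_ous": {d["distinguishedName"]: d.get("containerInclusions", [])
                       for d in domains},
        "set_manually": ["passwords", "staging mode"],  # not carried by the export
    }
```

Run review_export on a real export before handing the file to someone else; an empty secret_like_keys list is what you expect, and staging mode still has to be chosen on the importing server.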
