Microsoft TechNet used to be one of the best documentation libraries in the industry. Sadly, it still is; so what’s that tell you about the industry today?
Office 365 and Azure are truly great cloud services, but the frequency of updates and new releases is a challenge for Microsoft’s own sales team to keep up with, let alone for us in the field, trying to work with the stuff. As made abundantly clear by their actions (e.g. killing tech conferences, technical writer layoffs, shuttering TechNet subscriptions, and abandoning the MCM program), Microsoft doesn’t really see “the problem”.
When Microsoft shipped DirSync and then later Azure AD Sync, documentation of the associated PowerShell modules became increasingly sparse, though some cmdlets did have a help synopsis, as I discussed last year. Azure AD Connect, the current version of Office 365 and Azure Active Directory synchronization technology, has 69 cmdlets in the “ADSync” module.
Wanna take a guess at how many of these have an associated help topic? Don’t forget, this product was launched earlier this summer and is now on its second public release.
Zero
(Pause for effect)
So, I have listed all 69 cmdlets here, with a brief note about what I’ve found so far. Right now, most are empty, but I will fill them in as I discover their purpose and/or have more time. If you’ve got a question about one I don’t have detailed, leave a comment and I’ll try to prioritize some research for you. I haven’t checked with the Azure AD team on this, so please take my findings with a grain of salt, and hope for real support documentation to arrive soon!
NOTE: This refers to the “ADSync” module that ships with Azure AD Connect 1.0.8667.0.
| Cmdlet | My | Sample |
| --- | --- | --- |
| Add-ADSyncAADServiceAccount | | |
| Add-ADSyncAttributeFlowMapping | Maps a source to target Export one of the rules | Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] -Source @('mailNickname','sAMAccountName') -Destination 'cloudFiltered' -FlowType 'Expression' -ValueMergeType 'Update' -Expression 'IIF(IsPresent([isCriticalSystemObject]) -OutVariable syncRule |
| Add-ADSyncConnector | | |
| Add-ADSyncConnectorAnchorConstructionSettings | | |
| Add-ADSyncConnectorAttributeInclusion | | |
| Add-ADSyncConnectorHierarchyProvisioningMapping | | |
| Add-ADSyncConnectorObjectInclusion | | |
| Add-ADSyncGlobalSettingsParameter | | |
| Add-ADSyncJoinConditionGroup | Used in the construction of Export one of the rules | Add-ADSyncJoinConditionGroup -SynchronizationRule $syncRule[0] -JoinConditions @($condition0[0]) -OutVariable syncRule |
| Add-ADSyncRule | Export one of the rules samples. | Add-ADSyncRule -SynchronizationRule $syncRule[0] |
| Add-ADSyncRunProfile | | |
| Add-ADSyncRunStep | | |
| Add-ADSyncScopeConditionGroup | Used in the construction of Export one of the rules | Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] -ScopeConditions @($condition0[0],$condition1[0],$condition2[0]) -OutVariable syncRule |
| Disable-ADSyncConnectorPartition | | |
| Disable-ADSyncConnectorPartitionHierarchy | | |
| Disable-ADSyncExportDeletionThreshold | Disables the accidental deletion safety feature. More info here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-prevent-accidental-deletes/ | Disable-ADSyncExportDeletionThreshold |
| Enable-ADSyncConnectorPartition | | |
| Enable-ADSyncConnectorPartitionHierarchy | | |
| Enable-ADSyncExportDeletionThreshold | Enables the accidental deletion safety feature. To verify, run Get-MsolDirSyncConfiguration. More info here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-prevent-accidental-deletes/ | Enable-ADSyncExportDeletionThreshold |
| Get-ADSyncAADPasswordResetConfiguration | I believe this is used to | Get-ADSyncAADPasswordResetConfiguration -Connector 'demo1923.onmicrosoft.com - AAD' |
| Get-ADSyncAADPasswordSyncConfiguration | Indicates whether or not | Get-ADSyncAADPasswordSyncConfiguration -SourceConnector 'laptop.lab' |
| Get-ADSyncConnector | Gets the management agents | Get-ADSyncConnector |
| Get-ADSyncConnectorHierarchyProvisioningDNComponent | Couldn’t get it to work | $x = Get-ADSyncConnectorHierarchyProvisioningDNComponent -ShowHidden -Connector $x |
| Get-ADSyncConnectorHierarchyProvisioningMapping | Couldn’t get it to work | $x = Get-ADSyncConnectorHierarchyProvisioningMapping -Connector $x |
| Get-ADSyncConnectorHierarchyProvisioningObjectClass | Didn’t test: I presume it | |
| Get-ADSyncConnectorParameter | | |
| Get-ADSyncConnectorPartition | | |
| Get-ADSyncConnectorPartitionHierarchy | | |
| Get-ADSyncConnectorTypes | | |
| Get-ADSyncGlobalSettings | Displays Global | (Get-ADSyncGlobalSettings).Parameters |
| Get-ADSyncGlobalSettingsParameter | | |
| Get-ADSyncRule | Lists the sync rules | |
| Get-ADSyncRunProfile | | |
| Get-ADSyncSchema | | |
| Get-ADSyncServerConfiguration | | |
| New-ADSyncConnector | | |
| New-ADSyncJoinCondition | | |
| New-ADSyncRule | Export one of the rules | New-ADSyncRule -Name 'In from -Identifier 'c2db05cb-39bd-4e17-a19a-26718c692e48' -Description '' -Direction 'Inbound' -Precedence 100 -PrecedenceAfter '00000000-0000-0000-0000-000000000000' -PrecedenceBefore '00000000-0000-0000-0000-000000000000' -SourceObjectType 'user' -TargetObjectType 'person' -Connector '43617e64-d544-4426-9354-e7d7508915b1' -LinkType 'Provision' -SoftDeleteExpiryInterval 0 -ImmutableTag 'Microsoft.InfromADUserJoin.003' -OutVariable syncRule |
| New-ADSyncRunProfile | | |
| New-ADSyncScopeCondition | | |
| Remove-ADSyncAADPasswordResetConfiguration | | |
| Remove-ADSyncAADPasswordSyncConfiguration | | |
| Remove-ADSyncAADServiceAccount | | |
| Remove-ADSyncAttributeFlowMapping | | |
| Remove-ADSyncConnector | Removes one of your Management Agents (Connectors) | |
| Remove-ADSyncConnectorAnchorConstructionSettings | | |
| Remove-ADSyncConnectorAttributeInclusion | | |
| Remove-ADSyncConnectorHierarchyProvisioningMapping | | |
| Remove-ADSyncConnectorObjectInclusion | | |
| Remove-ADSyncGlobalSettingsParameter | | |
| Remove-ADSyncJoinConditionGroup | | |
| Remove-ADSyncRule | Removes a sync rule. | |
| Remove-ADSyncRunProfile | | |
| Remove-ADSyncRunStep | | |
| Remove-ADSyncScopeConditionGroup | | |
| Search-ADSyncDirectoryObjects | | |
| Set-ADSyncAADCompanyFeature | | |
| Set-ADSyncAADPasswordResetConfiguration | | |
| Set-ADSyncAADPasswordSyncConfiguration | See details here: http://blogs.technet.com/b/undocumentedfeatures/archive/2015/11/18/reset-aadsync-or-aadconnect-password-hash-sync-configuration.aspx | Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false |
| Set-ADSyncAADPasswordSyncState | | |
| Set-ADSyncConnectorParameter | | |
| Set-ADSyncGlobalSettings | | |
| Set-ADSyncSchema | | |
| Set-ADSyncServerConfiguration | | |
| Set-MIISADMAConfiguration | | |
| Test-AdSyncUserHasPermissions | | |
| Update-ADSyncConnectorPartition | | |
| Update-ADSyncConnectorSchema | | |
| Update-ADSyncDRSCertificates | | |
Thank you for the list and specifically for the ‘import-module adsync’ and ‘Disable-ADSyncExportDeletionThreshold’ cmdlets! I was trying to fix the ‘configured deletion threshold’ issue and got a link from the MSOnlineService team to the old DirSync version of the fix. Bumped into your article just in time!
Hi
Good work..
In the DirSync module, the PS cmdlet to force the sync manually is Start-OnlineCoexistenceSync.
What is the PS command in Azure AD Connect to force the sync manually?
There is no cmdlet. You use DirectorySyncClientCmd.Exe (initial | delta) or force the scheduled task in Windows.
you can use this command:
Start-ADSyncSyncCycle -PolicyType Delta
In the versions since Feb 2016, yes this is the new approach.
Hey! Maybe you can help me out?
I am trying to change the username for the MA for AzureAD connector. I have something like this right now…
$a = Get-ADSyncConnector -Identifier b891884f-051e-4a83-95af-2544101c9083 # MY AZURE AD CONNECTOR
Set-ADSyncConnectorParameter -Type ConnectorConnectivity -Connector $a -ParameterValues @{"Username" = "BLah@blah.com"}
Good question. That seems to be used to build/modify connectors in memory that are then sent to the New-ADSyncConnector cmdlet. Perhaps it’s used to modify files like “MA-ADDSTemplate.xml”.
Maybe you cannot change the username value of a live connector with this module? You could instead go directly to SQL with sqlcmd. If you figure this out, please post back; I’ll do the same.
Hi Mike
I am trying to clarify DR options. I am aware of having the staging server available, but I am unclear on how we can keep the configuration in sync (sorry for the pun) with the online AADC. With MIM we could export the server config, rebuild, and import the server config (plus other .Net bits). Is there a simple rebuild option for AADC in a DR scenario?
TIA Nigel Jones
I haven’t worked on this myself, but it looks to be documented here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-operations/#import-and-synchronize
Thanks Mike
The challenge with DR is as stated. The things you need to document and save are the configuration changes made to the server, such as filtering and synchronization rules. These custom configurations must be reapplied before you start synchronizing.
Rgds
Nigel
I think I have it… The sync engine has export for MA and MV… and SR Editor export provides the PS scripts to import the rules…
Well, the MA import fails on the same AADC you export from… This is probably because the MA configuration is managed during AADC setup. The MV config does import to another AADC instance, if you have any custom attributes needed. You can use the Add-ADSync files produced by the SR export function to import to another AADC if you change the connector IDs (not needed for the AAD Connector). Use Get-ADSyncConnector | FT Name, Identifier to get the name and identifier for each connector.
The commands look great, but I have a different issue: we just stood up a staging sync server, and during the configuration another user missed clicking on a particular OU during the filtering. We then made the staging server the primary, and we lost users and group membership and had other issues. What I was looking for was some way to document which OUs are chosen during the AADConnect configuration and the filtering of the OUs. Thank you.
The required command-line option for ‘Get-ADSyncServerConfiguration’ is simply the target-folder for outputting the XML version of the configs, e.g.
> Get-ADSyncServerConfiguration -Path "c:\2019-08-ADsync-Config-XML"
Sweet, thanks! This post is pretty old. I should probably revisit it with up to date info…
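For the OU-filtering question in the comments above, one way to record which containers each connector includes or excludes, and to diff a staging server against the primary before promoting it. This is an added example, not part of the original post or its comments; both function names are hypothetical, and the `Partitions`, `ConnectorPartitionScope`, `ContainerInclusionList` and `ContainerExclusionList` property names are assumptions to confirm with `Get-Member` on your build.

```powershell
# Added example, not from the original post; both function names are hypothetical.
# Assumption: each connector exposes Partitions[].ConnectorPartitionScope with
# ContainerInclusionList / ContainerExclusionList (confirm with Get-Member).

function Get-OuFilterSnapshot {
    # Run on an Azure AD Connect server: one row per included or excluded container.
    Import-Module ADSync -ErrorAction Stop
    foreach ($connector in Get-ADSyncConnector) {
        foreach ($partition in $connector.Partitions) {
            $scope = $partition.ConnectorPartitionScope
            $lists = @{ Include = $scope.ContainerInclusionList; Exclude = $scope.ContainerExclusionList }
            foreach ($rule in $lists.Keys) {
                foreach ($dn in $lists[$rule]) {
                    [pscustomobject]@{ Connector = $connector.Name; Rule = $rule; DN = [string]$dn }
                }
            }
        }
    }
}

function Compare-OuFilterSnapshot {
    # Returns rows found on only one server; no output means the filters match.
    param([object[]]$Primary = @(), [object[]]$Staging = @())
    $index = {
        param($rows)
        $map = @{}   # hashtable literal keys compare case-insensitively, like DNs
        foreach ($r in $rows) { $map['{0}|{1}|{2}' -f $r.Connector, $r.Rule, $r.DN] = $r }
        $map
    }
    $p = & $index $Primary
    $s = & $index $Staging
    foreach ($k in $p.Keys) {
        if (-not $s.ContainsKey($k)) { $p[$k] | Select-Object Connector, Rule, DN, @{ n = 'OnlyOn'; e = { 'Primary' } } }
    }
    foreach ($k in $s.Keys) {
        if (-not $p.ContainsKey($k)) { $s[$k] | Select-Object Connector, Rule, DN, @{ n = 'OnlyOn'; e = { 'Staging' } } }
    }
}

# Constructed sample rows, so the comparison can be tried without a sync server.
# On real servers: Get-OuFilterSnapshot | Export-Csv <file> on each, then Import-Csv both.
$primary = @(
    [pscustomobject]@{ Connector = 'laptop.lab'; Rule = 'Include'; DN = 'OU=Staff,DC=laptop,DC=lab' }
    [pscustomobject]@{ Connector = 'laptop.lab'; Rule = 'Include'; DN = 'OU=Groups,DC=laptop,DC=lab' }
)
$staging = @($primary[0])   # the Groups OU was missed while configuring staging
Compare-OuFilterSnapshot -Primary $primary -Staging $staging | Format-Table -AutoSize
```

Any row in the output is a container selected on one server but not the other, which is the drift to resolve before the staging server takes over exports.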