Azure AD Connect (now part of Microsoft Entra ID) is the backbone of hybrid identity for organizations that run both on‑premises Active Directory and Microsoft’s cloud services. Whether you're synchronizing users, managing password hash sync, or troubleshooting sync failures, understanding how to monitor and manage Azure AD Connect with PowerShell is essential.
This guide provides a clear overview of Azure AD Connect, followed by the top 10 most commonly used PowerShell commands—all explained in a practical, admin‑friendly way.
What Is Azure AD Connect?
Azure AD Connect is Microsoft’s synchronization tool that links your on‑premises Active Directory with Microsoft Entra ID. It ensures identity consistency across cloud and on‑prem environments.
Key capabilities include:
- Directory Synchronization (users, groups, devices)
- Password Hash Sync (PHS) or Pass‑Through Authentication (PTA)
- Federation support (AD FS)
- Password writeback
- Health monitoring
- Hybrid identity lifecycle management
Azure AD Connect installs several PowerShell modules, including:
- ADSync
- ADSyncConfig
- MSOnline / AzureAD / Microsoft Graph (for cloud‑side checks)
Top 10 PowerShell Commands for Managing Azure AD Connect
Below are the most frequently used commands for monitoring, troubleshooting, and managing Azure AD Connect in real-world environments.
1. Check the current sync scheduler configuration
Get-ADSyncScheduler
Why it matters: This command shows sync frequency, next sync time, and whether the scheduler is enabled. It’s the first place to look when sync timing seems off.
2. Run a delta sync (most common daily operation)
Start-ADSyncSyncCycle -PolicyType Delta
Use case: Triggers a sync of only changed objects — ideal after modifying a user, group, or attribute.
3. Run a full sync
Start-ADSyncSyncCycle -PolicyType Initial
Use case: Required after major configuration changes such as:
- OU filtering updates
- Attribute mapping changes
- Connector configuration changes
4. Check the installed Azure AD Connect version
(Get-Item "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe").VersionInfo
Why it matters: Version mismatches can cause sync issues or missing features. This is essential for patching and compliance.
5. List all connectors
Get-ADSyncConnector
Use case: Displays all configured connectors, including:
- On‑prem AD DS
- Azure AD
- Additional forests (if applicable)
6. View connector run profiles and history
Get-ADSyncRunProfile -ConnectorName "<ConnectorName>"
Why it matters: Helps diagnose sync failures, slow syncs, or misconfigured run profiles.
7. Export Azure AD Connect configuration
Export-ADSyncServerConfiguration -Path "C:\ADConnectConfig"
Use case: Critical for:
- Backup
- Disaster recovery
- Staging server deployment
8. Import Azure AD Connect configuration
Import-ADSyncServerConfiguration -Path "C:\ADConnectConfig"
Use case: Used when restoring a server or deploying a secondary staging server.
9. Manage deletion threshold
Check threshold: Get-ADSyncExportDeletionThreshold
Why it matters: Prevents accidental mass deletions in Microsoft Entra ID. If too many deletions are detected, sync is automatically paused.
10. Enable or disable the sync scheduler
Disable: Set-ADSyncScheduler -SyncCycleEnabled $false
Enable: Set-ADSyncScheduler -SyncCycleEnabled $true
Use case: Useful during maintenance windows or when performing bulk AD changes.
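The scheduler, delta-sync and deletion-threshold commands above are usually combined into a small wrapper rather than typed one at a time. The following script is an added example, not code from the original post: it reports the scheduler and deletion-threshold state in one object, waits for any in-flight cycle before touching the scheduler, and wraps a maintenance window so the scheduler is re-enabled even if the bulk change fails. It assumes the ADSync module is present on the sync server and that the session is elevated; the function names are the author's own, and the property names read from Get-ADSyncExportDeletionThreshold (DeletionThresholdEnabled, DeletionThreshold) are assumed from that cmdlet's output.

```powershell
# Added example, not part of the original post. Assumes the ADSync module
# installed by Azure AD Connect and an elevated session on the sync server.
Import-Module ADSync -ErrorAction Stop

function Wait-ADSyncIdle {
    # Poll the scheduler until no sync cycle is in progress, or give up.
    param([int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle was still running after $TimeoutMinutes minutes"
        }
        Start-Sleep -Seconds 15
    }
}

function Get-ADSyncHealthReport {
    # One object summarising the state an admin checks first when sync "seems off".
    param([int]$MaxOverdueMinutes = 60)
    $sched  = Get-ADSyncScheduler
    $thresh = Get-ADSyncExportDeletionThreshold   # property names assumed, see lead-in
    $nowUtc = (Get-Date).ToUniversalTime()
    $overdue = ($sched.NextSyncCycleStartTimeInUTC -lt $nowUtc.AddMinutes(-$MaxOverdueMinutes)) -and
               (-not $sched.SyncCycleInProgress)

    $problems = @()
    if (-not $sched.SyncCycleEnabled)          { $problems += 'Sync scheduler is disabled' }
    if ($sched.SchedulerSuspended)             { $problems += 'Scheduler is suspended' }
    if ($sched.StagingModeEnabled)             { $problems += 'Server is in staging mode (exports are not applied)' }
    if ($overdue)                              { $problems += "Next cycle is more than $MaxOverdueMinutes minutes overdue" }
    if (-not $thresh.DeletionThresholdEnabled) { $problems += 'Export deletion threshold is disabled' }

    [pscustomobject]@{
        SchedulerEnabled  = $sched.SyncCycleEnabled
        StagingMode       = $sched.StagingModeEnabled
        CycleInProgress   = $sched.SyncCycleInProgress
        NextCycleUtc      = $sched.NextSyncCycleStartTimeInUTC
        DeletionThreshold = $thresh.DeletionThreshold
        Healthy           = ($problems.Count -eq 0)
        Problems          = $problems
    }
}

function Invoke-ADSyncMaintenanceWindow {
    # Pause the scheduler, run the bulk change, delta-sync the result, and
    # re-enable the scheduler in a finally block so a failure cannot leave
    # the server with sync switched off.
    param(
        [Parameter(Mandatory)][scriptblock]$Work,
        [int]$TimeoutMinutes = 30
    )
    Wait-ADSyncIdle -TimeoutMinutes $TimeoutMinutes
    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        & $Work
        # A manual cycle runs even while the scheduler is disabled. If $Work
        # threw, this is skipped so the partial change can be reviewed first.
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        Wait-ADSyncIdle -TimeoutMinutes $TimeoutMinutes
    }
    finally {
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }
}

# Usage: a health check, then a maintenance window around a bulk AD change.
Get-ADSyncHealthReport | Format-List
Invoke-ADSyncMaintenanceWindow -Work {
    # Placeholder for the bulk change (for example, a batch of Set-ADUser calls).
    Write-Host 'Bulk AD changes would run here'
}
```

The order inside the try block matters: the delta cycle is started while the scheduler is still disabled, so it cannot collide with a scheduled cycle, and the health report is worth running both before and after the window to confirm the deletion threshold is still enabled.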
Additional Helpful Details for Admins
Common Symptoms of Sync Issues
- Users not appearing in Microsoft 365
- Passwords not updating
- Groups missing in cloud apps
- Large numbers of unexpected deletions
- Sync scheduler stuck or disabled
Where to check logs
- Synchronization Service Manager (miisclient.exe)
- Event Viewer → Applications and Services Logs → Directory Synchronization
- Azure AD Connect Health portal (if enabled)
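Reading the event log from the console rather than Event Viewer makes it easy to pull a daily summary of sync errors and warnings. The function below is an added example, not code from the original post: it queries the Windows event log for the Directory Synchronization provider, keeps only errors and warnings from the last N hours, and groups them by event ID so repeated failures stand out. It assumes the sync engine writes to the Application log under the provider name "Directory Synchronization"; the function name and the default time window are the author's own.

```powershell
# Added example, not part of the original post. Assumes the Azure AD Connect
# sync engine logs to the Application log with provider "Directory Synchronization".
function Get-ADSyncRecentEvents {
    param(
        [int]$Hours = 24,
        # Event levels: 2 = Error, 3 = Warning.
        [int[]]$Level = @(2, 3)
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'   # assumed provider name
        Level        = $Level
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; an empty result is not an error here.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events | Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-ADSyncEventSummary {
    # Count events per ID so a recurring failure is visible at a glance.
    param([int]$Hours = 24)
    Get-ADSyncRecentEvents -Hours $Hours |
        Group-Object Id |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'EventId'; Expression = { $_.Name } },
                      Count,
                      @{ Name = 'Level';   Expression = { $_.Group[0].LevelDisplayName } },
                      @{ Name = 'Example'; Expression = { $_.Group[0].Summary } }
}

# Usage: the last 24 hours of sync errors and warnings, most frequent first.
Get-ADSyncEventSummary | Format-Table -AutoSize
```

Run it after a failed cycle or as a scheduled task that mails the summary; an empty result for the last 24 hours alongside a healthy scheduler is the quick "all clear" most admins want.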
Best Practices
- Always run a delta sync after user or group changes
- Run a full sync only when necessary
- Keep Azure AD Connect updated
- Use a staging server for high availability
- Monitor sync health regularly