If you are synchronizing your on-premises Active Directory with Azure Active Directory, you already know that keeping the synchronization healthy is not easy.
I want to share my experience synchronizing a single-domain AD to Azure AD, using ObjectGUID as the anchor attribute.
I am using Azure AD Connect to synchronize AD objects to Azure AD. The Azure AD Connect tool is nice: it shows you the health of the synchronization process and gives clear error messages when one of your on-premises AD objects fails to synchronize. I used the tool for a month and everything was fine. No errors, and everything looked clean.
I then noticed that a couple of users were having problems with Office 365, and I discovered that they had never been synced to Azure AD in the first place. Running Get-MsolUser on them returned no results. I had to go to Azure AD Connect and force a Full AD Import to sort out the issue.
This worried me, so I started comparing the number of AD users with the number of Azure AD users, to at least make sure the totals matched. Counting AD users and Azure AD users and comparing the totals is not enough, though: matching numbers do not guarantee that the same objects are on both sides.
I then came up with an idea. Take each AD user, collect its ObjectGUID, compute the ImmutableID from it (the ImmutableID is the Base64 encoding of the 16 bytes of the ObjectGUID), search Azure AD for that ImmutableID, and finally link the AD user with its Azure AD copy. Do this for every AD user. At the end, we can identify AD users that have no Azure AD copy, and Azure AD users that are not mapped to any AD user.
This guarantees that every one of your AD users is mapped to an Azure AD user. Along the way, the script reports the following:
- AD users not in Azure
- Azure users not in AD
- Azure users with sync errors
- AD users filtered out of synchronization
- Total number of AD users
- Total number of Azure users
- Last AD Sync time
Conditions to use the script
- This script assumes you are using ObjectGUID as the anchor attribute.
- If you have multiple domains or forests, or you filter the AD users in scope by OU or attribute, then you must write your own script block to populate the $ADusers_Raw variable. Search the script for the (Raw data collection from AD) region; you can find examples there. By default the script runs Get-ADUser to retrieve all users.
The script provides several visual aids to help you see what is going on:
- The script code is divided into regions that you can expand separately, for easier browsing.
- Progress bars appear while the script runs, so you can follow what it is doing at each stage.
- Summary statistics are displayed in the PowerShell console window.
- Results are written at the end of the script to two locations:
  - The PowerShell console window.
  - A couple of files generated in the directory the script runs from.
The script connects to Active Directory and gets a list of users (Get-ADUser), then connects to Azure Active Directory (AAD) and gets all Azure users (Get-MsolUser). It then compares the two by mapping each AD user to its Azure AD user, and identifies un-synchronized AD users that have no mapped/synced Azure AD copy.
This script assumes that ObjectGUID is used as the anchor attribute to link/map the AD user and the Azure AD user. If you are using any other attribute, this script is not for your case.
The script needs the list of AD users that you are synchronizing to Azure AD. The Microsoft sync tool lets you filter by OU or by attribute, and things get trickier when you synchronize multiple domains or even multiple forests. For all of those cases, it is your job to populate the variable called ($ADusers_Raw), located under the (Raw data collection from AD) region of the script.
By default, the script runs Get-ADUser to populate this variable. In your environment, you may need to write your own script block to collect all the AD user objects that you are syncing to Azure.
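The mapping described above, as an added example that is not the original script: it converts each ObjectGUID to its ImmutableID, indexes the Azure AD users by ImmutableID, and reports AD users with no Azure AD copy and Azure AD users whose ImmutableID matches no AD user. The function names and the sample users are my own (constructed data, not real directory objects); the two commented-out Get-ADUser and Get-MsolUser lines show where real data would come from. One caveat worth knowing: newer Azure AD Connect installs default to mS-DS-ConsistencyGuid as the source anchor, and its value is normally a copy of the objectGUID bytes, so the same Base64 conversion usually still holds, but verify that against your own Azure AD Connect configuration before trusting the results.

```powershell
# Added example (not the original Compare-CorpAzureIDs.ps1 script).
# Assumes ObjectGUID is the source anchor, so ImmutableID = Base64(ObjectGUID bytes).

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Azure AD Connect stores the raw 16 GUID bytes (Guid.ToByteArray() order) as Base64.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: decode the Base64 string back to 16 bytes and rebuild the GUID.
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Compare-AdToAzureUsers {
    param(
        [Parameter(Mandatory)][object[]]$AdUsers,     # objects with ObjectGUID and UserPrincipalName
        [Parameter(Mandatory)][object[]]$AzureUsers   # objects with ImmutableId and UserPrincipalName
    )
    # Index Azure users by ImmutableID so each AD user is one hashtable lookup, not a scan.
    $azureByImmutableId = @{}
    foreach ($u in $AzureUsers) {
        if ($u.ImmutableId) { $azureByImmutableId[$u.ImmutableId] = $u }
    }

    $adIdSet      = @{}
    $adNotInAzure = [System.Collections.Generic.List[object]]::new()
    foreach ($ad in $AdUsers) {
        $id = ConvertTo-ImmutableId -ObjectGuid $ad.ObjectGUID
        $adIdSet[$id] = $true
        if (-not $azureByImmutableId.ContainsKey($id)) { $adNotInAzure.Add($ad) }
    }

    # Azure users without an ImmutableID are cloud-only accounts and are ignored here;
    # those whose ImmutableID matches no current AD user are orphans (e.g. the AD object
    # was deleted and re-created, which produces a new ObjectGUID).
    $azureNotInAd = @($AzureUsers | Where-Object { $_.ImmutableId -and -not $adIdSet.ContainsKey($_.ImmutableId) })

    [pscustomobject]@{
        AdNotInAzure = @($adNotInAzure)
        AzureNotInAd = $azureNotInAd
        Matched      = $adIdSet.Count - $adNotInAzure.Count
    }
}

# Constructed sample data (not real directory objects). In production replace with:
#   $adUsers    = Get-ADUser -Filter * -Properties ObjectGUID, UserPrincipalName
#   $azureUsers = Get-MsolUser -All | Select-Object UserPrincipalName, ImmutableId
$aliceGuid = [guid]'0d7c2d70-6c1b-4a0e-9b8f-0f1e2d3c4b5a'
$bobGuid   = [guid]'3f9e1c2b-8d4a-4f6e-a1b2-c3d4e5f60718'
$adUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@corp.example'; ObjectGUID = $aliceGuid }
    [pscustomobject]@{ UserPrincipalName = 'bob@corp.example';   ObjectGUID = $bobGuid }
)
$azureUsers = @(
    # alice is synced correctly: her ImmutableID is the Base64 of her ObjectGUID.
    [pscustomobject]@{ UserPrincipalName = 'alice@corp.example'; ImmutableId = (ConvertTo-ImmutableId -ObjectGuid $aliceGuid) }
    # carol carries an ImmutableID that no current AD user produces.
    [pscustomobject]@{ UserPrincipalName = 'carol@corp.example'; ImmutableId = 'AAAAAAAAAAAAAAAAAAAAAA==' }
    # dave is cloud-only (no ImmutableID) and is therefore neither matched nor reported.
    [pscustomobject]@{ UserPrincipalName = 'dave@corp.example';  ImmutableId = $null }
)

$result = Compare-AdToAzureUsers -AdUsers $adUsers -AzureUsers $azureUsers
"AD users not in Azure AD: " + ($result.AdNotInAzure.UserPrincipalName -join ', ')
"Azure AD users not in AD: " + ($result.AzureNotInAd.UserPrincipalName -join ', ')
"Matched AD/Azure AD pairs: " + $result.Matched
"carol's ImmutableID decodes to GUID: " + (ConvertFrom-ImmutableId -ImmutableId $azureUsers[1].ImmutableId)
```

With the sample data, bob is reported as an AD user not in Azure AD, carol as an Azure AD user not in AD, and alice as the single matched pair. The hashtable index matters in practice: comparing tens of thousands of users by nested loops is where scripts like this become painfully slow.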
ScriptFilesPath: Path where the script output files are stored. For example C:\ , or '.\' for the current directory.
Proxy: The script needs to connect to Azure, so internet connectivity is required. Use this option if you have an internet proxy that prompts for credentials.
CreateGlobalObject: When this switch is used, the script generates an extra CSV file containing a unified view of each user, with properties from both the on-premises AD and Azure AD.
.\Compare-CorpAzureIDs.ps1 -ScriptFilesPath .\
.\Compare-CorpAzureIDs.ps1 -ScriptFilesPath .\ -Proxy:$true
.\Compare-CorpAzureIDs.ps1 -ScriptFilesPath .\ -CreateGlobalObject
Download the script
You can download the script from here.