The Azure AD Connect Powershell commands you should know

Post last modified: September 10, 2023

Azure AD Connect PowerShell commands allow you to report on and manage your Azure AD Connect or hybrid identity infrastructure. These are useful as you can quickly find configuration settings, update your configuration or manage your sync without having to go through the GUI. This means all of the above can be done without having to remote desktop connect to your Azure AD Connect server.

I am going to assume a couple of things in this post, the first being that you already have Azure AD Connect installed on one of your domain controllers in your environment. The second is that you are somewhat familiar with how Azure AD Connect works and its purpose. If you are not yet familiar with either of these, do not fear. Head over to my other post: How to Install and Manage Azure AD Connect for Directory Synchronisation.

I will not be going through every command available for Azure AD Connect, there would be too much to cover, but I will certainly demonstrate the most useful and those you are likely to need for day to day administration.

View your Azure AD Connect configuration with PowerShell

Let us start with 3 Azure AD Connect PowerShell commands that will make your life easier. 

View enabled Azure AD Connect sync features

Running the Get-ADSyncAADCompanyFeature command will report back to you which synchronisation features you have enabled in your environment. This allows you to easily identify what is happening with your user identities, especially if you are auditing a new environment.

Get-ADSyncAADCompanyFeature

PasswordHashSync           : True
ForcePasswordChangeOnLogOn : False
UserWriteback              : False
DeviceWriteback            : False
UnifiedGroupWriteback      : False
GroupWritebackV2           : False

View your Azure AD Connect sync schedule and settings

The Get-ADSyncScheduler command will display all the important settings related to the type of directory sync in place currently and when the sync is scheduled to take place.

Get-ADSyncScheduler

And here is an example output.

AllowedSyncCycleInterval            : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval         :
NextSyncCyclePolicyType             : Delta
NextSyncCycleStartTimeInUTC         : 12/10/2021 8:21:09 AM
PurgeRunHistoryInterval             : 7.00:00:00
SyncCycleEnabled                    : True
MaintenanceEnabled                  : True
StagingModeEnabled                  : False
SchedulerSuspended                  : False
SyncCycleInProgress                 : False

View your Azure AD Connect Synchronisation Source Anchor

The source anchor is the unique value that pairs your on-premises users to their cloud Azure AD identities. It is important to know this if you are ever re-installing Azure AD Connect or migrating to another server.

Here is what the output will look like.

Value
-----
mS-DS-ConsistencyGuid
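The three views above are most useful when you keep them over time, so here is an added example (my own script, not from the original post) that snapshots company features, scheduler settings and the source anchor into one JSON file and reports any drift against the previous snapshot. It assumes the ADSync module on the Azure AD Connect server, and that the source anchor is stored under the global-settings parameter name Microsoft.SynchronizationOption.AnchorAttribute (verify with (Get-ADSyncGlobalSettings).Parameters | Select-Object Name on your own server); the snapshot path is an arbitrary choice.

```powershell
# Added example: snapshot Azure AD Connect configuration and detect drift.
# Assumes the ADSync module; the anchor parameter name below is an assumption to verify.
Import-Module ADSync

function Get-AADConnectSnapshot {
    $features  = Get-ADSyncAADCompanyFeature
    $scheduler = Get-ADSyncScheduler
    $anchor    = (Get-ADSyncGlobalSettings).Parameters |
                 Where-Object Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute' |
                 Select-Object -ExpandProperty Value

    # Flatten everything to a name -> string table so it round-trips through JSON cleanly
    $snap = [ordered]@{}
    foreach ($p in $features.PSObject.Properties)  { $snap["Feature.$($p.Name)"]   = "$($p.Value)" }
    foreach ($p in $scheduler.PSObject.Properties) { $snap["Scheduler.$($p.Name)"] = "$($p.Value)" }
    $snap['SourceAnchor'] = "$anchor"
    return $snap
}

function Compare-AADConnectSnapshot {
    param([System.Collections.IDictionary]$Baseline, [System.Collections.IDictionary]$Current)
    # These change on every cycle and are noise for drift detection
    $ignore = 'Scheduler.NextSyncCycleStartTimeInUTC', 'Scheduler.SyncCycleInProgress'
    foreach ($k in (@($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique)) {
        if ($ignore -contains $k) { continue }
        if ($Baseline[$k] -ne $Current[$k]) {
            [pscustomobject]@{ Setting = $k; Baseline = $Baseline[$k]; Current = $Current[$k] }
        }
    }
}

# Snapshot location is an assumption; put it somewhere only administrators can write to
$path    = "$env:ProgramData\AADConnectSnapshot.json"
$current = Get-AADConnectSnapshot
if (Test-Path $path) {
    $baseline = @{}
    (Get-Content $path -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $drift = Compare-AADConnectSnapshot -Baseline $baseline -Current $current
    if ($drift) { $drift | Format-Table -AutoSize } else { 'No configuration drift since last snapshot.' }
}
$current | ConvertTo-Json | Set-Content $path
```

Run it on a schedule and any unexpected change, such as password hash sync being switched off or the sync interval being altered, shows up as a drift row rather than being discovered later.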

Manage Azure AD Connect Synchronisation with PowerShell

Now we know how to view those all-important Azure AD Connect settings, let’s take a look at how we can start, stop and edit our synchronisation settings.

To begin, as we can see above, our synchronisation is running around every 30 minutes. However, if we make a change and want the sync to happen sooner, or immediately, we can use the following commands to make this happen.

Force Azure AD Connect to synchronise immediately

Start-ADSyncSyncCycle -PolicyType Delta

The delta sync cycle will run a delta import, sync and export on all connectors in Azure AD Connect. Delta is the keyword here, meaning it will only synchronise changed attributes and complete quicker than a full sync. 

When should you run a full sync?

A full sync is required when the synchronisation rules are changed or modified in a way that adds objects or attributes to the sync scope. The same goes for any changes to the filters you have in place. A full sync can be run with the following command.

Start-ADSyncSyncCycle -PolicyType Initial

How to disable and re-enable the AD Sync schedule

This is important to know if you need to make changes to any synchronisation rules or filters. To disable the schedule you can run the following.

Set-ADSyncScheduler -SyncCycleEnabled $false

And to enable the sync schedule.

Set-ADSyncScheduler -SyncCycleEnabled $true

As we discussed above, you can view the current sync status by using the commands at the beginning of this article.

Change how often the synchronisation runs

You may be required to change the default sync schedule from 30 minutes to something else. Below I will show you how you can change the sync schedule. In my case, I am going to change my schedule from every 30 minutes to every 15 minutes.

Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:15:00

You can check the new configuration with the Get-ADSyncScheduler command shown earlier. You should know that the new settings only take effect after the next scheduled sync. You can however force this to happen sooner with the Start-ADSyncSyncCycle commands.

Enable Azure AD Connect company features with PowerShell

At the beginning of this article, we demonstrated how to view the currently enabled company features with the Get-ADSyncAADCompanyFeature command. This shows which features you have enabled, such as password hash sync, user writeback and device writeback. Let me show you how to change these features with PowerShell.

The following command demonstrates how to enable device writeback.

Set-ADSyncAADCompanyFeature -DeviceWriteback $true

You can apply this same concept to enable and disable each of the available features; these are:

  • PasswordHashSync
  • ForcePasswordChangeOnLogOn
  • UserWriteback
  • DeviceWriteback
  • UnifiedGroupWriteback
  • GroupWritebackV2

If you are disabling a feature, simply change the $true option to $false.
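The start/stop/full-sync steps from the previous section and the feature change just shown fit one pattern, so here is an added example (my own helper, not from the original post) that wraps any configuration change: it refuses to start while a cycle is running, pauses the scheduler so a scheduled delta cycle cannot run half-way through the change, runs the change, starts a Delta or Initial cycle and waits for it, and always restores the scheduler afterwards. It assumes the ADSync module is loaded on the Azure AD Connect server; the function name and the 15-second polling interval are my own choices.

```powershell
# Added example: apply an Azure AD Connect configuration change with the scheduler
# paused, follow it with a sync cycle, and restore the schedule even if the change fails.
# Assumes the ADSync module on the Azure AD Connect server.
Import-Module ADSync

function Invoke-ADSyncChange {
    param(
        [Parameter(Mandatory)][scriptblock]$Change,
        [switch]$FullSync,            # Initial cycle, needed after rule or filter changes
        [int]$TimeoutMinutes = 30
    )
    $before = Get-ADSyncScheduler
    if ($before.SyncCycleInProgress) {
        throw 'A sync cycle is already running; wait for it to finish before changing configuration.'
    }
    if ($before.StagingModeEnabled) {
        Write-Warning 'Server is in staging mode: nothing will be exported to Azure AD.'
    }
    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        & $Change
        $policy = if ($FullSync) { 'Initial' } else { 'Delta' }
        Start-ADSyncSyncCycle -PolicyType $policy | Out-Null
        # Poll until the cycle finishes so the caller knows the change has actually been applied
        $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
        do {
            Start-Sleep -Seconds 15
            $running = (Get-ADSyncScheduler).SyncCycleInProgress
        } while ($running -and (Get-Date) -lt $deadline)
        if ($running) { Write-Warning "Sync cycle still running after $TimeoutMinutes minutes." }
    }
    finally {
        # Restore whatever the schedule was before, whether the change succeeded or not
        Set-ADSyncScheduler -SyncCycleEnabled $before.SyncCycleEnabled
    }
}

# Usage: enable device writeback, then run a full sync and wait for it
Invoke-ADSyncChange -FullSync -Change { Set-ADSyncAADCompanyFeature -DeviceWriteback $true }
```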

Overview of the ADConnectivityTools included with Azure AD Connect

Included with Azure AD Connect is the ADConnectivityTools PowerShell module (adconnectivitytools.psm1). This module provides a range of tools you can use to verify connectivity to your Active Directory, so that Azure AD Connect will function without error.

The scenario may be that you are installing (or have installed) Azure AD Connect on a separate domain member server (not a domain controller) or even on a workgroup server and you need to ensure connectivity to your domain.

The AD Connectivity tools include the following commands.

  • Confirm-DnsConnectivity
  • Confirm-ForestExists
  • Confirm-FunctionalLevel
  • Confirm-NetworkConnectivity
  • Confirm-TargetsAreReachable
  • Confirm-ValidDomains
  • Confirm-ValidEnterpriseAdminCredentials
  • Get-DomainFQDNData
  • Get-ForestFQDN
  • Start-ConnectivityValidation
  • Start-NetworkConnectivityDiagnosisTools

The full range of syntaxes and examples can be found at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-adconnectivitytools


Summary

Thank you for taking the time to read this post. It is important to know that Azure AD Connect PowerShell can be a great help in administering your environment, but it is not always best practice when doing more complex tasks, such as creating synchronisation rules or changing OU filters. In that scenario, I always recommend using the GUI.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.