If you manage a hybrid environment, chances are you’ve had to manage Azure AD Connect. Viewing the configuration settings through the GUI is convenient, but opening the wizard pauses synchronization, so that isn’t always an option. Today we’re going to show you a snippet so you can export the OU configuration of Azure AD Connect in your environment.
Requirements
In order to get all of the synced organizational units as well as the synced attributes, there are a few things you must have in place. First, you need a supported version of Azure AD Connect installed. Since AAD Connect should be in a tier 0 security configuration, you may need to run this locally on the machine itself.
Get Synced OU Configuration in Azure AD Connect using PowerShell
If you have an Active Directory OU structure that’s pretty dense, it may be challenging to figure out what exactly is being synced and what is not. My lab is pretty simple and straightforward; the organizational units that are synced are the ones shown in the Azure AD Connect GUI.
Let’s get this same information from PowerShell. Remember that you will need to be logged in to the active AAD Connect server, since that is the server actually syncing to Azure AD.
# Get the connector for your on-premises domain (every connector except the Azure AD one).
$SyncConnector = Get-ADSyncConnector | Where-Object {$_.Name -notmatch ' - aad'}
# Get the OU inclusion list
$SyncConnector.Partitions.ConnectorPartitionScope.ContainerInclusionList
# Get the OU exclusion list
$SyncConnector.Partitions.ConnectorPartitionScope.ContainerExclusionList
As the output shows, the only OU I am syncing to Azure AD is the “Home” OU. I do have a few sub-organizational units that are excluded from sync, and those appear in the exclusion list from PowerShell. Hopefully this paints a clear picture when you need to see which OUs are synced.
Get Synced Attributes using PowerShell
If you need to know which attributes are syncing, there’s a way to get that information using PowerShell as well. Not every on-premises attribute shows up under a matching Azure AD attribute name, but this is a good start to see what’s there and what’s not.
It is important to note that attributes syncing from your on-premises Active Directory will not show up exactly the same in Azure AD. Therefore, we will show the on-premises sync connector as well as the Azure AD sync connector. This is key if you have custom mappings or have enabled directory extension attributes to use for custom claims.
# Get the attributes syncing from on-premises Active Directory
$SyncConnector = Get-ADSyncConnector | Where-Object {$_.Name -notmatch ' - aad'}
$SyncConnector.AttributeInclusionList
# Get the attributes syncing to Azure Active Directory
$SyncConnector = Get-ADSyncConnector | Where-Object {$_.Name -match ' - aad'}
$SyncConnector.AttributeInclusionList
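The two snippets above (OU scope and attribute lists) can be combined into a repeatable export. The following script is an added example, not code from the original post: it snapshots every connector's OU inclusion/exclusion lists and attribute list to JSON and, on later runs, reports which OUs or attributes were added or removed relative to that baseline, which is a simple way to notice sync-scope drift without opening the wizard. It assumes the ADSync module is loaded on the active AAD Connect server and that each object in $connector.Partitions exposes a Name property beside ConnectorPartitionScope; the function and parameter names are my own.

```powershell
# Added example (not from the original post): snapshot the AAD Connect sync scope
# and report drift against a saved baseline. Assumes the ADSync module is loaded
# and that each entry in $connector.Partitions exposes a Name property.
function Get-AADConnectScope {
    foreach ($connector in Get-ADSyncConnector) {
        $isAad = $connector.Name -match ' - aad'   # AAD connector: attributes only, no OU scope
        $ous = foreach ($partition in $connector.Partitions) {
            [pscustomobject]@{
                Partition   = $partition.Name
                IncludedOUs = @($partition.ConnectorPartitionScope.ContainerInclusionList)
                ExcludedOUs = @($partition.ConnectorPartitionScope.ContainerExclusionList)
            }
        }
        [pscustomobject]@{
            Connector  = $connector.Name
            Attributes = @($connector.AttributeInclusionList | Sort-Object)
            Partitions = @(if (-not $isAad) { $ous })
        }
    }
}
# One record per entry that is present in only one of two string lists (nulls dropped).
function Compare-ScopeList ($Connector, $Item, $Old, $New) {
    Compare-Object -ReferenceObject @($Old | Where-Object { $_ }) -DifferenceObject @($New | Where-Object { $_ }) |
        ForEach-Object {
            [pscustomobject]@{ Connector = $Connector; Item = $Item; Value = $_.InputObject
                               Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } }
        }
}
function Compare-AADConnectScope {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $current = @(Get-AADConnectScope)
    if (-not (Test-Path $BaselinePath)) {
        # First run: persist the baseline; later runs are compared against it.
        $current | ConvertTo-Json -Depth 6 | Set-Content -Path $BaselinePath
        Write-Warning "Baseline written to $BaselinePath; nothing to compare yet."
        return
    }
    $baseline = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)
    foreach ($conn in $current) {
        $old = $baseline | Where-Object { $_.Connector -eq $conn.Connector }
        if (-not $old) { Write-Warning "Connector not in baseline: $($conn.Connector)"; continue }
        Compare-ScopeList $conn.Connector 'Attribute' $old.Attributes $conn.Attributes
        foreach ($part in $conn.Partitions) {
            $oldPart = $old.Partitions | Where-Object { $_.Partition -eq $part.Partition }
            Compare-ScopeList $conn.Connector "IncludedOU $($part.Partition)" $oldPart.IncludedOUs $part.IncludedOUs
            Compare-ScopeList $conn.Connector "ExcludedOU $($part.Partition)" $oldPart.ExcludedOUs $part.ExcludedOUs
        }
    }
}
```

Run `Compare-AADConnectScope -BaselinePath C:\Reports\aadconnect-scope.json` once to record the baseline and again after any change; an empty result means the synced OUs and attributes match what was recorded.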
Conclusion
Hopefully this article was able to show you how to get the synced OU configuration in Azure AD Connect with PowerShell, as well as the attributes that are currently synced. This is pretty handy because when you open up the Azure AD Connect application, sync is temporarily disabled until the wizard is closed.
Being able to gather this information using PowerShell solves that problem, so you can run it at any time. If you would like to see more sysadmin content, be sure to check out our YouTube channel.