
Get Synced OU Configuration in Azure AD Connect PowerShell

If you manage a hybrid environment, chances are you’ve had to manage Azure AD Connect. Reading the configuration settings from the GUI is convenient, but opening the wizard pauses synchronization, so it is not always an option. Today we’re going to show you a snippet that exports the OU configuration of Azure AD Connect in your environment.

Requirements

In order for you to get all of the synced organizational units as well as the synced attributes, there are a few things you must have in place. First things first, you need to have a supported version of Azure AD Connect installed. Since AAD Connect should be in a tier 0 security configuration, you may need to run this locally on the machine itself.

Get Synced OU Configuration in Azure AD Connect using PowerShell

If you have an Active Directory OU structure that’s pretty dense, it may be challenging to figure out exactly what is being synced and what is not. My lab is pretty simple and straightforward, but here are the organizational units that are synced and what’s shown in the GUI.

Get Synced OU Configuration in Azure AD Connect GUI

Let’s get this same information from PowerShell. Remember you will need to be logged in to the active AAD Connect server since that’s what is actually being synced to Azure AD.

#Load the ADSync module (installed with Azure AD Connect) in case it is not already loaded
Import-Module ADSync

#Get the connector for your on-premises domain (the Azure AD connector name ends in " - AAD")
$SyncConnector = Get-ADSyncConnector | Where-Object {$_.Name -notmatch ' - aad'}

#Get OU inclusion list (containers that are in scope for sync)
$SyncConnector.Partitions.ConnectorPartitionScope.ContainerInclusionList

#Get OU exclusion list (sub-containers explicitly removed from scope)
$SyncConnector.Partitions.ConnectorPartitionScope.ContainerExclusionList

Get Synced OU Configuration in Azure AD Connect PowerShell

As you can see from the images above, the only OU I am syncing to Azure AD is the “Home” OU. I do have a few sub organizational units that are excluded from sync, and those also show up in the PowerShell output. Hopefully this paints a clear picture when you need to see which OUs are synced.

Get Synced Attributes using PowerShell

If you need to know which attributes are syncing, there’s a way to get that information using PowerShell as well. Not every attribute maps one-to-one to an Azure AD attribute, but this is a good start to see what’s there and what’s not.

It is important to note that attributes syncing from your on-premises Active Directory will not show up exactly the same in Azure AD. Therefore, we will show the on-premises sync connector as well as the Azure AD sync connector. This is key if you have custom mappings or have enabled directory extension attributes to use for custom claims.

#Get attributes syncing from on-premises Active Directory (on-premises connector)
$SyncConnector = Get-ADSyncConnector | Where-Object {$_.Name -notmatch ' - aad'}
$SyncConnector.AttributeInclusionList

#Get attributes syncing to Azure Active Directory (connector whose name ends in " - AAD")
$SyncConnector = Get-ADSyncConnector | Where-Object {$_.Name -match ' - aad'}
$SyncConnector.AttributeInclusionList
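Because the AAD Connect server is tier 0, it is worth knowing when the sync scope changes. The following is an added example (not code from the original post) that combines the OU and attribute queries above into one report, writes it as a JSON baseline on the first run, and on later runs diffs the current scope against that baseline so newly included OUs or attributes stand out. The baseline path, the function names and the use of the partition's Name property are assumptions.

```powershell
# Added example: baseline and diff the Azure AD Connect sync scope.
# Assumes the ADSync module is available locally; $BaselinePath is an assumed location.
Import-Module ADSync

function Get-AADConnectSyncScope {
    $connectors = Get-ADSyncConnector
    $onPrem = $connectors | Where-Object { $_.Name -notmatch ' - aad' }
    $cloud  = $connectors | Where-Object { $_.Name -match ' - aad' }
    # One record per on-premises partition with its included and excluded containers
    $ous = foreach ($conn in $onPrem) {
        foreach ($partition in $conn.Partitions) {
            $scope = $partition.ConnectorPartitionScope
            [PSCustomObject]@{
                Connector = $conn.Name
                Partition = $partition.Name   # assumed property name
                Included  = @($scope.ContainerInclusionList)
                Excluded  = @($scope.ContainerExclusionList)
            }
        }
    }
    [PSCustomObject]@{
        CollectedAt      = (Get-Date).ToString('o')
        OUScope          = @($ous)
        OnPremAttributes = @($onPrem | ForEach-Object { $_.AttributeInclusionList } | Sort-Object -Unique)
        CloudAttributes  = @($cloud  | ForEach-Object { $_.AttributeInclusionList } | Sort-Object -Unique)
    }
}

function Compare-AADConnectSyncScope {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $current = Get-AADConnectSyncScope
    if (-not (Test-Path -Path $BaselinePath)) {
        # First run: record the baseline and stop.
        $current | ConvertTo-Json -Depth 5 | Set-Content -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath"
        return
    }
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $oldOUs = @($baseline.OUScope | ForEach-Object { $_.Included })
    $newOUs = @($current.OUScope  | ForEach-Object { $_.Included })
    # SideIndicator '=>' means newly in scope since the baseline; '<=' means removed from scope.
    Compare-Object -ReferenceObject $oldOUs -DifferenceObject $newOUs
    Compare-Object -ReferenceObject @($baseline.OnPremAttributes) -DifferenceObject @($current.OnPremAttributes)
}

Compare-AADConnectSyncScope -BaselinePath 'C:\AADConnect\sync-scope-baseline.json'
```

Run it from a scheduled task on the AAD Connect server and forward any non-empty diff to your monitoring; it does not touch the wizard, so sync keeps running.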

Attribute Configuration in Azure AD Connect Onprem

Attribute Configuration in Azure AD Connect Cloud

Conclusion

Hopefully this article was able to show you how to get the synced OU configuration in Azure AD Connect with PowerShell, as well as the attributes that are currently synced. This is pretty handy because when you open the Azure AD Connect application, sync is temporarily disabled until the wizard is closed.

Being able to gather this information using PowerShell solves that problem, so you can run it at any time. If you would like to see more sysadmin content, be sure to check out our YouTube Channel


Paul Contreras

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.
