
Upload: vivas-victor

Post on 19-Dec-2015


New Sync Features in Azure AD Connect


Page 1: New Sync Features in Azure AD Connect Public Preview 2

New Sync features in Azure AD Connect Public Preview 2

This document describes the new synchronization features introduced in Azure AD Connect sync compared to Azure AD Sync.

Sync filtering based on groups

It is already possible to filter which objects should be synchronized to Azure AD by using Domain/OU filtering and attribute filtering. Azure AD Connect PP2 introduces the possibility to also filter on group membership. This is particularly useful for a small pilot where only a small set of users and groups from the on-premises ADDS should be in Azure AD.

To use this feature, choose the customized installation path; you will see this page:

Add the name of the group containing the users and groups. Only members of this group will be synchronized to Azure AD.

Directory Extension attribute sync

With directory extensions you can extend the schema in Azure AD with custom attributes added by your organization or with other attributes in Active Directory. To use this feature, select “Directory Extension attribute sync” on the “Optional Features” page. This will give you this page where you can select your additional attributes.


Only single-valued attributes are supported and the value cannot be longer than 250 characters. The metaverse and Azure AD schema will be extended with the attributes selected. In Azure AD a new application is added with the attributes.

These attributes will now be available through Graph:


User writeback

User writeback allows you to take a user created in Azure AD (through the portal, Graph, PowerShell, or any other method) and write the user back to on-premises ADDS. To enable the feature, select “User writeback” on the optional features page. You will then be presented with the location where you want these users to be created. The default configuration will create all users in one location in ADDS.

The users will be created with a random password, so you have to reset the password in ADDS before the user can actually log in.

Group writeback

The group writeback option in optional features allows you to write back “Groups in Office 365” to a forest with Exchange installed. This is a new group type which is always mastered in the cloud. You can find it in outlook.office365.com or on myapps.microsoft.com as shown here:

[Screenshots: outlook.office365.com and myapps.microsoft.com]


This group will be represented as a distribution group in on-premises ADDS. Your on-premises Exchange server must be on Exchange 2013 CU8 (released in March 2015) to recognize this new group type.

Note: The address book attribute is currently not populated. The easiest approach is to copy the address book property from another group in your organization and populate it outside the sync engine.

Note: Only forests with the Exchange schema are valid targets for groups. If no Exchange schema is detected, group writeback cannot be enabled.

Note: The Group writeback feature does not currently handle security groups or distribution groups.

More information can be found here: http://blogs.office.com/2014/09/25/delivering-first-chapter-groups-office-365/

Device writeback

The device writeback feature allows you to take a device registered in the cloud, for example in Intune, and have it in ADDS for conditional access. To enable the feature, ADDS must be prepared. If you install ADFS and the device registration service (DRS), DRS provides PowerShell cmdlets to prepare AD for device writeback. If you do not have DRS installed, you can run C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncAdPrep.psm1 as an enterprise admin.

Device sync

If you enable the device sync feature, your domain-joined Windows 10 devices will be synchronized to Azure AD. Unless you are part of the Windows 10 pre-release program and have been instructed by Microsoft to enable this feature, leave this option unselected.


Staging mode

Staging mode makes it possible to set up a new sync server in parallel with an existing server. Only one sync server may be connected to one directory in the cloud. But if you want to move from another server, for example one running DirSync, you can install Azure AD Connect in staging mode. When staging mode is enabled, the sync engine imports and synchronizes data as normal, but it does not export anything to Azure AD, and password sync and password writeback are turned off.

While in staging mode, it is possible to make required changes to the sync engine and review what is about to be exported. When the configuration looks good, run the installation wizard again and disable staging mode. This will enable data to be exported to Azure AD. Make sure to disable the other server at the same time so only one server is actively exporting.

Preventing accidental deletions

When installing Azure AD Connect, the feature preventing accidental deletions is enabled by default and configured to not allow an export with more than 500 deletes. The 500 is a default value and can be changed. With this feature enabled, if there are too many deletes, the export will not continue and you will receive an email like this:

If this was unexpected, then investigate and take any corrective actions.

To temporarily disable this protection and let these deletes go through, run:

Disable-ADSyncExportDeletionThreshold

To re-enable the protection or to change the default threshold setting, run:

Enable-ADSyncExportDeletionThreshold
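As an added example (not part of the original document), the following PowerShell script covers the "review what is about to be exported" step from the staging mode section and the "investigate" step from the deletion threshold section: it dumps the pending exports of the Azure AD connector with csexport.exe, counts adds, updates and deletes, and compares the delete count to the configured threshold before you decide to disable the protection. Assumptions: csexport.exe is in the Azure AD Connect sync bin folder, the connector name is a placeholder for your own, Get-ADSyncExportDeletionThreshold returns the numeric threshold, and the XML layout (cs-object / unapplied-export / delta) matches what csexport writes.

```powershell
# Added example; not code from the original document or from Microsoft.
# Review pending exports to Azure AD before lifting the deletion threshold
# or before taking a staging-mode server active.
param(
    # Placeholder: replace with your own Azure AD connector name.
    [string]$ConnectorName = 'contoso.onmicrosoft.com - AAD',
    [string]$OutFile = "$env:TEMP\pending-exports.xml"
)
Import-Module ADSync

# Assumed location of csexport.exe in the sync engine bin folder.
$csexport = 'C:\Program Files\Microsoft Azure AD Sync\Bin\csexport.exe'
# /f:x writes only connector-space objects that have a pending export.
& $csexport $ConnectorName $OutFile /f:x | Out-Null

[xml]$doc = Get-Content -Path $OutFile
# Assumed layout: <cs-object cs-dn="..."><unapplied-export><delta operation="..."/>
$deltas = $doc.SelectNodes('//cs-object/unapplied-export/delta')

$counts  = @{ add = 0; update = 0; delete = 0 }
$deletes = @()
foreach ($d in $deltas) {
    $op = $d.operation
    if ($counts.ContainsKey($op)) { $counts[$op]++ }
    if ($op -eq 'delete') {
        # Walk up delta -> unapplied-export -> cs-object to get the object DN.
        $deletes += $d.ParentNode.ParentNode.GetAttribute('cs-dn')
    }
}

"Pending exports: {0} add, {1} update, {2} delete" -f `
    $counts.add, $counts.update, $counts.delete

# Compare against the configured threshold (500 by default per the document).
$threshold = Get-ADSyncExportDeletionThreshold   # assumed to return the number
if ($counts.delete -gt $threshold) {
    Write-Warning "Deletes ($($counts.delete)) exceed the threshold ($threshold); the export will be blocked."
    Write-Warning "First 20 objects that would be deleted in Azure AD:"
    $deletes | Select-Object -First 20 | ForEach-Object { "  $_" }
    Write-Warning "Only run Disable-ADSyncExportDeletionThreshold once every listed deletion is expected."
} else {
    "Delete count is within the threshold; no action needed."
}
```

Re-enable the protection afterwards with Enable-ADSyncExportDeletionThreshold so that a later run is still guarded.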