Directory extensions not being sync'd to Azure AD via Azure AD Connect - missing rules

  • Question

  • I have just discovered that none of the directory extensions I have defined to sync in AAD Connect are being pushed into Azure AD.

    The last time I can confirm this was working is 5/31/2019, and it was not working on 6/6/2019. I have been running AADC 1.2.70.0 during this time frame. Today I upgraded to AADC 1.3.21.0 but it did not resolve the issue.

    After some digging around I found there are 5 template files related to Directory Extensions in C:\Program Files\Microsoft Azure Active Directory Connect\SynchronizationRuleTemplates:

    • In from AD - User DirectoryExtension.xml
    • In from AD - InetOrgperson DirectoryExtension.xml
    • In from AD - Group DirectoryExtension.xml
    • Out to AAD - User DirectoryExtension.xml
    • Out to AAD - Group DirectoryExtension.xml

    When I look in the Sync Rules Editor, only 2 of these rules actually exist:

    • In from AD - User DirectoryExtension
    • In from AD - InetOrgperson DirectoryExtension

    Given that neither of the "Out to AAD" rules exist, this explains why the values are not making it to Azure AD.

    What greatly concerns me is that this broke with no changes made by me, so something appears to have caused the Out to AAD rules to drop out of the rule editor. Even more concerning is that when I upgraded AAD Connect today and it re-created the rules, it didn't create 3 of them.

    Is this a bug? Is there a PowerShell script I can run to get these rules re-created?



    • Edited by HDClown Thursday, July 11, 2019 11:13 PM
    Thursday, July 11, 2019 11:12 PM

All replies

  • I managed to get this working again.

    I modified the AADC sync properties, unchecked the directory extensions option and clicked through to the last step of the wizard but didn't complete it. I then went back to the options and re-enabled the directory extensions option. When I got to the directory extensions section I re-selected all of the extensions that I want to be sync'd, as none were now listed to be sync'd, and then completed the wizard.

    After the wizard finished, the sync rules editor showed the Out to AAD - User DirectoryExtension rule again, and after the sync completed these attributes were once again being pushed into Azure AD.

    I am still missing the In from AD - Group DirectoryExtension and Out to AAD - Group DirectoryExtension rules in the sync rules editor, but I suspect this may be because I have no attributes for group object types set. Not hugely concerned with it now because of that.

    I'm still concerned that the Out to AAD rule was lost somehow without me making any changes, and that it was a fluke that I stumbled across this issue in the first place. It could have gone on much longer.


    • Edited by HDClown Friday, July 12, 2019 11:40 AM
    Friday, July 12, 2019 11:37 AM
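
The question relies on opening the Sync Rules Editor to see which DirectoryExtension rules exist, and the reply verifies the fix the same way. The following script is an added example (not code from the original poster or from Microsoft) that performs that check from the ADSync PowerShell module on the sync server: it compares the five template names listed in the question against the rules actually loaded and reports any that are missing, then prints the directory extension attribute list the wizard stored. It assumes the ADSync module that ships with Azure AD Connect is available, that Get-ADSyncRule exposes Name, Direction and Precedence properties, and that the global-settings parameter name 'Microsoft.OptionalFeature.DirectoryExtensionAttributes' is where Azure AD Connect keeps the selected extensions; treat that parameter name as an assumption and confirm it against your own installation. As the reply notes, the two Group rules may legitimately be absent when no group attributes are selected, so a MISSING line for them is not necessarily a fault.

```powershell
# Added example: audit the Azure AD Connect directory extension sync rules.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

# Expected rule names, taken from the template files listed in the question.
$expectedRules = @(
    'In from AD - User DirectoryExtension',
    'In from AD - InetOrgperson DirectoryExtension',
    'In from AD - Group DirectoryExtension',
    'Out to AAD - User DirectoryExtension',
    'Out to AAD - Group DirectoryExtension'
)

# Rules currently loaded in the sync engine (same data the Sync Rules Editor shows).
$loadedRules = Get-ADSyncRule | Where-Object { $_.Name -like '*DirectoryExtension*' }

$missing = @()
foreach ($name in $expectedRules) {
    $rule = $loadedRules | Where-Object { $_.Name -eq $name } | Select-Object -First 1
    if ($rule) {
        'PRESENT  {0}  (Direction: {1}, Precedence: {2})' -f $rule.Name, $rule.Direction, $rule.Precedence
    } else {
        'MISSING  {0}' -f $name
        $missing += $name
    }
}

# Any missing outbound rule means extension values are not reaching Azure AD,
# regardless of what the inbound rules import into the metaverse.
$missingOutbound = $missing | Where-Object { $_ -like 'Out to AAD*' }
if ($missingOutbound) {
    Write-Warning ('Outbound directory extension rule(s) missing: {0}' -f ($missingOutbound -join ', '))
}

# Attribute list the configuration wizard stored. The parameter name below is an
# assumption about Azure AD Connect's global settings; verify it on your install.
$settings = Get-ADSyncGlobalSettings
$extParam = $settings.Parameters |
    Where-Object { $_.Name -eq 'Microsoft.OptionalFeature.DirectoryExtensionAttributes' }
if ($extParam -and $extParam.Value) {
    'Configured extension attributes: {0}' -f $extParam.Value
} else {
    'No directory extension attributes found in global settings (feature may be disabled).'
}
```

Running this before and after re-enabling the directory extensions feature in the wizard, as the reply describes, gives a record of which rules were recreated; scheduling it alongside the sync cycle is one way to catch a silently dropped outbound rule earlier than the poster did.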