The Azure AD Connect tool has a default sync schedule that runs every 30 minutes. However, sometimes you need the changes you just made to be synced NOW! So from time to time it is necessary to manually force Azure AD Connect to run and sync your on-prem AD up to Azure AD. This can be done with PowerShell as either a full sync or a delta sync.
If you are running PowerShell on the server where AD Connect Sync resides, you can skip this step. Otherwise, connect to the AAD Connect Sync server by running the following command to create a PSRemoting session, replacing <SERVERNAME> with the name of your AD Connect server.
Enter-PSSession -ComputerName <SERVERNAME>
Import the ADSync module with the following command.
Run one of the following commands to manually force the sync.
For a Delta Sync (the most common use case):
Start-ADSyncSyncCycle -PolicyType Delta
For a Full Sync (a less common use case):
Start-ADSyncSyncCycle -PolicyType Initial
If you used the “Enter-PSSession” command earlier, then you need to exit that session; otherwise it will stay open on the server even after you terminate the connection. To close the “PSSession” use the following command:
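As an added example (not from the original post), the same procedure wrapped in a script that runs from an admin workstation: it uses Invoke-Command instead of Enter-PSSession, so the remote session is torn down automatically when the script block returns, and it checks the scheduler state with Get-ADSyncScheduler before starting a cycle. It assumes you have PowerShell remoting rights on the AD Connect server and that the ADSync module (installed with Azure AD Connect) is present there.

```powershell
# Force an Azure AD Connect sync cycle on a remote AD Connect server.
# Assumes: remoting is enabled on the server and the caller is allowed to run
# the ADSync cmdlets there (for example, a member of the ADSyncAdmins group).
param(
    [Parameter(Mandatory)] [string] $ServerName,                       # your AD Connect server
    [ValidateSet('Delta', 'Initial')] [string] $PolicyType = 'Delta'   # Delta = most common
)

$result = Invoke-Command -ComputerName $ServerName -ArgumentList $PolicyType -ScriptBlock {
    param([string] $PolicyType)

    Import-Module ADSync -ErrorAction Stop

    # Refuse to start if the scheduler is disabled or a cycle is already running.
    # Start-ADSyncSyncCycle fails in both cases, and a blind retry only hides the reason.
    $scheduler = Get-ADSyncScheduler
    if (-not $scheduler.SyncCycleEnabled) {
        throw "Sync scheduler is disabled on $env:COMPUTERNAME; enable it before forcing a cycle."
    }
    if ($scheduler.SyncCycleInProgress) {
        throw "A sync cycle is already running on $env:COMPUTERNAME; wait for it to finish."
    }

    # Delta picks up only changes since the last run; Initial re-reads everything.
    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null

    # Hand a small status object back to the caller rather than printing inside the session.
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        PolicyType    = $PolicyType
        NextScheduled = (Get-ADSyncScheduler).NextSyncCycleStartTimeInUTC
    }
}

# The temporary remote session is already closed at this point; nothing to Exit-PSSession.
$result | Format-List
```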
Another gotcha when using O365 in hybrid mode with on-prem sync is that you can’t hide a user’s email address [from address books and distribution lists] by using the Exchange Admin Portal. This is because the settings are made on-prem, and those values are simply pushed up to your AAD tenant in Microsoft’s Azure cloud.
We used to be able to open the user in the Exchange Management Console on the on-prem server and just check a tick box to hide their address from everything. The workaround isn’t much harder; it’s just buried deeper.
Open the user in your on-prem AD and navigate to the “Attribute Editor” tab.
Scroll down until you find the following attribute.
Setting it to “TRUE” will hide the email address.
Setting it to “FALSE” or “<not set>” will make the email address visible.
After you have made the desired change to the value of the attribute, you just need to wait for [or force] your on-prem AD to re-sync with your AAD.
If you use O365 in hybrid mode, with your tenant synced to your on-prem AD or Exchange server, then you will definitely run into an issue if you try to add an alias email address to a user.
When you attempt to add an alias, or alternate, email in your Exchange Admin Center portal you will see this error message.
To get around this you’ll need to edit the user locally in your on-prem AD. In AD, right-click the user and open the user’s properties, then select the “Attribute Editor” tab.
You will want to look for and edit the following two attributes.
Add the user’s alias/alternate email address to the above-mentioned attributes in the form: smtp:email@example.com
That’s it. Now you just need to let your AD sync back up to the O365 cloud.
WARNING: If you add it in CAPS (SMTP:firstname.lastname@example.org), it will be interpreted as the default address and not as an alias/alternate email. Make sure that “smtp” is lowercase.
Multi-factor authentication is something you should have enabled in your Azure or Office 365 tenant. It is going to solve at least 90% of your worries about someone ‘hacking’ into your organization. That said, it can cause a few headaches of its own.
When your user is choosing their methods or means to authenticate, one of the options is to use their “Office Phone”. That’s great… But if you sync your on-prem AD to Azure AD, you’ll quickly realize that option is grayed out and you can’t set it. You’ll get a message about contacting your administrator.
To set this number, simply edit the properties of your user in your on-prem AD.
- Open “Active Directory Users and Computers” and navigate to your user.
- Right-click on the user and choose ‘properties’.
- Under ‘Telephone’ enter the user’s phone number, country code first, like either of the examples below.
- +1 8085551234
- +1 8085551234 x123
- Click ‘OK’ to save the edits.
After you have finished editing the user, all you have to do is wait for the next sync cycle. From then on, your users will be able to authenticate and log in using their work desk phone.