Microsoft Azure allows you to implement the federated identity solution in which users from Active Directory on-premises are synchronized with Windows Azure Active Directory to avail services such as Single-Sign-On. In an Azure federated identity solution, employees can access on-premises and Office 365 resources by using the same credentials. As part of the SSO service, you will be required to synchronize users along with their passwords to Office 365. You can use AAD Connect tool, developed by Microsoft for Azure customers, to sync on-premises Active Directory to Office 365. And while you can use AAD Connect tool to synchronize users, you would also need to verify Active Directory synchronization status of all users to ensure they have been synchronized and no errors have been reported. This article helps you understand what you can do to verify synchronization status of all users in Office 365.
Ways to check Active Directory synchronization status
There are two ways to check synchronization status of synced users — using PowerShell cmdlets and the Azure AD Connect health tool. PowerShell cmdlets are available when you install Azure Windows PowerShell modules for Active Directory. You will be required to use the Get-MSOlUser cmdlet to check sync status of users. Azure AD Connect Health tool can be used in the Azure portal, which provides sync alerts, sync insight, and object level synchronization error report.
Installing PowerShell cmdlets
Before you execute PowerShell cmdlets to verify Active Directory synchronization status of users, make sure you have met the requirements and installed the Office 365 PowerShell cmdlets on a computer. At a minimum, ensure you meet the following requirements:
- You have a computer running Windows 7 or later OS to install Office 365 WAAD cmdlets.
- You have an account that has access to the Office 365 subscription.
- You have obtained and installed Microsoft Online Sign-In Assistance for IT Professional.
- Windows Azure Active Directory Module for Windows PowerShell has been installed and installation has been verified.
Once these requirements are met, proceed with the remaining sections of this article to verify synchronization status of synced users.
Tip: It is important to note that apart from synchronizing users from on-premises Active Directory, you can also create “Cloud” users. A user account created in the cloud will have its ImmutableID set to $NULL and LastDirSyncTime attribute will have no data. So when verifying synchronization status of a single user, make sure you are verifying sync status of synced users, not the accounts that were created in the cloud.
Verify LastDirSyncTime attribute of users
Note that when a user is synced to Office 365, the user account is updated with the last time and date it was synced in the LastDirSyncTime attribute. You need to check data of LastDirSyncTime for users and match it with the synchronization date.
Verifying synchronization of single user
To verify the synchronization status of a single user, execute Get-MsolUser PowerShell cmdlet from an elevated PowerShell command prompt and retrieve date and time stored in LastDirSyncTime attribute of users. For example, if you wish to check synchronization status for a user named JohnThomas@TechGenix.com, you will execute the command below:
Get-MSOlUser -UserPrincipalName "JohnThomas@TechGenix.com" | Select-Object UserPrincipalName, LastDirSyncTime
When you run the above command, it will show last date and time the user was synchronized to Office 365. To check the last synchronization date and time for another user, just replace JohnThomas@TechGenix.com with another username.
Verifying synchronization of all users
You can execute the above command in case you are troubleshooting synchronization for a single user, but in case you need to check synchronization status for all users, you will be required to export the value of LastDirSyncTime attribute for all users by executing the command below:
Get-MSOlUser -ALL | Select-Object UserPrincipalName, LastDirSyncTime | Export-CSV C:\Temp\SyncStatus.CSV
The above PowerShell command retrieves all users from Office 365 with their user principal name and last synchronization date and time. The output is exported to C:\Temp\SyncStatus.CSV file. You can navigate through the file to ensure last synchronization date and time for all users matches with the current synchronization date and time.
Checking health of synchronized users
Not many Office 365 administrators know that Office 365 provides a quick way to check the health status of synchronized users who sync from on-premises Active Directory to Office 365. The user properties that you can use to report on the health status of synced users are “ValidationStatus” and “DirSyncProvisioningErrors.” ValidationStatus property stores the health status of synced users and DirSyncProvisioningErrors indicates if any errors were encountered during the synchronization. To retrieve synchronization status for users along with ValidationStatus, LastDirSyncTime, and DirSyncProvisioningErrors data, execute the command below:
Get-MSOlUser -ALL | Select-Object UserPrincipalName, LastDirSyncTime, ValiadtionStatus, DirSyncProvisioningErrors | Export-CSV C:\Temp\SyncStatusHealth.CSV
Once you have executed the command above, open the CSV file in Excel and filter ValidationStatus and DirSyncProvisioningErrors columns to ensure there are no errors reported. If you find any users with errors, check the last synchronization date and time for the user. You may need to troubleshoot further as to know what caused synchronization failure for a user.
Microsoft provides the necessary PowerShell commands you can use to check Active Directory synchronization status of users that sync from on-premises Active Directory to Office 365. You can check synchronization status of a single user and all users by using Get-MsolUser PowerShell cmdlet as explained in this article.