New Sync features in Azure AD Connect Public Preview 2

This document describes new features introduced for synchronization in Azure AD
Connect sync compared to Azure AD Sync.

Sync filtering based on groups

It is already possible to filter which objects should be synchronized to Azure AD by
using Domain/OU filtering and attribute filtering. Azure AD Connect PP2 introduces
the possibility to also filter on group membership. This is particularly useful for a
small pilot where only a small set of users and groups from the on-premises ADDS
should be in Azure AD.
To use this feature, in the customized installation path you will see this page:

Add the name of the group containing the users and groups. Only members of this
group will be synchronized to Azure AD.

Directory Extension attribute sync

With directory extensions you can extend the schema in Azure AD with custom
attributes added by your organization, or with other attributes already in Active
Directory. To use this feature, select Directory Extension attribute sync on the
Optional Features page. This will give you the page where you can select your
additional attributes.

Only single-valued attributes are supported and the value cannot be longer than
250 characters. The metaverse and Azure AD schema will be extended with the
attributes selected. In Azure AD a new application is added with the attributes.

These attributes will now be available through Graph:

User writeback
User writeback allows you to take a user created in Azure AD (through the portal,
graph, PowerShell, or any other method) and write the user back to on-premises
ADDS. To enable the feature, select User writeback on the optional features page.
You will now be presented with the location where you want these users to be
created. The default configuration will create all users in one location in ADDS.

The users will be created with a random password, so you have to reset the
password in ADDS before the user is actually able to log in.

Group writeback
The option for group writeback in optional features will allow you to write back
Groups in Office 365 to a forest with Exchange installed. This is a new group type
which is always mastered in the cloud. You can find it in outlook.office365.com or
on myapps.microsoft.com as shown here:
outlook.office365.com

myapps.microsoft.com

This group will be represented as a distribution group in on-premises ADDS. Your
on-premises Exchange server must be on Exchange 2013 CU8 (released in March 2015)
to recognize this new group type.
Note: The address book attribute is currently not populated. The easiest approach is
to copy the address book property from another group in your org and populate it
outside the sync engine.
Note: Only forests with the Exchange schema are valid targets for groups. If no
Exchange was detected, group writeback cannot be enabled.
Note: The Group writeback feature does not currently handle security groups or
distribution groups.
More information can be found here: http://blogs.office.com/2014/09/25/deliveringfirst-chapter-groups-office-365/

Device writeback
The device writeback feature will allow you to take a device registered in the cloud,
for example in Intune, and have it in ADDS for conditional access. To enable the
feature, ADDS must be prepared. If you install ADFS and the device registration
service (DRS), DRS provides PowerShell cmdlets to prepare AD for device writeback.
If you do not have DRS installed, then you can run C:\Program Files\Microsoft Azure
Active Directory Connect\AdPrep\AdSyncAdPrep.psm1 as an enterprise admin.
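An added example (not from this document) of the second path, preparing ADDS with the module shipped in the Azure AD Connect install folder. The domain name, the connector account and the cmdlet name Initialize-ADSyncDeviceWriteback are assumptions; confirm the cmdlet name with Get-Command after importing the module.

```powershell
# Added example: prepare ADDS for device writeback without the DRS cmdlets.
# Path is the one named in the document; everything else is a placeholder.
$modulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncAdPrep.psm1'

# The preparation touches schema-level containers, so it must run as an
# Enterprise Admin. Check the current token's groups and stop early if not.
$groups = whoami /groups
if (-not ($groups -match 'Enterprise Admins')) {
    throw 'Run this session as a member of Enterprise Admins.'
}

Import-Module $modulePath

# List the cmdlets the module actually exposes in this build before relying on one.
Get-Command -Module AdSyncAdPrep

# Assumed cmdlet: creates the container and grants the connector account the
# rights it needs to write device objects. Replace domain and account with yours.
Initialize-ADSyncDeviceWriteback -DomainName 'contoso.local' `
                                 -AdConnectorAccount 'CONTOSO\MSOL_sync'
```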

Device sync
If you enable the feature device sync then your Windows 10 devices which are
domain joined will be synchronized to Azure AD. Unless you are part of the Windows
10 pre-release program and have been instructed by Microsoft to enable this
feature, leave this option unselected.

Staging mode
Staging mode makes it possible to set up a new sync server in parallel with an
existing server. Only one sync server may be connected to one directory in the
cloud. But if you want to move from another server, for example one running
DirSync, you can enable Azure AD Connect in staging mode. When enabled, the sync
engine will import and synchronize data as normal, but it will not export anything
to Azure AD and will turn off password sync and password writeback.

While in staging mode, it is possible to make required changes to the sync engine
and review what is about to be exported. When the configuration looks good, run
the installation wizard again and disable staging mode. This will enable data to be
exported to Azure AD. Make sure to disable the other server at the same time so
only one server is actively exporting.
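An added example (not from this document) of the review step: dumping the pending exports of the staging server with the csexport and CSExportAnalyzer tools from the sync engine's Bin folder, then counting adds, updates and deletes. The install path, the connector name and the CSV header names are assumptions; adjust them to your environment.

```powershell
# Added example: see what a staging-mode server WOULD export before switching it
# to active. Paths and connector name are placeholders, not from the document.
$binPath   = 'C:\Program Files\Microsoft Azure AD Sync\Bin'
$connector = 'contoso.onmicrosoft.com - AAD'      # Azure AD connector name
$exportXml = Join-Path $env:TEMP 'export.xml'
$exportCsv = Join-Path $env:TEMP 'export.csv'

# /f:x restricts the dump to objects that have a pending export.
& "$binPath\csexport.exe" $connector $exportXml /f:x

# CSExportAnalyzer flattens the XML to CSV, one line per pending change;
# capture its standard output into a file.
& "$binPath\CSExportAnalyzer.exe" $exportXml | Set-Content -Path $exportCsv -Encoding Ascii

# Summarize by object modification type (assumed column name OMODT with values
# such as Add, Update, Delete). A large Delete count here is the signal to stop
# and investigate before disabling staging mode.
$changes = Import-Csv -Path $exportCsv
$changes | Group-Object -Property OMODT | Select-Object Name, Count
```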

Preventing accidental deletions

When installing Azure AD Connect, the preventing accidental deletions feature will
be enabled by default and configured to not allow an export with more than 500
deletes. The 500 is a default value and can be changed. With this feature enabled, if
there are too many deletes, the export will not continue and you will receive an
email like this:

If this was unexpected, then investigate and take any corrective actions.
To temporarily disable this protection and let these deletes go through, run:
Disable-ADSyncExportDeletionThreshold
To re-enable the protection or to change the default threshold setting, run:
Enable-ADSyncExportDeletionThreshold
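An added example (not from this document) showing the two ways to act on a blocked export with the ADSync module that ships with Azure AD Connect. Get-ADSyncExportDeletionThreshold and the -DeletionThreshold parameter are assumed to be present in your build; the value 600 is a placeholder.

```powershell
# Added example: respond to an export stopped by the deletion threshold.
Import-Module ADSync

# Inspect the current state (assumed cmdlet; expected default: enabled, 500).
Get-ADSyncExportDeletionThreshold

# Case 1: the deletes are expected (for example, an OU was deliberately taken out
# of the sync scope). Lift the protection only for the next export, then restore
# it so a later mistake is still caught.
Disable-ADSyncExportDeletionThreshold
# ... run or wait for the next sync cycle so the pending deletes are exported ...
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

# Case 2: the directory is large and legitimate change batches routinely exceed
# 500 deletes. Raise the threshold instead of switching the protection off.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 600
```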