Forum Discussion
Issue after sync with Azure AD Connect
Hello,
I'm trying to do some experiments with Azure AD Connect and found some issues, and I'd like to get some suggestions from other experienced people on how to manage them.
First thing I noticed is with the registered devices: I simulated my organization, so I created some virtual machines where I installed Office desktop apps and Teams; the devices are seen in AAD as Azure AD Registered; then I've done the sync of the devices from AD; I have an OU with our org accounts inside, so I have, for example, an inner Management OU with management user accounts; inside the Management OU I have an OU called Management Computers where the management's devices are; I have synced them and then enabled the Hybrid Join in Azure AD Connect.
I've seen that the devices have been registered as Hybrid Joined, but I have a situation where there are duplicated devices; on every system there is a Windows 10 version greater than 1803; I waited 2 days but nothing happened. I have read that some people deleted the Azure AD registered one, but have also read that people experienced issues doing so.
Other question: I synced my users and it seemed all ok, so I saw in AAD Users -> All Users the parameter "Directory synced" on Yes; after some delta syncs I saw that a user that was synced no longer had Yes on that parameter, and a new user with that parameter was created; I deleted it and ran a sync, but on the old user I can't see that directory sync is true again: how do I resolve this issue?
Apart from these problems, I'd like to have a suggestion on how to proceed when I have to sync real data; as I said previously, I have nested OUs with users and their computers, but I don't want to sync all the users together; for example, I thought to sync first the OU Managers (and their devices), then Marketing (and their computers) and so on: do you think this is an acceptable approach or do I have to change it?
Any help is very appreciated.
- mikhailf (Steel Contributor)
Hello Marco,
It would be great to see the configuration of your AD Connect. (a screenshot would be enough)
Regarding the syncing of your users, you have filters in the AD Connect configuration wizard: "Select the domains to be synchronized using the Azure AD Connect wizard". Look at the picture inside the link I've provided: Domain and OU filtering -> Sync selected domains and OUs.
- MarcoMangianteIM (Brass Contributor)
Hello mikhailf,
I have something like this in AD:
and in Azure AD Connect, in Domain and OU filtering I have configured this:
In Azure AD All Devices I see this:
I replicated in the test environment what I have in my company AD; Azure AD also replicated the status quo, with all devices Azure AD Registered (because we have Office desktop apps on them); I suppose I have the behaviour in the screenshot because I did a first sync without the OU where I have the computers, and then added them to the sync; what I expected, even with these 2 steps, was that after some time I would have only one notebook per user, with hybrid registration; I can't disable the Azure AD Registered ones because I've seen that the apps on them become unusable.
Hope to have clarified.
- mikhailf (Steel Contributor)
Hello Marco,
It is expected behavior. When you added a device for the first time, it was registered. Then you reconfigured it and it became Hybrid Azure AD Joined. AAD sees this device as a new one with a new ObjectID (DeviceID) in Azure. Because of that ObjectID (DeviceID), you see two devices with the same name.
You have "Columns" in the upper panel. Click on it and look for "Last Activity" or "Last Check-in"; thereby you will be able to see which devices are in use and which are not. I assume that the registered devices will not be in use. When you have ensured that the registered devices are not in use (not connecting to AAD), you can remove them.
I removed Registered devices several times and didn't have any issues with them. You can check this article to find out more about the Registered to Hybrid Azure AD Joined change: "Handling devices with Azure AD registered state": "Any existing Azure AD registered state for a user would be automatically removed after the device is hybrid Azure AD joined and the same user logs in."
I hope this helps you.
It is good that it's a lab environment. You can try everything 🙂
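One way to script the check mikhailf describes (look at last activity, then consider only the registered twins that are no longer in use), as an added Python example that is not from the thread or from Microsoft: it assumes device records shaped like Microsoft Graph device objects (displayName, trustType, approximateLastSignInDateTime) and a constructed sample set modelled on the lab above, and it only reports candidates, it deletes nothing.

```python
from datetime import datetime, timedelta, timezone

# Microsoft Graph 'trustType' values: "Workplace" = Azure AD registered,
# "ServerAd" = hybrid Azure AD joined ("AzureAd" = Azure AD joined, not relevant here).
REGISTERED = "Workplace"
HYBRID = "ServerAd"

def dev(dev_id, name, trust, last):
    """Build a record shaped like a Microsoft Graph device object (only the fields used here)."""
    return {"id": dev_id, "displayName": name, "trustType": trust,
            "approximateLastSignInDateTime": last}

# Constructed sample data modelled on the lab in the thread: not a real tenant export.
NOW = datetime(2023, 4, 10, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    dev("dev-1", "MGMT-NB01", REGISTERED, "2023-01-05T08:00:00Z"),  # stale twin
    dev("dev-2", "MGMT-NB01", HYBRID, "2023-04-09T07:30:00Z"),
    dev("dev-3", "MKT-NB02", REGISTERED, "2023-04-08T10:00:00Z"),   # still in use
    dev("dev-4", "MKT-NB02", HYBRID, "2023-04-09T09:00:00Z"),
    dev("dev-5", "mgmt-nb03", REGISTERED, None),                    # never checked in
    dev("dev-6", "MGMT-NB03", HYBRID, "2023-04-01T12:00:00Z"),
    dev("dev-7", "SALES-NB04", REGISTERED, "2022-11-01T12:00:00Z"), # no hybrid twin
]

def parse_ts(value):
    """Graph returns ISO-8601 with a trailing Z; return an aware datetime or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_stale_duplicates(devices, now=None, stale_days=90):
    """Ids of Azure AD registered entries that share a name with a hybrid-joined entry
    and have not checked in within stale_days (or never). Hybrid entries and registered
    devices without a hybrid twin are never flagged."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=stale_days)
    by_name = {}
    for d in devices:
        by_name.setdefault(d["displayName"].lower(), []).append(d)  # names are case-insensitive
    flagged = []
    for group in by_name.values():
        if not any(d["trustType"] == HYBRID for d in group):
            continue  # never hybrid joined, so this is not a duplicate entry
        for d in group:
            if d["trustType"] != REGISTERED:
                continue
            last = parse_ts(d.get("approximateLastSignInDateTime"))
            if last is None or last < cutoff:
                flagged.append(d["id"])
    return sorted(flagged)
```

Review the returned ids against the portal's "Last Activity" column before removing anything; a registered entry with recent activity (dev-3 above) is still in use and is left alone.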
- aexlz (Brass Contributor)
Regarding your first question:
You will experience tons of AAD-registered devices in AAD over the time.
If some device is not used for a specific timeframe it becomes "stale".
Even if the status changed to HAAD, the old entry is not just altered, but a new device entry is created and the old one remains.
You have to get rid of them with maintenance tasks.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices
- MarcoMangianteIM (Brass Contributor)
Hello aexlz,
Ok, I understood this, but it seems that the hybrid ones do not get rid of the Azure AD registered ones, so if I disable one of them, I can't use the apps on it because I can't access them with the 365 user and password.