Microsoft Tech Community
SOLVED

AD Connect and powershell execution policy requirement

Copper Contributor

Hello,

We recently set up Azure/Entra AD Connect to sync our on-prem AD accounts with 365. While the setup went through successfully and the sync status in 365 was green, I started getting notifications about directory sync being paused. Then in the 365 admin there is a warning about directory sync not being completed after some period.

Looking in the Application Event log on our sync server, I saw Event 905s - Directory Synchronization:

 

Scheduler::SchedulerThreadMain : An error occured and scheduler run failed to perform all operation.

 System.Management.Automation.CmdletInvocationException: File C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1 cannot be loaded because running scripts is disabled on this system....

I changed the PowerShell execution policy to RemoteSigned (from the default of Restricted), and that cleared up the errors in the event log, and syncing seemed to start working normally.

So my question is: do I really need to have the PS execution policy on RemoteSigned machine-wide for Connect to function properly? I checked the properties of the PowerShell module referenced in the error message, AADConnector.psm1, and it is not marked as blocked.

Thanks

 

1 Reply
best response confirmed by MauryJ (Copper Contributor)
Solution

Hi @MauryJ,

 

Yes, the PowerShell execution policy does play a role in the functionality of Azure/Entra AD Connect. Here’s a detailed explanation and the best practices for configuring the execution policy to ensure your directory synchronization works smoothly.

Understanding PowerShell Execution Policies

PowerShell execution policies are designed to prevent the execution of scripts that could potentially harm your system. The default policy is usually Restricted, which does not allow any scripts to run.

Why RemoteSigned for AD Connect?

Azure/Entra AD Connect uses PowerShell scripts for its operations, including the script mentioned in your error (AADConnector.psm1). Setting the execution policy to RemoteSigned ensures that scripts downloaded from the internet must be signed by a trusted publisher before they can be run. This is generally a safe practice because it allows locally created scripts to run without being signed, while still protecting your system from potentially malicious remote scripts.

Setting Execution Policy to RemoteSigned

To ensure Azure/Entra AD Connect functions properly, you need to set the execution policy to RemoteSigned. Here’s how you can do it:

  1. Open PowerShell as Administrator:

     • Right-click on the PowerShell icon and select Run as Administrator.

  2. Set Execution Policy:

     Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

     This command sets the execution policy to RemoteSigned for the entire machine. The -Force parameter ensures that the command runs without prompting for confirmation.

  3. Verify Execution Policy:

     Get-ExecutionPolicy -List

     This command will display the execution policies for each scope. Ensure that LocalMachine is set to RemoteSigned.

Best Practices

  1. Review Script Sources: Ensure that any scripts downloaded from the internet are from trusted sources and are properly signed.

  2. Monitor Execution Policy Changes: Regularly check your execution policy to ensure it hasn’t been inadvertently changed.

  3. Least Privilege Principle: While RemoteSigned is necessary for AD Connect, avoid setting the execution policy to Unrestricted, which could expose your system to security risks.

 

Conclusion

Setting the PowerShell execution policy to RemoteSigned is required for Azure/Entra AD Connect to function properly, as it allows necessary scripts to run while still maintaining a level of security. By following the steps above, you can ensure that your directory synchronization continues to work without interruption.

 

If you have any further questions or need additional assistance, feel free to ask.

Please click Mark as Best Response & Like if my post helped you to solve your issue.

This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it Like.
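An added, read-only health check for the failure mode discussed in this thread (example code, not from the original posts or from Microsoft). It reports the execution policy per scope (a Group Policy scope overrides LocalMachine), whether AADConnector.psm1 is Authenticode-signed and carries a "downloaded" mark, and whether Event 905 with the "running scripts is disabled" text has recurred. The install path and event source are taken from the OP's event text; that the provider name is exactly "Directory Synchronization" is an assumption.

```powershell
# Added example, not from the original thread or from Microsoft. Read-only health check for
# the execution-policy failure in this thread; run in an elevated PowerShell on the sync server.
# Assumptions: install path and event source as quoted in the OP's Event 905 text.

$ModulePath = 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'

# 1. Policy per scope. MachinePolicy/UserPolicy (Group Policy) take precedence over LocalMachine,
#    so a GPO that sets Restricted brings the 905s back even after Set-ExecutionPolicy succeeded.
$scopes    = Get-ExecutionPolicy -List
$effective = Get-ExecutionPolicy
$scopes | Format-Table -AutoSize
Write-Host "Effective policy for this session: $effective"
if ($effective -eq 'Restricted') {
    Write-Warning 'Restricted is in effect; AADConnector.psm1 cannot be loaded under this policy.'
}
$gpo = $scopes | Where-Object {
    ("$($_.Scope)" -in @('MachinePolicy', 'UserPolicy')) -and ("$($_.ExecutionPolicy)" -ne 'Undefined')
}
if ($gpo) { Write-Warning "Group Policy is setting the execution policy in scope(s): $($gpo.Scope -join ', ')" }

# 2. Signature and download mark on the module. RemoteSigned demands a signature only for files
#    carrying a Zone.Identifier "downloaded" mark; a local, unblocked file runs even if unsigned.
if (Test-Path -LiteralPath $ModulePath) {
    $sig = Get-AuthenticodeSignature -FilePath $ModulePath
    [pscustomobject]@{
        File               = Split-Path -Path $ModulePath -Leaf
        SignatureStatus    = $sig.Status
        Signer             = $sig.SignerCertificate.Subject
        MarkedAsDownloaded = [bool](Get-Item -LiteralPath $ModulePath -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    } | Format-List
} else {
    Write-Warning "Module not found at $ModulePath (non-default install path?)"
}

# 3. Detection: Event 905 entries from the scheduler whose message matches the OP's error text.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'   # assumed to match the source shown in Event Viewer
    Id           = 905
    StartTime    = (Get-Date).AddDays(-7)
}
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'running scripts is disabled' })
Write-Host "Event 905 execution-policy failures in the last 7 days: $($hits.Count)"
$hits | Select-Object TimeCreated, @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

A non-zero count in step 3 after the LocalMachine change usually points at step 1: a Group Policy scope is still overriding the local setting.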
