Azure AD Connect
17 Topics

Error event logs from ADSync - How to troubleshoot
First, we are using the latest ADSync as of this post, 1.4.38.0. As far as we can tell nothing is broken. The only purpose of this tool is to allow Office 365 to be assigned to our domain users and verify licencing / entitlements. We are not doing anything else in the cloud, and our Exchange and Skype for Business are on prem at this point. We are getting these logs from our server called ADFS1, which has the ADSync tool installed. I'm not sure what to do with them because it seems everything is working fine. I would like to know if there's a way to silence these alerts without filtering them out of our EventSentry log management system. We are just tired of seeing these alerts in our email. Below is a sample of what we see multiple times a day, about once every hour. Any ideas?

EVENT # 5182516
EVENT LOG Application
EVENT TYPE Error
OPCODE Info
SOURCE ADSync
CATEGORY Server
EVENT ID 6311
DATE / TIME 2/21/2020 10:42:46 AM
COMPUTERNAME ADFS1
MESSAGE The server encountered an unexpected error while performing a callback operation. "ERR_: MMS(6640): ..\ma.cpp(4898): Completing apply rules step has failed. Azure AD Sync 1.4.38.0"

EVENT # 5182517
EVENT LOG Application
EVENT TYPE Error
OPCODE Info
SOURCE ADSync
CATEGORY Server
EVENT ID 6401
DATE / TIME 2/21/2020 10:42:46 AM
COMPUTERNAME ADFS1
MESSAGE The management agent controller encountered an unexpected error. "ERR_: MMS(6640): ..\crcntrl.cpp(336): Completing synchronization run step has failed. Azure AD Sync 1.4.38.0"

EVENT # 5182518
EVENT LOG Application
EVENT TYPE Warning
OPCODE Info
SOURCE ADSync
CATEGORY Management Agent Run Profile
EVENT ID 6100
DATE / TIME 2/21/2020 10:42:46 AM
COMPUTERNAME ADFS1
MESSAGE The management agent "domain.com" step execution completed on run profile "Delta Synchronization" with errors.
Additional Information
Discovery Errors : "0"
Synchronization Errors : "1"
Metaverse Retry Errors : "0"
Export Errors : "0"
Warnings : "0"
User Action: View the management agent run history for details.

How to change Directory sync service account in AAD connect?
Since the Global admin account and the Service account are the same, we are not able to apply MFA on it. Hence we want to change the Sync service account. We tried to reconfigure the setting, but the dirsync service account is still the same, i.e. Global admin.

AD Connect attribute-based filter on proxyaddresses
Hello, I would like to create an attribute-based filter. The goal is to only synchronize users with a proxyaddresses ending with @mytestdomain.com, @myothertestdomain.com and @mydomain.onmicrosoft.com. However, after reviewing the documentation from the link below, I am left with more questions. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering I was thinking about implementing a "positive filter". The section for "positive filter" states that we must "override the default filter in the out-of-box rule In from AD - User Join". After examining the default rule "In from AD - User Join", that rule has a link type set to Provision. However, the example states to set the link type to Join. That default rule appears to filter out critical system objects and a few other accounts, so I want to make sure I don't mess things up. I'm not sure if I should just leave this rule in place and create rules with a lower precedence; duplicate it, disable the original rule, follow the instructions and change the link type; or do something else completely. It seems like filtering based on the proxyaddresses attribute might be something fairly common to do, but I can't seem to find much on this topic. Anyone have any ideas?

ADConnect - Directory sync service account is WRONG
Hello Community, I hope someone has had this problem before, because I am stuck. My Office tenant was synchronized about a year ago with an Active Directory... let's call it DIR-A. This sync was terminated so that the users are cloud only. Now the sync has to be rebuilt, but with another Active Directory... let's call it DIR-B. I know the issue with the Immutable ID and have had this scenario a few times. Unfortunately, from my point of view, a completely new problem has arisen. I have successfully installed ADConnect and started the sync. I then looked at the sync status in the cloud and saw that the "Directory sync service account" which is created by ADConnect (Sync_NameOfTheServer) is the old account from the old Active Directory DIR-A. But the account and the AD no longer exist... so it has to be saved in the cloud. The sync of course brings me nothing if this account cannot be deleted / overwritten. Microsoft support has sent me a link to see the password back at the local AD account... but with no success. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-serviceacct-pass#provide-the-password-of-the-ad-ds-connector-account Has anyone had this problem before? Thanks for the information and help, skykitchen

Mix Password Sync and ADFS - multiple Forests
Hi, we have an Office 365 tenant configured with Password Sync and Single Sign On enabled, which works fine. Now we want to integrate a child company with a new forest, which should work with AD Connect. The child company already has an Office 365 tenant with ADFS enabled. So now my question is: when I add the new forest to our AD Connect server, could I configure the different domain to work with the existing ADFS infrastructure and leave our domain configured for Password Sync? Thanks, Michael

The MFA message will be automatically turned on for all users
Hello, I received a message in my email: "Default security settings for your tenant will turn on on Tuesday, February 13, 2024. This setting will enable MFA for all users." My company is not ready for all users to use MFA. I found a tutorial where you can create a conditional policy that allows you to set an exception. The problem is that the option is not available; we use basic licenses. So is there an option like turning off MFA and leaving it on for some users? Thank you for your help.

Additional Microsoft 365 users not showing as registered users on an Entra ID joined device
Most of our clients are on M365 these days, and they consist of the following variations in how they integrate:

1. On-prem AD with no Entra ID sync to M365.
2. On-prem AD with Entra ID sync to M365 but no hybrid connection for devices.
3. On-prem AD with Entra ID sync and hybrid connection for devices with Intune.
4. No on-prem AD with all devices connected directly to Entra ID and Intune.

For clients using integration methods 1 and 2, we always see multiple device registrations in Entra ID, and for clients using integration method 3, we see a primary user that was used to hybrid join the device, along with additional users showing up as registered in Entra ID. However, we have just recently discovered that for clients that use method 4, i.e. they are 100% Entra ID with no on-prem AD, the only user that shows in Entra ID is the user that joined the device. Any other user that logs in and creates a profile on one of these machines is not recorded as a registered user in Entra ID for that device. So, for clients that use integration methods 1-3, if we want to remotely block access on a particular device for a specific user, we just need to delete their Entra ID registration for that device. However, for clients using method 4, we have no visibility of the additional user, nor can we remotely block a user in this scenario. Is this behaviour a current bug in the Entra ID join/register process? Or is this the expected behaviour? If the latter, then this seems to be a flaw in the join/register process.

Run AD sync with MFA user
Hi Team. I apply best practices for security in Office 365. I have a Global Admin user; this user does not have MFA. I want to enable MFA for this user. Will I have problems synchronizing AD Connect with this user, or does it not matter that MFA is enabled? Thanks,

Frequent Account lockouts
We have pass-through authentication set up and we see a lot of errors recently with the below process:

Process Information:
Caller Process ID: 0x8e4
Caller Process Name: C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe

Users are getting locked out too frequently. The auditing software points to the server where AD Connect is installed. I am not sure why this is happening but need your advice and suggestions please. Thank you all.

O365 Email Migration to Another Tenant while Deferring Migration of Sharepoint files
Hi, this is the context: ChildCompany has O365 and it has an Azure AD in hybrid mode synchronizing to an on-prem AD server. They have an internal domain ChildCompany.com and an external domain ChildCompany.com where they also receive and send email using O365. ParentCompany is going to absorb the ChildCompany some time next year, and I was asked about the integration options. According to this https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf I could do a phased migration, where the end state is that they decommission their on-prem AD and only use our ParentCompany systems. The business requirement is to start their integration with email, and then in later phases do the Sharepoint integration, as that requires way more analysis of their data sources; they also have wikis and many other on-prem legacy stuff. They are fewer than 50 users, so I can use Quest migration tools for the email part, but I wonder what needs to happen in what order. This is what I have in mind: migrate their current O365 into our ParentCompany Office 365 subscription, so that they can continue logging in to their domain-joined Windows machines using childCompany.co, and they start using ParentCompany.com email addresses; but the problem then is how can they continue using their Sharepoint and OneDrive resources associated with the Azure and local domain at ChildCompany.com? This is more or less what I have in mind for the intermediate step, the cutover:

Child Company                           ParentCompany
---------------------                   ----------------
On-Prem        | MS Cloud:            | MS Cloud:
---------------|----------------------|--------------
Local AD (ADFS)| Azure Subscription   | Azure Sub
               | Azure AD             | Azure AD
               |--------------------- |---------------------
               | O365 Sub          -> | O365 Sub
               | Exchange mailboxes-> | Exchange mailboxes
               | Sharepoint?       -> | ???
               | -------------------- |---------------------

I wonder how it could be possible to defer the Sharepoint and OneDrive migration, so that the child company users can still work on their Sharepoint files using their normal auth methods, while disabling childcompany.com as MX so they start using ParentCompany.com mailboxes. Is that even possible? Would it make more sense to try to migrate everything at once? That is way more work, but I'm weighing my options.