Force sync Active Directory & Microsoft
Posted by Ok-Imagination1829@reddit | sysadmin | 31 comments
Is there a way to force a sync between Active Directory and Office 365 when a new user is created in Active Directory? I'm tired of waiting for it to sync.
Any advice would be appreciated.
IcariteMinor@reddit
Look, everybody starts somewhere, but have you considered just looking at the documentation of the products you're using? Do people still know how to do that? How on earth are you unable to figure something out that bugs you this much to the point that you had to ask on reddit?
lexbuck@reddit
Hell a 5 second google would give the answer
40513786934@reddit
reddit is easier
rejectionhotlin3@reddit
You can call a PowerShell command for the Azure AD sync to force a sync: Start-ADSyncSyncCycle -PolicyType Delta
Hollow3ddd@reddit
Never found a solid delay on script or detect user am check every X minutes to integrate into a hybrid script
Adam_Kearn@reddit
A delta sync using that command is the best way
I would look into automating your user creation if possible.
Link it up to your HR system for the “source of truth” and have it run every night to pull changes/updates in. Then by the morning it should be fully created.
TYGRDez@reddit
My company's HR system is a filing cabinet full of paper.
Is there an API available that I can use to connect this cabinet to 365? 🙃
Randalldeflagg@reddit
I believe this API is called Susan. It's a bit of a slower process.
TYGRDez@reddit
Is Susan related to Claude?
Randalldeflagg@reddit
Most likely
rejectionhotlin3@reddit
So long as Azure AD sync is configured to automatically do a sync, it generally shows up within 15-20 minutes for us.
AppIdentityGuy@reddit
Interesting little titbit: if you leave the AAD Connect admin console open, the sync operation doesn't actually run. As far as I know, even if you set the schedule to less than 30 mins it only runs every 30 mins...
Entegy@reddit
It straight up tells you syncs are suspended while the config panel is open.
AppIdentityGuy@reddit
And you know how many times I've seen it left open. 😁😁
ItaJohnson@reddit
You just need to identify the device running the Azure client.
CeC-P@reddit
We run that command so often, we just open PowerShell and hit the up arrow.
Professional_Ad_6463@reddit
Yup same
krilu@reddit
I just tried this and it rebooted my server!
-OP, probably
Spiritual-Yam-1410@reddit
make sure the user is in a synced OU
I’ve seen this happen where the account is created but not in scope for AAD Connect
Man-e-questions@reddit
Yeah good point. And also a good point to check and disable OUs that shouldn’t be synced. I worked at an MSP and a lot of companies are syncing service accounts etc that have no business syncing, and are just attack vectors, oftentimes with passwords that don’t expire and are stored in a file that get emailed between devs etc
krilu@reddit
Side question: Is there a known way to maliciously use an account with no license assigned, and is not a shared mailbox? Like doesn't the account just kinda do nothing?
Jagster_GIS@reddit
Even with the delta update via PowerShell, it still takes 30 minutes for it to show up and be usable for things like adding mailbox delegation rights etc.
MalletNGrease@reddit
When I was still using AD I kicked off
on the host running Entra Connect at the end of the user creation script.
Did the same on offboarding events.
reducto85@reddit
Run PowerShell as admin.
JwCS8pjrh3QBWfL@reddit
If you're on Entra Connect, you can move user syncing over to Entra Cloud Sync, which syncs every two minutes instead of 30 and you can have multiple copies of it in your domain(s) rather than just the one.
TechIncarnate4@reddit
I believe the recommended lowest delta sync time is 30 minutes. I think this is a process thing more than anything. A user should be able to be provisioned far enough that the 30-minute wait shouldn't matter.
For one-off requests or for service accounts or other oddball items, the PowerShell command to force a sync should work fine. In my mind, this should be very rarely needed. Also, a Google search should find this answer in 10 seconds.
AtomicXE@reddit
Um, create the user using a PowerShell script and have the sync command built into the onboarding script.
PDQ_Brockstar@reddit
You could run this
Start-ADSyncSyncCycle -PolicyType Delta
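The following is an added example of how the delta-sync command from the answers above can be wired into an onboarding script, as AtomicXE suggests; it is not code from any commenter. It runs on (or remotes into) the host with the ADSync module installed, refuses to start when the scheduler is suspended by an open configuration wizard (the situation AppIdentityGuy and Entegy describe), waits for any cycle already in progress (Start-ADSyncSyncCycle errors out if one is running), and optionally checks that the new account's DN falls inside an OU the AD connector actually syncs (Spiritual-Yam-1410's point). The host name is a placeholder, and the `Partitions.ConnectorPartitionScope.ContainerInclusionList` path used for the OU check is my assumption about the shape of the Get-ADSyncConnector object; verify it against your installation before relying on it.

```powershell
# Added example: trigger an Entra Connect / AAD Connect delta sync from an onboarding
# script and block until the cycle finishes. Requires the ADSync module on the sync host
# and an account with rights to run the cycle there. Not taken from the thread.
param(
    [string]$SyncHost = 'aadconnect01.corp.example',                      # placeholder host name
    [ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta',
    [string]$UserDn = '',                                                 # optional: DN of the new user
    [int]$TimeoutSeconds = 600
)

$work = {
    param($PolicyType, $UserDn, $TimeoutSeconds)
    Import-Module ADSync -ErrorAction Stop

    $sched = Get-ADSyncScheduler
    if ($sched.SchedulerSuspended) {
        throw 'Scheduler is suspended (the AAD Connect configuration wizard is probably open). Close it and retry.'
    }
    if (-not $sched.SyncCycleEnabled) {
        Write-Warning 'Scheduled sync is disabled; the manual cycle will still run.'
    }

    # Optional scope check: warn if the DN is outside every OU the AD connector includes.
    # ASSUMPTION: partition scope is exposed as Partitions.ConnectorPartitionScope.ContainerInclusionList.
    if ($UserDn) {
        $adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1
        $included = @($adConnector.Partitions | ForEach-Object { $_.ConnectorPartitionScope.ContainerInclusionList })
        $inScope = $included | Where-Object { $UserDn.ToLower().EndsWith($_.ToLower()) }
        if ($included.Count -gt 0 -and -not $inScope) {
            throw "$UserDn is not under any synced OU; a sync cycle will not provision it."
        }
    }

    # Start-ADSyncSyncCycle fails if a cycle is already running, so wait for it first.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the running sync cycle.' }
        Start-Sleep -Seconds 10
    }

    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null

    # Wait for our own cycle to finish so the caller knows the object has been exported.
    Start-Sleep -Seconds 5
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "Timed out waiting for the $PolicyType sync to finish." }
        Start-Sleep -Seconds 10
    }
    return "$PolicyType sync completed at $(Get-Date -Format o)"
}

# Run locally when this is the sync host, otherwise remote into it.
if ($env:COMPUTERNAME -ieq $SyncHost.Split('.')[0]) {
    & $work $PolicyType $UserDn $TimeoutSeconds
} else {
    Invoke-Command -ComputerName $SyncHost -ScriptBlock $work -ArgumentList $PolicyType, $UserDn, $TimeoutSeconds
}
```

Call it at the end of the user-creation script, e.g. `.\Invoke-OnboardingSync.ps1 -UserDn $newUser.DistinguishedName`, and keep `-PolicyType Delta` as the default: an Initial cycle re-reads every object and is rarely worth the load for a single new account.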
AtomicXE@reddit
^^^
PDQ_Brockstar@reddit
Love how the previous responses didn't show up until I clicked comment lol
MushyBeees@reddit
Yes. “Start-adsyncsynccycle -policytype initial” run on the host with ad connect installed will trigger an instant, full sync.