
Azure AD Connect: Top 10 PowerShell Commands for Monitoring & Management

Anil K · 4 min read
Tags: azure-ad-connect, microsoft-entra-id, powershell, hybrid-identity, adsync, sync, sysadmin, commands

[Figure: Azure AD Connect synchronising on-premises Active Directory with Microsoft Entra ID]

Azure AD Connect (now named Microsoft Entra Connect Sync) is the backbone of hybrid identity for organisations that run both on-premises Active Directory and Microsoft's cloud services. Whether you're synchronising users, managing password hash sync, or troubleshooting sync failures, understanding how to monitor and manage Azure AD Connect with PowerShell is essential.

This guide provides a clear overview of Azure AD Connect, followed by the top 10 most commonly used PowerShell commands — all explained in a practical, admin-friendly way.

What Is Azure AD Connect?

Azure AD Connect is Microsoft's synchronisation tool that links your on-premises Active Directory with Microsoft Entra ID. It ensures identity consistency across cloud and on-prem environments.

Key capabilities include:

  • Directory Synchronisation (users, groups, devices)
  • Password Hash Sync (PHS) or Pass-Through Authentication (PTA)
  • Federation support (AD FS)
  • Password writeback
  • Health monitoring
  • Hybrid identity lifecycle management

Azure AD Connect installs PowerShell modules on the sync server, including:

  • ADSync (the sync engine cmdlets used throughout this guide)
  • ADSyncConfig and ADSyncTools (helper modules under the installation folder, for tasks such as preparing connector accounts and troubleshooting)

Cloud-side checks use a separately installed module. Microsoft Graph PowerShell is the current one; the MSOnline and AzureAD modules are retired and should not be used for new scripts.

For the authoritative reference, see Microsoft's Azure AD Connect documentation.


Top 10 PowerShell Commands for Managing Azure AD Connect

Below are the most frequently used commands for monitoring, troubleshooting, and managing Azure AD Connect in real-world environments.

1. Check the current sync scheduler configuration

Get-ADSyncScheduler

Why it matters: This command shows whether the scheduler is enabled (SyncCycleEnabled), whether a cycle is running right now (SyncCycleInProgress), the effective interval (30 minutes by default), the next cycle's start time in UTC, and whether the server is in staging mode (StagingModeEnabled). It's the first place to look when sync timing seems off. A server in staging mode imports and synchronises but never exports, which is easy to mistake for a broken sync.

2. Run a delta sync (most common daily operation)

Start-ADSyncSyncCycle -PolicyType Delta

Use case: Triggers a cycle that imports and exports only changed objects, the same cycle the scheduler runs on its interval. Run it after modifying a user, group, or attribute rather than waiting. If a cycle is already in progress the cmdlet fails instead of queueing, so check SyncCycleInProgress first.

3. Run a full sync

Start-ADSyncSyncCycle -PolicyType Initial

Use case: Runs a full import and full synchronisation on every connector, so it is slower than a delta and can stage many changes at once. Because filtering changes can turn into bulk deletions in Microsoft Entra ID, review the pending export (and keep the deletion threshold enabled) before the full cycle runs. Required after major configuration changes such as:

  • OU filtering updates
  • Attribute mapping changes
  • Connector configuration changes

4. Check the installed Azure AD Connect version

(Get-Item "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe").VersionInfo

Why it matters: The sync engine's file version is the Azure AD Connect build, so you can compare it with Microsoft's release history. Version mismatches between servers can cause sync issues or missing features, and an out-of-date build means unpatched fixes on a Tier 0 server, so this check is essential for patching and compliance.

5. List all connectors

Get-ADSyncConnector

Use case: Displays every configured connector (the on-premises AD DS forests and the Microsoft Entra ID connector) with its Name and Identifier, which other ADSync cmdlets take as parameters.

6. View a connector's run profiles

Get-ADSyncRunProfile -ConnectorName "<ConnectorName>"

Why it matters: Lists the run profiles defined on a connector (Full Import, Delta Import, Full Synchronization, Delta Synchronization, Export) and their steps, which helps diagnose misconfigured profiles and slow cycles. It does not show past runs: the outcome of each run, including errors and the deletion-threshold stop, is in Synchronization Service Manager under Operations, or from the run history cmdlets in the ADSync module.
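The following is an added example (not code from the original article) that combines commands 1, 4, 5 and 6 into one read-only health report: scheduler state, staging mode, build version, and the most recent run results per connector, pulled with Get-ADSyncRunProfileResult from the ADSync module. It assumes the ADSync module on the sync server, the default installation path, and a session run by a member of the local ADSyncAdmins group; the StaleMinutes default is an arbitrary choice.

```powershell
# Added example: read-only sync health report for an Azure AD Connect server.
# Assumes: ADSync module available, default install path, run as ADSyncAdmins member.
Import-Module ADSync -ErrorAction Stop

function Get-ADSyncHealthReport {
    param(
        [int]$StaleMinutes = 60,       # flag a scheduler whose next cycle is this far overdue (assumed default)
        [int]$RunsPerConnector = 5     # how many recent runs per connector to inspect
    )

    $sched  = Get-ADSyncScheduler
    $exe    = 'C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe'
    $build  = (Get-Item $exe).VersionInfo.ProductVersion
    $issues = [System.Collections.Generic.List[string]]::new()

    if (-not $sched.SyncCycleEnabled) { $issues.Add('Scheduler is disabled: nothing syncs automatically') }
    if ($sched.StagingModeEnabled)    { $issues.Add('Server is in staging mode: it imports but never exports') }
    if ($sched.SchedulerSuspended)    { $issues.Add('Scheduler is suspended (usually an upgrade in progress)') }

    # A scheduler that is enabled but whose next start time is long past is stuck or the service is down
    $overdue = ([DateTime]::UtcNow - $sched.NextSyncCycleStartTimeInUTC).TotalMinutes
    if ($sched.SyncCycleEnabled -and $overdue -gt $StaleMinutes) {
        $issues.Add(('Next cycle was due {0:N0} minutes ago' -f $overdue))
    }

    # Run history per connector; anything other than "success" is worth a look
    $runs = foreach ($c in Get-ADSyncConnector) {
        Get-ADSyncRunProfileResult -ConnectorId $c.Identifier -NumberRequested $RunsPerConnector |
            ForEach-Object {
                if ($_.Result -ne 'success') {
                    $issues.Add("$($c.Name): run $($_.RunNumber) ended '$($_.Result)' at $($_.EndDate)")
                }
                [pscustomobject]@{
                    Connector = $c.Name
                    RunNumber = $_.RunNumber
                    Result    = $_.Result
                    Start     = $_.StartDate
                    End       = $_.EndDate
                }
            }
    }

    [pscustomobject]@{
        Build            = $build
        SyncCycleEnabled = $sched.SyncCycleEnabled
        StagingMode      = $sched.StagingModeEnabled
        InProgress       = $sched.SyncCycleInProgress
        Interval         = $sched.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc     = $sched.NextSyncCycleStartTimeInUTC
        Issues           = $issues
        RecentRuns       = $runs
    }
}

# Usage
$report = Get-ADSyncHealthReport
$report | Select-Object Build, SyncCycleEnabled, StagingMode, InProgress, Interval, NextCycleUtc | Format-List
if ($report.Issues.Count) { Write-Warning ("Issues found:`n - " + ($report.Issues -join "`n - ")) }
$report.RecentRuns | Sort-Object End -Descending | Format-Table -AutoSize
```

Run it from a scheduled task or a monitoring agent and alert on a non-empty Issues list; the run result strings (for example stopped-deletion-threshold-exceeded or completed-export-errors) tell you which of the symptoms listed later in this article you are dealing with.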

7. Export Azure AD Connect configuration

Export-ADSyncServerConfiguration -Path "C:\ADConnectConfig"

Use case: Writes the server's configuration (connectors, OU filtering, sync rules and attribute flows, global settings) as JSON files in the folder. Critical for backup, disaster recovery, and staging-server deployment. The export contains no passwords, but it is a complete description of your identity pipeline, so store it with the same access controls as the server itself.

8. Import Azure AD Connect configuration

Import-ADSyncServerConfiguration -Path "C:\ADConnectConfig"

Use case: Used when rebuilding a server or deploying a secondary staging server from an export. The installation wizard's "Import synchronization settings" option consumes the same exported JSON on a fresh install, which is the documented path. Do not import onto a server that is already configured and exporting, and keep the new server in staging mode until you have compared its pending export with the existing server's.
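As an added example for commands 7 and 8 (not code from the original article), this script exports the configuration into a timestamped folder that is locked down before anything is written, then records a SHA-256 manifest so the export can be verified before it is imported on a rebuild or staging server. It assumes the ADSync module, a local folder under C:\ADConnectConfig, and that SYSTEM plus the local Administrators group are the only principals that should read the export; the folder naming and manifest file name are my choices.

```powershell
# Added example: protected export of the Azure AD Connect configuration, with integrity manifest.
# Assumes: ADSync module, local path, run as a local administrator.
Import-Module ADSync -ErrorAction Stop

function Backup-ADSyncConfiguration {
    param([string]$Root = 'C:\ADConnectConfig')   # assumed backup root

    $dest = Join-Path $Root ('{0}-{1:yyyyMMdd-HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Lock the folder down BEFORE writing: the export describes the whole identity pipeline
    # (connectors, OU scope, attribute flows, sync rules). Drop inherited ACEs, keep only
    # SYSTEM and local Administrators.
    $acl = Get-Acl -Path $dest
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dest -AclObject $acl

    Export-ADSyncServerConfiguration -Path $dest

    # Hash every exported file; verify the manifest before importing elsewhere.
    $manifest = Join-Path $dest 'SHA256SUMS.txt'
    Get-ChildItem -Path $dest -File -Recurse |
        Where-Object FullName -ne $manifest |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { '{0}  {1}' -f $_.Hash, $_.Path.Substring($dest.Length + 1) } |
        Set-Content -Path $manifest -Encoding ASCII

    return $dest
}

function Test-ADSyncConfigurationBackup {
    param([Parameter(Mandatory)][string]$Path)
    $manifest = Join-Path $Path 'SHA256SUMS.txt'
    $bad = foreach ($line in Get-Content -Path $manifest) {
        $hash, $relative = $line -split '  ', 2
        $file = Join-Path $Path $relative
        if (-not (Test-Path $file) -or (Get-FileHash -Algorithm SHA256 -Path $file).Hash -ne $hash) { $relative }
    }
    if ($bad) { throw "Modified or missing files in $Path`: $($bad -join ', ')" }
    "Backup at $Path verified"
}

# Usage
$backup = Backup-ADSyncConfiguration
Test-ADSyncConfigurationBackup -Path $backup
```

Copy the manifest to a second location (a ticket, a secrets vault, a signed commit) so a tampered export cannot simply carry a regenerated manifest with it.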

9. Manage the deletion threshold

# Check threshold
Get-ADSyncExportDeletionThreshold

# Disable threshold
Disable-ADSyncExportDeletionThreshold

# Enable threshold
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

Note: These cmdlets change a tenant-wide setting and prompt for Microsoft Entra credentials with rights to manage directory synchronisation. When you enable or disable the threshold, run a delta sync afterwards so the pending export is processed:

Start-ADSyncSyncCycle -PolicyType Delta

Why it matters: The threshold (500 objects by default) prevents accidental mass deletions in Microsoft Entra ID, for example after an OU filter change or a forest-level mistake. If an export would delete more objects than the threshold, that export is stopped with the status stopped-deletion-threshold-exceeded and nothing is deleted; imports and synchronisation keep running, so the server can look healthy while exports fail. Before disabling the threshold, inspect the pending deletes in Synchronization Service Manager (Connectors → Search Connector Space, scope Pending Export, Delete) and confirm they are intended, and re-enable the threshold in the same change window.

10. Enable or disable the sync scheduler

# Disable
Set-ADSyncScheduler -SyncCycleEnabled $false

# Enable
Set-ADSyncScheduler -SyncCycleEnabled $true

Use case: Useful during maintenance windows or when performing bulk AD changes. Disabling the scheduler stops new cycles from starting but does not interrupt one already running, so wait until SyncCycleInProgress is false before changing configuration. Manual Start-ADSyncSyncCycle runs still work while the scheduler is disabled. Remember to re-enable it afterwards: a disabled scheduler leaves the tenant drifting from on-premises.
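The following is an added example (not code from the original article) that strings commands 3, 9 and 10 together into one maintenance-window procedure: pause the scheduler, wait for the running cycle to finish, apply a change, run a full cycle, check the Microsoft Entra connector's runs for anything other than success, and only then re-enable the scheduler. The deletion threshold is lifted only when the operator explicitly asks for it and is restored in a finally block. It assumes the ADSync module and that the Microsoft Entra connector keeps the installer's default name ending in "- AAD"; the -Change script block is a placeholder for your real change.

```powershell
# Added example: guarded maintenance window for Azure AD Connect configuration changes.
# Assumes: ADSync module, Entra connector named "* - AAD" (installer default), interactive session
# (the deletion-threshold cmdlets prompt for Microsoft Entra credentials).
Import-Module ADSync -ErrorAction Stop

function Wait-ADSyncIdle {
    param([int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "Sync cycle still running after $TimeoutMinutes minutes" }
        Start-Sleep -Seconds 15
    }
}

function Invoke-ADSyncMaintenance {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][scriptblock]$Change,   # the configuration change to apply
        [switch]$AllowDeletions,                      # lift the deletion threshold for this cycle only
        [int]$RestoreThreshold = 500,                 # product default
        [int]$TimeoutMinutes = 240                    # full syncs on large forests take a while
    )

    $aad = Get-ADSyncConnector | Where-Object Name -like '* - AAD' | Select-Object -First 1
    if (-not $aad) { throw 'Microsoft Entra connector not found (name does not end in "- AAD")' }
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Pause scheduler, apply change, run full sync')) { return }

    # Highest run number so far, so new runs can be told apart from old ones afterwards
    $lastBefore = [int](Get-ADSyncRunProfileResult -ConnectorId $aad.Identifier -NumberRequested 10 |
        Measure-Object -Property RunNumber -Maximum).Maximum

    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        Wait-ADSyncIdle -TimeoutMinutes $TimeoutMinutes   # disabling the scheduler does not stop a running cycle
        & $Change

        if ($AllowDeletions) { Disable-ADSyncExportDeletionThreshold }
        Start-ADSyncSyncCycle -PolicyType Initial | Out-Null   # full import, full sync, export
        Start-Sleep -Seconds 30                                # let the cycle register as in progress
        Wait-ADSyncIdle -TimeoutMinutes $TimeoutMinutes

        $bad = Get-ADSyncRunProfileResult -ConnectorId $aad.Identifier -NumberRequested 10 |
            Where-Object { $_.RunNumber -gt $lastBefore -and $_.Result -ne 'success' }
        if ($bad) {
            $bad | ForEach-Object { Write-Warning "Entra connector run $($_.RunNumber): $($_.Result)" }
            throw 'Full sync finished with errors'
        }
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }
    catch {
        Write-Warning "Scheduler left disabled for investigation: $_"
        throw
    }
    finally {
        # Always put the guardrail back, even if the cycle failed or the operator cancelled
        if ($AllowDeletions) { Enable-ADSyncExportDeletionThreshold -DeletionThreshold $RestoreThreshold }
    }
}

# Usage (placeholder change; substitute the real OU-filter or sync-rule change)
Invoke-ADSyncMaintenance -Change { Write-Host 'apply configuration change here' }
```

On failure the scheduler stays off on purpose: an automatic re-enable would push a broken configuration to the tenant every 30 minutes, and a stopped-deletion-threshold-exceeded result in the warnings is exactly the case where you want to look before anything leaves the server.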


Additional Helpful Details for Admins

Common symptoms of sync issues

  • Users not appearing in Microsoft 365
  • Passwords not updating
  • Groups missing in cloud apps
  • Large numbers of unexpected deletions
  • Sync scheduler stuck or disabled

Where to check logs

  • Synchronisation Service Manager (miisclient.exe), Operations tab, for the result of each run
  • Event Viewer → Windows Logs → Application, filtered on the sources Directory Synchronization and ADSync (password hash sync events are logged here too)
  • Microsoft Entra Connect Health portal (if enabled)
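An added example (not from the original article) for the Event Viewer item above: a quick summary of the sync engine's errors and warnings from the Application log over the last 24 hours, grouped by event ID so that a repeating failure stands out from a one-off. It assumes the Application log on the sync server and the two provider names the engine writes under; the 24-hour window is an arbitrary default.

```powershell
# Added example: summarise Azure AD Connect errors and warnings from the Application log.
# Assumes: run on the sync server, providers "Directory Synchronization" and "ADSync".
function Get-ADSyncRecentEvents {
    param(
        [int]$Hours = 24,
        [string[]]$Provider = @('Directory Synchronization', 'ADSync')
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = $Provider
        Level        = 1, 2, 3                      # Critical, Error, Warning
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "no events found" as a non-terminating error; treat that as a clean result
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        "No errors or warnings from $($Provider -join ', ') in the last $Hours hours"
        return
    }
    $events | Group-Object -Property Id | Sort-Object -Property Count -Descending | ForEach-Object {
        $newest = $_.Group | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Level   = $newest.LevelDisplayName
            Newest  = $newest.TimeCreated
            Message = ($newest.Message -split "`r?`n")[0]   # first line of the newest occurrence
        }
    }
}

# Usage
Get-ADSyncRecentEvents | Format-Table -AutoSize -Wrap
```

Forward the same events to your SIEM: a sudden burst of export errors, or password hash sync warnings that stop appearing altogether, are both worth a detection rule on a Tier 0 server.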

Best practices

  • Always run a delta sync after user or group changes
  • Run a full sync only when necessary, and review the pending export first
  • Keep Azure AD Connect updated
  • Use a second server in staging mode as a warm standby; only one server may export to the tenant, so a switchover means taking the active server out of service and the standby out of staging mode
  • Treat the sync server as a Tier 0 asset: with password hash sync the AD DS connector account holds directory replication rights and the server's database holds the sync metaverse, so restrict logon and administration to it as you would a domain controller
  • Monitor sync health regularly