PowerShell: Find Azure AD Connect Servers From On-Premise AD

Azure AD Connect is a prevalent topic of the day. However, it is best practice to only have one instance installed per Active Directory forest. Yup, this thing can serve multiple domains of an entire forest. In fact, transitive trusts between forests would enable a single instance of AD Connect to sync accounts from domains of different forests. Blah blah blah… Do not install multiple instances of this thing. Here are two ways to quickly locate the Azure AD Connect host(s) in your environment: one from on-premise Active Directory, one from Office 365.

Method 1: Search in Active Directory

# 1-liner to find the server(s) where AD Connect was used.
# AD Connect writes "... running on computer <SERVER> configured to synchronize to tenant ..." into the
# description of its MSOL_* account; the regex pulls the server name out of that sentence.
# Only emit $matches[1] when the match succeeds; a failed -match leaves the previous $matches in place.
(Get-ADUser -filter 'name -like "Msol*"' -Properties Description).Description | %{ if ($_ -match "computer\s(.+)\sconfigured") { $matches[1] } }

# Same thing with the regex kept in a variable so it can be reused
$regexMatchAdConnectServers = "computer\s(.+)\sconfigured"
$adConnectServers = (Get-ADUser -filter 'name -like "Msol*"' -Properties Description).Description | %{ if ($_ -match $regexMatchAdConnectServers) { $matches[1] } }

# Other variables: the account names, and a split-based alternative to the regex
$adConnectUsernames = (Get-ADUser -filter 'name -like "Msol*"').SamAccountName
$adConnectAccountDescriptions = (Get-ADUser -filter 'name -like "Msol*"' -Properties Description).Description
$adConnectAccountDescriptions | %{ $splitOnKeywordBefore = ($_ -split "computer ")[1]; $splitOnKeywordAfter = ($splitOnKeywordBefore -split " configured")[0]; $splitOnKeywordAfter }

# Sample run: list the account names, then dump one MSOL_* account in full (output follows)
PS C:\Windows> (Get-ADUser -filter 'name -like "Msol*"' -Properties Description).Name
PS C:\Windows> Get-ADUser -filter 'name -like "Msol*"' -Properties Description

Description : Account created by Microsoft Azure Active Directory Connect with installation identifier
xxxxxxxxxxxxxx running on computer ADFS configured to synchronize to
tenant kimconnect.com. This account must have directory replication permissions in the local Active
Directory and write permission on certain attributes to enable Hybrid Deployment.
DistinguishedName : CN=MSOL_6a1e57285b53,CN=Users,DC=intranet,DC=kimconnect,DC=com
Enabled : True
GivenName :
Name : MSOL_xxxxxxxxxxxxxx
ObjectClass : user
ObjectGUID : 3f6aa813-fe12-42fd-ab27-xxxxxxxxxxxxxx
SamAccountName : MSOL_xxxxxxxxxxxxxx
Surname :
UserPrincipalName :
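The one-liners above only look at the current domain. Since the post's whole point is "one AD Connect per forest", a forest-wide sweep that parses every MSOL_* description and warns when more than one enabled installation turns up is the check worth running. This is an added example, not code from the original post; it assumes the ActiveDirectory module, read access to user objects in every domain of the forest, and that the description text keeps the shape shown in the sample output above. The function and variable names (ConvertFrom-MsolDescription, Find-AdConnectServer, Test-SingleAdConnectInstance, $MsolDescriptionPattern) are my own.

```powershell
# Added example: forest-wide discovery of Azure AD Connect servers via their MSOL_* accounts.
# Assumes the ActiveDirectory module and rights to read user objects in each domain.

# AD Connect writes a fixed sentence into the MSOL_* account description; named groups pull out
# the installation id, the server it runs on and the tenant it syncs to.
$script:MsolDescriptionPattern = 'installation identifier (?<InstallId>\S+) running on computer (?<Server>\S+) ' +
                                 'configured to synchronize to tenant (?<Tenant>\S+)\.'

function ConvertFrom-MsolDescription {
    # Turns one MSOL_* user object (or a bare description string) into a flat record.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [string] $Domain = ''
    )
    process {
        $isString = $Account -is [string]
        $text = if ($isString) { $Account } else { $Account.Description }
        if ($text -notmatch $script:MsolDescriptionPattern) { return }   # not an AD Connect account
        [pscustomobject]@{
            Domain         = $Domain
            SamAccountName = if ($isString) { '' } else { $Account.SamAccountName }
            Enabled        = if ($isString) { $null } else { $Account.Enabled }
            Server         = $Matches.Server
            InstallId      = $Matches.InstallId
            Tenant         = $Matches.Tenant
        }
    }
}

function Find-AdConnectServer {
    # Queries every domain in the current forest and returns one record per MSOL_* account.
    [CmdletBinding()]
    param()
    Import-Module ActiveDirectory -ErrorAction Stop
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        try {
            Get-ADUser -Server $domain -Filter 'Name -like "MSOL_*"' -Properties Description, Enabled |
                ConvertFrom-MsolDescription -Domain $domain
        } catch {
            Write-Warning "Could not query ${domain}: $($_.Exception.Message)"
        }
    }
}

function Test-SingleAdConnectInstance {
    # Flags the "more than one AD Connect in the forest" condition the post warns about.
    # Disabled MSOL_* accounts (leftovers of an uninstalled server) are ignored for the count.
    param([Parameter(Mandatory)] [object[]] $Records)
    $servers = @($Records | Where-Object { $_.Enabled -ne $false } | Select-Object -ExpandProperty Server -Unique)
    if ($servers.Count -gt 1) {
        Write-Warning ("Multiple enabled AD Connect installations found: {0}" -f ($servers -join ', '))
    }
    $servers
}

# Constructed sample, modelled on the description shown in the post, so the parser can be
# exercised without a domain connection. Expect Server = ADFS and Tenant = kimconnect.com.
$sampleDescription = 'Account created by Microsoft Azure Active Directory Connect with installation identifier ' +
                     'xxxxxxxxxxxxxx running on computer ADFS configured to synchronize to tenant kimconnect.com. ' +
                     'This account must have directory replication permissions in the local Active Directory ' +
                     'and write permission on certain attributes to enable Hybrid Deployment.'
$sampleDescription | ConvertFrom-MsolDescription | Format-List

# Live run against the forest:
# $records = Find-AdConnectServer
# $records | Format-Table Domain, SamAccountName, Enabled, Server, Tenant
# Test-SingleAdConnectInstance -Records $records
```

Keeping disabled accounts in the report (but out of the count) is deliberate: a disabled MSOL_* account still carries the replication rights AD Connect granted it, so it is worth knowing about even though it no longer points at a live sync server.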

Method 2: Search on Office 365

# Office 365 Global Admin Credential
$username = "globaladmin@yourtenant.onmicrosoft.com"   # placeholder, replace with your admin UPN
$password = ConvertTo-SecureString "PASSWORT" -AsPlainText -Force   # placeholder password
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$password
#$cred = Get-Credential

# Connect to Office 365
if (!(Get-Module -ListAvailable -Name MSOnline)){Install-Module MSOnline -Confirm:$false -Force;}
# Install-Module AzureAD -Confirm:$false -Force # Azure AD may not be necessary for managing O365
# The Exchange Online session below is not needed for Get-MsolUser; Connect-MsolService alone is enough.
# (Microsoft has since retired Basic authentication on this Exchange endpoint.)
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session -AllowClobber
Connect-MsolService -Credential $cred

# Collect O365 accounts with the prefix of Sync_ and then use regex to retrieve names of associated computer names.
# The UPN has the form Sync_<server>_<installation id>@<tenant>; -MaxResults 2147483647 pulls every user (-All does the same).
$azureSyncAccounts=(Get-MsolUser -EnabledFilter EnabledOnly -MaxResults 2147483647 | Where-Object {$_.UserPrincipalName -like "Sync_*"}).UserPrincipalName
$azureSyncAccounts | %{ if ($_ -match "_(.+)_") { $matches[1] } }
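The cloud side can say more than just the server name: a tenant knows which account it currently syncs with, so every other Sync_* account is a leftover from a previous or parallel installation and should be reconciled against what Method 1 found on-premise. This is an added example, not code from the original post; it assumes Connect-MsolService has already run, and it assumes (not shown in the post) that Get-MsolCompanyInformation exposes DirSyncClientMachineName and DirSyncServiceAccount. The function names (ConvertFrom-SyncUpn, Get-TenantSyncAccountReport), the $SyncUpnPattern variable and the sample UPN are my own.

```powershell
# Added example: report every Sync_* account in the tenant and flag the ones that are not the
# tenant's current sync service account. Assumes Connect-MsolService has already succeeded and
# that Get-MsolCompanyInformation exposes DirSyncClientMachineName and DirSyncServiceAccount (assumed).

# Sync_<server>_<installation id>@<tenant>; hostnames cannot contain "_", so [^_@]+ is safe for the server.
$script:SyncUpnPattern = '^Sync_(?<Server>[^_@]+)_(?<InstallId>[^@]+)@(?<Tenant>.+)$'

function ConvertFrom-SyncUpn {
    # Splits one Sync_* UPN into server, installation id and tenant; non-matching input yields nothing.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $UserPrincipalName)
    process {
        if ($UserPrincipalName -notmatch $script:SyncUpnPattern) { return }
        [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            Server            = $Matches.Server
            InstallId         = $Matches.InstallId
            Tenant            = $Matches.Tenant
        }
    }
}

function Get-TenantSyncAccountReport {
    # One row per Sync_* account, compared against the tenant's current sync client and, optionally,
    # against the server names Method 1 found on-premise.
    [CmdletBinding()]
    param(
        [string[]] $OnPremServers = @()   # e.g. output of the MSOL_* one-liner; empty skips the cross-check
    )
    $company    = Get-MsolCompanyInformation
    $current    = $company.DirSyncClientMachineName   # server the tenant reports as its sync client (assumed property)
    $serviceUpn = $company.DirSyncServiceAccount      # account the tenant reports as its sync identity (assumed property)

    Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like 'Sync_*' } | ForEach-Object {
        $parsed = $_.UserPrincipalName | ConvertFrom-SyncUpn
        if (-not $parsed) { return }
        [pscustomobject]@{
            UserPrincipalName       = $_.UserPrincipalName
            Server                  = $parsed.Server
            InstallId               = $parsed.InstallId
            IsCurrentServiceAccount = ($_.UserPrincipalName -eq $serviceUpn)
            MatchesTenantSyncClient = ($parsed.Server -eq $current)
            FoundOnPrem             = if ($OnPremServers.Count) { $OnPremServers -contains $parsed.Server } else { $null }
        }
    }
}

# Constructed sample UPN (not a real account) to show what the parser returns offline:
# expect Server = ADFS, InstallId = xxxxxxxxxxxx, Tenant = example.onmicrosoft.com.
'Sync_ADFS_xxxxxxxxxxxx@example.onmicrosoft.com' | ConvertFrom-SyncUpn | Format-List

# Live run, feeding in the on-premise result from Method 1:
# $onPrem = (Get-ADUser -filter 'name -like "Msol*"' -Properties Description).Description |
#           %{ if ($_ -match "computer\s(.+)\sconfigured") { $matches[1] } }
# Get-TenantSyncAccountReport -OnPremServers $onPrem |
#     Format-Table UserPrincipalName, Server, IsCurrentServiceAccount, MatchesTenantSyncClient, FoundOnPrem
```

A row with IsCurrentServiceAccount and FoundOnPrem both false is a Sync_* account whose server is gone; it still holds directory-write rights in the tenant and is the first thing to clean up after consolidating to a single AD Connect instance.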