Agents
What is the Directory Sync agent?
The Directory Sync agent is the key component that communicates between a local Active Directory environment and the Directory Sync service.
Where do you install the agent?
The agent must be installed in every forest that you plan to include as a Directory Sync environment. We suggest that you create a virtual machine exclusively for this purpose. Review the Directory Sync Requirements for the minimal hardware and software requirements.
How do I download and install the agent?
First, choose the environment that the agent will be associated with.
You will be able to download the latest version of the agent from the Directory Sync agent screen. Copy the URL and the access key that will be needed during the install of the agent. The downloadable executable is the same for all projects, it is the Registration URL and Registration Key that makes the agent unique when it is installed.
To install of the agent enter credentials that have read or read\write access to the domain, depending on the direction of synchronization.
Copy and paste the information from the Directory Sync agent screen.
No further action is needed on the workstation. A look at services confirms that the Directory Sync agent is running.
A list of agents appears on summary screen, including status information as well as the registration URL and access keys should you need them again in the future.
Where do I manage agents?
To manage agents, simply open the left navigation menu and click Agents, located under Setup, see figure 1.
Figure 1: Directory Sync Setup and Settings Menu
How do I manage the agents?
On the Agents page, you can check the current status of your current agents or add new ones. Select an agent for additional options. You have the option to copy the Registration URL or the Registration Key if you need to reinstall the agent for any reason. The History button will give you details on the run history. When the agent is updated, any agent using the old version will offer you the upgrade option so that you can update your current agent installation.
Do I need to configure a Local Directory Sync agent if my tenant is a hybrid with local Active Directory attached?
A Local Directory Sync agent is only required when working with Hybrid MailUsers (a mailuser object synced with a local active directory object). A Directory Sync agent is used to configure the mail-forwarding rule on the local AD object when working with Hybrid MailUsers. A Directory Sync agent is not required when working with Mailbox and Cloud Only Objects as mail-forwarding rules are configured via EXO PowerShell.
How do I uninstall an agent?
If you need to uninstall an agent from any machine, in order to reinstall on the same machine, you must first delete the registry folder located at HKEY_LOCAL_MACHINE> SOFTWARE> Quest > Agent and then uninstall.
Afterwards, simply create a new agent (with a new access key) under Agents managements from the left navigation menu before re-installing on the same machine.
Guest Users
What is a Guest User?
A guest user is an Microsoft Entra ID Business-to-Business account which is utilized to provide seamless collaboration between the Microsoft Cloud organizations.
For more context and details check out Microsoft’s document on the topic, What is guest user access in Microsoft Entra ID B2B?
Can I create, update and delete Guest user objects with Directory Sync?
Yes, Directory Sync provides create, update and delete capabilities to keep your multiple identities, objects and properties in sync for short-term and long-term integration needs.
There are two (2) new additional options to create users in a target cloud directory, highlighted below. The image shows the Template wizard where you may manage how users are created.
Figure 1: Example Template Wizard - Create New Users – Guest Options
What does the Guest User option do?
The Guest User option (see figure 1) will create a user object with the type of Guest within the destination directory configured in the workflow. This user’s password will be set and managed within the target directory management controls. This user’s UPN, Display Name and email address will be constructed based on the template mapping controls configured within the workflow.
What does the Guest Invite option do?
The Guest Invite option (see figure 1) will create a user object with the type of Guest within the destination directory configured in the workflow and immediately send an invitation to the source email user account. This user’s UPN will be constructed automatically by Microsoft to meet their requirements for B2B functionality. This user’s password will not be set and will continue to be managed from the source directory management tools and administrators. All other attributes set during creation will be determined by the template mapping controls configured within the workflow.
Can I send an invitation later if I didn’t send one during creation?
Yes, Microsoft provides numerous methods for managing invitations. For more details, see the Microsoft Entra ID B2B documentation.
Can I match to an existing Guest user and update it?
Yes, Directory Sync can match and update existing Guest user types in Active Directory and Microsoft Entra ID.
What is the recommend matching attribute for Guest Users?
To match a source user object to a target Guest user object can sometimes be challenging because depending on the type of target Guest user object, there may not be a readily available attribute or property that can be used for an exact match to ensure an accurate match.
How to identify unique attributes for Matching to Guest Users
Before synchronization, you must first decide how to derive the matching attribute pairs between the source user object and target guest object. In other words, what parameters in your environment are unique to your external collaborators? Determine a parameter that distinguishes these external collaborators from members of your own organization.
A common approach to resolve this is to:
- Designate an unused attribute (for example, extensionAttribute1) to use as the source attribute that will match to a unique identifier attribute, such as email, in the target.
- Next construct the value for that attribute from other source properties, to create a unique identifier that will be found in the target. For example, use the email address of the source user to construct the extensionAttribute1 value as Source Local Part @ Target Domain.
Can I create a local user, so it is ready to be synchronized up to Microsoft Entra ID as a Guest?
Yes, Directory Sync supports the creation of local user objects for this purpose. Simply configure the template mappings to set the attribute value of the predetermined attributed which will be used by Microsoft Entra Connect to set the UserType = Guest in the cloud object. If you are using a different method within Microsoft Entra Connect, adjust your mapping rules to fit your needs.
You can use Microsoft Entra Connect to sync the accounts to the cloud as Microsoft Entra B2B users (that is, users with UserType = Guest). This enables your users to access cloud resources using the same credentials as their local accounts, without giving them more access than they require.
For more information about How to grant local users access to cloud apps read this Microsoft article on the topic.
For details on How to enable synchronization of UserType for Microsoft Entra Connect then please read this Microsoft document.
Additional Information
How To Use Guest Users in Directory Sync
Guest Users in Power365 Tenant-to-Tenant
What is guest user access in Microsoft Entra ID B2B?
Microsoft Entra ID B2B best practices
Microsoft Entra ID B2B documentation
Properties of an Microsoft Entra ID B2B collaboration user
Quickstart: Add guest users to your directory in the Azure portal
Add guests to the global address list
Settings
Environments
What is an Environment?
If a workflow is a series of action steps, an environment is the receiver of those actions. On the Select Environments screen you will choose two or more environments that the workflow will take actions against. You need at least two so that you have at least one source and one target, but you can choose several in a more complex migration scenario. For example, you may choose to read from two different environments as sources, to be written to a single target environment.
Where do I manage Environments?
To manage environments, simply open the left navigation menu and click Environments, located under Settings, see figure 1.
Figure 1: Directory Sync Setup and Settings Menu
How are Local Environments added?
To add a local environment:
On the Environments page, Click the New button. The Select your Environment type page appears.
Select Local and click Next.
Enter a name for your environment and click Next.
- Enter a name for your agent and click Next.
Enter values in the following fields:
Target Domain Controller IP Address – The IP address of the target Domain Controller.
Target Domain Controller Ping Interval - The number of seconds the script will sleep between pings to the defined target domain controller. The default value is 300 seconds.
Timeout Before Job Failure – The number of minutes to wait after Credential Cache job is downloaded by the agent before marking the job a failure due to timeout. The default value is 180 minutes.
Timeout for User Credential Prompt – The number of minutes to prompt the user with a dialog box to enter their target domain credentials for caching. The default value is 5 minutes
Click Save Profile. The Credential Cache Profile is added to the list.
How do you export a list of Users, Groups, Contacts, and Devices in an environment?
Select an environment in the Environments table and then click Details. On the Details page, click the Export button to download a CSV file of the Users, Groups, Contacts, and Devices.
How do you unmatch Users, Groups, Contacts, and Devices so they will not be synchronized?
Select an environment in the Environments table and then click Details. On the Details page, select an object in the table and click the Unmatch button. The Match Status for the object will change to "Unmatched" and the object will not be synchronized.
The Unmatch action is not supported for objects belonging to the Tenant-to-Tenant project and registered devices.
How do you view logs for local environments?
Select a local environment in the Environments table and then click Password Logs or Discovery Logs to export a CSV with password or discovery information.
How do you discover local environments?
Select a local environment in the Environments table and then click Discover to begin the discovery process for the environment.
How do you filter out users and groups in cloud environments you do not want to synchronize?
Select a cloud environment in the Environments table and then click Settings. Then select the Object Filter tab to view the filter options. Uncheck the object types you wish to exclude. Options to exclude unlicensed and disabled accounts are also available. Click Attribute Filters to build filters that allow you to be more specific as to which object(s) to sync. Select the Filter Groups tab to enable Group filters.
How do you set the object filter to synchronize Microsoft Entra ID Joined devices in cloud environments?
If you subscribe to the Microsoft Entra ID Joined Device add on feature, you can enable the Microsoft Entra ID Joined device object filter option in Settings. To enable the Microsoft Entra ID Joined device option, select a cloud environment in the Environments table and then click Settings. Then select the Object Filter tab to view the filter options. Check the Microsoft Entra ID Joined devices option. Click Attribute Filters to build filters that allow you to be more specific as to which device(s) to sync.
The below table displays filterable properties and the object types that can be filtered by them. ✓= The property can be used to filter this object type.
| Property Name | Users | Contacts | Distribution And Mail Enabled Security Groups | Unified Groups And Teams | Devices |
|---|---|---|---|---|---|
| AcceptMessagesOnlyFrom | ✓ | ✓ | ✓ | ||
| AcceptMessagesOnlyFromDLMembers | ✓ | ✓ | ✓ | ||
| AcceptMessagesOnlyFromSendersOrMembers | ✓ | ✓ | ✓ | ||
| AccessType | ✓ | ||||
| AccountDisabled | ✓ | ||||
| AddressListMembership | ✓ | ✓ | ✓ | ||
| AdministrativeUnits | ✓ | ✓ | ✓ | ✓ | |
| Alias | ✓ | ✓ | ✓ | ||
| AllowAddGuests | ✓ | ||||
| AllowUMCallsFromNonUsers | ✓ | ||||
| AlwaysSubscribeMembersToCalendarEvents | ✓ | ||||
| ArbitrationMailbox | ✓ | ✓ | |||
| ArchiveRelease | ✓ | ||||
| AssistantName | ✓ | ||||
| AuditLogAgeLimit | ✓ | ||||
| AuthenticationPolicy | ✓ | ||||
| AutoSubscribeNewMembers | ✓ | ||||
| BypassModerationFromSendersOrMembers | ✓ | ✓ | ✓ | ||
| BypassNestedModerationEnabled | ✓ | ||||
| CalendarMemberReadOnly | ✓ | ||||
| CalendarUrl | ✓ | ||||
| CertificateSubject | ✓ | ||||
| City | ✓ | ||||
| Classification | ✓ | ||||
| Company | ✓ | ||||
| ConnectorsEnabled | ✓ | ||||
| ConsumerNetID | ✓ | ||||
| CountryOrRegion | ✓ | ||||
| CustomAttribute1 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute10 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute11 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute12 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute13 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute14 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute15 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute2 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute3 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute4 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute5 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute6 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute7 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute8 | ✓ | ✓ | ✓ | ✓ | |
| CustomAttribute9 | ✓ | ✓ | ✓ | ✓ | |
| Database | ✓ | ||||
| DataEncryptionPolicy | ✓ | ||||
| Department | ✓ | ||||
| DirectReports | ✓ | ||||
| DisplayName | ✓ | ✓ | ✓ | ✓ | ✓ |
| DistinguishedName | ✓ | ✓ | ✓ | ✓ | |
| EmailAddressPolicyEnabled | ✓ | ✓ | ✓ | ||
| ExchangeGuid | ✓ | ||||
| ExchangeVersion | ✓ | ✓ | ✓ | ✓ | |
| ExpansionServer | ✓ | ✓ | |||
| ExtensionCustomAttribute1 | ✓ | ✓ | ✓ | ||
| ExtensionCustomAttribute2 | ✓ | ✓ | ✓ | ||
| ExtensionCustomAttribute3 | ✓ | ✓ | ✓ | ||
| ExtensionCustomAttribute4 | ✓ | ✓ | ✓ | ||
| ExtensionCustomAttribute5 | ✓ | ✓ | ✓ | ||
| Extensions | ✓ | ||||
| ExternalDirectoryObjectId | ✓ | ✓ | ✓ | ✓ | |
| ExternalEmailAddress | ✓ | ||||
| Fax | ✓ | ||||
| FileNotificationsSettings | ✓ | ||||
| FirstName | ✓ | ||||
| GeoCoordinates | ✓ | ||||
| GrantSendOnBehalfTo | ✓ | ✓ | ✓ | ||
| GroupExternalMemberCount | ✓ | ||||
| GroupMemberCount | ✓ | ||||
| GroupPersonification | ✓ | ||||
| GroupSKU | ✓ | ||||
| GroupType | ✓ | ✓ | |||
| Guid | ✓ | ✓ | ✓ | ✓ | |
| HasPicture | ✓ | ||||
| HasSpokenName | ✓ | ||||
| HiddenFromAddressListsEnabled | ✓ | ✓ | ✓ | ||
| HiddenFromExchangeClientsEnabled | ✓ | ||||
| HiddenGroupMembershipEnabled | ✓ | ✓ | |||
| HomePhone | ✓ | ||||
| Id | ✓ | ✓ | ✓ | ✓ | |
| Identity | ✓ | ✓ | ✓ | ✓ | |
| InboxUrl | ✓ | ||||
| Initials | ✓ | ||||
| InPlaceHolds | ✓ | ||||
| InPlaceHoldsRaw | ✓ | ✓ | |||
| IsExternalResourcesPublished | ✓ | ||||
| IsLinked | ✓ | ||||
| IsMailboxConfigured | ✓ | ||||
| IsMembershipDynamic | ✓ | ||||
| IsSecurityPrincipal | ✓ | ||||
| IsSoftDeletedByDisable | ✓ | ||||
| IsSoftDeletedByRemove | ✓ | ||||
| IsValid | ✓ | ✓ | ✓ | ✓ | |
| Language | ✓ | ||||
| LastExchangeChangedTime | ✓ | ✓ | ✓ | ||
| LastName | ✓ | ||||
| LegacyExchangeDN | ✓ | ✓ | ✓ | ✓ | |
| LinkedMasterAccount | ✓ | ||||
| MacAttachmentFormat | ✓ | ||||
| MailboxLocations | ✓ | ||||
| MailboxProvisioningConstraint | ✓ | ✓ | |||
| MailboxProvisioningPreferences | ✓ | ||||
| MailboxRegion | ✓ | ✓ | |||
| MailboxRegionLastUpdateTime | ✓ | ||||
| MailboxRelease | ✓ | ||||
| MailTip | ✓ | ✓ | ✓ | ||
| MailTipTranslations | ✓ | ✓ | ✓ | ||
| ManagedBy | ✓ | ✓ | |||
| ManagedByDetails | ✓ | ||||
| Manager | ✓ | ||||
| MaxReceiveSize | ✓ | ✓ | ✓ | ||
| MaxRecipientPerMessage | ✓ | ||||
| MaxSendSize | ✓ | ✓ | ✓ | ||
| MemberDepartRestriction | ✓ | ||||
| MemberJoinRestriction | ✓ | ||||
| MessageBodyFormat | ✓ | ||||
| MessageFormat | ✓ | ||||
| MicrosoftOnlineServicesID | ✓ | ||||
| MigrationToUnifiedGroupInProgress | ✓ | ✓ | |||
| MobilePhone | ✓ | ||||
| ModeratedBy | ✓ | ✓ | ✓ | ||
| ModerationEnabled | ✓ | ✓ | ✓ | ||
| Name | ✓ | ✓ | ✓ | ✓ | |
| NetID | ✓ | ||||
| Notes | ✓ | ✓ | |||
| ObjectCategory | ✓ | ✓ | ✓ | ✓ | |
| ObjectClass | ✓ | ✓ | ✓ | ✓ | |
| ObjectState | ✓ | ✓ | ✓ | ✓ | |
| Office | ✓ | ||||
| OrganizationalUnit | ✓ | ✓ | ✓ | ✓ | |
| OrganizationId | ✓ | ✓ | ✓ | ✓ | |
| OriginatingServer | ✓ | ✓ | ✓ | ✓ | |
| OtherFax | ✓ | ||||
| OtherHomePhone | ✓ | ||||
| OtherTelephone | ✓ | ||||
| Pager | ✓ | ||||
| PeopleUrl | ✓ | ||||
| Phone | ✓ | ||||
| PhoneticDisplayName | ✓ | ||||
| PhotoUrl | ✓ | ||||
| PoliciesExcluded | ✓ | ✓ | ✓ | ||
| PoliciesIncluded | ✓ | ✓ | ✓ | ||
| PostalCode | ✓ | ||||
| PostOfficeBox | ✓ | ||||
| PreviousRecipientTypeDetails | ✓ | ||||
| RecipientType | ✓ | ✓ | ✓ | ✓ | |
| RecipientTypeDetails | ✓ | ✓ | ✓ | ✓ | |
| RejectMessagesFrom | ✓ | ✓ | ✓ | ||
| RejectMessagesFromDLMembers | ✓ | ✓ | ✓ | ||
| RejectMessagesFromSendersOrMembers | ✓ | ✓ | ✓ | ||
| RemotePowerShellEnabled | ✓ | ||||
| ReportToManagerEnabled | ✓ | ✓ | |||
| ReportToOriginatorEnabled | ✓ | ✓ | |||
| RequireSenderAuthenticationEnabled | ✓ | ✓ | ✓ | ||
| ResetPasswordOnNextLogon | ✓ | ||||
| RunspaceId | ✓ | ✓ | ✓ | ✓ | |
| SamAccountName | ✓ | ✓ | |||
| SendModerationNotifications | ✓ | ✓ | ✓ | ||
| SendOofMessageToOriginatorEnabled | ✓ | ✓ | |||
| SeniorityIndex | ✓ | ||||
| ServerName | ✓ | ||||
| SharePointDocumentsUrl | ✓ | ||||
| SharePointNotebookUrl | ✓ | ||||
| SharePointSiteUrl | ✓ | ||||
| Sid | ✓ | ||||
| SidHistory | ✓ | ||||
| SiloName | ✓ | ||||
| SimpleDisplayName | ✓ | ✓ | ✓ | ||
| SKUAssigned | ✓ | ||||
| StateOrProvince | ✓ | ||||
| StreetAddress | ✓ | ||||
| StsRefreshTokensValidFrom | ✓ | ||||
| SubscriptionEnabled | ✓ | ||||
| TelephoneAssistant | ✓ | ||||
| Title | ✓ | ||||
| UMCallingLineIds | ✓ | ||||
| UMDialPlan | ✓ | ||||
| UMDtmfMap | ✓ | ✓ | ✓ | ||
| UpgradeDetails | ✓ | ||||
| UpgradeMessage | ✓ | ||||
| UpgradeRequest | ✓ | ||||
| UpgradeStage | ✓ | ||||
| UpgradeStageTimeStamp | ✓ | ||||
| UpgradeStatus | ✓ | ||||
| UseMapiRichTextFormat | ✓ | ||||
| UsePreferMessageFormat | ✓ | ||||
| UserAccountControl | ✓ | ||||
| UserCertificate | ✓ | ||||
| UserPrincipalName | ✓ | ||||
| UserSMimeCertificate | ✓ | ||||
| VoiceMailSettings | ✓ | ||||
| WebPage | ✓ | ||||
| WelcomeMessageEnabled | ✓ | ||||
| WhenChanged | ✓ | ✓ | ✓ | ✓ | |
| WhenChangedUTC | ✓ | ✓ | ✓ | ✓ | |
| WhenCreated | ✓ | ✓ | ✓ | ✓ | |
| WhenCreatedUTC | ✓ | ✓ | ✓ | ✓ | |
| WhenSoftDeleted | ✓ | ✓ | |||
| WindowsEmailAddress | ✓ | ✓ | ✓ | ||
| WindowsLiveID | ✓ | ||||
| YammerEmailAddress | ✓ | ||||
| Description | ✓ | ✓ | |||
| OperatingSystem | ✓ | ||||
| OperatingSystemVersion | ✓ | ||||
| ProfileType | ✓ | ||||
| EmailAddresses | ✓ | ✓ | ✓ |