Azure Active Domain Services Synchronisation Report
Currently, it is not possible to get accurate information from AADDS about what and when attributes are synchronised from Azure AD to Azure ADDS. It would be most helpful if customers could query on a per user or per directory basis to find out what attributes were synced and at what time (including password changes).
Erin Greenlee commented
Here is a full list of the attributes synchronized to AAD-DS: https://docs.microsoft.com/azure/active-directory-domain-services/synchronization#attribute-mapping-for-user-accounts
For specific attributes being synchronized, the sync engine treats attributes as a part of a user object. So when user Joe is synchronized to AAD-DS, all of Joe's attributes are updated to be the latest version of Joe in AAD.
You do raise an interesting scenario; in the meantime you can leverage your health dashboard's last sync time on the Azure portal. The date shown is the most recent time your managed domain has reached a steady state where there were no more updates sent from AAD to AAD-DS.
Thanks for the feedback here. It was originally for the following use case(s):
- For troubleshooting and being able to see exactly when attributes have been synced between the 2 directories. I know internally MS have a report on this.
- The second one was round a ticket I raised (119052025000811) as per the attached file.
Mike Stephens commented
Interesting. Thank you for the feedback. What's the use case? I'm going to take a guess at troubleshooting, right? As I view a managed service, that should be the responsibility of the service to ensure users, groups, and password hashes are synced properly and timely. Given the current sync operation, I can understand the request. What if the sync engine just worked? Would you still need a report like this? Why?
Senior Program Manager
IAM Core | Domain Services