Azure AD Connectors Test

The Azure AD Connect sync engine processes identity information from different data repositories, such as Active Directory or a SQL Server database. The data repositories that are synchronized by the sync engine are called connected data sources or connected directories (CD).

The sync engine encapsulates interaction with a connected data source within a module called a Connector. Each type of connected data source has a specific Connector. The Connector translates a required operation into the format that the connected data source understands. Connectors make API calls to exchange identity information (both read and write) with a connected data source.

To configure a Connector, you specify the object types that you want to synchronize and select the attributes to synchronize, which is known as an attribute inclusion list. These objects and attributes are held in a staging area called connector space.

When the identity management process is triggered, the sync engine evaluates the incoming identity information from a connected data source. When changes are detected, it either creates new staging objects or updates existing staging objects in the connector space for synchronization. In addition, the sync engine stores status information about all objects that it stages in the connector space. When new data is received, the sync engine always evaluates whether the data has already been synchronized.

If a staging object is new or has changed recently, then the sync engine updates the metaverse to reflect changes that have occurred in the connector space. The metaverse is a storage area that contains the aggregated identity information from multiple connected data sources, providing a single global, integrated view of all combined objects.

Finally, the sync engine exports the changes that are staged on staging objects and flagged as pending export.

If any connector fails to synchronize, or takes too long to synchronize, the identity objects and attributes it manages between on-premises and Azure AD, administrators should be able to quickly spot those connectors and investigate the reasons. Is the connector very busy, and if so, why? Do too many objects need to be exported? Are many of the objects/attributes to be exported not found in the metaverse? Or are the objects/attributes not linked to the metaverse? The Azure AD Connectors test answers these questions!

This test auto-discovers the connectors, and for each connector, reports the load level and synchronization status of that connector. Busy and idle connectors can thus be identified. Similarly, connectors that could not synchronize identity information can also be easily isolated. Additionally, the test sheds light on probable factors that could cause synchronization to fail or slow down. Such factors include:

  • Poorly defined filtering rules, which can increase the number of objects to be exported

  • The presence of many Disconnector objects, which can increase the sync time and degrade the overall performance of the sync engine

  • Issues in object/attribute flow between the Active Directory connector space and metaverse

Target of the Test: A Microsoft Azure Active Directory Connect

Agent deploying the test: An internal agent

Output of the test: One set of results for each Connector configured

Configurable parameters for the test
Parameters Description

Test Period

How often the test should be executed.

Host

The host for which the test is to be configured.

Port

Specify the port at which the Host listens.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability

  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measures made by the test:
Measurement Description Measurement Unit Interpretation

Connector run status

Indicates the current status of this connector.


The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value   Numeric Value
Busy            1
Idle            0

You can use the detailed diagnosis of the test to view the details of the connector.

Note:

By default, this measure reports the Measure Values listed in the table above to indicate the run status of the connector. In the graph of this measure however, the same is represented using the numeric equivalents only.

Synchronization profile result

Indicates the result of the synchronization / run profile configured for this connector.


A Run Profile bundles the process steps of copying objects and their attribute values according to the sync rules between the staging areas and connected directories.

Different run profiles exist to optimize the performance of the provisioning engine.

The value of this measure indicates whether or not the synchronization / run profile configured for a connector successfully copied objects and their attributes to the staging areas. The measure values and their corresponding numeric values are given in the table below:

Measure Value   Numeric Value
Success         1
Failure         0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate the run profile result. In the graph of this measure however, the same is represented using the numeric equivalents only.

Projections

Indicates the number of projection operations performed for this connector by the sync engine.

Number

The sync engine creates a new metaverse object based on a staging object and links the two. This is called Provision or Projection.

Filtered connectors

Indicates the number of connector objects that have been filtered for synchronization.

Number

Within the sync engine namespace, the data flow is enabled by the link relationship between staging objects and metaverse objects. A staging object that is linked to a metaverse object is called a joined object (or connector object).

Filtering can be used to reduce the number of objects to be synced and so improve the overall performance and duration of the synchronization. The value of this measure indicates the number of connector objects that have been chosen for synchronization using one or more filtering rules. For faster, more efficient synchronization, therefore, the value of this measure should be low.

If the value of this measure is equal to or close to that of the Joins measure, it hints at a potential slowness / delay in synchronization owing to the large number of objects that will have to be synced.

Filtered disconnectors

Indicates the number of disconnector objects that have been filtered for synchronization.

Number

Within the sync engine namespace, the data flow is enabled by the link relationship between staging objects and metaverse objects. A staging object that is not linked to a metaverse object is called a disjoined object (or disconnector object).

Typically, filtering rules are used to ensure that only important objects are synchronized, and unnecessary objects are excluded from export to Azure AD. Filtering helps reduce the number of objects to be synced, thereby improving performance and synchronization time. The value of this measure indicates the number of disconnector objects that have been chosen for synchronization using one or more filtering rules.

Many persistent disconnector objects in your Active Directory CS can cause longer sync times, because the provisioning engine must reevaluate each disconnector object for possible connection in the sync cycle. To minimize sync time therefore, it is best to reduce the number of disconnector objects to be exported.

This means that, ideally, the value of this measure should be low. A high value may result in prolonged sync cycles and poor synchronization performance. To avoid this, you should apply more aggressive filtering rules and place disconnector objects out of scope for import.

Disconnectors

Indicates the number of disconnector objects in this connector's connector space.

Number

Many persistent disconnector objects in your Active Directory CS can cause longer sync times, because the provisioning engine must reevaluate each disconnector object for possible connection in the sync cycle. To minimize sync time therefore, it is best to reduce the number of disconnector objects to be exported.

This means that, ideally, the value of this measure should be low. A high value may result in prolonged sync cycles and poor synchronization performance. To avoid this, you should place disconnector objects out of scope for import using domain or OU filtering.

Once such filters are configured and applied, you can verify their effectiveness by checking the value of the Filtered disconnectors measure. If the value of the Disconnectors measure is close to that of the Filtered disconnectors measure, it is a clear indicator that the filtering rules have not helped minimize the sync load. In such a situation, you are recommended to apply more aggressive filtering rules to bring the Filtered disconnectors number down. Alternatively, you can project/join the disconnector objects to the Metaverse and set the cloudFiltered attribute equal to True, to prevent provisioning of these objects in the Azure AD CS.

Deleted connectors

Indicates the number of connector objects that are deleted.

Number


Joins

Indicates the number of joined objects or connector objects in this connector space.

Number

Within the sync engine namespace, the data flow is enabled by the link relationship between staging objects and metaverse objects. A staging object that is linked to a metaverse object is called a joined object (or connector object).

Before initiating synchronization, you may want to configure and apply filtering rules to make sure that only necessary connector objects are exported to Azure AD. So, prior to a sync, compare the value of the Filtered connectors measure with that of the Joins measure to know whether filtering has helped reduce the count of connector objects that are ready for export. If the Filtered connectors count is equal to or close to the Joins count, it is a clear indicator that filtering has not worked. You may want to impose more aggressive filtering rules to bring the object count down.

Connectors with attribute

Indicates the number of connector objects and attribute flows from the connector space of this Connector to the metaverse.

Number


Connectors without attribute

Indicates the number of connector objects and attributes that failed to flow from the connector space of this Connector to the metaverse.

Number

The value 0 is desired for this measure. A non-zero value is indicative of a sync failure. In this case, do the following:

  • Make sure that the object or attribute that could not be synced is present in the Active Directory Connector Space (ADCS).

  • If the object / attribute is present in ADCS, then proceed to check the inbound synchronization rules for provisioning. An object that is present in ADCS but missing in MV indicates that none of the scoping filters on the provisioning sync rules applied to that object; therefore, the object was not projected to MV. This issue might occur if there are disabled or customized sync rules.

  • Next, check the lineage of the ADCS object, and verify whether it is a Disconnector object and whether its lineage is empty. Also, look for errors on the object.

  • If there are no errors and the object is not a Disconnector, check whether the object/attribute is projected to Metaverse. If it is not, then a full sync cycle should fix the issue.

Metaverse object deletes

Indicates the number of metaverse objects that are deleted.

Number

A metaverse object remains as long as there is one sync rule in scope with Link Type set to Provision or StickyJoin. A StickyJoin is used when a Connector is not allowed to provision a new object to the metaverse, but once the object has joined, it must be deleted in the source before the metaverse object is deleted.

When a metaverse object is deleted, all objects associated with an outbound sync rule marked for provision are marked for a delete.
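The interpretation guidance for the measures above (run profile result, Connectors without attribute, Filtered connectors versus Joins, Filtered disconnectors versus Disconnectors) can be turned into an automated check. The following is an added example, not eG Enterprise code: it evaluates constructed sample measure records per connector. The page gives no numeric definition of "close to", so the 0.9 ratio used here is an assumption.

```python
# Added example (not eG Enterprise code): applies the interpretation rules
# from the measure table to constructed sample records. The 0.9 "close to"
# ratio is an assumption; the page gives no numeric threshold.
from dataclasses import dataclass

# Numeric equivalents used in the graphs, as listed in the measure tables.
RUN_STATUS = {"Busy": 1, "Idle": 0}
PROFILE_RESULT = {"Success": 1, "Failure": 0}


@dataclass
class ConnectorMeasures:
    name: str
    run_status: str                    # Connector run status
    profile_result: str                # Synchronization profile result
    joins: int                         # Joins (connector objects)
    filtered_connectors: int           # Filtered connectors
    disconnectors: int                 # Disconnectors
    filtered_disconnectors: int        # Filtered disconnectors
    connectors_without_attribute: int  # Connectors without attribute


def close_to(filtered: int, total: int, ratio: float = 0.9) -> bool:
    """True when filtering left at least `ratio` of the objects in scope."""
    return total > 0 and filtered >= ratio * total


def evaluate(m: ConnectorMeasures) -> list:
    """Return the findings the measure interpretations would raise."""
    findings = []
    if PROFILE_RESULT[m.profile_result] == 0:
        findings.append("run profile failed: inspect this connector's run")
    if m.connectors_without_attribute > 0:
        findings.append(f"{m.connectors_without_attribute} object/attribute flows to "
                        "MV failed: check ADCS presence, inbound sync rules, lineage")
    if close_to(m.filtered_connectors, m.joins):
        findings.append("filtering barely reduces connector objects: tighten rules")
    if close_to(m.filtered_disconnectors, m.disconnectors):
        findings.append("filtering has not cut disconnector load: use domain/OU "
                        "filtering, or join and set cloudFiltered=True")
    return findings


# Constructed sample records; these are not real connectors.
SAMPLE = [
    ConnectorMeasures("contoso.local", "Idle", "Success", 5000, 120, 800, 30, 0),
    ConnectorMeasures("fabrikam.local", "Busy", "Failure", 5000, 4900, 800, 790, 12),
]


def evaluate_all(records=SAMPLE) -> dict:
    """Map each connector name to its list of findings (empty means healthy)."""
    return {m.name: evaluate(m) for m in records}


if __name__ == "__main__":
    for m in SAMPLE:
        print(m.name, "run status =", RUN_STATUS[m.run_status], evaluate(m) or ["OK"])
```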