This is an update to an earlier post, which can be found here: AAD Connect Device Writeback Feature.
Pre-requisites:
- AAD Premium
- Devices must be located in the same forest as the users
- Only one device registration configuration object can be added to the on-premises AD DS forest.
- Not supported in a multi-user-forest scenario
- W2012R2 ADFS
- Install AAD Connect – the latest version is recommended
1. After the AAD Connect installation, perform the following tasks:
- Open PowerShell and run the following commands with Enterprise Admin rights
- Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
- Initialize-ADSyncDeviceWriteback -DomainName <your-domain-name> -AdConnectorAccount <your-connector-account>
What the tool actually does (from Technet):
- If it does not exist, it creates and configures new containers and objects under CN=Device Registration Configuration,CN=Services,CN=Configuration,[forest-dn]
- If it does not exist, it creates and configures new containers and objects under CN=RegisteredDevices,[domain-dn]. Device objects will be created in this container.
- Sets the necessary permissions for the Azure AD Connector account to manage devices in your Active Directory.
- Only needs to run on one forest, even if Azure AD Connect is being installed on multiple forests.
Parameters:
- DomainName: Active Directory Domain where device objects will be created. Note: All devices for a given Active Directory forest will be created in a single domain.
- AdConnectorAccount: Active Directory account that will be used by Azure AD Connect to manage objects in the directory. This is the account used by Azure AD Connect sync to connect to AD. If you installed using express settings, it is the account prefixed with MSOL_.
2. Enable device write-back in AAD Connect
Run AAD Connect.exe and select "Customize Synchronization Options".
If you have run AdSyncPrep, device write-back is no longer grayed out and can be selected.
On the final page you will see the domain where devices will be written.
NOTE! Confirm that the service account has the necessary permissions on the created AD containers and that the RegisteredDevices container is within your AAD Connect sync scope.
3. Verify synchronization of devices
After everything is in place you should see registered devices written back to the local Active Directory.
If device writeback isn't working, good troubleshooting guidance can be found in the Azure documentation (linked at the end of the page).
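To check what the AdSyncPrep step in section 1 should have created and to confirm the result of section 3, here is an added verification script (not part of the original post or of AAD Connect). It assumes the ActiveDirectory RSAT module is available and that $ConnectorAccount is replaced with your own MSOL_ connector account.

```powershell
# Added verification script (not from the original post): checks what
# Initialize-ADSyncDeviceWriteback should have created and whether the
# connector account has rights on the RegisteredDevices container.
# Assumes the ActiveDirectory RSAT module; $ConnectorAccount is a placeholder.
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_xxxxxxxxxxxx'   # placeholder: your AAD Connect connector account

$rootDse  = Get-ADRootDSE
$configDn = $rootDse.configurationNamingContext
$domainDn = $rootDse.defaultNamingContext

# 1. Forest-level configuration container (only one per forest is supported)
$drcDn = "CN=Device Registration Configuration,CN=Services,$configDn"
$drc = Get-ADObject -Identity $drcDn -ErrorAction SilentlyContinue
if ($drc) { Write-Host "OK     : $drcDn exists" } else { Write-Warning "Missing: $drcDn" }

# 2. Domain-level container that will hold the written-back device objects
$rdDn = "CN=RegisteredDevices,$domainDn"
$rd = Get-ADObject -Identity $rdDn -ErrorAction SilentlyContinue
if ($rd) { Write-Host "OK     : $rdDn exists" } else { Write-Warning "Missing: $rdDn" }

# 3. ACL check: the connector account needs an ACE on the container to create and modify device objects
if ($rd) {
    $acl  = Get-Acl -Path "AD:\$rdDn"
    $aces = $acl.Access | Where-Object { $_.IdentityReference -eq $ConnectorAccount }
    if ($aces) {
        $aces | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
            Format-Table -AutoSize
    } else {
        Write-Warning "No ACE for $ConnectorAccount on $rdDn - re-run Initialize-ADSyncDeviceWriteback"
    }
}

# 4. Devices written back so far (msDS-Device objects); stays empty until the first sync cycle completes
if ($rd) {
    $devices = Get-ADObject -SearchBase $rdDn -LDAPFilter '(objectClass=msDS-Device)' -Properties displayName, whenCreated
    if ($devices) {
        $devices | Select-Object displayName, whenCreated | Format-Table -AutoSize
    } else {
        Write-Host "No device objects yet under $rdDn"
    }
}
```

Run it as a user with read access to the configuration partition; a missing container or ACE points back to section 1, while an empty device list with everything else in place usually means the container is outside the sync scope or the first sync cycle has not run yet.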