Back into one of my favorite topics, Azure AD Connect. It has been a while since I worked with AAD Connect (AADC). This blog post describes how V2 API endpoint can be deployed.
Why Use V2 API Endpoint?
The main advantage is for bigger organizations that have a huge number of objects to synced to the cloud. The biggest one I have worked with has +300k end-users and this will definitely decrease AAD-connector run profile times in such an environment.
The new endpoint supports the following:
- syncing groups with up to 250k members
- performance gains on export and import to Azure AD
Configuration
Before starting, you need to have version 1.5.30.0 or later in to use. In production mode many organizations have at least two AAD Connect servers, one is active and the other one is in staging mode.
Before moving forward, decide your migration path. When method is chosen following steps are needed
- AAD Connect installation
- V2 API endpoint activation
- Increase the group membership limit
AAD Connect installation
Nothing new in here, process looks same as it has looked for several years. At the end of the day you have version 1.4.45.0 in use.
V2 API Activation
To activate V2 API you first need to disable the sync scheduler
Set-ADSyncScheduler -SyncCycleEnabled $falseImport the new module
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'Set V2 API endpoint as active
Set-ADSyncAADConnectorExportApiVersion 2
Set-ADSyncAADConnectorImportApiVersion 2
Increase the group membership limit
The last step is to increase the group membership limit size via AAD Sync rules editor.
Currently, value is 50k members but can be increased up to 250k.
- Precedence: between 1-99
- Transformations: update the source value for the member transformation, replacing the 50000 with the value between 50001-250000. Microsoft recommends to start with a number of 100k, to understand the possible impact.
When the configuration is saved, enable the sync scheduler.
Set-ADSyncScheduler -SyncCycleEnabled $true
How It Looks In the Portal?
Even though, my environment doesn’t have many objects in sync scope there is seen huge drop in the AAD-connector sync profile run times.
Saw this one in Twitter from where you can see the impact in a larger organization organization.
Rollback
In case, where rollback is needed:
- Disable the sync scheduler
- Activate V2 endpoint
- Convert group sync rule back to 50000
- Re-enable the sync scheduler
Set-ADSyncScheduler -SyncCycleEnabled $false
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'
Set-ADSyncAADConnectorExportApiVersion 1
Set-ADSyncAADConnectorImportApiVersion 1
et-ADSyncScheduler -SyncCycleEnabled $trueFinal Throughts
Azure AD Connect V2 API endpoint is in public preview. The feature will definitely decrease the Azure AD connector profile run times that will be beneficial to bigger organizations.
And finally, when you are making changes to Azure AD Connect, remember backups and disaster recovery scenarios. My recommendation is to use staging server, it has save my day many times 🙂
Sam's Corner 
Hey Sami,
Regarding this part of above procedure:
“Set V2 API endpoint as active (two times, not sure why)” there is a typo, it should be like that:
Set-ADSyncAADConnectorExportApiVersion 2
Set-ADSyncAADConnectorImportApiVersion 2
instead of executing ‘Set-ADSyncAADConnectorExportApiVersion 2’ twice.
Hi Adam,
Sorry, that was my bad. Thank you for pointing this out.
I updated that section to the blog (the pic was correct but txt wasn’t). Seems that I definitely need to purchase glasses;)
Thanks,
Sami