Active Directory & Office 365 Reporting Tool

Azure AD Connect Force Sync PowerShell/ Synchronization Service Manager. As a default, the synchronization cycle in Azure AD is executed every 30 minutes. However, sometimes, as an Azure administrator, you may need to make urgent changes to on-premises AD objects and want them synchronized immediately with Azure AD. 

For instance, forcing a sync is necessary, if you’ve recently made changes to a user’s proxyAddresses, such as adding an email alias, and you’d like the user to utilize the alias right away. When faced with such an instance, the option of waiting 30 minutes till the next synchronization cycle is not a viable idea.

In such a scenario, Azure provides you with two methods of manually resynchronizing the data: either using PowerShell commands or through a synchronization manager.

Let us start with an illustration of Azure Active Directory Sync.

Azure Active Directory Sync

There are two types of sync in Azure Active Directory Connect: delta sync and full sync. A delta syncs synchronizes only the latest changes while a full sync is only necessary when changing Azure AD Connect configuration. In its default configuration, the Azure AD Connect Tool automatically syncs data at predefined intervals. For this, it uses two schedules, one for password changes and one for all other objects (users, computers, groups). By default, Azure AD syncs passwords every 2 minutes and syncs object changes every 30 minutes.
Executing this command is necessary to get a view of the default sync schedule of your machine:


For example, after executing this command on my machine, we see that the next sync schedule is a Delta sync that runs at 11:45.

Let’s enumerate the above Azure AD sync scheduler settings.

Azure AD sync scheduler settings

AllowedSyncCycleInterval: It specifies Azure AD’s minimum synchronization interval. This is the maximum supported synchronization frequency.

CurrentlyEffectiveSyncCycleInterval: This displays the schedule currently in effect.

CustomizedSyncCycleInterval: Configure this parameter, if you want the scheduler to operate at a frequency other than the default 30 minutes.

NextSyncCyclePolicyType: It’s either Delta or Initial. Specifies whether the next run should merely process delta changes or do a full import and sync. The latter would reprocess any new or updated rules.

NextSyncCycleStartTimeInUTC: This specifies the start time of the next sync cycle.

PurgeRunHistoryInterval: Displays the time operation logs should be kept. Review these logs in the synchronization service manager. The default storage time is 7 days.

SyncCycleEnabled: This specifies whether the scheduler is conducting the import, sync, and export processes as part of its normal operation.

MaintenanceEnabled: This setting shows, if the maintenance process is enabled. It makes updates to the certificates/keys and deletes operations log.

StagingModeEnabled: Indicates whether staging mode is enabled. When this setting is enabled, it disables exports but allows import and synchronization.

SchedulerSuspended: This setting is set by Connect during an upgrade to temporarily block the scheduler from running.

Now let’s see how to force a delta sync by using PowerShell:

Run Azure AD Connect Reports with InfraSOS. Fix Sync Errors

Try us out for Free, Access to all features. – 200+ AD Report templates Available. Easily customise your own AD reports.

Forcing a Delta sync on Azure AD

As illustrated above, a delta sync synchronizes all the changes made since the last sync. Forcing a delta sync is crucial, for example, when you have made key changes to users in your Active Directory, and you’d like the changes to reflect immediately. Carrying out a delta sync, for example, speeds up the sync of a new user to Microsoft 365, enabling the assignment of licenses immediately. 

The following cmdlet must be executed to trigger a Delta Sync in Azure AD:

					Start-ADSyncSyncCycle -PolicyType Delta

A success message in PowerShell window indicates that the command was carried out correctly. However, if there is already a sync running, you’ll get the following error: 

					Sync is already running. Cannot start a new run till this one completes.

It is important to note that the Start-AdSyncSyncCycle command has to be run on the server where the Azure AD Connect tool is installed. However, without even logging in to the server, PowerShell gives administrators the ability to start the sync remotely by executing the following command:

					# Replace LazyServer01 with the computername of the server that has 
# Azure AD Connect installed on it

Invoke-Command -ComputerName LazySrvLab02 -ScriptBlock {
  Start-ADSyncSyncCycle -PolicyType Delta

You should see the following success message, if the command was executed successfully:

Forcing a Full Azure AD sync

You rarely need to do a full Azure Active Directory sync as and Azure AD administrator. A full Azure AD sync takes a lot of time to sync as it goes through all the Active Directory objects and synchronizes them again. The only use case that you need to do a full synchronization is when you change the Azure AD Connect configuration.
However, in case you’d like to run a full Azure AD sync, then use this policy type initial PowerShell command:

					Start-ADSyncSyncCycle -PolicyType Initial

Forcing a sync with the Synchronization Service Manager

Alternatively, you can use the Azure Synchronization Service Manager to force a sync on Azure. In addition to allowing you to manually begin and end synchronization, the pre-installed Azure AD Connect service manager is used to troubleshoot synchronization errors.

To perform a Delta or full sync with the Synchronization Service Manager, please follow these instructions:
1. Launch the Synchronization Service from the Windows Start menu (located under Azure AD Connect).
2. Click on connectors.
3. Then click on the local connector.
4. Click on the Run button on the sidebar.
5. Based on your preference, select either Delta or full Synchronization, and then confirm your selection by clicking Ok.

Modifying the default sync schedule

Azure allows you to make modifications to the sync intervals in the Azure synchronization manager. The default synchronization setting is 30 minutes. Changes to the Azure AD sync time are made with the Set-ADSyncScheduler PowerShell command. 

However, it is important to note that there are upper and lower limits for the Azure AD Sync schedule. For example, the Sync schedule has to run at least once every 7 days. Additionally, the sync cycle only runs once every 30 minutes. Now, with these constraints in mind, let’s use the Set-ADSyncScheduler cmdlet to change the schedule to once every 2 hours: 

					# Run every hour
Set-ADSyncScheduler -CustomizedSyncCycleInterval 02:00:00

# Run once per day
Set-ADSyncScheduler -CustomizedSyncCycleInterval 2.0:0:0

Executing a delta sync after this will ensure that these adjustments are fully applied and activated.

Disabling the Azure AD Sync scheduler

Sometimes, as an Azure AD administrator, you might need to disable the Azure AD Connect sync scheduler. For example, disabling the synchronization manager is necessary, if you have to make many changes to the on-premises Azure AD. Temporarily disable the scheduler and let it kick in later when you are done. To do so, you need to execute the following commands:

					 Set-ADSyncScheduler -SyncCycleEnabled $false


To enable the scheduler, run the following cmdlet:

					 Set-ADSyncScheduler -SyncCycleEnabled $true


Thank you for reading Azure AD Connect Force Sync PowerShell/ Synchronization Service Manager. We shall conclude. 

Azure AD Connect Force Sync Using PowerShell or Synchronization Service Manager (Conclusion)

By default, the sync interval in Azure AD is 30 minutes. However, we can change it or force it when necessary. You can force a sync on Azure either through the GUI (the synchronization manager) or via PowerShell. This article is meant to equip you with the know-how of forcing a sync on your on-premises Active Directory environment by either method.

In the vast majority of situations, a delta sync is sufficient. It enables you to swiftly synchronize the most recent updates from your local AD to Azure AD. Therefore, it is not always necessary to perform a full sync after making modifications to your Azure AD. Furthermore, because passwords are synced every 2 minutes, you do not need to force any synchronization after making such changes. 


Try InfraSOS for FREE

Invite your team and explore InfraSOS features for free

Josiah Mutuma

Josiah Mutuma

Josiah is a tech security expert and has been a writer for over 5 years. Follow this blog to learn more on Microsoft and Cyber security.

Leave a comment

Your email address will not be published. Required fields are marked *