Merge pull request #52790 from mahesh-unnikrishnan/master

TrishaMc · web-flow · commit 124fa04d40e7 · 2018-09-19T16:31:01.000-07:00
New article on scoped sync.
diff --git a/articles/active-directory-domain-services/TOC.md b/articles/active-directory-domain-services/TOC.md
@@ -44,6 +44,7 @@
 ### [Create a group managed service account on a managed domain](active-directory-ds-create-gmsa.md)
 ### [Administer group policy on a managed domain](active-directory-ds-admin-guide-administer-group-policy.md)
 ### [Configure password polices on a managed domain](active-directory-ds-password-policy.md)
+### [Configure scoped synchronization from Azure AD to a managed domain](active-directory-ds-scoped-synchronization.md)
 ## [Select a virtual network](active-directory-ds-networking.md)
 ## Deploy applications
 ### [Configure support for profile synchronization for SharePoint Server](active-directory-ds-enable-sharepoint-profile-sync.md)
diff --git a/articles/active-directory-domain-services/active-directory-ds-scoped-synchronization.md b/articles/active-directory-domain-services/active-directory-ds-scoped-synchronization.md
@@ -0,0 +1,162 @@
+---
+title: 'Azure Active Directory Domain Services: Scoped synchronization | Microsoft Docs'
+description: Configure scoped synchronization from Azure AD to your managed domains
+services: active-directory-ds
+documentationcenter: ''
+author: mahesh-unnikrishnan
+manager: mtillman
+editor: curtand
+
+ms.assetid: 9389cf0f-0036-4b17-95da-80838edd2225
+ms.service: active-directory
+ms.component: domains
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: article
+ms.date: 09/19/2018
+ms.author: maheshu
+
+---
+# Configure scoped synchronization from Azure AD to your managed domain
+This article shows you how to configure only specific user accounts to be synchronized from your Azure AD directory to your Azure AD Domain Services managed domain.
+
+
+## Group-based scoped synchronization
+By default, all users and groups within your Azure AD directory are synchronized to your managed domain. If the managed domain is being used only by a few users, you may prefer to synchronize only those user accounts to the managed domain. Group-based scoped synchronization enables you to do so. When configured, only user accounts belonging to the groups you've specified are synchronized to the managed domain.
+
+
+## Get started: Install the required PowerShell modules
+
+### Install and configure Azure AD PowerShell
+Follow the instructions in the article to [install the Azure AD PowerShell module and connect to Azure AD](https://docs.microsoft.com/powershell/azure/active-directory/install-adv2?toc=%2fazure%2factive-directory-domain-services%2ftoc.json).
+
+### Install and configure Azure PowerShell
+Follow the instructions in the article to [install the Azure PowerShell module and connect to your Azure subscription](https://docs.microsoft.com/powershell/azure/install-azurerm-ps?toc=%2fazure%2factive-directory-domain-services%2ftoc.json).
+
+
+
+## Enable group-based scoped synchronization
+Complete the following steps to configure group-based scoped synchronization to your managed domain:
+
+1. Select the groups you want to sync and provide the display name of the groups you want synchronized to your managed domain.
+
+2. Save the script in the following section to a file called ```Select-GroupsToSync.ps1```. Execute the script like below:
+
+  ```powershell
+  .\Select-GroupsToSync.ps1 -groupsToAdd @(“GroupName1”, “GroupName2”)
+  ```
+
+3. Now, enable group-based scoped synchronization for the managed domain.
+
+  ```powershell
+  // Login to your Azure AD tenant
+  Login-AzureRmAccount
+
+  // Retrieve the Azure AD Domain Services resource.
+  $DomainServicesResource = Get-AzureRmResource -ResourceType "Microsoft.AAD/DomainServices"
+
+  // Enable group-based scoped synchronization.
+  $enableScopedSync = @{"filteredSync" = "Enabled"}
+
+  Set-AzureRmResource -Id $DomainServicesResource.ResourceId -Properties $enableScopedSync
+  ```
+
+## Disable group-based scoped synchronization
+Use the following PowerShell script to disable group-based scoped synchronization for your managed domain:
+
+```powershell
+// Login to your Azure AD tenant
+Login-AzureRmAccount
+
+// Retrieve the Azure AD Domain Services resource.
+$DomainServicesResource = Get-AzureRmResource -ResourceType "Microsoft.AAD/DomainServices"
+
+// Disable group-based scoped synchronization.
+$disableScopedSync = @{"filteredSync" = "Disabled"}
+
+Set-AzureRmResource -Id $DomainServicesResource.ResourceId -Properties $disableScopedSync
+```
+
+## Script to select groups to synchronize to the managed domain (Select-GroupsToSync.ps1)
+Save the following script to a file (```Select-GroupsToSync.ps1```). This script configures Azure AD Domain Services to synchronize selected groups to the managed domain. All user accounts belonging to the specified groups will be synchronized to the managed domain.
+
+```powershell
+param (
+    [Parameter(Position = 0)]
+    [String[]]$groupsToAdd
+)
+
+Connect-AzureAD
+$sp = Get-AzureADServicePrincipal -Filter "AppId eq '2565bd9d-da50-47d4-8b85-4c97f669dc36'"
+$role = $sp.AppRoles | where-object -FilterScript {$_.DisplayName -eq "User"}
+
+Write-Output "`n****************************************************************************"
+
+Write-Output "Total group-assignments need to be added: $($groupsToAdd.Count)"
+$newGroupIds = New-Object 'System.Collections.Generic.HashSet[string]'
+foreach ($groupName in $groupsToAdd)
+{
+    try
+    {
+        $group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
+        $newGroupIds.Add($group.ObjectId)
+
+        Write-Output "Group-Name: $groupName, Id: $($group.ObjectId)"
+    }
+    catch
+    {
+        Write-Error "Failed to find group: $groupName. Exception: $($_.Exception)."
+    }
+}
+
+Write-Output "****************************************************************************`n"
+Write-Output "`n****************************************************************************"
+
+$currentAssignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId
+Write-Output "Total current group-assignments: $($currentAssignments.Count), SP-ObjectId: $($sp.ObjectId)"
+
+$currAssignedObjectIds = New-Object 'System.Collections.Generic.HashSet[string]'
+foreach ($assignment in $currentAssignments)
+{
+    Write-Output "Assignment-ObjectId: $($assignment.PrincipalId)"
+
+    if ($newGroupIds.Contains($assignment.PrincipalId) -eq $false)
+    {
+        Write-Output "This assignment is not needed anymore. Removing it! Assignment-ObjectId: $($assignment.PrincipalId)"
+        Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $assignment.ObjectId
+    }
+    else
+    {
+        $currAssignedObjectIds.Add($assignment.PrincipalId)
+    }
+}
+
+Write-Output "****************************************************************************`n"
+Write-Output "`n****************************************************************************"
+
+foreach ($id in $newGroupIds)
+{
+    try
+    {
+        if ($currAssignedObjectIds.Contains($id) -eq $false)
+        {
+            Write-Output "Adding new group-assignment. Role-Id: $($role.Id), Group-Object-Id: $id, ResourceId: $($sp.ObjectId)"
+            New-AzureADGroupAppRoleAssignment -Id $role.Id -ObjectId $id -PrincipalId $id -ResourceId $sp.ObjectId
+        }
+        else
+        {
+            Write-Output "Group-ObjectId: $id is already assigned."
+        }
+    }
+    catch
+    {
+        Write-Error "Exception occured assigning Object-ID: $id. Exception: $($_.Exception)."
+    }
+}
+
+Write-Output "****************************************************************************`n"
+```
+
+## Next steps
+* [Understand synchronization in Azure AD Domain Services](active-directory-ds-synchronization.md)
