Following my previous post about this preview feature of Azure Active Directory that lets you set up Workplace Join / Register Devices – see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=609 – I ran into an issue. Registered devices are not synced between AD and AAD: devices registered in AD do not show up in the Azure portal, and devices registered in AAD are not synced back to AD.
On the directory sync tool, it shows the following error:
Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The partition filter criteria for management agent "Active Directory Connector" do not include an object with DN "CN=5111aac0-ceae-48fa-885b-cecf9f21bb17,CN=RegisteredDevices,DC=<removed>,DC=<removed>" and object classes msDS-Device.
Of course, there is no RegisteredDevices OU available for selection in the MA; that would have been too simple.
Still, the solution is relatively simple.
On the server where the Azure Active Directory Synchronization tool is installed, open the FIM console (located in the directory "C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\"; run miisclient.exe).
Then go to the Management Agents tab and open the properties of your Active Directory Connector.
Go to the Configure Directory Partitions section, open Select containers for this partition, and enter your AD admin credentials.
Do not change any OU selection (unless you want to update your OU filtering at the same time); click the Advanced button.
Add the DN (Distinguished Name) of the RegisteredDevices container (it should look like CN=RegisteredDevices,DC=<domain>,DC=<top level>, the same container DN that appears in the error above) under Specify additional containers to add, and make sure the Include container option is selected.
Close all windows and, while still in the Management Agents tab, run a full sync:
- Select Active Directory Connector and click Run\Full Import Full Sync
- Select Windows Azure Active Directory Connector and click Run\Full Import Full Sync
- Select Windows Azure Active Directory Connector and click Run\Export
- Select Active Directory Connector and click Run\Export
Et voilà, all registered devices – from AD or AAD – are synced.
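As an added check (this is my own example, not part of the original post or of the sync tool), the PowerShell below builds the RegisteredDevices container DN from the current domain so you can paste the exact value into the MA instead of typing it by hand, and then lists the msDS-Device objects beneath it so you can compare the count with what the Azure portal shows after the Full Import / Full Sync / Export runs. It assumes the RSAT ActiveDirectory module is installed and that the account running it has read access to the domain; the attribute names come from the msDS-Device schema class, so adjust them if your forest differs.

```powershell
# Added example: verify the RegisteredDevices container and enumerate its devices.
# Assumes the RSAT ActiveDirectory module and a domain account with read access.
Import-Module ActiveDirectory

# Build the container DN from the current domain rather than typing it manually;
# this is the value to enter under "Specify additional containers to add".
$domainDn    = (Get-ADDomain).DistinguishedName
$containerDn = "CN=RegisteredDevices,$domainDn"

# 1. Confirm the container exists; Get-ADObject throws if the DN does not resolve.
try {
    $container = Get-ADObject -Identity $containerDn -Properties whenCreated
    Write-Host "Container found: $($container.DistinguishedName) (created $($container.whenCreated))"
} catch {
    Write-Warning "No container at $containerDn - Device Registration has not been set up for this domain"
    return
}

# 2. Enumerate the msDS-Device objects directly beneath the container.
#    Attribute names are from the msDS-Device schema class (assumption: unchanged in your forest).
$devices = @(Get-ADObject -SearchBase $containerDn -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msDS-Device)' `
    -Properties displayName, msDS-DeviceID, msDS-IsEnabled, whenChanged)

Write-Host ("{0} registered device(s) under {1}" -f $devices.Count, $containerDn)
$devices | Select-Object displayName, msDS-DeviceID, msDS-IsEnabled, whenChanged | Format-Table -AutoSize

# 3. Helper: check whether a device DN quoted in a sync error actually exists in AD.
#    Returns $true if the object resolves, $false otherwise.
function Test-RegisteredDeviceDn {
    param([Parameter(Mandatory)][string]$Dn)
    try { [void](Get-ADObject -Identity $Dn); return $true } catch { return $false }
}

# Example (constructed DN, not a real object): paste the DN from your own error message here.
# Test-RegisteredDeviceDn -Dn "CN=<device-guid>,$containerDn"
```

Run it once before changing the MA to confirm the container DN, and again after the four Run steps: the device count under the container should match the devices listed in the Azure portal, and the ProvisioningBySyncRuleException should no longer appear in the sync tool's run history.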