steve-prentice / autopilot

GNU General Public License v3.0

Potentially dangerous approach - suggested revision #4

Closed Mike-Crowley closed 9 months ago

Mike-Crowley commented 10 months ago

Running Sync this aggressively is explicitly unsupported by Microsoft:

AllowedSyncCycleInterval. The shortest time interval between synchronization cycles allowed by Microsoft Entra ID. You cannot synchronize more frequently than this setting and still be supported.

ref: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler#scheduler-configuration

However, I suspect this is due to a somewhat predictable risk of outrunning their replication, which would be problematic on the import phase of the sync, e.g. you'd get error-exported-changes-not-reimported, and possible errors within Entra somewhere as well. Therefore, you could reduce the risk of your approach by using Invoke-ADSyncSingleObjectSync, and syncing only the new computers, and only outbound. This may also be faster in large environments, where Sync may take a long time to run through many connectors and/or a large metaverse.

If this is still an active project, and you'd like help coding out that approach, let me know.
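The per-object approach sketched above, as an added example that is not code from this repository or from the later pull request: it picks up computer objects created recently in one OU and runs Invoke-ADSyncSingleObjectSync on each, instead of a full delta cycle. The OU path, the lookback window and the dry-run switch are assumptions; it is written to run on the Entra Connect server where the ADSync module lives.

```powershell
# Added example: sync only newly created computers, one object at a time.
# Assumptions: $BaseOu is the OU Autopilot devices land in (placeholder value),
# $LookbackMins is the window in which new objects are expected, and the
# ADSync and ActiveDirectory modules are available on this host.
Import-Module ADSync
Import-Module ActiveDirectory

$BaseOu       = "OU=Autopilot,DC=example,DC=com"   # placeholder OU
$LookbackMins = 10                                 # assumed window
$DryRun       = $true                              # -StagingMode previews without exporting

# A single-object sync must not overlap a scheduled cycle, so check first
# rather than fighting the scheduler for the connector space.
$Scheduler = Get-ADSyncScheduler
if ($Scheduler.SyncCycleInProgress) {
    Write-Warning "A sync cycle is already in progress; not starting a per-object sync."
    return
}
Write-Verbose ("Supported minimum full-cycle interval: {0}" -f $Scheduler.AllowedSyncCycleInterval)

$Since = (Get-Date).AddMinutes(-$LookbackMins)
$NewComputers = Get-ADComputer -SearchBase $BaseOu -Filter { whenCreated -ge $Since } -Properties whenCreated

if (-not $NewComputers) {
    Write-Verbose "No computers created since $Since under $BaseOu."
    return
}

foreach ($Computer in $NewComputers) {
    $syncParams = @{
        DistinguishedName = $Computer.DistinguishedName
        NoHtmlReport      = $true        # skip the on-disk HTML report, keep the JSON result
    }
    if ($DryRun) { $syncParams.StagingMode = $true }

    # Only this object is imported, synchronised and (unless staging) exported;
    # the rest of the metaverse and the other connectors are left alone.
    $Result = Invoke-ADSyncSingleObjectSync @syncParams
    [pscustomobject]@{
        Computer    = $Computer.Name
        WhenCreated = $Computer.whenCreated
        DryRun      = $DryRun
        Result      = $Result
    }
}
```

Set `$DryRun` to `$false` once the staged results look right; the returned JSON is the place to confirm that only the expected attributes would be exported.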

steve-prentice commented 10 months ago

Hey Mike,

We've been running delta syncs for a few years in this style, but yep, completely aware it's not the best idea and is rather outside of what's supported!... but for us it's worked and we've left it alone.

That said, I love your idea, it sounds a far superior way to do things, so yes please to the offer of help. It'd be great to smarten this up a little! Especially if others are using this and like you say if they're in larger orgs it could be very useful to run more efficiently. Thanks. :-)

Mike-Crowley commented 10 months ago

Sounds good. I'll work it out and submit a PR when ready.

Mike-Crowley commented 9 months ago

@steve-prentice , It is not ready for a PR yet, but you can review a draft here: (EDIT) https://github.com/Mike-Crowley/autopilot/blob/Per-Device-Sync/SyncNewAutoPilotComputersandUsersToAAD_v2.ps1

Here is the function I've been using to test fake computer accounts. Please let me know if you think I've missed something by not actually running through the autopilot process.

# Create a test account with a self-signed cert
# $BaseOu (the OU the test object is created in) is now a parameter; it was an
# undefined script-scope variable in the original.
function New-TestComputer {
    param(
        [Parameter(Mandatory)]
        [string]$BaseOu
    )
    $Prefix = "crowleytest"
    $DateSuffix = (Get-Date -Format hmm)
    $Name = $Prefix + $DateSuffix
    $ADComputer_params = @{
        Path        = $BaseOu
        Name        = $Name
        # The original concatenated host name and domain with no separating dot
        DNSHostName = $Name + "." + (Get-CimInstance Win32_ComputerSystem).Domain
        PassThru    = $true
    }
    $NewComputer = New-ADComputer @ADComputer_params
    # Self-signed cert whose subject is the new object's GUID
    $Cert = New-SelfSignedCertificate -Subject $NewComputer.ObjectGUID.Guid -CertStoreLocation Cert:\CurrentUser\My\ -NotBefore (Get-Date)
    # Publish the cert on the computer object, then remove it from the local store
    Set-ADComputer $NewComputer.DistinguishedName -Certificates @{Add = $Cert }
    Remove-Item $Cert.PSPath
}

New-TestComputer -BaseOu "OU=Autopilot,DC=example,DC=com"   # placeholder OU

Mike-Crowley commented 9 months ago

@steve-prentice , would you like this pull request as an update to the existing ps1 file, or would you prefer a v2 file? I ask, because I re-wrote the entire thing.

Mike-Crowley commented 9 months ago

I figured a new version would be less presumptuous. Please see https://github.com/steve-prentice/autopilot/pull/5

steve-prentice commented 9 months ago

Hey @Mike-Crowley, that looks awesome, thank you so much for spending time on this! Loving the re-write... I've had a look and it looks spot on, a much better approach. I've not been able to test it yet, but will do soon I hope. :-) Thanks again. I'm a total newbie at GitHub, but I think your suggestion of a V2 is probably for the best, people can hopefully use that, but fall back to V1 if they are curious etc. I'll go ahead and click Merge pull request and hope it's right! :-)

steve-prentice commented 9 months ago

Thanks again for your help, I'll go ahead and close this. 👍