PowerShell: Report On-Premises Active Directory Accounts that are Synchronized with Azure AD Connect

Organizations that subscribe to Microsoft 365 and also have on-premises IT infrastructure, tend to synchronize accounts from their local Active Directory database(s) to the cloud. Hybrid accounts (synchronized) simplify things like user login and password management.

In the Microsoft 365 portal, you can discern which accounts have been synched from the local Active Directory by their icon. Unfortunately, the on-premises Active Directory database does not have an attribute that indicates when an account has been synched with the cloud. This can lead to confusion.

Azure AD Connect, the tool used to perform the synchronization, has numerous options and features. So many that it can become difficult to tell which accounts have been hybridized and which have not. An administrator may be left attempting to compare the accounts in each database manually.

I was assigned this task for an AD database with more than two-hundred accounts. It wasn’t feasible to compare them one by one. Lucky for me, my PowerShell skills were up to the task. Run the script below, from a system that has both the Active Directory and Azure AD PowerShell modules installed. The report it outputs will show you which on-premises accounts are synchronized to the cloud.

Import-Module ActiveDirectory
Connect-AzureAD

Get-ADUser -Filter {Enabled -EQ $True} -Properties *  | 
    Select-Object DisplayName, SamAccountName, UserPrincipalName, LastLogonDate,           
    @{N="AzureADSynced"; E={(Get-AzureADUser -ObjectID $_.UserPrincipalName |
    Select-Object -Property DirSyncEnabled).DirsyncEnabled}} | 
Export-Csv $env:userprofile\documents\On-Prem_CloudSynced_Accounts.csv