Azure AD Connect: Configure preferred data location for your Microsoft 365 resources - Microsoft Entra (2023)

The purpose of this topic is to walk you through configuring the preferred data location attribute in Azure Active Directory (Azure AD) Connect sync. When someone uses Multi-Geo capabilities in Microsoft 365, you use this attribute to designate the geographic location of the user's Microsoft 365 data. (The terms region and geo are used interchangeably.)

Supported Multi-Geo locations

For a list of all geos supported by Azure AD Connect, see Microsoft 365 Multi-Geo availability.

Enable synchronization of preferred data locations

By default, your users' Microsoft 365 resources are located in the same geo as your Azure AD tenant. For example, if your tenant is located in North America, the users' Exchange mailboxes are also located in North America. For a multinational organization, this might not be optimal.

By setting the preferredDataLocation attribute, you can define a user's geo. You can place the user's Microsoft 365 resources, such as the mailbox and OneDrive, in the same geo as the user, and still have a single tenant for your entire organization.

Important

Effective June 1, 2023, CSP partners can purchase Multi-Geo for at least 5% of their customers' total Microsoft 365 subscription seats.

Customers with an active Enterprise Agreement can also use Multi-Geo. Contact your Microsoft representative for more information.

For a list of all geos supported by Azure AD Connect, see Microsoft 365 Multi-Geo availability.

Azure AD Connect support for synchronization

Azure AD Connect supports synchronization of the preferredDataLocation attribute for User objects in version 1.1.524.0 and later. Specifically:

  • The schema of the User object type in the Azure AD Connector is extended to include the preferredDataLocation attribute. The attribute is a single-valued string.
  • The schema of the Person object type in the metaverse is extended to include the preferredDataLocation attribute. The attribute is a single-valued string.

By default, preferredDataLocation isn't enabled for synchronization. This feature is intended for larger organizations. The Active Directory schema in Windows Server 2019 has an attribute, msDS-preferredDataLocation, that you should use for this purpose. If you haven't updated your Active Directory schema and can't do so, you must identify an attribute to hold the Microsoft 365 geo for your users. The choice will differ for each organization.

Important

Azure AD allows the preferredDataLocation attribute on cloud User objects to be configured directly by using Azure AD PowerShell. To configure this attribute on synchronized User objects, you must use Azure AD Connect.

Before enabling synchronization

The following sections describe the steps to enable synchronization of the preferredDataLocation attribute.

Note

These steps are described in the context of an Azure AD deployment with a single-forest topology and no custom sync rules. If you have a multi-forest topology, custom sync rules configured, or a staging server, you must adjust the steps accordingly.

Step 1: Disable the sync scheduler and verify there's no synchronization in progress

To avoid exporting unintended changes to Azure AD, ensure that no sync takes place while you're updating the sync rules. To disable the built-in sync scheduler:

  1. Start a PowerShell session on the Azure AD Connect server.
  2. Disable scheduled sync by running this cmdlet: Set-ADSyncScheduler -SyncCycleEnabled $false
  3. Start the Synchronization Service Manager by going to Start > Synchronization Service.
  4. Select the Operations tab, and confirm that there's no operation with the status "in progress".
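
As an added example (not part of the original article), the following PowerShell performs Step 1 without the GUI: it disables the scheduler, then confirms the sync engine is idle by checking both the scheduler state and the connector run status, waiting for any run that was already executing to finish before you touch the sync rules. The cmdlets come from the ADSync module that ships with Azure AD Connect; the 10-minute timeout and the 30-second polling interval are assumed values.

```powershell
# Added example: stop scheduled sync and confirm the sync engine is idle
# before editing sync rules (Step 1). Run in an elevated PowerShell session
# on the Azure AD Connect server; the ADSync module is installed with Connect.
Import-Module ADSync

# 1. Disable the built-in scheduler so no new sync cycle starts while rules change.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 2. Wait for any cycle or connector run that was already in progress.
#    Get-ADSyncScheduler reports SyncCycleInProgress; Get-ADSyncConnectorRunStatus
#    returns one entry per connector run that is currently executing (nothing when idle).
$timeout = (Get-Date).AddMinutes(10)   # assumed timeout; adjust for your environment
do {
    $scheduler = Get-ADSyncScheduler
    $running   = @(Get-ADSyncConnectorRunStatus)
    $busy      = $scheduler.SyncCycleInProgress -or ($running.Count -gt 0)
    if ($busy) {
        Write-Host "Sync still in progress, waiting..."
        $running | ForEach-Object {
            Write-Host ("  {0}: {1}" -f $_.ConnectorName, $_.RunProfileName)
        }
        Start-Sleep -Seconds 30
    }
} while ($busy -and (Get-Date) -lt $timeout)

if ($busy) {
    throw "Sync operations did not finish within the timeout; do not edit sync rules yet."
}

# 3. Show the final state before proceeding to Step 2: SyncCycleEnabled should be False
#    and SyncCycleInProgress False.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
```

The same scheduler cmdlet with -SyncCycleEnabled $true is what Step 8 later uses to turn the scheduler back on; the idle check matters because an export that runs while a rule is half-configured can push partial attribute changes to Azure AD.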

Step 2: Refresh the directory schema

If you updated the Active Directory schema to 2019 and installed Connect before extending the schema, the Connect schema cache doesn't contain the updated schema. You then need to refresh the schema from the wizard to make the attribute appear in the UI.

  1. Start the Azure AD Connect wizard from the desktop.
  2. Select the option Refresh directory schema, and then select Next.
  3. Enter your Azure AD credentials, and select Next.
  4. On the Refresh Directory Schema page, make sure all forests are selected, and select Next.
  5. When the refresh completes, close the wizard.

Step 3: Add the source attribute to the on-premises Active Directory Connector schema

This step is only required if you're running Connect version 1.3.21 or older. If you're on version 1.4.18 or newer, skip to Step 5.
Not all attributes are imported into the on-premises Active Directory Connector Space. If you've chosen to use an attribute that isn't synchronized by default, you need to import it. To add the source attribute to the list of imported attributes:

  1. Select the Connectors tab in the Synchronization Service Manager.
  2. Right-click the on-premises Active Directory Connector, and select Properties.
  3. In the dialog box that appears, go to the Select Attributes tab.
  4. Make sure the source attribute you've chosen is selected in the attribute list. If you don't see your attribute, select the Show All check box.
  5. To save, select OK.

Step 4: Add preferredDataLocation to the Azure AD Connector schema

This step is only required if you're running Connect version 1.3.21 or older. If you're on version 1.4.18 or newer, skip to Step 5.
By default, the preferredDataLocation attribute isn't imported into the Azure AD Connector Space. To add it to the list of imported attributes:

  1. Select the Connectors tab in the Synchronization Service Manager.
  2. Right-click the Azure AD Connector, and select Properties.
  3. In the dialog box that appears, go to the Select Attributes tab.
  4. Select the preferredDataLocation attribute in the list.
  5. To save, select OK.

Step 5: Create an inbound sync rule

Inbound sync rules allow attribute values to flow from a source attribute in on-premises Active Directory to the metaverse.

  1. Start the Synchronization Rules Editor by going to Start > Synchronization Rules Editor.

  2. Set the search filter Direction to Inbound.

  3. To create a new inbound rule, select Add new rule.

  4. On the Description tab, provide the following configuration:

    Attribute | Value | Details
    Name | Provide a name | For example, "In from AD - User preferredDataLocation"
    Description | Provide a custom description |
    Connected System | Select the on-premises Active Directory Connector |
    Connected System Object Type | user |
    Metaverse Object Type | person |
    Link Type | Join |
    Precedence | Choose a number between 1-99 | 1-99 is reserved for custom sync rules. Don't pick a value that's used by another sync rule.

  5. Keep the Scoping filter empty to include all objects. You might need to tweak the scoping filter according to your Azure AD Connect deployment.

  6. Go to the Transformation tab, and implement the following transformation rule:

    Flow type | Target attribute | Source | Apply once | Merge type
    Direct | preferredDataLocation | Select the source attribute | Unchecked | Update

  7. To create the inbound rule, select Add.

Step 6: Create an outbound sync rule

Outbound sync rules allow attribute values to flow from the metaverse to the preferredDataLocation attribute in Azure AD:

  1. Go to the Synchronization Rules Editor.

  2. Set the search filter Direction to Outbound.

  3. Select Add new rule.

  4. On the Description tab, provide the following configuration:

    Attribute | Value | Details
    Name | Provide a name | For example, "Out to Azure AD - User preferredDataLocation"
    Description | Provide a description |
    Connected System | Select the Azure AD Connector |
    Connected System Object Type | user |
    Metaverse Object Type | person |
    Link Type | Join |
    Precedence | Choose a number between 1-99 | 1-99 is reserved for custom sync rules. Don't pick a value that's used by another sync rule.

  5. Go to the Scoping filter tab, and add a single scoping filter group with two clauses:

    Attribute | Operator | Value
    sourceObjectType | EQUAL | User
    cloudMastered | NOTEQUAL | True

    The scoping filter determines which Azure AD objects this outbound sync rule is applied to. In this example, we use the same scoping filter as the out-of-box (OOB) "Out to Azure AD - User Identity" sync rule. It prevents the sync rule from being applied to User objects that aren't synchronized from on-premises Active Directory. You might need to tweak the scoping filter according to your Azure AD Connect deployment.

  6. Go to the Transformation tab, and implement the following transformation rule:

    Flow type | Target attribute | Source | Apply once | Merge type
    Direct | preferredDataLocation | preferredDataLocation | Unchecked | Update

  7. To create the outbound rule, select Add.
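
As an added example that is not part of the original article, the script below creates the inbound rule from Step 5 and the outbound rule from Step 6 with the ADSync cmdlets instead of clicking through the Synchronization Rules Editor. The cmdlet sequence follows the shape of the script the editor's Export button produces (New-ADSyncRule, Add-ADSyncAttributeFlowMapping, Add-ADSyncScopeConditionGroup, Add-ADSyncRule). The connector names, the source attribute (msDS-preferredDataLocation) and the precedence values 50 and 51 are assumptions; replace them with the values for your deployment.

```powershell
# Added example: create the Step 5 inbound and Step 6 outbound sync rules with the
# ADSync module. Run on the Azure AD Connect server with the scheduler disabled (Step 1).
Import-Module ADSync

$adConnectorName    = 'contoso.com'                     # assumed on-premises AD connector name
$aadConnectorName   = 'contoso.onmicrosoft.com - AAD'   # assumed Azure AD connector name
$sourceAttribute    = 'msDS-preferredDataLocation'      # Windows Server 2019 schema attribute
$inboundPrecedence  = 50                                # assumed; 1-99 is reserved for custom rules
$outboundPrecedence = 51                                # assumed; must not collide with another rule
$noRule             = '00000000-0000-0000-0000-000000000000'

# Fail early if a precedence value is already taken by an existing rule.
$used = (Get-ADSyncRule).Precedence
foreach ($p in @($inboundPrecedence, $outboundPrecedence)) {
    if ($used -contains $p) { throw "Precedence $p is already used by another sync rule." }
}

$adConnector  = Get-ADSyncConnector -Name $adConnectorName
$aadConnector = Get-ADSyncConnector -Name $aadConnectorName

# ---- Step 5: inbound rule, on-premises AD user -> metaverse person, no scoping filter ----
New-ADSyncRule -Name 'In from AD - User preferredDataLocation' `
    -Identifier ([guid]::NewGuid().ToString()) `
    -Description 'Flows the Microsoft 365 geo from the source attribute into the metaverse' `
    -Direction 'Inbound' -Precedence $inboundPrecedence `
    -PrecedenceAfter $noRule -PrecedenceBefore $noRule `
    -SourceObjectType 'user' -TargetObjectType 'person' `
    -Connector $adConnector.Identifier.ToString() -LinkType 'Join' `
    -SoftDeleteExpiry 'False' -ImmutableTag '' -OutVariable syncRule | Out-Null

# Direct flow, Apply Once left unchecked (default), Merge type Update.
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Source @($sourceAttribute) -Destination 'preferredDataLocation' `
    -FlowType 'Direct' -ValueMergeType 'Update' -OutVariable syncRule | Out-Null

Add-ADSyncRule -SynchronizationRule $syncRule[0] | Out-Null

# ---- Step 6: outbound rule, metaverse person -> Azure AD user ----
New-ADSyncRule -Name 'Out to Azure AD - User preferredDataLocation' `
    -Identifier ([guid]::NewGuid().ToString()) `
    -Description 'Flows preferredDataLocation from the metaverse to Azure AD' `
    -Direction 'Outbound' -Precedence $outboundPrecedence `
    -PrecedenceAfter $noRule -PrecedenceBefore $noRule `
    -SourceObjectType 'person' -TargetObjectType 'user' `
    -Connector $aadConnector.Identifier.ToString() -LinkType 'Join' `
    -SoftDeleteExpiry 'False' -ImmutableTag '' -OutVariable syncRule | Out-Null

# Scoping filter copied from the out-of-box "Out to Azure AD - User Identity" rule:
# only objects synchronized from on-premises AD (sourceObjectType = User, cloudMastered != True).
$scopeType = 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition'
$cond0 = New-Object -TypeName $scopeType -ArgumentList 'sourceObjectType', 'User', 'EQUAL'
$cond1 = New-Object -TypeName $scopeType -ArgumentList 'cloudMastered', 'True', 'NOTEQUAL'
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($cond0, $cond1) -OutVariable syncRule | Out-Null

Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Source @('preferredDataLocation') -Destination 'preferredDataLocation' `
    -FlowType 'Direct' -ValueMergeType 'Update' -OutVariable syncRule | Out-Null

Add-ADSyncRule -SynchronizationRule $syncRule[0] | Out-Null

# Confirm both rules exist with the expected direction and precedence.
Get-ADSyncRule | Where-Object { $_.Name -like '*preferredDataLocation*' } |
    Select-Object Name, Direction, Precedence
```

The precedence check is the part most worth keeping even if you create the rules in the editor: two custom rules with the same precedence are a common cause of an attribute flowing from the wrong rule, and the editor only warns about it at save time.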

Step 7: Run a full sync cycle

A full sync cycle is generally required. This is because you've added new attributes to the Active Directory and Azure AD Connector schemas and introduced custom sync rules. You want to verify the changes before exporting them to Azure AD. You can use the following steps to verify the changes while manually running the steps that make up a full sync cycle.

  1. Run Full import on the on-premises Active Directory Connector:

    1. Go to the Connectors tab in the Synchronization Service Manager.

    2. Right-click the on-premises Active Directory Connector, and select Run.

    3. In the dialog box, select Full Import, and select OK.

    4. Wait for the operation to complete.

      Note

      You can skip Full import on the on-premises Active Directory Connector if the source attribute is already included in the list of imported attributes. In other words, you didn't have to make any change in Step 2 earlier in this article.

  2. Run Full import on the Azure AD Connector:

    1. Right-click the Azure AD Connector, and select Run.
    2. In the dialog box, select Full Import, and select OK.
    3. Wait for the operation to complete.
  3. Verify the sync rule changes on an existing User object.

    The source attribute from on-premises Active Directory and preferredDataLocation from Azure AD have now been imported into their respective connector spaces. Before proceeding with a full synchronization step, do a preview on an existing User object in the on-premises Active Directory Connector Space. The object you pick should have the source attribute populated. A successful preview with preferredDataLocation populated in the metaverse is a good indicator that you've configured the sync rules correctly. For information about how to do a preview, see Verify the change.

  4. Run Full synchronization on the on-premises Active Directory Connector:

    1. Right-click the on-premises Active Directory Connector, and select Run.
    2. In the dialog box, select Full Synchronization, and select OK.
    3. Wait for the operation to complete.
  5. Verify pending exports to Azure AD:

    1. Right-click the Azure AD Connector, and select Search Connector Space.

    2. In the Search Connector Space dialog box:

      a. Set Scope to Pending Export.
      b. Select all three check boxes, including Add, Modify, and Delete.
      c. To get the list of objects with changes to be exported, select Search. To examine the changes for a given object, double-click the object.
      d. Verify that the changes are expected.

  6. Run Export on the Azure AD Connector:

    1. Right-click the Azure AD Connector, and select Run.
    2. In the Run Connector dialog box, select Export, and select OK.
    3. Wait for the operation to complete.

Note

You may notice that these steps don't include the Full Synchronization step on the Azure AD Connector or the Export step on the Active Directory Connector. These steps aren't required because the attribute values flow only from on-premises Active Directory to Azure AD.

Step 8: Re-enable the sync schedule

Re-enable the built-in sync scheduler:

  1. Start a PowerShell session.
  2. Re-enable scheduled sync by running this cmdlet: Set-ADSyncScheduler -SyncCycleEnabled $true

Step 9: Check the results

It's time to verify the configuration and enable it for users.

  1. Add the geo to the attribute on the selected users. The list of available geos can be found in this table.
  2. Wait for the attribute to be synchronized to Azure AD.
  3. Using Exchange Online PowerShell, verify that the mailbox region is set correctly.
    Assuming your tenant has been marked as eligible for this feature, the mailbox is moved to the correct geo. You can verify this by looking at the name of the server where the mailbox is located.
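
As an added example (not from the original article), the following PowerShell walks Step 9 end to end for one test user: it writes the geo into the on-premises source attribute, then, once the value has synchronized, checks preferredDataLocation on the Azure AD user through Microsoft Graph PowerShell and the mailbox region and hosting server through Exchange Online PowerShell. The user alice@contoso.com, the sAMAccountName, the geo code EUR and the attribute name msDS-preferredDataLocation are assumed values; take the geo code from the Multi-Geo table the article refers to.

```powershell
# Added example: set and verify the preferred data location for one test user (Step 9).
# Part 1 runs where the RSAT ActiveDirectory module is available; parts 2 and 3 run after
# the next sync cycle, with the Microsoft.Graph and ExchangeOnlineManagement modules.
$upn       = 'alice@contoso.com'            # assumed test user
$samName   = 'alice'                         # assumed sAMAccountName of the same user
$geo       = 'EUR'                           # sample geo code; use a value from the Multi-Geo table
$attribute = 'msDS-preferredDataLocation'    # Windows Server 2019 schema attribute

# --- Part 1 (on-premises AD): write the geo to the source attribute and read it back ---
Import-Module ActiveDirectory
Set-ADUser -Identity $samName -Replace @{ $attribute = $geo }
Get-ADUser -Identity $samName -Properties $attribute |
    Select-Object UserPrincipalName, $attribute

# --- Part 2 (after the value has synchronized): confirm it reached Azure AD ---
# The outbound rule from Step 6 only writes preferredDataLocation for users that are
# not cloud-mastered, so a mismatch here usually points at scoping or a pending export.
Connect-MgGraph -Scopes 'User.Read.All'
$cloudUser = Get-MgUser -UserId $upn -Property 'userPrincipalName', 'preferredDataLocation'
if ($cloudUser.PreferredDataLocation -ne $geo) {
    Write-Warning ("preferredDataLocation in Azure AD is '{0}', expected '{1}'. " +
                   "Check the sync rules and the pending exports on the Azure AD Connector." -f
                   $cloudUser.PreferredDataLocation, $geo)
} else {
    Write-Host "Azure AD shows preferredDataLocation = $geo for $upn"
}

# --- Part 3 (Exchange Online): confirm the mailbox region and where the mailbox is hosted ---
# MailboxRegion should match the geo once the mailbox move has completed; the Database and
# ServerName values show the location the article tells you to inspect.
Connect-ExchangeOnline
Get-Mailbox -Identity $upn | Format-List DisplayName, MailboxRegion, Database, ServerName
```

Run part 1 before Step 2 of the checklist and parts 2 and 3 after the scheduler has completed a cycle (Get-ADSyncScheduler shows the next start time); the mailbox move itself is asynchronous, so MailboxRegion can lag behind the Azure AD attribute.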

Next steps

Learn more about Multi-Geo in Microsoft 365:

Learn more about the configuration model in the sync engine:

  • Read more about the configuration model in Understanding Declarative Provisioning.
  • Read more about the expression language in Understanding Declarative Provisioning Expressions.

Overview topics:

  • Azure AD Connect sync: Understand and customize synchronization
  • Integrating your on-premises identities with Azure Active Directory