Configure preferred data location for Microsoft 365 resources.

In this topic, I will guide you through the process of configuring the preferred data location attribute in Microsoft Entra Connect Sync. This attribute is used to specify the geographical location, or region, of a user’s Microsoft 365 data when Multi-Geo capabilities are being utilized. The terms “region” and “geo” are used interchangeably to refer to the geographical location of the user’s data in Microsoft 365.

Supported Multi-Geo locations

For a list of all geos supported by Microsoft Entra Connect, see Microsoft 365 Multi-Geo availability.

Enable synchronization of preferred data location

By default, Microsoft 365 resources for your users are located in the same geographical location as your Microsoft Entra tenant. This means that if the tenant is located in North America, then the users’ Exchange mailboxes will also be located in North America. However, for an organization that operates in multiple countries, this may not be the most optimal solution.

To address this issue, you can set the attribute ‘preferredDataLocation’ to define a user’s geographical location. This will allow you to have a user’s Microsoft 365 resources, such as their mailbox and OneDrive, in the same location as the user, while still maintaining one tenant for your entire organization.

Before you enable synchronization, there are a couple of things to keep in mind:

  • If you haven’t upgraded the Active Directory schema to 2019, you need to decide which on-premises Active Directory attribute to use as the source attribute. It should be a single-valued string type.
  • If you previously configured the preferredDataLocation attribute on existing synchronized User objects in Microsoft Entra ID using Microsoft Graph PowerShell, you must make sure to transfer the attribute values to the corresponding User objects in on-premises Active Directory.
  • Configure the source attribute for a couple of on-premises Active Directory User objects. This can be used for verification later.
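The two preparation points above (carrying over values that were set directly in Microsoft Entra ID, and populating the source attribute on a couple of verification users) can be done from PowerShell. The script below is an added example and is not part of the original post. It assumes the source attribute is msDS-preferredDataLocation (the attribute added by the Windows Server 2019 schema); if you chose a different single-valued string attribute, change $SourceAttribute. The user principal names and geo codes are constructed sample values, and the $KnownGeos list is only a subset used as a sanity check; the authoritative list is the Microsoft 365 Multi-Geo availability page referenced above.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory and
# Microsoft.Graph.Users modules and a Graph session with User.Read.All.
Import-Module ActiveDirectory

$SourceAttribute = 'msDS-preferredDataLocation'   # assumption: 2019 schema attribute

# Constructed sample: verification users and the geo each one should land in.
# Subset of geo codes used only as a sanity check; verify against the Multi-Geo availability list.
$KnownGeos = @('NAM','EUR','APC','AUS','CAN','GBR','JPN','IND','KOR','FRA','ZAF','CHE','ARE','BRA','NOR','DEU')
$TestUsers = @{
    'alice@contoso.example' = 'EUR'
    'bob@contoso.example'   = 'APC'
}

# 1) Seed the source attribute on the verification users (used again in Step 9).
foreach ($upn in $TestUsers.Keys) {
    $geo = $TestUsers[$upn]
    if ($KnownGeos -notcontains $geo) { throw "Unknown geo '$geo' requested for $upn" }
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties $SourceAttribute
    if (-not $adUser) { Write-Warning "No on-premises account for $upn"; continue }
    Set-ADUser -Identity $adUser -Replace @{ $SourceAttribute = $geo }
}

# 2) Carry over preferredDataLocation values that were previously set in Entra ID directly,
#    so they are not lost once the on-premises attribute becomes the source of truth.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
$cloudUsers = Get-MgUser -All -Property 'userPrincipalName,preferredDataLocation,onPremisesSyncEnabled' |
    Where-Object { $_.OnPremisesSyncEnabled -and $_.PreferredDataLocation }

foreach ($u in $cloudUsers) {
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$($u.UserPrincipalName)'" -Properties $SourceAttribute
    if (-not $adUser) { Write-Warning "No on-premises account for $($u.UserPrincipalName)"; continue }
    if ($adUser.$SourceAttribute -eq $u.PreferredDataLocation) { continue }   # already consistent
    Write-Host "$($u.UserPrincipalName): '$($adUser.$SourceAttribute)' -> '$($u.PreferredDataLocation)'"
    Set-ADUser -Identity $adUser -Replace @{ $SourceAttribute = $u.PreferredDataLocation }
}
```

Run it before the sync rules are created, and review the lines printed by the second loop: each one is a user whose cloud value would otherwise differ from what on-premises Active Directory is about to start flowing.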

Step 1: Disable sync scheduler and verify there is no synchronization in progress

To prevent any unintended modifications from being exported to Microsoft Entra ID, ensure that no synchronization occurs when you are in the process of updating synchronization rules. To disable the built-in sync scheduler, follow these steps:

  1. Launch a PowerShell session on the Microsoft Entra Connect server.
  2. Use this cmdlet to disable scheduled synchronization: Set-ADSyncScheduler -SyncCycleEnabled $false.
  3. Start the Synchronization Service Manager by going to START > Synchronization Service.
  4. Select the Operations tab, and confirm there is no operation with the status "in progress".
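The same step can be scripted so that the scheduler is disabled and the script refuses to continue while a run is still active, which is the PowerShell equivalent of checking the Operations tab. This is an added example, not from the original post. It assumes the ADSync module's Get-ADSyncScheduler exposes SyncCycleInProgress and that Get-ADSyncConnectorRunStatus returns one entry per connector that is currently running (and nothing when all connectors are idle).

```powershell
# Added example, not from the original post. Run in an elevated session on the Entra Connect server.
Import-Module ADSync

# Stop the built-in scheduler so no export reaches Entra ID while rules are being edited.
Set-ADSyncScheduler -SyncCycleEnabled $false

$deadline = (Get-Date).AddMinutes(30)
do {
    $scheduler = Get-ADSyncScheduler
    $running   = @(Get-ADSyncConnectorRunStatus)     # assumption: entries only for running connectors
    $busy = [bool]$scheduler.SyncCycleInProgress -or ($running.Count -gt 0)
    if ($busy) {
        Write-Host "Synchronization still in progress (connectors running: $($running.ConnectorName -join ', ')); waiting..."
        Start-Sleep -Seconds 30
    }
} while ($busy -and (Get-Date) -lt $deadline)

if ($busy) { throw 'A synchronization run is still active; do not edit synchronization rules yet.' }
Write-Host "Scheduler disabled (SyncCycleEnabled = $($scheduler.SyncCycleEnabled)); no operation in progress."
```

The 30-minute ceiling is arbitrary; a full import on a large forest can take longer, in which case raise it rather than proceed while a run is active.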

Step 2: Refresh the schema for Active Directory

If you have recently updated your Active Directory schema to 2019 after installing Connect, you may notice that the Connect schema cache does not reflect the changes. To resolve this, you will need to refresh the schema from the wizard so that the updated schema will appear in the Connect UI. Here are the steps to follow:

1. Open the Microsoft Entra Connect wizard from your desktop.

2. Choose the “Refresh directory schema” option and click “Next.”

3. Enter your Microsoft Entra credentials and click “Next.”

4. On the “Refresh Directory Schema” page, make sure all forests are selected, and then click “Next.”

5. Once the refresh process is complete, close the wizard.

By following these steps, you will ensure that Connect is up-to-date with the latest Active Directory schema.

Step 3: Add the source attribute to the on-premises Active Directory Connector schema

This step is only required for those who are running Connect version 1.3.21 or older. If you are using version 1.4.18 or higher, you can skip to step 5.

Not all Microsoft Entra attributes are automatically imported into the on-premises Active Directory connector space. If you have selected an attribute that is not synchronized by default, you will need to import it. To add the source attribute to the list of imported attributes, follow these steps:

1. Go to the Connectors tab in the Synchronization Service Manager.

2. Right-click on the on-premises Active Directory Connector and select Properties.

3. In the pop-up dialog box, navigate to the Select Attributes tab.

4. Make sure that the source attribute you have selected is checked in the attribute list. If you are unable to locate your attribute, check the Show All checkbox.

5. Once you have made your selections, click OK to save the changes.

Step 4: Add preferredDataLocation to the Microsoft Entra Connector schema

Please note that this step is only necessary if you are running Connect version 1.3.21 or older. If you have version 1.4.18 or newer, you can skip to step 5. By default, the preferredDataLocation attribute is not imported into the Microsoft Entra Connector space. To add it to the list of imported attributes, please follow these steps:

1. Navigate to the Connectors tab in the Synchronization Service Manager.

2. Right-click on the Microsoft Entra connector and select Properties.

3. In the pop-up dialog box, go to the Select Attributes tab.

4. Select the preferredDataLocation attribute from the list.

5. Click OK to save your changes.

Step 5: Create an inbound synchronization rule

To allow the attribute value to flow from the source attribute in on-premises Active Directory to the metaverse, we need to create an inbound synchronization rule. Here are the steps to follow:

1. Open the Synchronization Rules Editor by going to START > Synchronization Rules Editor.

2. Set the search filter Direction to Inbound.

3. To create a new inbound rule, select Add new rule.

4. Under the Description tab, provide the following configuration:

Step 6: Create an outbound synchronization rule

To move attribute values from the metaverse to the preferredDataLocation attribute in Microsoft Entra ID, you need to create an outbound synchronization rule. Follow the steps below to create this rule:

1. Open the Synchronization Rules Editor.

2. Set the search filter to “Outbound” in the Direction field.

3. Click on “Add new rule.”

4. Go to the Description tab and provide the required configuration.
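After both rules from Step 5 and Step 6 have been saved, it is worth confirming from PowerShell that exactly one inbound flow (source attribute to the metaverse attribute preferredDataLocation) and one outbound flow (metaverse preferredDataLocation to Microsoft Entra ID) exist and are enabled. The listing below is an added example, not part of the original post or of the Entra Connect product code. It assumes the rule objects returned by Get-ADSyncRule expose Name, Direction, Precedence, Disabled and an AttributeFlowMappings collection whose items carry Source, Destination and FlowType; $SourceAttribute is the same assumption as earlier in this post.

```powershell
# Added example, not from the original post. Lists every attribute flow that touches preferredDataLocation.
Import-Module ADSync
$SourceAttribute = 'msDS-preferredDataLocation'   # assumption: adjust to the attribute you chose

$flows = Get-ADSyncRule | ForEach-Object {
    $rule = $_
    $rule.AttributeFlowMappings |
        Where-Object { $_.Destination -eq 'preferredDataLocation' -or ($_.Source -contains $SourceAttribute) } |
        ForEach-Object {
            [pscustomobject]@{
                Rule        = $rule.Name
                Direction   = $rule.Direction
                Precedence  = $rule.Precedence
                Disabled    = $rule.Disabled
                Source      = ($_.Source -join ',')
                Destination = $_.Destination
                FlowType    = $_.FlowType
            }
        }
}

$flows | Sort-Object Direction, Precedence | Format-Table -AutoSize

$inbound  = @($flows | Where-Object { $_.Direction -eq 'Inbound'  -and $_.Destination -eq 'preferredDataLocation' -and -not $_.Disabled })
$outbound = @($flows | Where-Object { $_.Direction -eq 'Outbound' -and $_.Destination -eq 'preferredDataLocation' -and -not $_.Disabled })

if ($inbound.Count  -ne 1) { Write-Warning "Expected 1 enabled inbound flow to preferredDataLocation, found $($inbound.Count)." }
if ($outbound.Count -ne 1) { Write-Warning "Expected 1 enabled outbound flow to preferredDataLocation, found $($outbound.Count)." }
```

A count above one on either side usually means a rule was cloned or saved twice; two rules writing the same attribute with different precedence will silently let the lower-precedence value win.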

Step 7: Run a full synchronization cycle

In general, a full synchronization cycle is required, because you have added new attributes to both the Active Directory and Microsoft Entra Connector schemas and introduced custom synchronization rules. Verify the changes before exporting them to Microsoft Entra ID. The following steps let you verify the changes while manually running the operations that make up a full synchronization cycle.

  1. Run Full Import on the on-premises Active Directory Connector:
     a. Go to the Connectors tab in the Synchronization Service Manager.
     b. Right-click the on-premises Active Directory Connector, and select Run.
     c. In the dialog box, select Full Import, and select OK.
     d. Wait for the operation to complete.
  2. Run Full Import on the Microsoft Entra Connector:
     a. Right-click the Microsoft Entra Connector, and select Run.
     b. In the dialog box, select Full Import, and select OK.
     c. Wait for the operation to complete.
  3. Verify the synchronization rule changes on an existing User object.

The source attribute from on-premises Active Directory, and preferredDataLocation from Microsoft Entra ID, have been imported into each respective connector space. Before proceeding with the full synchronization step, do a preview on an existing User object in the on-premises Active Directory Connector space. The object you picked should have the source attribute populated. A successful preview with preferredDataLocation populated in the metaverse is a good indicator that you have configured the synchronization rules correctly. For information about how to do a preview, see Verify the change.

  4. Run Full Synchronization on the on-premises Active Directory Connector:
     a. Right-click the on-premises Active Directory Connector, and select Run.
     b. In the dialog box, select Full Synchronization, and select OK.
     c. Wait for the operation to complete.
  5. Verify Pending Exports to Microsoft Entra ID:
     a. Right-click the Microsoft Entra Connector, and select Search Connector Space.
     b. In the Search Connector Space dialog box, set Scope to Pending Export.
     c. Select all three check boxes: Add, Modify, and Delete.
     d. To view the list of objects with changes to be exported, select Search. To examine the changes for a given object, double-click the object.
     e. Verify that the changes are expected.
  6. Run Export on the Microsoft Entra Connector:
     a. Right-click the Microsoft Entra Connector, and select Run.
     b. In the Run Connector dialog box, select Export, and select OK.
     c. Wait for the operation to complete.

Step 8: Re-enable sync scheduler

Re-enable the built-in sync scheduler:

  1. Start a PowerShell session.
  2. Re-enable scheduled synchronization by running this cmdlet: Set-ADSyncScheduler -SyncCycleEnabled $true

Step 9: Verify the result

It is now time to verify the configuration and enable it for your users.

  1. Add the geo to the selected attribute on a user. The list of available geos can be found in this table.
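Once the scheduler has run a cycle (or after the manual export in Step 7), the result can be checked by comparing the on-premises source attribute with preferredDataLocation as Microsoft Entra ID now reports it through Microsoft Graph. This is an added example, not from the original post. It assumes the same $SourceAttribute as earlier, and the user principal names are constructed sample values for the verification users you populated during preparation.

```powershell
# Added example, not from the original post. Requires ActiveDirectory and Microsoft.Graph.Users modules.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$SourceAttribute = 'msDS-preferredDataLocation'                # assumption: adjust to your source attribute
$Upns = @('alice@contoso.example', 'bob@contoso.example')      # constructed sample verification users

$report = foreach ($upn in $Upns) {
    $onPrem = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties $SourceAttribute
    $cloud  = Get-MgUser -UserId $upn -Property 'userPrincipalName,preferredDataLocation' -ErrorAction SilentlyContinue

    $expected = if ($onPrem) { $onPrem.$SourceAttribute } else { $null }
    $actual   = if ($cloud)  { $cloud.PreferredDataLocation } else { $null }

    [pscustomobject]@{
        User    = $upn
        OnPrem  = $expected
        EntraID = $actual
        Status  = if (-not $onPrem -or -not $cloud) { 'Missing object' }
                  elseif (-not $expected)           { 'Source attribute empty' }
                  elseif ($expected -eq $actual)    { 'OK' }
                  else                              { 'Mismatch (not yet exported?)' }
    }
}

$report | Format-Table -AutoSize
```

A row showing "Mismatch" right after the export usually just means the change is still pending; if it persists after another sync cycle, go back to the pending-export check in Step 7 to see whether the object was exported at all.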
