During the installation of Active Roles’ Synchronization Services, particularly the Back-Sync between Azure Active Directory and on-prem. Active Directory, a critical Powershell script needs to be executed to set up the relevant permissions in the synchronization. The script makes certain assumptions of the Powershell environment that in practice may not be present. If they are not, the script will fail, and the Back-Sync cannot be configured correctly.
The problem is outside the scope of Active Roles’ documentation or Knowledge Base. The Back-Sync script assumes that the NuGet package is installed in the PowerShell environment as it makes calls to this package.
Review of the script highlighted the assumptions of the PowerShell environment and made evident the undocumented dependencies. Three were identified:
- The MS-Online module needs to be installed and imported in the script for cmdlets such as connect-msolservice to be run.
- The MS-Online module is not exposed unless NuGet package is installed
- The NuGet package cannot be installed if the ServicePoint Manager class does not host or support TLS 1.2 interoperability.
Processed as:
- Expose the TLS 1.2 interoperability class to the ServicePoint Manager of Powershell.
- Install the NuGet package for Powershell.
- Install and import the MS-Online module into the script.
Not all deployments go to plan as documented. It is sometimes necessary to pause and look for solutions and experience outside of the Product itself to tools and skills that are not incorporated in the products themselves.