IT Knowledge Base

User Tools

Site Tools


Contact me at for any feedback or suggestions.

My other sites:

Search all my sites:


Azure AD Connect

Note: All information below is specifically regarding Office 365. This may
change in the future.

Setting up AD Sync for Office 365

Todo: This page needs cleanup

  • Settings / Services & add-ins / Directory Synchronization
  • Go to the DirSync Readiness Wizard
  • Select at least 51 seats so that it says “Directory synchronization is a good solution for you”
  • Setup / Extend Your Setup / Advanced Setup
  • Select the link: “Continue without installing app”
  • Under “Make my own selections”, choose “Sync users and passwords from an on-premises directory” and “No migration or users will move their own
  • email”
  • Start the “Health, readiness, and connectivity checks”
  • Start the setup for “Active Directory synchronization with password synchronization”
  • Go through the documentation. Add UPN suffix in local AD for the primary email domain e.g. (not yourinternaldomain.local)
  • Activate Active Directory Synchronisation
  • Install and run IdFix DirSync Error Remediation tool, fix any errors found. Note: Any account with error “topleveldomain” probably means their
  • UPN is domain.local and they'll need it changed to match their email address on Office 365
  • Download Azure Active Directory Connect, but do not blindly run the installer, read the next section first.

  1. First, create a new OU called “Office 365 Users” beneath the OU where all of your users currently exist. Don't move anyone here yet though (very important!)
  2. Install pre-requisites for Azhure AD Sync. If asked to reboot, you can say “no” until after all of the pre-requisites have been installed
    1. PowerShell 3 (part of the Windows Management Framework 3
    2. Windows Management Framework 4 (ps I think you really do need both, 3 and 4)
    3. .NET 4.5.1 here's 4.5.2
    4. After installing these pre-requisites, you'll need to reboot before it will let you install Azhure AD Sync
  3. During the configuration, before clicking finish, untick ‘Sync my directories’ to avoid the initial sync
  4. When it asks for passwords, for Azure use the admin account that you log in to the Office 365 Portal with, and for the AD account use the customer's “Services” account with non-expiring password. Note this account must be a member of Enterprise Admins
  5. Open the Synchronisation Service Manager miisclient.exe (Note that if you get "Unable to connect to the Synchronization Service" error when you try to open Miisclient.exe in the Azure Active Directory Sync installation folder then chances are good that you can fix it by just running the ADSync setup again (desktop icon “Azure AD Connect”))
  6. Under Connectors, open the connector for “Active Directory Domain Services”
  7. Under 'Configure Directory Partitions’, on the right side of the screen, click the ‘Containers’ button
  8. Enter the password for the Services account with non-expiring password
  9. Now select the OUs that you wish to synchronise (the “SBS Users” OU created above)
  10. Now you can put staff into the Office 365 OU
  11. Before running the first sync, you'll want to change the UPN for all users in that OU, so that it matches the email address for that user (i.e. rather than username@internaldomain.local)
  12. Now force a full sync - Force a Full Sync using DirSync
  13. In the Office 365 Portal, go to Settings > Services & Add-ins > Directory Synchronisation. There you can go to DirSync Management
  14. Check the sync schedule: Get-ADSyncScheduler
  15. Enable it: Set-ADSyncScheduler -SyncCycleEnabled $True
  16. If you got a message about password sync being disabled, run the setup again (desktop icon “Azure AD Connect”) and enable password sync. To be safe, say not to enable the schedule immediately, and double check that msExchMailboxGuid is still excluded from sync, before enabling the schedule again. Check in DirSync Management in the Office 365 Portal to confirm that password sync is now enabled
  17. Azure AD Connect on Domain Controller - additional steps required

Sync when there are existing accounts in Office 365

In most cases it should soft-match based on the primary SMTP address. (see
How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for directory synchronization) If it doesn't, see this page for some ideas:
How to Map OnPrem Active Directory users to existing Office365 Users « Software Development and Infrastructure in the Cloud

  • Make sure the UPN in AD is set correctly - it should match the logon name in Office 365
  • Make sure the primary address matches in both sides
  • Check in Office 365 if they have any aliases. If they do, you'll need to add the ProxyAddress attribute
  • Configure a test case with just one account first, ie create a new OU that is sync'd, eg “Office 365 Users”

Notes on ProxyAddress:

  • All email addresses in ProxyAddresses attribute will be added as either the logon/email address or an alias
  • The logon/email address will be based on the UPN. The is regardless of what the SMTP: ProxyAddress is set to
  • If the UPN doesn't match a domain in Office 365, eg company.local, their logon will be

Password Sync

When Password Sync is enabled, the cloud password for a synchronized user is set to “never expires”. This means that the password synchronized to the cloud is still valid after the on-premises password expires Separate from Password Expiration is the “Account Expires” attribute on an on-premises Active Directory account. The “accountExpires” attribute is not synchronized by DirSync, so Office 365 has no awareness of this expiration value
Some gotchas

azure_ad_connect.txt · Last modified: 2018/05/30 14:03 by Dan Mundy