Synchronize your directories
Published: June 8, 2012
Updated: February 20, 2014
Applies To: Office 365, Windows Azure, Windows Intune
The first time you synchronize your directories, a copy of your local users and groups is written to Windows Azure Active Directory (Windows Azure AD). From then on, Active Directory synchronization checks for changes to your local Active Directory and updates Windows Azure AD with those changes.
In this topic, you will run the Windows Azure Active Directory Sync tool Configuration Wizard, which creates an account in your local Active Directory and configures recurring synchronizations from your local Active Directory to Windows Azure AD. You can also force synchronization at any time.
Depending on the version of the Directory Sync tool you have installed, the Windows Azure Active Directory Sync tool Configuration Wizard creates the MSOL_AD_SYNC or AAD_xxxxxxxxxxxx account (where xxxxxxxxxxxx is a 12-character alphanumeric string specific to your installation) in your Active Directory forest, in the standard Users organizational unit in the root domain. Directory synchronization uses this service account to read and synchronize your local Active Directory information. The Configuration Wizard also sets up recurring synchronizations every three hours from your local Active Directory to Windows Azure AD.
To configure directory synchronization, follow these steps.
To start the Configuration Wizard, do one of the following:
- If you are setting up directory synchronization for the first time, on the last page of the Windows Azure Active Directory (Windows Azure AD) Sync Setup wizard, select the Start Configuration Wizard now check box, and then click Finish.
- If you are updating the configuration of directory synchronization, click Start, click All Programs, click Windows Azure Active Directory (Windows Azure AD), click Directory Synchronization, and then click Directory Sync Configuration. For more information about updating the configuration of directory synchronization, see Manage directory synchronization.
On the Windows Azure Active Directory (Windows Azure AD) Credentials page, type your cloud administrator credentials, and then click Next.
On the Active Directory Credentials page, type your Active Directory Enterprise Admin Credentials, and then click Next.
Note: These enterprise administrator credentials are not saved. They are not persisted in the computer's memory after the service account is created.
On the Exchange hybrid deployment page, you can activate the Exchange hybrid deployment features if you have Exchange Server 2010 SP1 installed. If you activate the Exchange hybrid deployment features, then the Directory Sync tool will write attribute data back into your on-premises Active Directory.
Note: To begin the first synchronization immediately, leave the Synchronize your directories now check box selected on the Finished page of the wizard.
If you don’t want to wait for the recurring synchronizations that occur every three hours, you can force directory synchronization at any time. For example, if an employee's employment is terminated, you may want to immediately disable or delete their Active Directory account in the cloud if the account was created there, or on-premises if the account was created locally, and then force directory synchronization to prevent that employee’s continued access to your email system and network resources. For more information, see the video How to force directory synchronization.
You can use the directory synchronization Windows PowerShell cmdlet to force synchronization. The cmdlet is installed when you install the Directory Sync tool.
On the computer that is running the Directory Sync tool, navigate to the directory synchronization installation folder. By default, it is located here: %programfiles%\Microsoft Online Directory Sync or %programfiles%\Windows Azure Active Directory Sync (the location depends on the version you have installed).
Double-click DirSyncConfigShell.psc1 to open a Windows PowerShell window with the cmdlets loaded.
In the Windows PowerShell window, type Start-OnlineCoexistenceSync, and then press ENTER.
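The termination scenario and the manual steps above can be combined into one script. This is an added example, not part of the original topic or of the Directory Sync tool; it assumes an elevated session on the Directory Sync computer, that the ActiveDirectory module is installed there, and that the account was created on-premises.

```powershell
# Added example: disable a departing user's on-premises account, then force a sync.
# Assumptions: run elevated on the Directory Sync computer; the ActiveDirectory
# module is available; the account name is supplied by the operator.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

$ErrorActionPreference = 'Stop'

# The installation folder depends on the Directory Sync tool version.
$candidates = @(
    (Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync'),
    (Join-Path $env:ProgramFiles 'Microsoft Online Directory Sync')
)
$console = $candidates |
    ForEach-Object { Join-Path $_ 'DirSyncConfigShell.psc1' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $console) {
    throw 'DirSyncConfigShell.psc1 not found; is the Directory Sync tool installed on this computer?'
}

# Disable the locally created account and confirm the change before syncing.
Import-Module ActiveDirectory
Disable-ADAccount -Identity $SamAccountName
$user = Get-ADUser -Identity $SamAccountName
if ($user.Enabled) {
    throw "Account $SamAccountName is still enabled; synchronization not started."
}

# Load the console file in a child session (the scripted equivalent of
# double-clicking DirSyncConfigShell.psc1) and run the cmdlet.
& powershell.exe -NoProfile -PSConsoleFile $console -Command 'Start-OnlineCoexistenceSync'
if ($LASTEXITCODE -ne 0) {
    throw "Forced synchronization exited with code $LASTEXITCODE."
}

Write-Output "$SamAccountName disabled on-premises; forced synchronization requested."
```

The script only requests the synchronization; confirm that the disabled state has reached Windows Azure AD before treating the access as revoked.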
To verify that your local Active Directory users and groups have synced to Windows Azure AD, either for the first time or in subsequent updates, see Verify directory synchronization.