
Synchronize your directories

Published: June 8, 2012

Updated: June 20, 2015

Applies To: Azure, Office 365, Windows Intune

The first time you synchronize your directories, a copy of your local users and groups is written to Microsoft Azure Active Directory (Microsoft Azure AD). From then on, Active Directory synchronization checks for changes to your local Active Directory and updates Azure AD with those changes.

In this topic, you will run the Microsoft Azure Active Directory Sync tool Configuration Wizard, which creates an account in your local Active Directory and configures recurring synchronizations from your local Active Directory to Azure AD. You can also force synchronization at any time.

Depending on the version of the Directory Sync tool you have installed, the Microsoft Azure Active Directory Sync tool Configuration Wizard creates the MSOL_AD_SYNC or AAD_xxxxxxxxxxxx account (where xxxxxxxxxxxx is a 12-character alphanumeric string specific to your installation) in your Active Directory forest, in the standard Users container of the root domain. Directory synchronization uses this service account to read and synchronize your local Active Directory information. The Configuration Wizard also sets up recurring synchronizations every three hours from your local Active Directory to Azure AD.

  • Do not move, remove, or change the permissions of the MSOL_AD_SYNC or AAD_xxxxxxxxxxxx account. Moving or removing this account will cause synchronization failures.

  • After you have configured and synchronized the Directory Sync tool for a given cloud tenant organization, you cannot configure the same directory synchronization installation to populate other cloud tenants. If you have already installed and configured the Directory Sync tool and you have signed up for another Azure AD tenant organization, you must install a new instance of the Directory Sync tool.
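Because the synchronization service account must stay where the wizard created it, it is worth checking periodically that nobody has moved or disabled it. The following PowerShell script is an added example and not part of the original article; it assumes the ActiveDirectory module (RSAT) is available on the machine where it runs and relies only on the account names and location the article describes.

```powershell
# Added example, not from the original article: confirm that the DirSync service
# account (MSOL_AD_SYNC or AAD_<12 chars>) still sits in the Users container of the
# forest root domain and is enabled. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# The article states the account is created in CN=Users of the root domain.
$rootDomain = (Get-ADForest).RootDomain
$rootDn     = (Get-ADDomain -Identity $rootDomain).DistinguishedName
$expectedContainer = "CN=Users,$rootDn"

$accounts = Get-ADUser -Server $rootDomain `
    -Filter 'SamAccountName -eq "MSOL_AD_SYNC" -or SamAccountName -like "AAD_*"' `
    -Properties Enabled, DistinguishedName, whenChanged

if (-not $accounts) {
    Write-Warning "No DirSync service account found in $rootDomain; synchronization cannot be running."
    return
}

foreach ($acct in $accounts) {
    # Strip the leading CN=<name>, to get the parent container of the object.
    $parent = $acct.DistinguishedName -replace '^CN=[^,]+,', ''
    $ok = ($parent -eq $expectedContainer) -and $acct.Enabled
    $status = if ($ok) { 'OK' } else { 'ATTENTION' }

    Write-Output ("{0,-9} {1,-20} enabled={2,-5} container={3} lastChanged={4}" -f `
        $status, $acct.SamAccountName, $acct.Enabled, $parent, $acct.whenChanged)

    if (-not $ok) {
        Write-Warning "$($acct.SamAccountName) has been moved or disabled; expect synchronization failures."
    }
}
```

Run it from a host with the RSAT tools under an account that can read the root domain. The whenChanged timestamp gives you a quick indicator of unexpected modifications to an account that holds read access to the whole directory.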

To configure directory synchronization, follow these steps.

  1. To start the Configuration Wizard, do one of the following:

    • If you are setting up directory synchronization for the first time, on the last page of the Microsoft Azure Active Directory (Microsoft Azure AD) Sync Setup wizard, select the Start Configuration Wizard now check box, and then click Finish.

    • If you are updating the configuration of directory synchronization, click Start, click All Programs, click Microsoft Azure Active Directory (Microsoft Azure AD), click Directory Synchronization, and then click Directory Sync Configuration. For more information about updating the configuration of directory synchronization, see Manage directory synchronization.

  2. On the Microsoft Azure Active Directory (Microsoft Azure AD) Credentials page, type your cloud administrator credentials, and then click Next.

  3. On the Active Directory Credentials page, type your Active Directory Enterprise Admin Credentials, and then click Next.

    These enterprise administrator credentials are not saved. They are not persisted in the computer's memory after the service account is created.

  4. On the Exchange hybrid deployment page, you can activate the Exchange hybrid deployment features if you have Exchange Server 2010 SP1 installed. If you activate the Exchange hybrid deployment features, then the Directory Sync tool will write attribute data back into your on-premises Active Directory.

    To begin the first synchronization immediately, leave the Synchronize your directories now check box selected on the Finished page of the wizard.

If you don't want to wait for the recurring synchronizations that occur every three hours, you can force directory synchronization at any time. For example, when an employee's employment is terminated, you may want to immediately disable or delete their Active Directory account (in the cloud if the account was created there, or on-premises if the account was created locally) and then force directory synchronization, so that the employee cannot continue to access your email system and network resources. For more information, see the video How to force directory synchronization.

You can use the directory synchronization Windows PowerShell cmdlet to force synchronization. The cmdlet is installed when you install the Directory Sync tool.

  1. On the computer that is running the Directory Sync tool, start PowerShell, type Import-Module DirSync, and then press ENTER.

  2. Type Start-OnlineCoexistenceSync, and then press ENTER.
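The offboarding scenario described above can be turned into a single script: disable the departing user's on-premises account and then push the change to Azure AD immediately. The script below is an added example, not code from the original article; it assumes the ActiveDirectory module is available on the computer running the Directory Sync tool, and the user name it takes is a constructed sample value.

```powershell
# Added example, not from the original article: disable a departing employee's
# on-premises account and force directory synchronization so the change reaches
# Azure AD now rather than at the next three-hour cycle.
# Run on the computer that hosts the Directory Sync tool.
param(
    # Constructed sample value; pass the real sAMAccountName when running it.
    [string]$UserName = 'jdoe'
)

Import-Module ActiveDirectory   # assumed to be installed (RSAT)
Import-Module DirSync           # installed with the Directory Sync tool, as the article states

$user = Get-ADUser -Identity $UserName -Properties Enabled
if (-not $user.Enabled) {
    Write-Output "$UserName is already disabled on-premises."
} else {
    Disable-ADAccount -Identity $user
    Write-Output "$UserName disabled on-premises at $(Get-Date -Format o)."
}

# Request the synchronization described in the article's two-step procedure.
try {
    Start-OnlineCoexistenceSync
    Write-Output "Directory synchronization requested at $(Get-Date -Format o)."
} catch {
    Write-Error "Start-OnlineCoexistenceSync failed: $($_.Exception.Message)"
}
```

After the script runs, confirm that the disabled state has reached the cloud using the steps in Verify directory synchronization; the cmdlet requests the synchronization, and the account is only blocked in Azure AD once that synchronization has completed.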

To verify that your local Active Directory users and groups have synced to Azure AD, either for the first time or in subsequent updates, see Verify directory synchronization.


© 2016 Microsoft