In this articles series, I will walk you thru step by step to install and configure Azure AD Sync tool to synchronize on prem identities with office 365. You can download the most recent version of Azure AD Sync from Microsoft Website. Let’s get started with part 1 of this series.


Azure Active Directory Sync is the new synchronization service that allow customers to do the following:

  • Synchronize multi-forest Active Directory environments without needing the complete feature set of Forefront Identity Manager 2010 R2.
  • Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
  • Configuring multiple on-premises Exchange organizations to map to a single Azure Active Directory tenant

More details on Azure AD Sync tool can be found on Technet

In this article series, we’ll setup environment for synchronizing on premise users with Office 365 using Azure ADSync Tool and apply different filtering options to synchronize only the required users. Once it’s all done we will upgrade the Azure ADSync tool to the new Azure AD Connect Preview 2 tool.

Azure ADSync Requirements/Prerequisites:

  • Windows Server 2008, 2008R2, 2012, 2012R2
  • .Net framework 4.5 installed
  • PowerShell (preferably PS3 or better)
  • An account with local administrator privileges on your computer to install Azure AD Sync.

Azure AD Sync requires a SQL Server database to store identity data. By default a SQL Express LocalDB (a light version of SQL Server) is installed and the service account for the service is created on the local machine. SQL Server Express has a 10GB size limit that enables you to manage approximately 100.000 objects.



Service Accounts for Azure AD Sync Tool

We need 2 service accounts for Azure AD Sync installation as mentioned below.

  1. Local Active Directory user account
  2. Office 365 user account (Global Admin Rights)

On Premises Service Account to connect to AD DS:

On Prem service account is required to read the user information from local active directory. Additional permissions are required for Password Right Back and other optional features of Azure AD Sync tool. To create a service account on local active directory  –> logon to any writable Domain controller and follow the steps as mentioned below.

  • With an admin account, create a user account in AD for the AAD Sync service account.





  • Once the active directory account is created, login to Azure AD Sync server and add the newly created AD account to local admin groups on the AAD Sync server.


111 112


  • Log off the AAD Sync server and login to the Domain Controller to assign appropriate permissions to the AAD Sync Service Account.
    • On Prem service account required “Replicating Directory Changes” and “Replicating Directory Changes All” permissions in local active directory. To assign these permissions make sure that “Advanced Features” are enabled for the domain


121 122

  • Configure “Reset Password” and “Change Password” extended rights for the AAD Sync service account in Windows 2012 R2. To assign appropriate permissions Right Click on Domain name –> Properties –> Security.






  •  Additional rights that are required for the service account to use the write back feature.
Object Type Data source Attribute Permission / Access Right Inheritance
Contact proxyAddresses Write The child objects only
Group proxyAddresses Write The child objects only
User/InetOrgPerson msExchArchiveStatus Write The child objects only
msExchBlockedSendersHash Write The child objects only
msExchSafeRecipientsHash Write The child objects only
msExchSafeSendersHash Write The child objects only
msExchUCVoiceMailSettings Write The child objects only
msExchUserHoldPolicies Write The child objects only
proxyAddresses Write The child objects only

Office 365 Service Account:

Office 365 Service accounts is used to read & write the user information to office 365 Active directory (Azure Active Directory). Office 365 account needs to be a global admin and password expiry should be set to “NeverExpire” as best practice.

  • Create a user account on Office 365 and assign global admin rights to the account

1 2

  • Set Password to never expire using the PS Cmdlet Set-MsOlUser -UserPrincipalName -PasswordNeverExpires $True



This concludes part 1 of this multi-part article in which I’ve explained the pre-requisities for Azure AD Sync tool and permissions required on both side (local Active Directory and Office 365).

If you want to read the other Parts in this series, then please go to:

Riaz is a technology evangelist with over 8 years of extensive experience with expertise on Identity Management, Exchange Server, Office 365 and a bit of System Center. Riaz is currently working as Lead Consultant. His technical experience is followed by 8 years consulting positions advising both internal and external (local & International) stakeholders/customers on strategic technology selection and adoption along with delivery of solutions across a range of business units. He is a regional lead speaker for Microsoft Office 365 and also speaks in community forums.

Leave a Reply