Changes to Azure AD Connect service account

My AAD Connect service account password needed to be changed recently, which caused some issues.

When changing the password, you need to update it in two places:

  1. Microsoft Azure AD sync service (ADSync)
  2. Synchronization Service

I wasn’t aware of #2, which caused an incomplete sync. The symptom was that new users from on-prem AD were not being added to Azure AD, while existing users and groups were not being updated. In addition, my service account got locked out on some occasions, specifically when I forced syncs during troubleshooting, because the Synchronization Service kept trying to bind with the old password.

To remedy the Synchronization Service, do the following:

  1. Open the Synchronization Service GUI
  2. Click “Connectors” (top of window)
  3. Right click the connector for your on-prem AD
  4. Select “Connect to Active Directory Forest”
  5. Type in updated user information (typically just an updated password)

You can test the sync by running the PowerShell command:

This will run a delta sync of your on-prem AD objects to AAD.
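The following PowerShell is an added example, not a command from the original post. It checks whether the connector account is currently locked out (the lockout symptom described above), then triggers a delta sync only if no cycle is already running and polls the connector status until the run completes. It assumes it is run on the Azure AD Connect server with the ADSync module (installed with Azure AD Connect) and the ActiveDirectory RSAT module available; the account name `svc-aadconnect` is a constructed placeholder.

```powershell
# Added example (not from the original post): check the connector account
# for lockout, then run and monitor a delta sync on the AAD Connect server.
Import-Module ADSync
Import-Module ActiveDirectory

# Constructed placeholder: the on-prem account the AD connector binds with.
$connectorAccount = 'svc-aadconnect'

# A stale password left in the Synchronization Service connector produces
# repeated failed binds, which is what locks the account out. Stop here if
# that has already happened so forced syncs do not make it worse.
$locked = Search-ADAccount -LockedOut | Where-Object { $_.SamAccountName -eq $connectorAccount }
if ($locked) {
    Write-Warning "$connectorAccount is locked out. Update the connector credential in the Synchronization Service GUI, unlock the account, then retry."
    return
}

# Do not start a second cycle on top of one that is already running.
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    Write-Output 'A sync cycle is already in progress; wait for it to finish.'
    return
}

# Request a delta sync of on-prem AD objects to Azure AD.
Start-ADSyncSyncCycle -PolicyType Delta

# Poll the connector run status; an empty result means no run is active.
do {
    Start-Sleep -Seconds 10
    $status = Get-ADSyncConnectorRunStatus
    foreach ($run in $status) {
        Write-Output ("Running: {0} ({1})" -f $run.ConnectorName, $run.RunState)
    }
} while ($status)

Write-Output 'Delta sync finished. Check the Synchronization Service Operations tab for any errors.'
```

If the run ends quickly but new on-prem users still do not appear, look at the run profile result in the Operations tab of the Synchronization Service: a connector that still holds the old password shows a failed import step rather than a successful delta.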

Convert Azure AD users from Guest to Member

“Why on earth would you do this?” may be the first thing you ask. Well, if your organization has multiple Azure AD (AAD) directories, perhaps due to security requirements, mergers or acquisitions, it may be a good idea to add guest users from other AAD directories as members.

First of all, the main difference between a Guest and a Member is in the lookup rights to the directory. A guest typically cannot look up users and groups the way a Member user can. A member needs this for self-service reasons, and to look up contact information for other users, while you’d typically not want a guest to do that.

In order to convert the user, you currently have to use PowerShell. You need to have the AzureAD module installed on your computer.

  1. Log into your Azure AD tenant:
  2. Convert the user

    You may want to look up the user with Get-AzureADUser first.
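The following PowerShell is an added example, not code from the original post. It carries out both steps above with the AzureAD module: it connects to the tenant, looks the user up by UPN, confirms the object really is a guest before touching it, converts it, and re-reads the object to verify the change. The UPN is a constructed placeholder; guest UPNs in a tenant take the `_domain#EXT#@tenant` shape shown.

```powershell
# Added example (not from the original post): convert one Azure AD guest
# to a member with the AzureAD module, verifying before and after.
Import-Module AzureAD
Connect-AzureAD

# Constructed placeholder UPN for a guest invited from another directory.
$upn = 'jane.doe_contoso.com#EXT#@fabrikam.onmicrosoft.com'

# Look the user up first (the author suggests doing this with Get-AzureADUser).
$user = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
if (-not $user) {
    throw "No user found for $upn"
}

# Only convert objects that are actually guests; leave members alone.
if ($user.UserType -ne 'Guest') {
    Write-Output "$upn is already of type '$($user.UserType)'; nothing to do."
    return
}

# Converting widens what this identity can read in the directory, so log
# exactly which object was changed before changing it.
Write-Output ("Converting {0} ({1}) from Guest to Member" -f $user.DisplayName, $user.ObjectId)
Set-AzureADUser -ObjectId $user.ObjectId -UserType Member

# Re-read the object and show the result.
$after = Get-AzureADUser -ObjectId $user.ObjectId
$after | Select-Object DisplayName, UserPrincipalName, UserType
```

The AzureAD module has since been deprecated in favour of the Microsoft Graph PowerShell SDK, where the equivalent change is made with Update-MgUser and its -UserType parameter; the lookup-and-verify pattern above carries over unchanged.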