Skip to main content

How to reset the Azure AD Connector account in Azure AD Connect? There are some problems with synchronizing to Azure AD, and we identified that we have to reset the Azure AD Connector account. In this article, you will learn how to change or reset the Azure AD Connector account in Azure AD Connect by creating a new account or reinitializing the account without downtime.

 

Azure AD Connect accounts

Before you start and change the Azure AD Connector account, go through the article Find Azure AD Connect accounts and make yourself familiar with the Azure AD Connect accounts that are being used.

How to change Azure AD Connector account

There are two methods to change the Azure AD Connector account:

  • Change Azure AD Connector account: Create a new Azure AD user account and configure that in Azure AD Connect.
  • Reset Azure AD Connector account: This will reset the password for the service account and update it both in Azure AD and the sync engine.

Method 1. Change Azure AD Connector account

Create Azure AD Connector account

Follow the steps below to create a new user account in Azure AD and give it the least privileges.

  1. Sign in to Microsoft 365 admin center.
  2. Go to Users > Active users.
  3. Click on Add a user.
  4. Fill in the account basics.
  5. Click Next.

Choose the onmicrosoft.com domain and not the domain you added to the Microsoft tenant. That’s because domains can change, and it will give you issues with authentications, and syncing will not work. The onmicrosoft.com domain will always be active, and it’s the default configuration when installing Azure AD Connect.

In our example, the Azure AD Connector account is svc-adconnector@exoip365.onmicrosoft.com.

Change Azure AD Connector account create account
  1. Select Create user without product license.
  2. Click Next.
Change Azure AD Connector account  without product license
  1. Click on Roles to expand the section.
  2. Select Admin center access.
Change Azure AD Connector account roles
  1. Click on Show all by category to expand its section.
  2. Select the checkbox Hybrid Identity Administrator
  3. Click Next.

Read more about the Azure AD built-in roles.

Change Azure AD Connector account Hybrid Identity Administrator
  1. Review the account and click on Finish adding.
Change Azure AD Connector account review

Configure Azure AD Connector account

  1. Sign in to the Azure AD Connect server.
  2. Start Synchronization Service Manager.
  3. Click on Connectors.
  4. Select the Microsoft domain (.onmicrosoft.com).
  5. Click on Properties.

In our example, it’s the Microsoft domain exoip365.onmicrosoft.com – AAD.

Change Azure AD Connector account connectors
  1. Click on Connectivity.
  2. Fill in the Azure AD Connector account credentials you created in the previous step.
  3. Click OK.

Note: If the credentials are incorrect, you will get an error because it will immediately check against Azure AD.

Change Azure AD Connector account connectivity
  1. Click OK.
  1. Click OK.
  1. Last time on OK.

Force sync Azure AD Connect

Now that the Azure AD Connector account has been successfully changed,force sync Azure AD Connect and verify that the sync works.

PS C:\> Start-ADSyncSyncCycle -PolicyType Initial

Result
------
Success

Go to the Azure AD Connect synchronization service manager and verify that there are no errors and that the sync status is a success.

Change Azure AD Connector account synchronization service manager

Method 2. Reset Azure AD Connector account

You have to use the cmdlet Add-ADSyncAADServiceAccount to reinitialize the Azure AD Connector account. The cmdlet resets the account password and makes it available to the Azure AD Connect synchronization service.

Note: Nothing will happen to the other Azure AD connect accounts when running the cmdlet, and only the Azure AD Connector account will reinitialize.

Reinitialize Azure AD Connector account

Go through the below steps to reinitialize the Azure AD Connector account with PowerShell:

  1. Sign in to the Azure AD Connect server.
  2. Start Windows PowerShell as administrator.
  3. Import the module ADSync.
PS C:\> Import-Module ADSync
  1. Run the Add-ADSyncAADServiceAccount cmdlet.
PS C:\> Add-ADSyncAADServiceAccount
  1. The password prompt appears.
  2. Fill in the Microsoft 365 global administrator account credentials.
  3. Click on OK.
  1. The modern authentication window appears.
  2. Fill in the Microsoft 365 global administrator account again.
  3. Click Sign in.

The command is successfully run.

Verify Azure AD Connector account

  1. Sign in to the Azure AD Connect server.
  2. Start Synchronization Service Manager.
  3. Click on Connectors.
  4. Select the Microsoft domain (.onmicrosoft.com).
  5. Click on Properties.
  6. Click on Connectivity.
  7. Verify that the UserName starts with Sync_ and the Azure AD Connect server hostname.

In our example, Azure AD Connect is installed on Windows Server DC01-2019. So the UserName starts with Sync_DC01-2019_.

Change Azure AD Connector account connectivity

Force sync Azure AD Connect

Now that the Azure AD Connector account has been successfully reinitialized, force sync Azure AD Connect and verify that the sync works.

PS C:\> Start-ADSyncSyncCycle -PolicyType Initial

Result
------
Success

Go to the Azure AD Connect synchronization service manager and verify that there are no errors and that the sync status is a success.

That’s it!

Leave a Reply