When installing Azure AD Connect, part of the configuration is creating a user named MSOL_ID, which is used to replicate some or all of the on-premises Active Directory to Azure AD. Securing the AD Connect sync account password is important: this account is sensitive and should be protected, and part of that protection is changing its password.

This post takes you through changing the password of the AD Connect synchronization account (MSOL_).

Prerequisites

  • AD Connect installed and configured
  • Access to the server hosting AD Connect.

This tutorial uses Windows Server 2019 as the Domain Controller and as the host for Azure AD Connect.

It is not recommended to host Azure AD Connect on a Domain Controller, so keep Azure AD Connect on a separate server.

The on-premises domain name is Test.local and the Azure AD tenant name is Powershellonline.onmicrosoft.com.

How to Change AD Connect Sync Account Password

First, you need to log in to the server hosting Azure AD Connect.

  • Click on Start and then click on Azure AD Connect Synchronization Service.
Azure AD Connect Synchronization Service
  • Click on the Synchronization Service.

From the Synchronization Service Manager window, click on Connectors.

Synchronization Service Manager
  • After clicking on Connectors, a list of the on-premises domain and the Azure AD domain is presented.
Synchronization Service Manager, Connector tab
  • Select your on-premises domain (in this tutorial, Test.local) and click on Properties in the Actions panel.
Synchronization Service Manager, Connector tab, Properties
  • From the new window, click on Connect to Active Directory Forest.
Connect to Active Directory Forest

If you don't know the password for this account, reset it in Active Directory. Make sure it is a complex password, then enter it in the password field.

  • Type the new password in the password field and click OK.

Click OK on the warning message.

Warning message after changing the password.

Confirm Password Changes and Functionality

To confirm that all changes were successful and AD Connect is working as expected, start a sync cycle. Open PowerShell and run the following command:

Start-ADSyncSyncCycle -PolicyType Delta

The sync cycle should complete successfully.

Success for password change and ADSync

You can also confirm the result by checking the Operations tab of the Synchronization Service Manager for a successful sync run.

Successful sync after password change
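The verification step above can be scripted so the delta sync and the check of its result happen in one place. This is an added example, not code from the original post; it assumes it is run in an elevated PowerShell session on the Azure AD Connect server where the ADSync module is available, and that the Synchronization Service writes its run events to the Application log under the provider name "Directory Synchronization" (an assumption; adjust the provider name if your server shows a different one).

```powershell
# Added example (not from the original post): run a delta sync after changing the
# MSOL_ account password and check that the connectors finish cleanly.
Import-Module ADSync

# Do not start a new cycle on top of one that is already running.
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    Write-Warning "A sync cycle is already in progress; wait for it to finish and retry."
    return
}

# Same command the post uses to trigger a delta synchronization.
Start-ADSyncSyncCycle -PolicyType Delta

# Poll the scheduler until it reports the cycle has finished (10-minute timeout is arbitrary).
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 10
    $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($inProgress -and (Get-Date) -lt $deadline)

if ($inProgress) {
    Write-Warning "Sync cycle did not finish within the timeout; check the Operations tab."
}

# Connectors still reporting a run state after the cycle point to a stuck or failed run.
Get-ADSyncConnectorRunStatus | Format-Table -AutoSize

# Recent run events from the Synchronization Service (provider name is an assumption).
# Errors or warnings here, e.g. a failed import on the on-premises connector, usually
# mean the connector account password does not match what was set in AD.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    StartTime    = (Get-Date).AddMinutes(-30)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```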

Possible Issues That Can Break the Integration

  • Make sure that the accounts used for the integration are excluded from Conditional Access policies.
  • Check the sign-in log for the accounts used for the integration.
  • Run Start-ADSyncSyncCycle -PolicyType Initial to perform a full synchronization.

Hope this helps.
