Azure AD Connect Password Reset
Periodic password reset steps for expiring AAD Connect accounts.
Relevance
Last Review: January 4, 2022
Product(s): Delta Methodology
Author(s): Kyle Vang
Delta
A cyberist created this article using the patented Delta Method by modernizing a typical approach.
Summary
Many security auditors require Azure Active Directory Connect (AAD Connect) passwords to expire and be reset every 30 to 90 days. After resetting the passwords of the AAD Connect connector-related accounts in Microsoft 365 and in your local on-premises Active Directory, you must manually enter the new passwords into the Synchronization Service Manager.
Requirements
- Administrative Access to Microsoft 365 and your Domain
- Knowledge of how AADConnect works
- Knowledge of password resets in on-premises AD and M365
- PowerShell
- 15 to 30 minutes effort
Identify and Reset M365 Connector Account
- Log into the device that has AAD Connect installed, with administrative privileges.
- Search and Open the Synchronization Service Manager application.
- Click on the Connectors Tab
- You will have two connectors, one referencing your internal domain and the other referencing the onmicrosoft.com domain for your Microsoft 365 tenant.
- Right click on the connector with your internal domain and select Properties.
- Click on Connectivity to view the M365 account.
- Reset the M365 account in your M365 tenant and enter the new password into the connector properties from steps 5 and 6.
- To reset Microsoft 365 accounts, log into your tenant at portal.office.com with a privileged account.
Identify and Reset local AD Connector Account
- Log into the device that has AAD Connect installed, with administrative privileges.
- Search and Open the Synchronization Service Manager application.
- Click on the Connectors Tab
- You will have two connectors, one referencing your internal domain and the other referencing the onmicrosoft.com domain for your Microsoft 365 tenant.
- Right click on the onmicrosoft.com domain and go to Properties.
- Click on Connect to Active Directory Forest.
- Reset the on-premises AD account that authenticates to your local domain connector and enter the new password into the connector properties from steps 5 and 6.
- To reset local on-premises AD accounts, reset from Active Directory Users and Computers using a privileged account.
Identify and Reset Local Service AAD Account
- Log into your AAD Connect device and open Services as an administrator
- Search for Microsoft Azure AD Sync
- Click on the Connectors Tab
- Make note of the service account and reset the account’s password in AD Users and Computers
- Enter the new password for the Microsoft Azure AD Sync service on the Log On tab
- Restart the Microsoft Azure AD Sync service
Follow-up
Perform a delta sync from an elevated PowerShell session on the AAD Connect device:
    Start-ADSyncSyncCycle -PolicyType Delta
Check for errors in Synchronization Service Manager, Operations tab and resolve any errors.
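As an added example (not part of the original article), the following PowerShell script ties the service account step and the follow-up together: it reports which account the Microsoft Azure AD Sync service (service name ADSync) logs on with and how old the on-premises connector account's password is, then runs the delta sync and returns any connector whose last run did not succeed, which is where a password that was reset but not re-entered shows up. It assumes the ADSync and ActiveDirectory modules are present on the AAD Connect server, that it is run elevated, and that the account name MSOL_PLACEHOLDER is replaced with your connector account; Get-ADSyncRunProfileResult requires a reasonably current AAD Connect build.

```powershell
# Added example, not the article's own procedure. Run elevated on the AAD Connect server.
Import-Module ADSync
Import-Module ActiveDirectory

# Show the logon account of the ADSync service and the on-prem connector account's
# password age, so an overdue or not-yet-applied reset is visible before syncing.
function Get-AadConnectAccountState {
    param(
        [string]$OnPremConnectorAccount = 'MSOL_PLACEHOLDER',  # sAMAccountName, placeholder
        [int]$MaxPasswordAgeDays = 90                          # auditor's reset interval
    )
    $svc  = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
    $user = Get-ADUser -Identity $OnPremConnectorAccount -Properties PasswordLastSet
    $age  = (New-TimeSpan -Start $user.PasswordLastSet -End (Get-Date)).Days
    [pscustomobject]@{
        ServiceLogonAccount = $svc.StartName
        ServiceState        = $svc.State
        ConnectorAccount    = $user.SamAccountName
        PasswordAgeDays     = $age
        NeedsReset          = ($age -ge $MaxPasswordAgeDays)
    }
}

# Run a delta sync, wait for the scheduler to go idle, then return every connector
# whose most recent run profile result is not "success".
function Invoke-AadConnectDeltaSyncCheck {
    param([int]$TimeoutSeconds = 600)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $busy = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($busy -and (Get-Date) -lt $deadline)
    if ($busy) { throw "Delta sync still running after $TimeoutSeconds seconds" }

    foreach ($c in Get-ADSyncConnector) {
        $last = Get-ADSyncRunProfileResult -ConnectorId $c.Identifier -NumberRequested 1
        if ($last -and $last.Result -ne 'success') {
            [pscustomobject]@{ Connector = $c.Name; Result = $last.Result; Ended = $last.EndDate }
        }
    }
}

Get-AadConnectAccountState
Invoke-AadConnectDeltaSyncCheck
```

An empty result from the second function means every connector's last run succeeded; anything it returns should be cross-checked against the Operations tab in Synchronization Service Manager.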