Azure AD Connect Password Reset

Periodic password reset steps for expiring Azure AD Connect accounts.

Relevance

Last Review: January 4, 2022

Product(s): Delta Methodology

Author(s): Kyle Vang

Delta

A cyberist created this article using the patented Delta Method by modernizing a typical approach.

Summary

Many security auditors require Azure Active Directory Connect (AAD Connect) passwords to expire and be reset every 30 to 90 days. After resetting the passwords of the AAD Connect connector-related accounts in Microsoft 365 and in your local on-premises Active Directory, you must manually enter the new passwords into the Synchronization Service Manager; otherwise the connectors keep using the old credentials and synchronization fails.

Requirements

  • Administrative access to Microsoft 365 and your domain
  • Knowledge of how AAD Connect works
  • Knowledge of password resets in on-premises AD and M365
  • PowerShell
  • 15 to 30 minutes of effort

Identify and Reset M365 Connector Account

  1. Log into the device that has AAD Connect installed with administrative privileges.
  2. Search for and open the Synchronization Service Manager application.
  3. Click on the Connectors tab.
  4. You will have two connectors, one referencing your internal domain and the other referencing the onmicrosoft.com domain of your Microsoft 365 tenant.
  5. Right-click on the connector with your internal domain and select Properties.
  6. Click on Connectivity to view the M365 account.
  7. Reset the M365 account in your M365 tenant and re-enter the new password in the dialog from steps 5 and 6.
  8. To reset Microsoft 365 accounts, log into your tenant at portal.office.com with a privileged account.

Identify and Reset local AD Connector Account

  1. Log into the device that has AAD Connect installed with administrative privileges.
  2. Search for and open the Synchronization Service Manager application.
  3. Click on the Connectors tab.
  4. You will have two connectors, one referencing your internal domain and the other referencing the onmicrosoft.com domain of your Microsoft 365 tenant.
  5. Right-click on the onmicrosoft.com domain and go to Properties.
  6. Click on Connect to Active Directory Forest.
  7. Reset the on-premises AD account that is used to authenticate your local domain connector and enter the new password in the dialog from steps 5 and 6.
  8. To reset local on-premises AD accounts, reset them from Active Directory Users and Computers using a privileged account.

Identify and Reset Local Service AAD Account

  1. Log into your AAD Connect device and open Services as an administrator.
  2. Search for Microsoft Azure AD Sync.
  3. Click on the Connectors tab.
  4. Make note of the service account and reset the account's password in AD Users and Computers.
  5. Enter the new password for the Microsoft Azure AD Sync service in the Log On tab.
  6. Restart the Microsoft Azure AD Sync service.

Follow-up

Perform a delta sync from an elevated PowerShell session on the AAD Connect device:

    Start-ADSyncSyncCycle -PolicyType Delta

Then check for errors on the Operations tab of the Synchronization Service Manager and resolve any that appear; a connector that still holds an old password will fail its run here.
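The follow-up step, as an added PowerShell example that is not part of the original article: it confirms the sync service is running and which account it now logs on as, triggers the delta sync, waits for the cycle to finish, and then pulls any errors the service logged during that window. It assumes an elevated session on the AAD Connect server, the service name ADSync, and that the sync service logs to the Application log under the provider name "Directory Synchronization".

```powershell
# Added example, not from the original article.
# Assumptions: elevated PowerShell on the AAD Connect server; service name 'ADSync';
# sync errors are logged to the Application log under 'Directory Synchronization'.
Import-Module ADSync -ErrorAction Stop

# 1. Confirm the sync service is up and report the account it logs on as
$svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
if ($svc.State -ne 'Running') {
    throw "ADSync service is $($svc.State); start it before syncing."
}
Write-Host "ADSync service logs on as: $($svc.StartName)"

# 2. Trigger the delta sync unless a cycle is already running
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    throw "A sync cycle is already in progress; retry later."
}
$started = Get-Date
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 3. Wait (up to 10 minutes) for the cycle to finish
$deadline = $started.AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($inProgress -and (Get-Date) -lt $deadline)
if ($inProgress) { throw "Sync cycle still running after 10 minutes." }

# 4. Surface errors logged during the cycle; a connector still holding
#    an old password shows up here as a failed connector run
$errors = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'   # assumed provider name
    Level        = 2                             # 2 = Error
    StartTime    = $started
} -ErrorAction SilentlyContinue

if ($errors) {
    $errors | Select-Object TimeCreated, Id, Message | Format-List
    throw "Delta sync logged $($errors.Count) error(s); review the Operations tab."
}
Write-Host "Delta sync completed with no errors logged since $started."
```

Run it once per rotation after all three account passwords have been updated, and compare the reported logon account with the one noted in the Services step.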