Configure Azure Active Directory Domain Services to support user profile synchronization for SharePoint Server

SharePoint Server includes a service to synchronize user profiles. This feature allows user profiles to be stored in a central location and accessible across multiple SharePoint sites and farms. To configure the SharePoint Server user profile service, the appropriate permissions must be granted in an Azure Active Directory Domain Services (Azure AD DS) managed domain. For more information, see user profile synchronization in SharePoint Server.

This article shows you how to configure Azure AD DS to allow the SharePoint Server user profile sync service.

Before you begin

To complete this article, you need the following resources and privileges:

Service accounts overview

In a managed domain, a security group named AAD DC Service Accounts exists as part of the Users organizational unit (OU). Members of this security group are delegated the following privileges:

  • Replicate Directory Changes privilege on the root DSE.
  • Replicate Directory Changes privilege on the Configuration naming context (cn=configuration container).

The AAD DC Service Accounts security group is also a member of the built-in group Pre-Windows 2000 Compatible Access.

When added to this security group, the service account for the SharePoint Server user profile synchronization service is granted the privileges it needs to work correctly.

Enable support for SharePoint Server user profile sync

The service account for SharePoint Server needs adequate privileges to replicate changes to the directory and let SharePoint Server user profile sync work correctly. To provide these privileges, add the service account used for SharePoint user profile synchronization to the AAD DC Service Accounts group.

From your Azure AD DS management VM, complete the following steps:

Note

To edit group membership in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

  1. From the Start screen, select Administrative Tools. A list of the management tools that were installed in the tutorial to create a management VM is shown.

  2. To manage group membership, select Active Directory Administrative Center from the list of administrative tools.

  3. In the left pane, choose your managed domain, such as aaddscontoso.com. A list of existing OUs and resources is shown.

  4. Select the Users OU, then choose the AAD DC Service Accounts security group.

  5. Select Members, then choose Add....

  6. Enter the name of the SharePoint service account, then select OK. In the following example, the SharePoint service account is named spadmin:

    [Screenshot: Add the SharePoint service account to the AAD DC Service Accounts security group]
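The same change can be made and verified from the management VM with the Active Directory PowerShell module. The following script is an added example, not part of the original article or of Microsoft's own tooling; it assumes the RSAT ActiveDirectory module is present on the management VM, that you are signed in as a member of AAD DC Administrators, and it reuses the article's example account name spadmin. Beyond the six steps above, it also checks that the group really carries the Replicate Directory Changes right on the domain and Configuration naming contexts described in the service accounts overview, and lists the group's current membership so that only intended service accounts remain in it.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module (RSAT) is installed on the Azure AD DS management VM and the session
# runs as a member of AAD DC Administrators.
Import-Module ActiveDirectory

$serviceAccount = 'spadmin'                 # article's example account name; replace with yours
$groupName      = 'AAD DC Service Accounts' # group described in the article

# Resolve the group by display name so the sAMAccountName does not need to be known.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found in the managed domain" }

# Step 6 of the article: add the SharePoint user profile sync account to the group.
Add-ADGroupMember -Identity $group -Members $serviceAccount

# Verify the membership took effect.
$members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $serviceAccount) {
    throw "'$serviceAccount' is not a member of '$groupName'"
}
"OK: '$serviceAccount' is a member of '$groupName'"

# Verify the delegated right the article lists. "Replicate Directory Changes"
# is the DS-Replication-Get-Changes extended right; its schema GUID is fixed
# across Active Directory forests.
$replicateChangesGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$rootDse = Get-ADRootDSE
$targets = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    $ace = $acl.Access | Where-Object {
        $_.ObjectType -eq $replicateChangesGuid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $group.SID
    }
    if ($ace) { "OK: '$groupName' has Replicate Directory Changes on $dn" }
    else      { Write-Warning "No Replicate Directory Changes ACE for '$groupName' on $dn" }
}

# Membership of this group grants directory replication rights, so review it
# periodically and remove anything that is not an intended service account.
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName, objectClass
```

The ACL check reads the security descriptor of each naming context through the AD: PowerShell drive and looks for an Allow access control entry whose ObjectType is the DS-Replication-Get-Changes GUID and whose trustee resolves to the group's SID. If the warning fires for either naming context, the group has lost the delegation the article relies on and the SharePoint sync will fail regardless of membership.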