starbuck3k
Oct 21, 2022

AAD shows source of the Directory Synchronization Service Account as "Windows Server AD". Why?

TLDR: Why does Azure AD show the "directory synchronization service account" created during the installation of Azure AD Connect with a source set to "Windows Server AD"?

 

In Azure AD, when I browse the synchronization account created during the installation of Azure AD Connect, the account "Source" shows as "Windows Server AD", as shown below:

 

 

To reproduce on your tenant:

- From the portal, select the Azure AD module.

- In 'Users', identify the on-prem directory synchronization service account (typically starts with "Sync_"),

- Copy the object identifier

- Return to the 'overview' blade

- In the "Overview" tab, paste the object identifier in the "Search your tenant" input box

- A popup should show the account, click on it

- The profile page of the account should show (p.s. if you know a better way to access this detailed profile page, I am interested 🙂)

- Under "Identity", click "View more", two attributes appear (Directory synced, and Source). 

 

I would have guessed that the synchronization account would show its source set to "Azure Active Directory", but the interface indicates that this account was created in the Windows Server, then synced.

 

As I understood it, Azure AD Connect requests a GA account during installation in order to provision a synchronization account directly into Azure AD. If I am right, why would this account reside in the on-prem server as its "source"?

 

I could not find an explanation for this in the documentation, and I guess I am missing something to fully understand how AAD Connect works.

 

Any help will be greatly appreciated!

  • Shows as "Source Azure Active Directory" here... have you by any chance managed to soft-/hard-match it against some on-premises account? 🙂
    • starbuck3k

      VasilMichev: thank you for your reply. I can't, I only have access to my customers' tenants. I noticed the same "source" at two different/independent locations; other tenants show it as an Azure AD sourced account.
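
Added example, not part of the thread and not code from either poster: one way to check the same information without the portal, assuming the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Users`) is installed and that the portal's "Directory synced" and "Source" fields reflect the user's `onPremises*` properties (an assumption, not confirmed in the thread). It lists accounts whose UPN starts with "Sync_" and flags any that carry on-premises sync attributes, which is what the reply's soft-/hard-match question is asking about.

```powershell
# Read-only scope is sufficient for this check.
Connect-MgGraph -Scopes 'User.Read.All'

# onPremises* properties are not returned by default, so request them explicitly.
$props = @(
    'id', 'displayName', 'userPrincipalName', 'createdDateTime',
    'onPremisesSyncEnabled', 'onPremisesImmutableId',
    'onPremisesSamAccountName', 'onPremisesDistinguishedName',
    'onPremisesLastSyncDateTime'
)

# The "Sync_" prefix is the naming pattern mentioned in the original post.
$syncAccounts = Get-MgUser -All -Property $props `
    -Filter "startswith(userPrincipalName,'Sync_')"

$report = foreach ($u in $syncAccounts) {
    $synced   = $u.OnPremisesSyncEnabled -eq $true          # null means never synced
    $anchored = -not [string]::IsNullOrEmpty($u.OnPremisesImmutableId)

    [pscustomobject]@{
        ObjectId        = $u.Id
        UPN             = $u.UserPrincipalName
        Created         = $u.CreatedDateTime
        DirSyncEnabled  = $synced
        ImmutableId     = $u.OnPremisesImmutableId
        OnPremSam       = $u.OnPremisesSamAccountName
        OnPremDN        = $u.OnPremisesDistinguishedName
        LastOnPremSync  = $u.OnPremisesLastSyncDateTime
        Assessment      = if ($synced -or $anchored) {
                              'Linked to an on-premises object: review'
                          } else {
                              'Cloud-only'
                          }
    }
}

$report | Format-List
```

A populated `OnPremDN` or `OnPremSam` on a flagged account identifies the on-premises object to look up in Active Directory.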
