Configure a managed domain to support profile synchronization for SharePoint Server

SharePoint Server includes a User Profile Service that is used for user profile synchronization. To set up the User Profile Service, appropriate permissions need to be granted on an Active Directory domain. For more information, see grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013.

This article explains how you can configure Azure AD Domain Services managed domains to deploy the SharePoint Server User Profile Sync service.


Enable password hash synchronization to Azure AD Domain Services, before you complete the tasks in this article.

Follow the instructions below, depending on the type of users in your Azure AD directory. Complete both sets of instructions if you have a mix of cloud-only and synced user accounts in your Azure AD directory. You may not be able to carry out the following operations in case you are trying to use a B2B Guest account (example , your gmail or MSA from a different Identity provider which we allow) because we do not have the password for these users synced to managed domain as these are guest accounts in the directory. The complete information about these accounts including their passwords would be outside of Azure AD and as this information is not in Azure AD hence it does not even get synced to the managed domain.

The 'AAD DC Service Accounts' group

A security group called 'AAD DC Service Accounts' is available within the 'Users' organizational unit on your managed domain. You can see this group in the Active Directory Users and Computers MMC snap-in on your managed domain.

AAD DC Service Accounts security group

Members of this security group are delegated the following privileges:

  • The 'Replicate Directory Changes' privilege on the root DSE of the managed domain.
  • The 'Replicate Directory Changes' privilege on the Configuration naming context (cn=configuration container) of the managed domain.

This security group is also a member of the built-in group Pre-Windows 2000 Compatible Access.

AAD DC Service Accounts security group

Enable your managed domain to support SharePoint Server user profile sync

You can add the service account used for SharePoint user profile synchronization to the AAD DC Service Accounts group. As a result, the synchronization account gets adequate privileges to replicate changes to the directory. This configuration step enables SharePoint Server user profile sync to work correctly.

AAD DC Service Accounts - add members

AAD DC Service Accounts - add members