title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.workload | ms.tgt_pltfrm | ms.devlang | ms.topic | ms.date | ms.author |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Azure Active Directory Domain Services: Enable support for SharePoint User Profile service \| Microsoft Docs | Configure Azure Active Directory Domain Services managed domains to support profile synchronization for SharePoint Server | active-directory-ds | | mahesh-unnikrishnan | stevenpo | curtand | 938a5fbc-2dd1-4759-bcce-628a6e19ab9d | active-directory-ds | identity | na | na | article | 03/06/2017 | maheshu |

SharePoint Server includes a User Profile Service that is used for user profile synchronization. To set up the User Profile Service, appropriate permissions need to be granted on an Active Directory domain. For more information, see "Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013".
This article explains how to configure Azure AD Domain Services managed domains so that you can deploy the SharePoint Server User Profile Sync service.
A security group called 'AAD DC Service Accounts' is available within the 'Users' organizational unit on your managed domain. You can see this group in the Active Directory Users and Computers MMC snap-in on your managed domain.
Members of this security group are delegated the following privileges:
- The 'Replicate Directory Changes' privilege on the root DSE of the managed domain.
- The 'Replicate Directory Changes' privilege on the Configuration naming context (cn=configuration container) of the managed domain.
This security group is also a member of the built-in group Pre-Windows 2000 Compatible Access.
You can add the service account used for SharePoint user profile synchronization to the AAD DC Service Accounts group. As a result, the synchronization account gets adequate privileges to replicate changes to the directory. This configuration step enables SharePoint Server user profile sync to work correctly.
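
The step above can be scripted with the ActiveDirectory PowerShell module from a domain-joined management machine. The following is an added example, not part of the original article: it adds the synchronization account to the group only if it is not already a member, then lists every member so that unexpected holders of the replication privileges are visible. The function name, the account name `sp-upsync` and the `ApprovedMembers` parameter are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example. 'sp-upsync' and the function/parameter names are hypothetical placeholders.

function Add-SharePointSyncAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # sAMAccountName of the SharePoint profile synchronization account.
        [Parameter(Mandatory)] [string] $SyncAccount,
        # Other accounts that are expected to be members of the group.
        [string[]] $ApprovedMembers = @()
    )

    $groupName = 'AAD DC Service Accounts'   # group named in the article
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { throw "Group '$groupName' not found in this domain." }

    # Terminating error if the account does not exist, so a typo never adds the wrong object.
    $user = Get-ADUser -Identity $SyncAccount -ErrorAction Stop

    # Add the account only when it is not already a member (idempotent).
    $members = @(Get-ADGroupMember -Identity $group)
    if ($members.DistinguishedName -notcontains $user.DistinguishedName) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Add to '$groupName'")) {
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
            $members = @(Get-ADGroupMember -Identity $group)
        }
    }

    # Every member holds 'Replicate Directory Changes'; flag anything not expected.
    $expected = @($SyncAccount) + $ApprovedMembers
    foreach ($m in $members) {
        [pscustomobject]@{
            SamAccountName = $m.SamAccountName
            ObjectClass    = $m.objectClass
            Expected       = $expected -contains $m.SamAccountName
        }
    }
}

# Dry run: shows what would change without modifying the group.
Add-SharePointSyncAccount -SyncAccount 'sp-upsync' -WhatIf
```

Remove `-WhatIf` to apply the change. Rows with `Expected` set to `False` are members that were not listed and should be reviewed.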