seeyoujs
(SeeYouJS)
August 27, 2018, 6:10pm
1
This morning when a password was reset for a user in Active Directory, the user’s Office 365 account ended up being deleted for some reason. When we restored his Office 365 mailbox, he was able to log in, but his account now shows as In Cloud. I created a test user to further investigate and they are showing as “In Cloud” in Office 365 instead of “Synced with Active Directory”. Not only that, but I was unable to sign into the Outlook of this test user with the password I created in AD. My thought at this point is that Office 365 is not actually synced with Active Directory.
So, my questions at this point are: how do I tell which OUs are set to actually sync and how do I check if they are syncing if DirSync is showing no errors? What usually causes this and what should be done to avoid this situation in the future?
I went into the DC and Azure AD Connect looks to have never been set up from what I can see and I am unable to access the Synchronization Service Manager as it gives an error message when I connect with the service either not being on or my account not being a member of the required security group. My boss is under the impression that access to Office 365 should just tie to the security group, but it seems like there is an issue.
1 Spice up
DragonsRule
August 27, 2018, 6:19pm
2
Are you using Dirsync? That may be the issue. That was deprecated years ago. You should be using AADConnect.
1 Spice up
seeyoujs
(SeeYouJS)
August 27, 2018, 6:21pm
3
I think I misspoke. I do show AAD Connect Status where it shows the latest directory sync status, so I am assuming that is what we actually had. Before, when I did see an error (unrelated), I believe it said DirSync error, so that may be where some of my confusion is coming from.
DragonsRule
August 27, 2018, 6:22pm
4
SeeYouJS:
I went into the DC and Azure AD Connect looks to have never been set up from what I can see and I am unable to access the Synchronization Service Manager as it gives an error message when I connect with the service either not being on or my account not being a member of the required security group. My boss is under the impression that access to Office 365 should just tie to the security group, but it seems like there is an issue.
Oh. I would open a ticket with O365 support. They will remote in and help you get it properly configured.
da-schmoo
(Da_Schmoo)
August 27, 2018, 6:23pm
5
The Home Page of the O365 Portal will show if you are using AADConnect. The box at the upper left will show the AADConnect status and if there is a problem. If the upper left box just says “Active Users” that means you are not using AADConnect.
Some place to start.
1 Spice up
seeyoujs
(SeeYouJS)
August 27, 2018, 6:25pm
6
I checked the O365 Portal page and do show an AADConnect status.
DragonsRule
August 27, 2018, 6:25pm
7
And what’s that status say? How long since last sync?
seeyoujs
(SeeYouJS)
August 27, 2018, 6:27pm
8
It says 25 minutes ago and hasn’t had any errors or anything in the AAD Connect Status section at all today.
DragonsRule
August 27, 2018, 6:29pm
9
Ok, in that case you’ll want to delve into the settings. You are probably correct that it’s not configured for the OUs you think it is.
Connectors, click your domain, Properties, Configure Directory, Containers.
da-schmoo
(Da_Schmoo)
August 27, 2018, 6:29pm
10
Are you running this tool to see the status?
“C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe”
DragonsRule
August 27, 2018, 6:34pm
11
This is what I meant, btw, in my post above. Once you’ve opened that, you would navigate as I listed.
seeyoujs
(SeeYouJS)
August 27, 2018, 6:36pm
12
Thank you! I am unable to access the Synchronization Service Manager as it gives an error message when I connect with the service either not being on or my account not being a member of the required security group.
da-schmoo
(Da_Schmoo)
August 27, 2018, 6:38pm
13
You want to make sure you’re accessing it from the correct server - doesn’t have to be on a DC.
DragonsRule
August 27, 2018, 6:39pm
14
Your user ID does need to be in the proper security group or it won’t work, that’s for sure.
seeyoujs
(SeeYouJS)
August 27, 2018, 6:42pm
15
Figured out which account through AAD Connect on the server. I am now logged in as that and am able to access it. Am going to be going through the steps shortly.
1 Spice up
seeyoujs
(SeeYouJS)
August 27, 2018, 6:46pm
16
Looks like the correct containers are checked. Hmmmm…trying to figure out how the users in that OU are getting set to In-Cloud then.
DragonsRule
August 27, 2018, 6:48pm
17
AADConnect is one way - items in AD get moved to O365. If you create something new in O365 it will be cloud only.
seeyoujs
(SeeYouJS)
August 27, 2018, 6:50pm
18
Absolutely! In this case, I created it in AD though and showed that.
I am checking the Server Manager and am showing the following error over and over:
"The management agent “domain.name” completed run profile “Delta Import” with a delta import or delta synchronization step type. The rules configuration has changed since the last full synchronization.
User Action
To ensure the updated rules are applied to all objects, a run with step type of full synchronization should be completed."
DragonsRule
August 27, 2018, 6:56pm
19
Ah, I’ve run into that before. I believe the solution was to run this in PS:
Start-ADSyncSyncCycle -PolicyType Delta
But, if that doesn’t work, definitely open a ticket. The O365 support people are, in my experience, very helpful.
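Added example, not part of any post in this thread: the checks discussed above (scheduler status, which containers are in scope, a sync cycle) done from PowerShell on the Azure AD Connect server. The event text quoted in the thread asks for a full synchronization, which is what `-PolicyType Initial` runs, while `Delta` processes only changes. Assumptions: the ADSync module installed with Azure AD Connect, an account in the ADSyncAdmins group, and a placeholder export path.

```powershell
# Added example. Run elevated on the Azure AD Connect server (it does not
# have to be a DC) as a member of ADSyncAdmins (assumed default group name).
Import-Module ADSync

# 1. Scheduler state. In staging mode the server imports and synchronizes
#    but exports nothing to Azure AD.
$scheduler = Get-ADSyncScheduler
$scheduler | Format-List SyncCycleEnabled, StagingModeEnabled,
    SyncCycleInProgress, NextSyncCyclePolicyType

# 2. Containers (OUs) each connector is scoped to. Same data as the GUI path:
#    Connectors, your domain, Properties, Configure Directory, Containers.
$scope = foreach ($connector in Get-ADSyncConnector) {
    foreach ($partition in $connector.Partitions) {
        [pscustomobject]@{
            Connector = $connector.Name
            Partition = $partition.Name
            Included  = $partition.ConnectorPartitionScope.ContainerInclusionList -join '; '
            Excluded  = $partition.ConnectorPartitionScope.ContainerExclusionList -join '; '
        }
    }
}
$scope | Format-List

# 3. Export the current sync configuration before changing anything.
#    Placeholder path; use a new folder for each export.
$backupDir = "C:\Temp\AADConnectConfig-$(Get-Date -Format yyyyMMdd-HHmmss)"
Get-ADSyncServerConfiguration -Path $backupDir

# 4. Run a full cycle (full import and full synchronization on all connectors).
if ($scheduler.StagingModeEnabled) {
    Write-Warning 'Staging mode is on: a sync cycle will not export to Azure AD.'
}
if ($scheduler.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; wait for it to finish.'
} else {
    Start-ADSyncSyncCycle -PolicyType Initial
}

# 5. Wait for the cycle to finish, then confirm the scheduler is idle again.
Start-Sleep -Seconds 10
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
Get-ADSyncScheduler | Format-List SyncCycleInProgress, NextSyncCyclePolicyType
```

If the OU of the affected user is missing from `Included` or listed under `Excluded`, new accounts there never reach the connector and stay "In Cloud" when created separately in Office 365.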
seeyoujs
(SeeYouJS)
August 27, 2018, 6:58pm
20
Will do! Should I back up anything? Are there any anticipated issues when forcing a full sync?