Find Microsoft Entra Connect Service Accounts: Three Identities, Three Locations

Microsoft Entra Connect uses three different service accounts, each in a different place. When troubleshooting permission errors or stuck syncs, knowing which account does what — and where to look for it — saves real time. This post walks the locations for all three.

The three accounts at a glance

Account	Role	Format	Where to find
AD DS Connector	Reads/writes on-prem AD	`MSOL_xxxx`	Sync Service Mgr > Connectors > on-prem domain > Properties
ADSync Service	Runs the Windows service	`NT SERVICE\ADSync` or `DOMAIN\ADSync_xxx`	`services.msc` > Microsoft Azure AD Sync > Log On
Entra Connector (cloud)	Pushes changes to Entra ID	`Sync_HOST_xxx@tenant.onmicrosoft.com`	Sync Service Mgr > Connectors > cloud connector OR M365 Admin > Health

1. Find the AD DS Connector account

This account allows the Sync Server to read users from on-premises AD and write back information (passwords, etc.) if writeback is enabled.

Method 1 — Synchronization Service Manager (recommended)

Sign in to the Entra Connect server
Start menu > search for Synchronization > click Synchronization Service
Click Connectors tab at the top
Find your on-prem domain connector (e.g., infotechninja.local)
Right-click > Properties
Left menu: Connect to Active Directory Forest
Look at the User name field

Synchronization Service Manager on the Entra Connect server with Connectors tab open showing the on-premises domain connector for infotechninja.local, Properties dialog open on Connect to Active Directory Forest revealing the AD DS Connector account name (typically MSOL_xxxx) — On the Entra Connect server: open **Synchronization Service** manager > Connectors tab > right-click your on-prem domain (e.g., `infotechninja.local`) > Properties > **Connect to Active Directory Forest**. The User name field reveals the AD DS Connector account — usually `MSOL_xxxx` if Express install auto-created it.

If the username starts with MSOL_ (e.g., MSOL_1234abcd), Entra Connect auto-created it during install. This is the standard Express-install pattern.

Method 2 — Entra Connect Configuration Viewer

Microsoft Entra Connect wizard launched from the desktop showing the welcome screen with Configure button visible — Method 2 alternative: launch Microsoft Entra Connect from the desktop. Welcome screen with Configure button.

Open the Microsoft Entra Connect wizard from the desktop.

Entra Connect wizard Tasks page with View or export current configuration option being selected — Configure > **View or export current configuration**.

Click Configure.

Configuration export Next button after selecting view current configuration — Next.

Select View or export current configuration > Next.

Entra Connect Configuration export view listing all current settings with the ACCOUNT property highlighted showing the AD DS Connector account name — Configuration export view shows all current settings. Look for the **ACCOUNT** property — same AD DS Connector account name as Method 1.

Look for the ACCOUNT property in the configuration list. Same account name as Method 1 — just a different way to find it.

2. Find the ADSync Service account

This account runs the background Windows Service (Microsoft Azure AD Sync) and connects to the SQL LocalDB / SQL Server backing the configuration database.

Sign in to the Entra Connect server
Win+R > services.msc
Find Microsoft Azure AD Sync service
Right-click > Properties
Click Log On tab
Look at the This account field

services.msc snap-in with the Microsoft Azure AD Sync service Properties dialog open on the Log On tab showing the This account field that reveals the ADSync Service Account (NT SERVICE\\ADSync for Express, DOMAIN\\ADSync... for Custom installs) — `services.msc` > **Microsoft Azure AD Sync** > Properties > **Log On** tab. The *This account* field shows the ADSync Service Account. Two common values: `NT SERVICE\ADSync` (Virtual Service Account, used by Express install) or `DOMAIN\ADSync_xxxx` (domain user, created by Custom install).

Two common values:

NT SERVICE\ADSync — Virtual Service Account. Standard for Express installs. Auto-managed, no password to track.
DOMAIN\ADSync_xxxx — Domain user account, created during Custom install for environments that prefer named identities.

3. Find the Microsoft Entra Connector (cloud) account

This is the cloud-only identity used by the Sync Engine to push changes from your on-prem server up to Microsoft Entra ID.

Method 1 — Synchronization Service Manager

Open Synchronization Service Manager on the server
Connectors tab
Select the cloud connector (named with your tenant address: infotechninja.onmicrosoft.com)
Right-click > Properties
Left menu: Connectivity
Look at the UserName field

Synchronization Service Manager Connectors tab with the cloud connector tenant.onmicrosoft.com selected, Properties open on Connectivity showing the UserName field with the Sync_HOSTNAME_xxxx@infotechninja.onmicrosoft.com cloud connector account — Cloud connector account: Sync Service Manager > Connectors > the cloud connector (named `infotechninja.onmicrosoft.com`) > Properties > **Connectivity**. UserName shows the `Sync_HOSTNAME_xxxx@infotechninja.onmicrosoft.com` account.

This is the cloud connector account — usually starts with Sync_.

Method 2 — Microsoft 365 Admin Center (no RDP needed)

Sign in to Microsoft 365 Admin Center as Global Admin
Left nav > Health
Select Directory sync status
Look for the Directory sync service account field

Microsoft 365 Admin Center Health > Directory sync status page showing the Directory sync service account field with the Sync_xxx account name visible, the cloud-side way to find this account without needing on-prem RDP” /><figcaption>Method 2 alternative: M365 Admin Center > Health > <strong>Directory sync status</strong> > <em>Directory sync service account</em> field. Same Sync_ account name — visible from cloud without RDP to the server.</figcaption></figure>
<p>Same <code>Sync_xxx</code> account name — visible from the cloud without needing RDP to the server. Useful when troubleshooting from outside the on-prem network.</p>
<h2>Naming conventions</h2>
<p>The cloud connector account follows the format:</p>
<pre><code>Sync_<ServerHostname>_<RandomString>@<tenant>.onmicrosoft.com
e.g., Sync_ECSRV01_a1b2c3d4e5f6@infotechninja.onmicrosoft.com</code></pre>
<p>Properties of this account:</p>
<ul>
<li>Complex auto-generated password</li>
<li>Password never expires</li>
<li>Password rotated automatically by Entra Connect itself</li>
<li><strong>Never modify manually</strong> — will break sync</li>
</ul>
<h2>When each account breaks — the failure modes</h2>
<h3>AD DS Connector account locked or password expired</h3>
<p>Symptom: sync runs report “stopped-server” or “permission-issue” errors. On-prem reads fail. Fix: unlock or reset the password (if it’s a domain account), or recreate via Entra Connect Custom configuration if it was an MSOL_ account that got corrupted.</p>
<h3>ADSync Service account can’t log on</h3>
<p>Symptom: Microsoft Azure AD Sync service won’t start. Event Viewer shows logon failures. Fix: verify the password in services.msc > Log On tab, OR if it’s a Virtual Service Account, check that Network Service permissions on relevant folders are intact.</p>
<h3>Entra Connector token expired or rotated badly</h3>
<p>Symptom: cloud writes fail with auth errors. New Sync runs error out. Fix: re-run Entra Connect wizard with fresh Global Admin credentials — this generates a new Sync_ account or refreshes the existing one’s tokens.</p>
<h2>Things that bite people in this part</h2>
<h3>Modified the Sync_ account manually</h3>
<p>Most common breakage. Admin tries to “clean up” the cloud Sync_ account, changes its password, or assigns roles to it. Sync breaks. Recovery: Connect-MgGraph + delete the bad account + re-run Entra Connect to recreate.</p>
<h3>MSOL_ account treated as a regular service account</h3>
<p>The MSOL_ AD account is auto-managed by Entra Connect. Don’t add it to admin groups, don’t scope special permissions to it manually — the connector handles permissions automatically based on what’s configured.</p>
<h3>Lost track of which account is which</h3>
<p>This post is the answer. Three accounts, three locations. Bookmark.</p>
<h2>What’s next</h2>
<p>For deeper Entra Connect topics — HA setup, password writeback, SSO — see other posts in the <a href=

Tags: #Entra Connect #Microsoft Entra ID #Service Account #Troubleshooting