2. Create client application in Azure for the AD Synctool

Note: Please make sure you meet the requirements found here.
We recommend creating the required Azure AD application via PowerShell. Therefore, PowerShell will create the application and displays the required information.

The sync tool requires you to create an application for it in Azure.
This can be done very easily by a script in PowerShell.
We will explain how to do this in this article.

  • Start PowerShell ISE as Admin.
  • Copy the script from the section below and paste it in PowerShell.
  • Let it run.
  • Fill in the Admin credentials of the corresponding Office 365 tenant.
  • Save and copy all the related information.
    The important information from the script is:
    • Tenant ID
    • Tenant Name
    • Client ID
    • Client Secret Key

This information is needed for the next step.


The PowerShell Script as described above:

#Set TLS communication to only 1.2. Other is not supported.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Credentials = Get-Credential
Login-AzureRmAccount $Credentials # Convert the password for W365 format
$SecurePassword = $Credentials.Password
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
$W365Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) $o365user = $Credentials.UserName
$o365password = "$W365Password"

# Get the tenantname from Microsoft
Connect-MsolService -Credential $Credentials
$TenantName = (Get-MsolDomain | Where-Object {$_.Name -like '*.onmicrosoft.com'}).Name.Split('.')[0]

#Fill parameters oAuth2 application
$Operation = "add" #
$Name="Workspace365 AAD Sync" # Name of the application which is created in the Azure AD.
[Parameter(Mandatory=$True)][string[]]$ReplyUrl=@("https://AADSynctool.com") # Check if we are in the correct AD Tenant
$adTenant = ""
if ( $Tenant -like "*.*") {
$adTenant = $Tenant
} else {
$adTenant = "$Tenant.onmicrosoft.com"
$authority = "https://login.microsoftonline.com/$adTenant"
$authorizationEndpoint = "" # Get the AAD tenant ID. The below url can be accessed anonymously
$resp = Invoke-WebRequest $url
if ( $resp.StatusCode -ne "200") {
write-error "Non-existing AAD tenant name - $adtenant"
exit 2
$json = ($resp.Content | ConvertFrom-Json)
$tenantId = $json.authorization_endpoint.Split("/")[3]
$authorizationEndpoint = $json.authorization_endpoint # Get the Graph headers
function GetGraphAuthHeader() { $clientId = "1950a258-227b-4e31-a9cf-717495945fc2" # Set well-known client ID for AzurePowerShell
$resourceAppIdURI = "https://graph.windows.net/" # Resource we want to use
# Create Authentication Context tied to Azure AD Tenant
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $o365user,$o365password
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# Acquire token
$authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $creds)
$authHeader = $authResult.CreateAuthorizationHeader()
$headers = @{"Authorization" = $authHeader; "Content-Type"="application/json"}
return $headers
function DisplayApplication($app) {
write-output "Tenant: $adtenant"
write-output "TenantID: $tenantID"
write-output "Authorization Endpoint: $authorizationEndpoint"
write-output "Client ID is the ApplicationId"
function AddApplication() {
# Create a client secret based on a guid
$clientSecret = [System.Guid]::NewGuid().toString()
$SecureClientSecret = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force
if ( $app -ne $null ) {
write-output "Application already exists. ObjectID $($app.ObjectID)"
} else {
write-output "Creating Application $Name"
Try { $keyDuration = (Get-Date).AddYears(5).ToString('MM-dd-yyyy')
$app = New-AzureRmADApplication -DisplayName $Name -HomePage $AppUrl -IdentifierUris $AppUrl -ReplyUrls $ReplyUrl -Password $SecureClientSecret -EndDate "$keyDuration 00:00:00" } Catch { $keyDuration = (Get-Date).AddYears(5).ToString('dd-MM-yyyy')
$app = New-AzureRmADApplication -DisplayName $Name -HomePage $AppUrl -IdentifierUris $AppUrl -ReplyUrls $ReplyUrl -Password $SecureClientSecret -EndDate "$keyDuration 00:00:00"
write-output "Adding oAuth2 permissions to the application so app can service oAuth2 authentications"
# Add "permissions to other applications" via the Graph API. No Azure Powershell exists (yet)
$headers = GetGraphAuthHeader
$url = "https://graph.windows.net/$adTenant/applications/$($app.ObjectID)?api-version=1.6"
$postData = "{`"requiredResourceAccess`": [
`"resourceAppId`": `"00000002-0000-0000-c000-000000000000`",
`"resourceAccess`": [
`"id`": `"311a71cc-e848-46a1-bdf8-97ff7156d8e6`",
`"type`": `"Scope`"
`"id`": `"78c8a3c8-a07e-4b9e-af1b-b5ccab50a175`",
`"type`": `"Role`"
write-output $url
$result = Invoke-RestMethod -Uri $url -Method "PATCH" -Headers $headers -Body $postData
DisplayApplication $app
write-output "ClientSecret: $clientSecret"
Write-Host "Please go to the Azure portal -> Active Directory -> App registrations -> Workspace365 AAD Sync -> API Permissions -> Click the `"Grant admin consent...`" button on the bottom" -ForegroundColor Cyan
} # Create the switch for the Operations
switch ( $Operation.ToLower() )
"add" { AddApplication }
default { Write-Host "Operation must be get, add, delete, update" }
Have more questions? Submit a request