aaaaaaaanonymous
Nov 16, 2020, Copper Contributor
Azure ATP - AD gMSA services accounts to sensor affinity or lack of?
Hi, we have multiple domains and are using gMSA. MS advises there is a limitation on sharing a gMSA across domains. As a result, each domain's sensor will use its own domain's gMSA account. We have 5 domains...
aaaaaaaanonymous
Nov 16, 2020, Copper Contributor
EliOfek Thanks for your reply. Yes, full trust exists: 1 root and 4 child. So are you saying that if I add my sensor DCs from various domains into one group that is PrincipalsAllowedToRetrieveManagedPassword for 1 gMSA, then it should work?
My testing of multiple DC sensor servers from different domains in one group using 1 gMSA: when running Install-ADServiceAccount or Test-ADServiceAccount, it results in errors. Is this the fault of the above 2 commands, where they only send the request to their own domain controllers, but the ATP sensor is smart enough to seek beyond its domain?
EliOfek
Microsoft
Nov 16, 2020
aaaaaaaanonymous Indeed, in our lab Test-ADServiceAccount will also only work in the same domain, but the sensor still works across the forest if permissions were set correctly; I suggest trying it.
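Added example (not code from the thread or from Microsoft): the setup EliOfek describes, one gMSA in the forest root whose PrincipalsAllowedToRetrieveManagedPassword is a universal security group that holds the sensor DCs from several domains. Domain names (corp.example, emea.corp.example), DC names (ROOTDC1, EMEADC1), and the group and gMSA names are assumptions; run it from an account with rights in the root domain.

```powershell
# Added example; all domain, host, group and account names below are assumed.
Import-Module ActiveDirectory

$RootDomain = 'corp.example'          # forest root domain (assumed)
$GroupName  = 'MDI-Sensor-DCs'        # assumed group name
$GmsaName   = 'gMSA-MDISensor'        # assumed gMSA name (max 15 characters)

# A KDS root key must exist in the forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# Universal scope is what lets the group hold computer accounts from every
# domain in the forest; a global group only accepts members of its own domain.
$group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
    -Server $RootDomain -PassThru

# Look up each sensor DC against its own domain, then add them to the group.
$sensorDcs = @(
    Get-ADComputer -Identity 'ROOTDC1' -Server 'corp.example'
    Get-ADComputer -Identity 'EMEADC1' -Server 'emea.corp.example'
)
Add-ADGroupMember -Identity $group -Members $sensorDcs -Server $RootDomain

# Create the gMSA in the root domain; only group members may read its password.
New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$RootDomain" `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES256 -Server $RootDomain

# Check: confirm the retrieval principal is the group, and list its members.
Get-ADServiceAccount -Identity $GmsaName -Server $RootDomain `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
Get-ADGroupMember -Identity $group -Server $RootDomain | Select-Object Name, DistinguishedName

# On each sensor DC, after a restart (the DC's Kerberos token must pick up the
# new group membership), this local check only returns True inside the gMSA's
# own domain, as the thread notes; on child-domain DCs the sensor's own password
# retrieval is the real test, so a False here is expected there.
# Test-ADServiceAccount -Identity $GmsaName
```

Restart each sensor DC (or wait for its computer ticket to renew) before judging the result, since the membership added above is not in the DC's current token.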
aaaaaaaanonymous
Nov 17, 2020, Copper Contributor
EliOfek Thank you so much.
Was able to run off one single gMSA. Works well.
So good to have someone from the R&D team here to help answer questions.