Forum Discussion
bryanb
Apr 28, 2020 | Brass Contributor
Azure ATP Group Managed Service Account (gMSA)
Hello, We are switching our service account for ATP to a gMSA. We are following the gMSA guidance in this article: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequ...
bryanb
May 07, 2020 | Brass Contributor
Or Tsemah
Thanks for the response. Something else we found during testing.
We have read-only domain controllers, so that is a different group that needs to be added to the gMSA properties.
We had to grant the gMSA logon rights as service to each domain controller. A standard account did not require this OS right on the ADDS servers.
Or Tsemah
May 07, 2020 | Former Employee
Yes, that's why you should consider using dedicated groups.
Regarding the log in as a Service permission, you can view a possible workaround here: https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/azure-atp-service-not-starting/m-p/1368747#M1175
- bryanb | May 07, 2020 | Brass Contributor
Or Tsemah Thanks, that is probably the same issue we have with the logon rights.
Dedicated groups work also. The disadvantage for us is remembering to add the computers to that group as part of an ADDS server deployment.
- Or Tsemah | May 08, 2020 | Former Employee
We are also evaluating putting sensors on additional components, which is another (future) reason for dedicated groups
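
The following is an added example, not code posted by anyone in this thread or taken from Microsoft's documentation. It audits the dedicated-group approach discussed above: it checks that every domain controller, read-only ones included, is a member of the group allowed to retrieve the gMSA password. The gMSA name `gmsa-atp-sensor` and group name `ATP-Sensor-Hosts` are hypothetical placeholders.

```powershell
# Added example: audits a dedicated gMSA password-retrieval group.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$GmsaName  = 'gmsa-atp-sensor'    # hypothetical gMSA name, replace with your own
$GroupName = 'ATP-Sensor-Hosts'   # hypothetical dedicated group, replace with your own

$gmsa  = Get-ADServiceAccount -Identity $GmsaName `
             -Properties PrincipalsAllowedToRetrieveManagedPassword
$group = Get-ADGroup -Identity $GroupName

# 1. The dedicated group must be on the gMSA's retrieval list.
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed -notcontains $group.DistinguishedName) {
    Write-Warning "$GroupName is not allowed to retrieve the password of $GmsaName"
}

# 2. Any other principal on the list widens who can obtain the password.
$allowed | Where-Object { $_ -ne $group.DistinguishedName } | ForEach-Object {
    Write-Warning "Additional principal can retrieve the password: $_"
}

# 3. Every domain controller (writable and read-only) should be in the group.
$members = @(Get-ADGroupMember -Identity $group -Recursive |
             Select-Object -ExpandProperty distinguishedName)

$report = Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.HostName
        ReadOnly = $_.IsReadOnly
        InGroup  = $members -contains $_.ComputerObjectDN
    }
}

$report | Sort-Object InGroup, Name | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.InGroup })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) missing from {1}: {2}" -f `
        $missing.Count, $GroupName, ($missing.Name -join ', '))
}
```

Running this as a scheduled check, or as a step in the domain controller deployment runbook, covers the case of a newly promoted server that was never added to the group. A server added to the group picks up the membership only after its Kerberos ticket is refreshed, typically by a restart.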