Forum Discussion
Admin role for password sync
- Jul 05, 2018
When you install and configure AAD Connect, it needs a credential with Global Admin rights. Using those rights, AAD Connect creates a user named Sync_[server]_[randomstring]@[yourtenant].onmicrosoft.com which is used to perform the actual sync.
The sync user has the "Directory Synchronization Accounts" role (rights). However, you cannot give this particular role using the Office 365 admin center, you need to use PowerShell:
Connect-MsolService   # MSOnline module; sign in before running the cmdlets below
Add-MsolRoleMember -RoleName "Directory Synchronization Accounts" -RoleMemberEmailAddress <UPN>   # <UPN> = the account that should get the role
To see the accounts currently having the role:
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Directory Synchronization Accounts").ObjectId   # look up the role's ObjectId, then list its members
Unless you have specifically blocked this, any user in the tenant will be able to log in with PowerShell and list all users/groups. You don't need an admin role for that. But yeah, the question is what exactly are you trying to achieve?
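As an added example (not part of the post above or of any Microsoft tooling), the following script turns the two cmdlets above into an audit: it lists every member of the "Directory Synchronization Accounts" role and flags any member whose UPN does not follow the Sync_[server]_[randomstring]@[tenant].onmicrosoft.com naming described in the post. It assumes the MSOnline module is installed and that you can sign in with an account allowed to read directory roles; the regular expression for the sync account name is an assumption derived from that naming pattern, so adjust it if your tenant differs.

```powershell
# Added example, not from the thread: audit who holds the
# "Directory Synchronization Accounts" role in the tenant.
# Assumes the MSOnline module is installed (Install-Module MSOnline).
Import-Module MSOnline
Connect-MsolService          # interactive sign-in with an account that can read roles

$roleName = "Directory Synchronization Accounts"
$role     = Get-MsolRole -RoleName $roleName
if (-not $role) { throw "Role '$roleName' not found in this tenant" }

$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

# Assumed naming pattern for the account AAD Connect creates:
# Sync_<server>_<randomstring>@<tenant>.onmicrosoft.com
$syncPattern = '^Sync_[^_@]+_[A-Za-z0-9]+@[^@]+\.onmicrosoft\.com$'

# Report every member and whether it looks like a sync service account
$report = foreach ($m in $members) {
    [pscustomobject]@{
        UPN                  = $m.EmailAddress
        DisplayName          = $m.DisplayName
        RoleMemberType       = $m.RoleMemberType
        LooksLikeSyncAccount = ($m.EmailAddress -match $syncPattern)
    }
}
$report | Format-Table -AutoSize

# Anything that is not a sync account holding this role deserves a second look,
# because the role grants write access to directory objects without going
# through the normal admin roles.
$unexpected = @($report | Where-Object { -not $_.LooksLikeSyncAccount })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} member(s) of '{1}' do not look like AAD Connect service accounts: {2}" -f
        $unexpected.Count, $roleName, ($unexpected.UPN -join ', '))
    # To remove one after you have confirmed it should not be there:
    # Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType User -RoleMemberEmailAddress '<UPN>'
} else {
    Write-Host "Only AAD Connect service accounts hold '$roleName'."
}
```

Run it from any workstation with the MSOnline module; it only reads the directory unless you uncomment the Remove-MsolRoleMember line.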
- Noel Lawlor, Jul 04, 2018, Copper Contributor
I guess I'm wondering which role is the best for someone to look after password sync via AD Connect without providing them global admin permissions. Hope that makes sense.
Thanks.
- Vasil Michev, Jul 04, 2018, MVP
There's nothing on O365 side to "look at" with regards to password sync. All the relevant events/details are on the machine running AAD Connect, in the event logs (and some generic info in the MIIS Client).
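As an added example (not from the post above and not Microsoft's code), here is a script for the person "looking after" password sync that works entirely on the AAD Connect server, where Vasil says the details live: it reads the Application event log for password hash sync events from the "Directory Synchronization" source, summarizes the last 24 hours by event type, and prints the message of any failure. The event IDs (650 start, 651 finish, 656 change request, 657 change result, 611 failure) and the provider name are taken from Microsoft's password hash sync troubleshooting guidance and should be treated as assumptions to verify against your own server; the script needs only read access to the Application log, not any tenant role.

```powershell
# Added example, not from the thread: summarize password hash sync activity
# from the Application event log on the Azure AD Connect server.
# Run locally on that server (or add -ComputerName) as a user who can read
# the Application log. Event IDs and provider name are assumptions based on
# Microsoft's PHS troubleshooting documentation.
$eventIds = @{
    650 = 'Password sync batch starting'
    651 = 'Password sync batch finished'
    656 = 'Password change request'
    657 = 'Password change result'
    611 = 'Password sync failure'
}
$since = (Get-Date).AddHours(-24)

$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = @($eventIds.Keys)
    StartTime    = $since
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No password sync events from 'Directory Synchronization' since $since. Is password hash sync enabled and the sync scheduler running?"
    return
}

# One row per event type: how many, and when the most recent one was logged
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    $id = [int]$_.Name
    [pscustomobject]@{
        Id          = $id
        Description = $eventIds[$id]
        Count       = $_.Count
        Latest      = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
} | Format-Table -AutoSize

# Failures are what the password sync owner actually needs to act on:
# show the first line of each 611 message with its timestamp
$events | Where-Object { $_.Id -eq 611 } | ForEach-Object {
    Write-Warning ("{0}: {1}" -f $_.TimeCreated, ($_.Message -split "`r?`n")[0])
}

# Optional sanity check with the ADSync module that ships with AAD Connect:
# confirm password hash sync is enabled on the on-premises AD connector
# (replace the connector name with yours).
# Get-ADSyncAADPasswordSyncConfiguration -SourceConnector 'contoso.com'
```

Scheduling this (or feeding the same Get-WinEvent filter into your log collector) gives the sync owner visibility without any Azure AD role at all, which matches the point that the evidence is on the server, not in the tenant.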
- Max Fritz, Jul 05, 2018, Iron Contributor
I'd agree with Vasil on that. However, if this user needs to modify the Azure AD Connect configuration at any time (outside of the MIIS Client), they will need to pass an authentication screen in Azure AD Connect which requires global admin credentials. This is designed to ensure that no changes are made to your tenant without a global admin authorizing them. No way around that as of today.