Forum Discussion
Admin role for password sync
- Jul 05, 2018
When you install and configure AAD Connect, it needs a credential with Global Admin rights. Using those rights, AAD Connect creates a user named Sync_[server]_[randomstring]@[yourtenant].onmicrosoft.com which is used to perform the actual sync.
The sync user has the "Directory Synchronization Accounts" role (rights). However, you cannot assign this particular role using the Office 365 admin center; you need to use PowerShell:
Add-MsolRoleMember -RoleName "Directory Synchronization Accounts" -RoleMemberEmailAddress <UPN>
To see the accounts currently having the role:
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Directory Synchronization Accounts").ObjectId
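As an added example (not part of the original post), the two cmdlets above can be combined into a small audit that lists every holder of the role and flags anything that does not look like the Sync_[server]_[randomstring]@[yourtenant].onmicrosoft.com account AAD Connect creates. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the naming pattern is an assumption based on the description above.

```powershell
# Added example, not from the original post: audit membership of the
# "Directory Synchronization Accounts" role. Assumes the MSOnline module
# is loaded and Connect-MsolService has already been run.

$roleName = "Directory Synchronization Accounts"
$role = Get-MsolRole -RoleName $roleName
if (-not $role) { throw "Role '$roleName' not found in this tenant." }

# Assumed naming pattern of the AAD Connect service account, derived from
# Sync_[server]_[randomstring]@[yourtenant].onmicrosoft.com. The tenant
# name is not known here, so any *.onmicrosoft.com suffix is accepted.
$expectedPattern = '^Sync_[^_@]+_[^@]+@[^@]+\.onmicrosoft\.com$'

$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

$report = foreach ($m in $members) {
    [pscustomobject]@{
        DisplayName  = $m.DisplayName
        EmailAddress = $m.EmailAddress
        MemberType   = $m.RoleMemberType
        # A non-user principal, or a user whose UPN does not match the
        # expected service-account pattern, deserves a second look.
        Unexpected   = ($m.RoleMemberType -ne 'User') -or
                       ($m.EmailAddress -notmatch $expectedPattern)
    }
}

$report | Sort-Object Unexpected -Descending | Format-Table -AutoSize

$flagged = @($report | Where-Object Unexpected)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} member(s) of '{1}' do not match the AAD Connect naming pattern; review them." -f $flagged.Count, $roleName)
}
```

Run it periodically or after changes to AAD Connect, since this role is not visible for assignment in the admin center and extra members are easy to miss.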
I guess I'm wondering which role is the best for someone to look after password sync via AD Connect without providing them Global Admin permissions. Hope that makes sense.
Thanks.