Jan 25 2018
- last edited on
Jul 27 2020
Microsoft posted this advisory in the Office 365 Admin message center.
The advisory wants customers with AAD Connect older than 1.1.654.0 to restrict the AD DS account used in AAD Connect. However, halfway in the article, Microsoft advises that this AD DS account be made a member of Enterprise Admins, Domain Admins and other groups with elevated privileges.
Looking for feedback/guidance from this group.
Jan 26 2018 12:19 AMSolution
Which part of the article are you referring to? The steps in the Lock down access to the AD DS account section detail which objects will have permission ON the account, not to which group it needs to belong.
Fellow MVPs have posted some more detailed instructions on how this should be applied: http://www.expta.com/2017/12/secure-aad-connect-new-build-116540-and.html