Office 365 MFA with Azure AD Sync Tool Service Account

Chris Hauret
New Contributor

We have recently started looking at the security state of our O365 tenant with the Secure Score tool (https://securescore.office.com). One of the suggestions to raise the score is to enable MFA for all Global Admin accounts. However, the Azure AD sync tool has a user/service account that requires the Global Admin role to be assigned to it (as noted in the first referenced link below). Additionally, other Office 365 admin roles are not permitted the directory sync access (as noted in the second link below).
Seeing as how the sync is an automated process, there is no way that I know of to build in approving a login with MFA.
I have been unable to locate any articles around the Azure AD sync tool, nor a way to add an exception to the Secure Score portal for this user account. Has anyone come across a solution for either adding MFA to a service account or creating an exception for a service account in the Secure Score?
AAD Connect Permissions: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions

AAD Administrator Roles: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles
3 Replies
The Global Admin rights are only required to create the service account, they shouldn't be required after that.
The AAD Connect Global Admins account is only required when you run the wizard. AAD Connect creates a service account for itself that does not have Global Admins rights; rather, it is a member of the special role "Directory Synchronization Accounts".

If you're still using AADSync with a Global Admins service account, time to upgrade!

Thanks for the clarification on that. We are using the AAD Connect tool, thankfully. I've removed the GA role from the account in question.
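The two replies above say that the AAD Connect sync account should be a member of "Directory Synchronization Accounts" only, and the original poster then removed Global Admin from the account by hand. The script below is an added example, not code from the thread or from Microsoft: it audits a tenant for that exact condition (a sync-role member that is also a permanent Global Administrator) and, only when run with -Remediate, removes the extra role. It assumes the Microsoft Graph PowerShell SDK is installed and that the caller can grant the listed scopes; the role template IDs are Microsoft's well-known built-in role IDs, with the display names alongside for reference.

```powershell
# Added example: audit (and optionally fix) an Azure AD Connect sync account
# that still holds Global Administrator. Not part of the original thread.
# Assumes: Install-Module Microsoft.Graph has been run, and the signed-in
# admin can consent to the scopes requested below.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # default is report-only
)

$scopes = if ($Remediate) {
    'RoleManagement.ReadWrite.Directory', 'Directory.Read.All'
} else {
    'RoleManagement.Read.Directory', 'Directory.Read.All'
}
Connect-MgGraph -Scopes $scopes | Out-Null

# Built-in role template IDs are the same in every tenant; the display names are shown for reference.
$GlobalAdminTemplate = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator
$DirSyncTemplate     = 'd29b2b05-8046-4d43-b5ad-d4dd1b3ebe19'   # Directory Synchronization Accounts

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
# The sync role is activated when Azure AD Connect (or AADSync) is first configured.
$roles    = Get-MgDirectoryRole -All
$gaRole   = $roles | Where-Object RoleTemplateId -eq $GlobalAdminTemplate
$syncRole = $roles | Where-Object RoleTemplateId -eq $DirSyncTemplate

if (-not $syncRole) {
    Write-Warning "'Directory Synchronization Accounts' is not activated here; no AAD Connect sync account exists in this tenant."
    return
}

function Get-RoleUserMembers {
    param([string]$RoleId)
    # Members come back as generic directory objects; type and UPN live in AdditionalProperties.
    Get-MgDirectoryRoleMember -DirectoryRoleId $RoleId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object {
            [pscustomobject]@{
                Id  = $_.Id
                Upn = $_.AdditionalProperties['userPrincipalName']
            }
        }
}

$syncMembers = Get-RoleUserMembers -RoleId $syncRole.Id
$gaMembers   = Get-RoleUserMembers -RoleId $gaRole.Id

Write-Host 'Directory Synchronization Accounts members:'
$syncMembers | ForEach-Object { Write-Host "  $($_.Upn)" }

# The finding from the thread: a sync account that is also a permanent Global Administrator.
$overPrivileged = $syncMembers | Where-Object { $_.Id -in $gaMembers.Id }

if (-not $overPrivileged) {
    Write-Host 'OK: no sync account holds Global Administrator.'
    return
}

foreach ($acct in $overPrivileged) {
    Write-Warning "$($acct.Upn) holds both roles. Global Administrator is only needed while running the AAD Connect wizard, not for ongoing sync."
    if ($Remediate -and $PSCmdlet.ShouldProcess($acct.Upn, 'Remove Global Administrator role assignment')) {
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id -DirectoryObjectId $acct.Id
    }
}
```

Run it without switches first to see the report; `-Remediate -WhatIf` previews the removal and `-Remediate` performs it. Two caveats: Get-MgDirectoryRoleMember lists permanent (active) assignments only, so a PIM-eligible Global Administrator assignment on the sync account would not be reported by this check; and the account AAD Connect creates is normally named Sync_<server>_<id>@<tenant>.onmicrosoft.com, but the script identifies it by role membership rather than by name so that a renamed or legacy AADSync account is still caught. Once the sync account is no longer a Global Administrator, the Secure Score "MFA for all Global Admins" recommendation no longer counts it, so no exception is needed.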