Azure ATP Group Managed Service Account (gMSA)


Hello,
We are switching our service account for ATP to a gMSA.

We are following the gMSA guidance in this article: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites

Do you have any guidance for the following gMSA properties, or any other gMSA properties:

-ServicePrincipalNames <string[]>

-KerberosEncryptionType AES128,AES256

-ManagedPasswordIntervalInDays xx

I assume the PrincipalsAllowedToRetrieveManagedPassword will be set to the built-in Group “Domain Controllers”, correct?

Thank you

6 Replies
@Bryan Bishop The main requirement for the creation of the gMSA is indeed the PrincipalsAllowedToRetrieveManagedPassword attribute which points to a group that contains the computer accounts with the sensor installed (you can use the Domain Controller group or a dedicated group for that).


@Or Tsemah
Thanks for the response. Something else we found during testing.

We have read-only domain controllers, so that is a different group that needs to be added to the gMSA properties.

We had to grant the gMSA logon rights as a service to each domain controller. A standard account did not require this OS right on the ADDS servers.
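An added PowerShell example (not from this thread or from Microsoft's documentation) that puts the points above together: a dedicated group that contains both the writable and the read-only domain controllers, a gMSA whose PrincipalsAllowedToRetrieveManagedPassword points at that group, and a check from each host that it can retrieve the password. The group name ATP-Sensor-Hosts, the account name gMSA-AATP, the contoso.com suffix and the OU path are assumptions; the Log on as a service right still has to be granted separately (for example via GPO).

```powershell
# Added example, not the thread's own commands. Assumed names: group 'ATP-Sensor-Hosts',
# gMSA 'gMSA-AATP', DNS suffix 'contoso.com', and the OU path below.
Import-Module ActiveDirectory

$GroupName = 'ATP-Sensor-Hosts'
$GmsaName  = 'gMSA-AATP'
$OuPath    = 'OU=Service Accounts,DC=contoso,DC=com'   # assumed OU

# A KDS root key is a prerequisite for any gMSA in the forest (one-time setup).
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found; run Add-KdsRootKey on a DC first and wait for replication.'
}

# Dedicated group that will be allowed to retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security -Path $OuPath
}

# Add writable DCs AND read-only DCs: RODCs are not members of 'Domain Controllers',
# so relying on that built-in group alone would leave the RODC sensors unable to start.
$sensorHosts = @()
$sensorHosts += Get-ADGroupMember -Identity 'Domain Controllers'
$sensorHosts += Get-ADGroupMember -Identity 'Read-only Domain Controllers'
Add-ADGroupMember -Identity $GroupName -Members $sensorHosts

# Create the gMSA. ManagedPasswordIntervalInDays can only be set at creation time;
# limiting Kerberos to AES keeps RC4 tickets from being issued for this account.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
    -KerberosEncryptionType AES128,AES256 `
    -ManagedPasswordIntervalInDays 30 `
    -Path $OuPath

# Verify from each sensor host that it can actually retrieve the password.
# A host added to the group after its last logon needs a reboot (or a purged
# computer-account ticket) before the new membership shows up in its token.
foreach ($dc in ($sensorHosts | Select-Object -ExpandProperty name)) {
    $ok = Invoke-Command -ComputerName $dc -ScriptBlock {
        param($acct) Test-ADServiceAccount -Identity $acct
    } -ArgumentList $GmsaName
    '{0}: {1}' -f $dc, $(if ($ok) { 'can retrieve gMSA password' }
                        else { 'CANNOT retrieve password; check group membership or ticket' })
}
```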

Yes, that's why you should consider using dedicated groups

Regarding the Log on as a Service permission, you can view a possible workaround here: https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/azure-atp-service-not-starti...
@Or Tsemah Thanks, that is probably the same issue we have with the logon rights.

Dedicated groups work also. The disadvantage for us is remembering to add the computers to that group as part of an ADDS server deployment.

We are also evaluating putting sensors on additional components, which is another (future) reason for dedicated groups

@Bryan Bishop What is the recommended approach with a gMSA account when you have multiple domains in the forest? Can we use a single gMSA created in the forest root domain on all the child domains, or would you need a gMSA for each domain in the forest?