SOLVED

change directory service account to group managed service account

Occasional Contributor

Hello

Currently we are using a regular AD account for this. We want to change this to a group managed service account. What is the process for changing the directory service account to a group managed service account? Do I need to reinstall the agents?

1 Reply
best response confirmed by skipster311-175 (Occasional Contributor)
Solution

@skipster311-175 

No need to reinstall the agents. Just create the gMSA in the domain, grant the computer accounts the permissions to retrieve its password, grant the gMSA the 'Logon as a service' privilege on the servers, and add the gMSA in the portal.

This is all documented in our docs: 

https://docs.microsoft.com/en-us/defender-for-identity/directory-service-accounts#how-to-create-a-gm... and https://docs.microsoft.com/en-us/defender-for-identity/install-step2
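
The domain-side steps from the reply above, sketched in PowerShell as an added example that is not part of the original thread or Microsoft's own script. The account name, group name and host names are assumed placeholders, and the last step (adding the gMSA in the portal) is done by hand.

```powershell
# Added example. All names below are assumed placeholders, not values from the thread.
Import-Module ActiveDirectory

$GmsaName    = 'mdiSvc01'        # assumed gMSA name
$HostsGroup  = 'mdiSvc01Hosts'   # assumed group holding the sensor hosts
$SensorHosts = 'DC1', 'DC2'      # assumed computers that run the sensor

# Prerequisite: gMSA passwords are derived from a KDS root key in the forest.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found; create one with Add-KdsRootKey first.'
}

# Create the gMSA and let only the sensor hosts' computer accounts retrieve
# its password. Scoping this to a dedicated group keeps the set of machines
# that can obtain the credential small and auditable.
$group = New-ADGroup -Name $HostsGroup -GroupScope Global -PassThru
foreach ($h in $SensorHosts) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $h)
}
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$env:USERDNSDOMAIN" `
    -PrincipalsAllowedToRetrieveManagedPassword $group

# Review who may retrieve the password; this should list only the hosts group.
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$gmsa.PrincipalsAllowedToRetrieveManagedPassword

# --- Run the rest on each sensor host ---
# The host needs a fresh Kerberos ticket (reboot, or purge the computer's
# tickets) before its new group membership takes effect.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Write-Warning "$env:COMPUTERNAME cannot retrieve the password for $GmsaName"
}

# Check the 'Log on as a service' right. This matches only a direct assignment
# by SID; a grant through a group the gMSA belongs to will not show up here.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight'
if ($right -and $right.Line.Contains($gmsa.SID.Value)) {
    "$GmsaName holds SeServiceLogonRight on $env:COMPUTERNAME"
} else {
    Write-Warning "$GmsaName is not directly granted SeServiceLogonRight here"
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```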