Using Group managed service accounts (gMSA) with Azure ATP


Hey everyone,

Based on customer feedback and to improve overall security and compliance requirements, we will soon be introducing the option to use a more secure Group managed service account (gMSA) to connect Azure ATP sensors to your Active Directory forests alongside the existing standard read-only AD account.


While we are getting ready with this release and the documentation on how to enable it, we strongly recommend verifying your Azure ATP sensors are updating correctly and that no "Sensor outdated" health alert has triggered.

As you might already know, we recently introduced a change to how we manage sensor versions which means that, when connected to the Azure ATP cloud service, every existing or newly deployed sensor will update to the latest version either automatically or after the delayed sensor update period (72 hours) has passed if that option is configured.


One final note to consider is that gMSA accounts are supported on Windows Server version 2012 and higher, which means that if you still have domain controllers hosted on Windows Server 2008 R2, you should keep at least one standard AD account in addition to any new gMSA account on your Directory services configuration screen.

6 Replies

This is amazing news! Thank you very much!

@Or Tsemah 

Is this option available in all tenants? We provisioned our tenant last week and the gMSA option is not there to select.

@dobieg2002 This is a known bug that only happens to new tenants.

2 options:

1. Open a support ticket and the support engineer will create an internal request to turn this option on for you manually in the backend (make sure to give them your workspace id).

2. Wait for the version that will be deployed next week, which will auto fix the issue for everyone.



@Or Tsemah What is the recommended approach with a gMSA account when you have multiple domains in the forest? Can we use a single gMSA created in the forest root domain on all the child domains, or would you need a gMSA for each domain in the forest?

@JohanHeyneke, if you have full trust between all those domains, and all the DCs in the forest are granted permission to pull this gMSA account's password, then yes, you can work with a single gMSA.
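
The check implied by the answer above, as an added example that is not part of the thread or Microsoft's own tooling: it lists every domain controller in the forest and reports whether it is among the principals allowed to retrieve the gMSA's password. It assumes the RSAT ActiveDirectory module, a gMSA created in the forest root domain under the placeholder name `aatpSvc`, and that permission is granted directly or through global or universal groups.

```powershell
# Added example: audit which DCs in the forest may retrieve a gMSA's password.
# Assumptions: ActiveDirectory module available; 'aatpSvc' is a placeholder name;
# the gMSA lives in the forest root domain.
Import-Module ActiveDirectory

$GmsaName = 'aatpSvc'                          # hypothetical gMSA name
$forest   = Get-ADForest
$gc       = "$($forest.GlobalCatalogs[0]):3268" # global catalog resolves DNs forest-wide

$gmsa = Get-ADServiceAccount -Identity $GmsaName -Server $forest.RootDomain `
            -Properties PrincipalsAllowedToRetrieveManagedPassword

# Resolve each allowed principal (computer or group DN) to its SID.
$allowedSids = @(foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    (Get-ADObject -Identity $dn -Server $gc -Properties objectSid).objectSid.Value
})

$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        # tokenGroups is the DC's transitive group membership as SIDs.
        # It does not include domain-local groups from other domains.
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $domain `
                        -Properties tokenGroups
        $dcSids = @($computer.SID.Value) +
                  @($computer.tokenGroups | ForEach-Object { $_.Value })

        [pscustomobject]@{
            Domain              = $domain
            DomainController    = $dc.HostName
            OperatingSystem     = $dc.OperatingSystem
            CanRetrievePassword = [bool]($dcSids | Where-Object { $allowedSids -contains $_ })
        }
    }
}

# DCs that cannot retrieve the password sort first.
$report | Sort-Object CanRetrievePassword, Domain | Format-Table -AutoSize
```

The `OperatingSystem` column also surfaces any Windows Server 2008 R2 domain controllers, which per the original post still need a standard AD account.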

@Eli Ofek Thanks for the quick response. This is great news.