07-03-2018 02:24 AM
07-03-2018 02:24 AM
I'm working with a customer who wants to do a password sync with azure ad. I'm wondering what is the best role to grant the customer. They shouldn't be able to change anything but should be able to see users, groups etc. The users are all in different office 365 groups.
I granted the customer the password admin role but I couldn't do an export of the office 365 groups with the users via powershell. The same for service admin. If I grant them both password and service admin roles they can do an export of the groups with the users.
Should I grant them both service and password admin roles?
07-03-2018 08:09 AM
07-03-2018 09:51 AM
Unless you have specifically blocked this, any user in the tenant will be able to login with PowerShell and list all users/groups. You don't need an admin role for that. But yeah, the question is what exactly are you trying to achieve?
07-04-2018 01:28 AM
I guess I'm wondering which role is the best for someone to look after password sync via ad connect without providing them global admin permissions. Hope that makes sense.
07-04-2018 10:12 AM
There's nothing on O365 side to "look at" with regards to password sync. All the relevant events/details are on the machine running AAD Connect, in the event logs (and some generic info in the MIIS Client).
07-05-2018 06:35 AM
07-05-2018 07:21 AMSolution
When you install and configure AAD Connect, it needs credential with Global Admin rights. Using those rights, AAD Connect creates a user named Sync_[server]_[randomstring]@[yourtenant].onmicrosoft.com which is used to perform the actual sync.
The sync user has "Directory Synchronization Accounts" role (rights). However, you cannot give this particular role using Office 365 admin center, you need to use PowerShell:
Add-MsolRoleMember -RoleName "Directory Synchronization Accounts" -RoleMemberEmailAddress <UPN>
To see the accounts currently having the role:
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Directory Synchronization Accounts").ObjectId