SOLVED

Admin role for password sync

Highlighted
New Contributor

Hi,

 

I'm working with a customer who wants to do a password sync with azure ad. I'm wondering what is the best role to grant the customer. They shouldn't be able to change anything but should be able to see users, groups etc. The users are all in different office 365 groups.

I granted the customer the password admin role but I couldn't do an export of the office 365 groups with the users via powershell. The same for service admin. If I grant them both password and service admin roles they can do an export of the groups with the users.

Should I grant them both service and password admin roles?

 

Thanks

6 Replies
Highlighted
Are you referring to Password Sync through Azure AD Connect? If not, can you describe more what you're trying to accomplish?
Highlighted

Unless you have specifically blocked this, any user in the tenant will be able to login with PowerShell and list all users/groups. You don't need an admin role for that. But yeah, the question is what exactly are you trying to achieve?

Highlighted

I guess I'm wondering which role is the best for someone to look after password sync via ad connect without providing them global admin permissions. Hope that makes sense.

 

Thanks.

Highlighted

There's nothing on O365 side to "look at" with regards to password sync. All the relevant events/details are on the machine running AAD Connect, in the event logs (and some generic info in the MIIS Client).

Highlighted
I'd agree with Vasil on that. However, if this user needs to modify the Azure AD Connect configuration at any time (outside of the MIIS Client), they will need to pass an authentication screen in Azure AD Connect which requires global admin credentials. This is designed to ensure that no changes are made to your tenant without a global admin authorizing them. No way around that as of today.
Highlighted
Solution

When you install and configure AAD Connect, it needs credential with Global Admin rights. Using those rights, AAD Connect creates a user named Sync_[server]_[randomstring]@[yourtenant].onmicrosoft.com which is used to perform the actual sync.

 

The sync user has "Directory Synchronization Accounts" role (rights). However, you cannot give this particular role using Office 365 admin center, you need to use PowerShell:

Add-MsolRoleMember -RoleName "Directory Synchronization Accounts" -RoleMemberEmailAddress <UPN> 

 To see the accounts currently having the role:

Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Directory Synchronization Accounts").ObjectId