38 C
Dubai
Monday, August 8, 2022
spot_img

Hardening Azure AD Connect Service Account

There are some scenarios where user used “Use Existing AD Account” and used a domain admin or Enterprise admin account where this account doesn’t require high privilege permissions.Lets see how to harden them by removing the enterprise admin or domain admin permission and provided only limited permissions only.

image

Once you remove Domain Admin Account or Enterprise Admin of this Service account. you can see AD Sync will fail because of permission issues.

image

Now lets see how to Add Required AD Sync permissions only for the service account.

Import the required Module  _ ADSyncConfig.psm1

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Verify the module is properly loaded or not.

 Get-Command -Module AdSyncConfig 
image

Now Add the ADSyncPasswordHashSyncPermissions for the service account. You can always use –ADConnectorAccountDomain if you have multiple Azure AD Account Domains.

 Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN  'ADAccountDN'
image

You can see its skipping AdminSDFolder by Default. So leave as it is.

image

Now Add the Exchange Hybrid Permissions if you are planning to have Exchange Hybrid.

 Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN  'ADAccountDN'
image

Provide ADSyncMsDsConsistencyGuidPermissions for the service account.

 Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN  'ADAccountDN'
image

This is a ideal scenario. which proper permission inheritance without password write back.

Refer below Microsoft Article if you wish to tighten the permissions even more further like disabling inheritance on the object and add required permissions only or add password write back permissions for the object like

 Set-ADSyncPasswordWritebackPermissions –ADConnectorAccountDN  'ADAccountDN'

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account

 

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Specialized in Microsoft Azure - Office 365 / Microsoft Exchange; conducted numerous projects worldwide in designing, supporting, and implementing messaging and virtualization infrastructure for medium-sized and large enterprises. Further, I am a Cloud Architect and Technical Advisor for various start-ups.

Related Articles

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here