Saturday , May 30 2020

Hardening Azure AD Connect Service Account

There are some scenarios where user used “Use Existing AD Account” and used a domain admin or Enterprise admin account where this account doesn’t require high privilege permissions.Lets see how to harden them by removing the enterprise admin or domain admin permission and provided only limited permissions only.

image

Once you remove Domain Admin Account or Enterprise Admin of this Service account. you can see AD Sync will fail because of permission issues.

image

Now lets see how to Add Required AD Sync permissions only for the service account.

Import the required Module  _ ADSyncConfig.psm1

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Verify the module is properly loaded or not.

 Get-Command -Module AdSyncConfig 
image

Now Add the ADSyncPasswordHashSyncPermissions for the service account. You can always use –ADConnectorAccountDomain if you have multiple Azure AD Account Domains.

 Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN  'ADAccountDN'
image

You can see its skipping AdminSDFolder by Default. So leave as it is.

image

Now Add the Exchange Hybrid Permissions if you are planning to have Exchange Hybrid.

 Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN  'ADAccountDN'
image

Provide ADSyncMsDsConsistencyGuidPermissions for the service account.

 Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN  'ADAccountDN'
image

This is a ideal scenario. which proper permission inheritance without password write back.

Refer below Microsoft Article if you wish to tighten the permissions even more further like disabling inheritance on the object and add required permissions only or add password write back permissions for the object like

 Set-ADSyncPasswordWritebackPermissions –ADConnectorAccountDN  'ADAccountDN'

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account

 

About Satheshwaran Manoharan

Satheshwaran Manoharan is an Microsoft Office Server and Services MVP , Publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization , Sathesh is an Messaging Expert supporting/Designing/Deploying many medium size businesses to large enterprises when it comes to Corporate messaging and Virtualization Infrastructure

Check Also

Export all Teams Channels and all members in Office 365

In some situations like if we wish to study a new environment or restructure a …

Leave a Reply

Your email address will not be published.