Azure AD Connect Permissions Requirement

Microsoft has tightened the security model of Azure AD Connect, so you can no longer simply grant the connector account "Enterprise Admins" membership in Active Directory and Global Admins in Office 365.

Global Admins still works on the Office 365 side, but in on-premises AD we need to assign the following permissions.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account

Add AD Tools

Install-WindowsFeature RSAT-AD-Tools

Step 1 – Import or install Azure AD Connect module

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Get-Command -Module AdSyncConfig

Step 2 – Configure AD DS Connector Account Permissions

Set-ADSyncBasicReadPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or

Set-ADSyncBasicReadPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

Step 3 – Configure MS-DS-Consistency-Guid Permissions

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

Step 4 – Permissions for Password Hash Synchronization

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [<CommonParameters>]

or

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN <String> [<CommonParameters>]

Step 5 – Permissions for Password Writeback

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

Step 6 – Permissions for Group Writeback

Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or

Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

Step 7 – Permissions for Exchange Hybrid Deployment

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

Step 8 – Permissions for Exchange Mail Public Folders (Preview)

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

or

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

Step 9 – Restrict Permissions on the AD DS Connector Account

Set-ADSyncRestrictedPermissions [-ADConnectorAccountDN] <String> [-Credential] <PSCredential> [-DisableCredentialValidation] [-WhatIf] [-Confirm] [<CommonParameters>]

Example

$credential = Get-Credential

Set-ADSyncRestrictedPermissions -ADConnectorAccountDN 'CN=ADConnectorAccount,CN=Users,DC=Contoso,DC=com' -Credential $credential
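As an added example (not part of the original post), the script below strings Steps 1 to 4 and Step 9 together for a tenant that only uses password hash sync, and then reads back the ACEs the connector account actually holds on a synced OU so over-provisioning can be spotted. The account name, domain and OU distinguished names are assumed placeholders.

```powershell
# Added example, not from the original post. The connector account name,
# domain and OU below are placeholders; replace them with your own values.
$accountName   = 'MSOL_AADConnect'
$accountDomain = 'contoso.com'
$accountDN     = 'CN=MSOL_AADConnect,CN=Users,DC=contoso,DC=com'
$syncedOU      = 'OU=SyncedUsers,DC=contoso,DC=com'

# Step 1: load the AdSyncConfig module shipped with Azure AD Connect, plus the
# ActiveDirectory module (from RSAT-AD-Tools) used for the verification at the end.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
Import-Module ActiveDirectory

# Steps 2-4: grant only what this tenant uses (basic read, ms-DS-ConsistencyGuid,
# password hash sync). The writeback and Exchange permissions of Steps 5-8 are
# left out on purpose; add them only when the matching feature is enabled.
Set-ADSyncBasicReadPermissions -ADConnectorAccountName $accountName -ADConnectorAccountDomain $accountDomain
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName $accountName -ADConnectorAccountDomain $accountDomain
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName $accountName -ADConnectorAccountDomain $accountDomain

# Step 9: tighten the ACL on the connector account object itself.
# -WhatIf previews the change; drop it once the preview looks right.
$credential = Get-Credential -Message 'Account allowed to change the ACL on the connector account'
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $accountDN -Credential $credential -WhatIf

# Verification: list the ACEs granted to the connector account on the synced OU.
# Anything broader than the read/replication rights the cmdlets above set
# (for example GenericAll) means the account was over-provisioned elsewhere.
$netbios = (Get-ADDomain -Identity $accountDomain).NetBIOSName
$acl = Get-Acl -Path "AD:\$syncedOU"
$acl.Access |
    Where-Object { $_.IdentityReference -eq "$netbios\$accountName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

The ObjectType column is the schema GUID of the attribute or extended right an ACE applies to; an empty GUID means the ACE covers the whole object.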

Best Regards,
Prabhat Nigam
CEO | LAEXUG Foundation || CTO | Golden Five Consulting
