Thursday, November 21, 2024

Hardening Azure AD Connect Service Account

In some deployments the "Use Existing AD Account" option was chosen and a Domain Admin or Enterprise Admin account was supplied, even though the connector account does not need such high privileges. Let's see how to harden it by removing the Enterprise Admin or Domain Admin membership and granting only the limited permissions it actually requires.


Once you remove the Domain Admin or Enterprise Admin membership from this service account, you will see that AD sync fails because of permission issues.


Now let's see how to add only the required AD sync permissions for the service account.

Import the required module, AdSyncConfig.psm1:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Verify that the module loaded properly:

Get-Command -Module AdSyncConfig

Now add the password hash sync permissions for the service account. You can also use -ADConnectorAccountDomain if your connector accounts span multiple domains.

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN 'ADAccountDN'

You can see that it skips AdminSDHolder by default, so leave that as it is.


Now add the Exchange Hybrid permissions if you plan to run Exchange Hybrid.

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN 'ADAccountDN'

Grant the ms-DS-ConsistencyGuid permissions to the service account.

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN 'ADAccountDN'

This is the ideal scenario: proper permission inheritance, without password writeback.

Refer to the Microsoft article below if you wish to tighten the permissions even further, for example by disabling inheritance on the object and adding only the required permissions, or by granting password writeback permissions for the object with:

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN 'ADAccountDN'

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account
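As an added example (not code from the original post), the steps above combined into one PowerShell script that also checks the result: it removes the privileged group memberships, grants only the three permission sets used here, and then verifies the account's memberships and the ACEs on the domain root. The account name svc_adsync is an assumed placeholder.

```powershell
# Added example: least-privilege hardening of the AD DS Connector account, with verification.
# Assumes the placeholder account name below; replace it with your own connector account.
Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

$svcAccount       = 'svc_adsync'   # placeholder SAM account name of the connector account
$privilegedGroups = @('Domain Admins', 'Enterprise Admins')

# Stop immediately if the AdSyncConfig module did not load (the Set-ADSync* cmdlets would be missing)
if (-not (Get-Command -Module AdSyncConfig -ErrorAction SilentlyContinue)) {
    throw 'AdSyncConfig module is not loaded; check the Azure AD Connect install path.'
}

$dn = (Get-ADUser -Identity $svcAccount).DistinguishedName

# 1. Drop the high-privilege group memberships the account never needed
foreach ($group in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty SamAccountName
    if ($members -contains $svcAccount) {
        Remove-ADGroupMember -Identity $group -Members $svcAccount -Confirm:$false
        Write-Host "Removed $svcAccount from $group"
    }
}

# 2. Grant only the permission sets the sync actually requires.
#    Set-ADSyncPasswordWritebackPermissions is deliberately left out (not needed in this scenario).
Set-ADSyncPasswordHashSyncPermissions    -ADConnectorAccountDN $dn
Set-ADSyncExchangeHybridPermissions      -ADConnectorAccountDN $dn
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $dn

# 3. Verify: no privileged membership remains, and the domain root ACL now carries
#    explicit ACEs for the connector account (so the sync no longer depends on admin rights).
$remaining = (Get-ADPrincipalGroupMembership -Identity $svcAccount).Name |
             Where-Object { $privilegedGroups -contains $_ }
if ($remaining) { throw "$svcAccount is still a member of: $($remaining -join ', ')" }

$domainDN = (Get-ADDomain).DistinguishedName
$aces = (Get-Acl -Path "AD:\$domainDN").Access |
        Where-Object { $_.IdentityReference -like "*\$svcAccount" }
Write-Host "$($aces.Count) ACEs granted to $svcAccount on $domainDN"
$aces | Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited | Format-Table
```

Run it from an elevated session on a domain-joined machine with the RSAT ActiveDirectory module available; the final table should list only the delegated rights, none of them inherited from an admin group.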

 

Satheshwaran Manoharan (https://www.azure365pro.com)

Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing, from shipping lines to rolling stock. In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and the Microsoft 365 stack, and has conducted numerous successful projects worldwide. Also acting as a Technical Advisor for various start-ups.
