Hey everyone, I recently discovered that the account currently syncing our Active Directory to Entra is a domain admin account, which doesn't seem ideal. I've set up a new account called svc-entra-sync with a strong password that won't expire, but I need some guidance on what permissions this account needs to properly sync all the necessary Organizational Units (OUs). Once I assign the right permissions, is it just a matter of updating the account information in the Entra Connect sync service settings? Would I need to perform a full sync afterward? I got concerned after seeing a bunch of Defender alerts related to non-domain controller Active Directory replication linking back to the sync account. In my previous job, the AD sync account was automatically created when Entra Connect was installed using an MSOL account. Any insights would be appreciated! Thanks!
5 Answers
To get the svc-entra-sync account set up correctly, make sure it has the necessary group memberships like ADSyncAdmins and ADSyncOperators. After that, you just need to run the setup with the new credentials again.
Actually, you don’t need a specific user account to run the sync service since the credentials aren’t stored. A global admin can kick off the sync whenever necessary. We use cloud-only accounts for managing our tenant, and that works perfectly for us.
If you’re looking for an optimal setup, consider doing a swing migration to a new installation of Azure AD Connect. This way, it can set itself up following the latest best practices without the hassle of manual configurations.
Have you considered switching to Entra Cloud Sync and using a Group Managed Service Account (gMSA)? It simplifies a lot of things and can enhance security.
In my experience, I’d suggest doing a fresh install of the latest version of Azure AD Connect. It’ll automatically create the sync account and manage the password for you. Plus, if you're not using the most recent release now, you’ll eventually need to upgrade, so it could save you some trouble down the line.
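The question's two points, what the new connector account needs and why a sync account shows up in directory-replication alerts, can both be checked from the Entra Connect server. The following PowerShell is an added example, not code from the thread or from Microsoft: it audits which principals hold the AD replication extended rights on the domain root, tests whether svc-entra-sync (the account name from the question) is among them, and then shows the least-privilege grants made with the ADSyncConfig module that ships with Entra Connect. It assumes the RSAT ActiveDirectory module is installed, that it runs as a user allowed to read and modify the domain root ACL, and that Entra Connect is installed in its default path.

```powershell
# Added example, not from the thread above. Assumes: RSAT ActiveDirectory module,
# rights to read/modify the domain root ACL, and the default Entra Connect install path.
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights (fixed, well-known GUIDs).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    # One object per Allow ACE on the domain naming context that grants a replication right.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $DomainDN)
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString().ToLowerInvariant()
        if ($ace.AccessControlType -eq 'Allow' -and $ReplicationRights.ContainsKey($guid)) {
            # Resolve the trustee to a SID so it can be matched against group SIDs later.
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $null   # orphaned or unresolvable trustee; still worth listing
            }
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-AccountReplicationRights {
    # Replication rights an account holds directly or via its direct group
    # memberships (nested groups are not expanded in this example).
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $sids = @($user.SID.Value) +
            @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.SID.Value })

    Get-ReplicationRightHolders | Where-Object { $sids -contains $_.Sid }
}

# --- Least-privilege grants for the new connector account ---
# ADSyncConfig.psm1 is installed with Entra Connect; adjust the path if your install differs.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

$Account = 'svc-entra-sync'            # account name from the question
$Domain  = (Get-ADDomain).DNSRoot

# Which account each AD connector currently uses (the question says it is a domain admin).
Get-ADSyncADConnectorAccount

# Read access on the synced object classes, plus write on msDS-ConsistencyGuid,
# which the connector uses as the source anchor.
Set-ADSyncBasicReadPermissions           -ADConnectorAccountName $Account -ADConnectorAccountDomain $Domain
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName $Account -ADConnectorAccountDomain $Domain

# Only if Password Hash Sync is enabled: this grants exactly the replication rights
# audited above, which is why a connector account appears in replication alerts.
Set-ADSyncPasswordHashSyncPermissions    -ADConnectorAccountName $Account -ADConnectorAccountDomain $Domain

# Verify: the connector account should hold only the replication rights PHS needs,
# and no other non-DC principal should be in this list unexpectedly.
Get-ReplicationRightHolders | Sort-Object Identity, Right | Format-Table -AutoSize
Test-AccountReplicationRights -SamAccountName $Account | Format-Table -AutoSize
```

After the grants, the account's credentials are changed in the Entra Connect wizard (Manage connector account / the AD DS connector's account setting) and a full import confirms the new account can read every OU in scope. The replication rights that `Set-ADSyncPasswordHashSyncPermissions` assigns are the same rights that a "replication from a non-domain-controller" detection keys on, so for a Password Hash Sync connector that alert is expected for this one account; the useful response is to confirm the alerting identity is the connector account, confirm it holds nothing beyond the grants above, and scope the detection exclusion to that account rather than suppressing the alert domain-wide.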
