Azure AD Connect: accounts and permissions - Microsoft Entra (2023)


Learn about the accounts used and created and the permissions required to install and use Azure AD Connect.


Accounts used for Azure AD Connect

Azure AD Connect uses three accounts to synchronize information from Windows Server Active Directory (Windows Server AD) to Azure Active Directory (Azure AD):

  • AD DS Connector account: Used to read and write information to Windows Server AD through Active Directory Domain Services (AD DS).

  • ADSync service account: Used to run the synchronization service and access the SQL Server database.

  • Azure AD Connector account: Used to write information to Azure AD.

You also need the following accounts to install Azure AD Connect:

  • Local Administrator account: The administrator who installs Azure AD Connect and who has local Administrator permissions on the computer.

  • AD DS Enterprise Administrator account: Optionally used to create the required AD DS Connector account.

  • Azure AD Global Administrator account: Used to create the Azure AD Connector account and to configure Azure AD. You can view the Global Administrator and Hybrid Identity Administrator accounts in the Azure portal. See List Azure AD role assignments.

  • SQL SA account (optional): Used to create the ADSync database when you use the full version of SQL Server. The SQL Server instance can be local or remote to the Azure AD Connect installation. This account can be the same account as the Enterprise Administrator account.

    A SQL Server administrator can provision the database out of band, and the Azure AD Connect administrator can then deploy it, as long as that account has Database Owner (DBO) permissions. For more information, see Install Azure AD Connect with SQL delegated admin permissions.

Important

Starting with build 1.4.###.#, you can no longer use an Enterprise Administrator account or a Domain Administrator account as the AD DS Connector account. If you try to enter an account that is an Enterprise Admin or Domain Admin under Use an existing account, the wizard displays an error message and can't continue.

Note

You can manage the administrative accounts used in Azure AD Connect by using an enterprise access model. An organization can use an enterprise access model to host administrative accounts, workstations, and groups in an environment that has more stringent security controls than the production environment. For more information, see Enterprise access model.

The Global Administrator role isn't required after the initial configuration. After configuration, the only account that's required is the account that holds the Directory Synchronization Accounts role. Rather than delete the account that has the Global Administrator role, we recommend that you change the role to a role that has a lower permission level. Removing the account entirely can cause problems if you ever need to run the wizard again; you can add permissions back if you need to use the Azure AD Connect wizard again.

Installation of Azure AD Connect

The Azure AD Connect setup wizard offers two paths:

  • Express settings: In an Azure AD Connect express settings installation, the wizard requires more privileges so that it can easily configure your installation. The wizard creates users and sets permissions so that you don't have to.
  • Custom settings: In an Azure AD Connect custom settings installation, you have more choices and options in the wizard. However, for some scenarios it's important to make sure that you have the correct permissions.

Express settings

In express settings, enter this information in the installation wizard:

  • AD DS Enterprise administrator credentials
  • Azure AD global administrator credentials

AD DS Enterprise administrator credentials

The AD DS Enterprise Administrator account is used to configure Windows Server AD. These credentials are used only during installation. The Enterprise Admin, not the Domain Admin, must make sure that the Windows Server AD permissions can be set in all domains.

If you upgrade from DirSync, the AD DS Enterprise Administrator credentials are used to reset the password for the account that DirSync used. Azure AD Global Administrator credentials are also required.

Azure AD global administrator credentials

The credentials for the Azure AD Global Administrator account are used only during setup. The account is used to create the Azure AD Connector account that syncs changes to Azure AD. The account also enables sync as a feature in Azure AD.

For more information, see Global Administrator.

AD DS Connector account required permissions for express settings

The AD DS Connector account is created to read and write to Windows Server AD. The account has the following permissions when it's created during an express settings installation:

  • Replicate Directory Changes; Replicate Directory Changes All: Used for Password Hash Synchronization.
  • Read/Write all properties on User: Used for import and Exchange hybrid.
  • Read/Write all properties on iNetOrgPerson: Used for import and Exchange hybrid.
  • Read/Write all properties on Group: Used for import and Exchange hybrid.
  • Read/Write all properties on Contact: Used for import and Exchange hybrid.
  • Reset password: Used in preparation for enabling password writeback.

Express settings wizard

In an express settings installation, the wizard creates some accounts and settings for you.


The following list summarizes the pages of the express settings wizard, the credentials that are collected, and what they're used for:

  • N/A
      Collected credentials: The user running the installation wizard.
      Required permissions: Local server administrator.
      Purpose: Used to create the ADSync service account that runs the synchronization service.
  • Connect to Azure AD
      Collected credentials: Azure AD directory credentials.
      Required permissions: Global Administrator role in Azure AD.
      Purpose: Used to enable sync on the Azure AD directory, and to create the Azure AD Connector account that is used for ongoing sync operations in Azure AD.
  • Connect to AD DS
      Collected credentials: Windows Server AD credentials.
      Required permissions: Member of the Enterprise Admins group in Windows Server AD.
      Purpose: Used to create the AD DS Connector account in Windows Server AD and grant it permissions. The created account is used to read and write directory information during synchronization.

Custom settings

In a custom settings installation, you have more choices and options in the wizard.


Custom settings wizard

The following list summarizes the pages of the custom settings wizard, the credentials that are collected, and what they're used for:

  • N/A
      Collected credentials: The user running the installation wizard.
      Required permissions: Local server administrator. If you use a full instance of SQL Server, the user must also be a SQL Server sysadmin.
      Purpose: Used by default to create the local account that is used as the sync engine service account. The account is created only when the administrator doesn't specify an account.
  • Install synchronization services, Service account option
      Collected credentials: Windows Server AD or local user account credentials.
      Required permissions: The user and the permissions are granted by the installation wizard.
      Purpose: If the administrator specifies an account, that account is used as the service account for the synchronization service.
  • Connect to Azure AD
      Collected credentials: Azure AD directory credentials.
      Required permissions: Global Administrator role in Azure AD.
      Purpose: Used to enable sync on the Azure AD directory, and to create the Azure AD Connector account that is used for ongoing sync operations in Azure AD.
  • Connect your directories
      Collected credentials: Windows Server AD credentials for each forest that is connected to Azure AD.
      Required permissions: The permissions depend on the features you enable and are described in Create the AD DS Connector account.
      Purpose: This account is used to read and write directory information during synchronization.
  • AD FS servers
      Collected credentials: For each server in the list, the wizard collects credentials when the sign-in credentials of the user running the wizard are insufficient to connect.
      Required permissions: Domain Administrator account.
      Purpose: Used during installation and configuration of the Active Directory Federation Services (AD FS) server role.
  • Web Application Proxy servers
      Collected credentials: For each server in the list, the wizard collects credentials when the sign-in credentials of the user running the wizard are insufficient to connect.
      Required permissions: Local admin on the target machine.
      Purpose: Used during installation and configuration of the Web Application Proxy (WAP) server feature.
  • Proxy trust credentials
      Collected credentials: Federation service trust credentials (the credentials that the proxy uses to enroll for a trust certificate from the federation service (FS)).
      Required permissions: Domain account that is a local administrator of the AD FS server.
      Purpose: Initial enrollment of the FS-WAP trust certificate.
  • AD FS Service Account page, Use a domain user account option
      Collected credentials: Windows Server AD user account credentials.
      Required permissions: Domain user.
      Purpose: The user account whose credentials are provided is used as the sign-in account for the AD FS service.

Create the AD DS connector account

Important

A new PowerShell module called ADSyncConfig.psm1 was introduced with build 1.1.880.0 (released August 2018). The module includes a collection of cmdlets that help you configure the correct Windows Server AD permissions for the AD DS Connector account.

For more information, see Azure AD Connect: Configure AD DS Connector account permissions.

The account you specify on the Connect your directories page must be present in Windows Server AD as a regular user object before installation (a VSA, MSA, or gMSA isn't supported). In Azure AD Connect version 1.1.524.0 and later, you have the option to let the Azure AD Connect wizard create the AD DS Connector account that is used to connect to Windows Server AD.

The account you specify must also have the required permissions. The installation wizard doesn't verify the permissions, so any problems are found only during the synchronization process.

The permissions you need depend on the optional features you enable. If you have multiple domains, the permissions must be granted for all domains in the forest. If you don't enable any of these features, the default Domain Users permissions are sufficient.

  • ms-DS-ConsistencyGuid feature: Write permissions to the ms-DS-ConsistencyGuid attribute, as documented in Design concepts: Using ms-DS-ConsistencyGuid as sourceAnchor.
  • Password Hash Synchronization: Replicate Directory Changes; Replicate Directory Changes All.
  • Exchange hybrid deployment: Write permissions to the attributes documented in Exchange hybrid writeback for users, groups, and contacts.
  • Exchange Mail Public Folder: Read permissions to the attributes documented in Exchange Mail Public Folder for public folders.
  • Password writeback: Write permissions to the attributes documented in Getting started with password management for users.
  • Device writeback: Permissions granted with a PowerShell script, as described in Device writeback.
  • Group writeback: Allows you to write back Microsoft 365 Groups to a forest that has Exchange installed.
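Because the wizard doesn't verify the AD DS Connector account's permissions, the following added example (not part of the Microsoft article) checks, in every domain of the forest, whether the two replication rights that Password Hash Synchronization needs are granted directly to the account. It assumes the ActiveDirectory module is available, that the connector account lives in the forest root domain as the article describes, and that MSOL_<placeholder> is replaced with your own account name.

```powershell
# Added example: verify the Password Hash Synchronization rights of the AD DS Connector account.
Import-Module ActiveDirectory

# Placeholder: sAMAccountName of your AD DS Connector account (MSOL_... for express installs).
$ConnectorAccount = 'MSOL_<placeholder>'

# Well-known extended-right GUIDs for the two rights the article lists for Password Hash Sync.
$ReplRights = [ordered]@{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

# The account is created in the forest root domain, so resolve it there.
$forest = Get-ADForest
$sid    = (Get-ADUser -Identity $ConnectorAccount -Server $forest.RootDomain).SID

# The rights are granted per domain root, so every domain in the forest must be checked.
foreach ($domainName in $forest.Domains) {
    $domainDN = (Get-ADDomain -Identity $domainName).DistinguishedName
    $entry    = [ADSI]"LDAP://$domainName/$domainDN"

    # Ask for identities as SIDs so the comparison does not depend on name translation.
    $rules = $entry.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rightName in $ReplRights.Keys) {
        $granted = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -eq $sid -and
            $_.ObjectType -eq $ReplRights[$rightName] -and
            $_.ActiveDirectoryRights.HasFlag(
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        }
        [pscustomobject]@{
            Domain  = $domainName
            Right   = $rightName
            Granted = [bool]$granted
        }
    }
}
```

The check reports only rights granted directly to the account; a right inherited through group membership shows as not granted, so treat a "False" as a prompt to inspect the domain root ACL rather than as proof that sync will fail.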

Permissions required to upgrade

When you upgrade from one version of Azure AD Connect to a new version, you need the following permissions:

  • The user running the installation wizard: Local server administrator. Used to update binaries.
  • The user running the installation wizard: Member of ADSyncAdmins. Used to make changes to sync rules and other configuration.
  • The user running the installation wizard: If you use a full instance of SQL Server, DBO of the sync engine database (or similar). Used to make database-level changes, such as updating tables with new columns.

Important

In build 1.1.484, a regression bug was introduced in Azure AD Connect. The bug requires sysadmin permissions to upgrade the SQL Server database. The bug is fixed in build 1.1.647. To upgrade to this build, you must have sysadmin permissions; in this scenario, DBO permissions aren't sufficient. If you try to upgrade Azure AD Connect without sysadmin permissions, the upgrade fails and Azure AD Connect no longer functions correctly.

Information about created accounts

The following sections give you more information about the accounts that Azure AD Connect creates.

AD DS Connector account

If you use express settings, an account that is used for sync is created in Windows Server AD. The created account is located in the forest root domain in the Users container. The account name is prefixed with MSOL_. The account is created with a long, complex password that doesn't expire. If you have a password policy in your domain, make sure that long, complex passwords are allowed for this account.


If you use custom settings, you're responsible for creating the account before you start the installation. See Create the AD DS Connector account.

ADSync service account

The synchronization service can run under different accounts. It can run under a virtual service account (VSA), a group managed service account (gMSA), a standalone managed service account (sMSA), or a regular user account. The supported options changed with the April 2017 release of Azure AD Connect for fresh installations. If you upgrade from an earlier version of Azure AD Connect, these additional options aren't available.

  • VSA
      Installation option: Express and custom, April 2017 and later.
      Description: This option is used for all express installations, except for installations on a domain controller. For custom settings, it's the default option.
  • gMSA
      Installation option: Custom, April 2017 and later.
      Description: If you use a remote instance of SQL Server, we recommend that you use a gMSA.
  • User account
      Installation option: Express and custom, April 2017 and later.
      Description: A user account prefixed with AAD_ is created during setup only when Azure AD Connect is installed on Windows Server 2008, and when it's installed on a domain controller.
  • User account
      Installation option: Express and custom, March 2017 and earlier.
      Description: A local account prefixed with AAD_ is created during installation. In a custom installation, you can specify a different account.

If you use Azure AD Connect with a build from March 2017 or earlier, don't reset the password of the service account: Windows destroys the encryption keys for security reasons. You can't change the account to any other account without reinstalling Azure AD Connect. If you upgrade to a build from April 2017 or later, you can change the password of the service account, but you can't change the account that is used.

Important

You can configure the service account only during the first installation. You can't change the service account after the installation is complete.

The following overview describes the default, recommended, and supported options for the synchronization service account. Because the bold and italic markers of the original table don't survive in plain text, the annotations below replace them.

Legend:

  • (default) = The default option and, in most cases, the recommended option.
  • (recommended) = The recommended option when it isn't the default.
  • (2008) = The default option when installing on Windows Server 2008.
  • No annotation = A supported option.
  • Local account = Local user account on the server.
  • Domain account = Domain user account.
  • sMSA = Standalone managed service account.
  • gMSA = Group managed service account.

Domain-joined machine:
  • Local DB, Express: VSA (default); Local account (2008)
  • Local DB / Local SQL Server, Custom: VSA (default); Local account (2008); Local account; Domain account; sMSA; gMSA
  • Remote SQL Server, Custom: gMSA (recommended); Domain account

Domain controller:
  • Local DB, Express: Domain account (default)
  • Local DB / Local SQL Server, Custom: gMSA (recommended); Domain account; sMSA
  • Remote SQL Server, Custom: gMSA (recommended); Domain account

VSA

A VSA is a special type of account that doesn't have a password and is managed by Windows.


The VSA is intended for scenarios in which the sync engine and SQL Server are on the same server. If you use a remote SQL Server, we recommend that you use a gMSA instead of a VSA.

The VSA feature requires Windows Server 2008 R2 or later. If you install Azure AD Connect on Windows Server 2008, the installation falls back to using a user account instead of a VSA.

gMSA

If you use a remote instance of SQL Server, we recommend that you use a gMSA. For more information about how to prepare Windows Server AD for a gMSA, see Group Managed Service Accounts overview.

To use this option, on the Install required components page, select Use an existing service account, and then select Managed Service Account.


You can also use an sMSA in this scenario. However, you can use an sMSA only on the local computer, and there's no advantage to using an sMSA instead of the default VSA.

The sMSA feature requires Windows Server 2012 or later. If you must use an older version of the operating system and you use a remote SQL Server, you must use a user account.

User account

The installation wizard creates a local service account (unless you specify the account to use in custom settings). The account is prefixed with AAD_ and is the account that the actual sync service runs as. If you install Azure AD Connect on a domain controller, the account is created in the domain. The AAD_ service account must be located in the domain if:

  • You use a remote server that runs SQL Server.
  • You use a proxy that requires authentication.


The AAD_ service account is created with a long, complex password that doesn't expire.

This account is used to store the passwords for the other accounts securely. The passwords are stored encrypted in the database. The private keys for the encryption keys are protected with the cryptographic services secret-key encryption by using the Windows Data Protection API (DPAPI).

If you use a full instance of SQL Server, the service account is the DBO of the database that is created for the sync engine. The service doesn't function as expected with any other permissions. A SQL Server login is also created.

The account also has permissions to files, registry keys, and other objects related to the sync engine.

Azure AD Connector account

An account is created in Azure AD for use by the sync service. You can identify this account by its display name.

[Figure: the Azure AD Connector account as shown in the Azure portal]

The name of the server on which the account is used can be identified in the second part of the user name. In the figure above, the server name is DC1. If you have staging servers, each server has its own account.

An account is created with a long, complex password that doesn't expire. The account is assigned the special Directory Synchronization Accounts role, which can perform only directory synchronization tasks. This special built-in role can't be assigned outside of the Azure AD Connect wizard. The Azure portal displays this account with the User role.

Azure AD has a limit of 20 sync service accounts. To get the list of existing Azure AD service accounts in your Azure AD instance, run the following Azure AD PowerShell cmdlet (the role's display name is Directory Synchronization Accounts):

    Get-AzureADDirectoryRole | where {$_.DisplayName -eq "Directory Synchronization Accounts"} | Get-AzureADDirectoryRoleMember

To remove unused Azure AD service accounts, run the following Azure AD PowerShell cmdlet, replacing <ObjectId> with the object ID of the account to remove:

    Remove-AzureADUser -ObjectId <ObjectId>

Note

Before you can use these PowerShell commands, you must install the Azure Active Directory PowerShell for Graph module and connect to your Azure AD instance by using Connect-AzureAD.

For more information about how to manage or reset the password for the Azure AD Connector account, see Manage the Azure AD Connect account.
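The following added example (not from the Microsoft article) builds on the two cmdlets above: it lists the members of the Directory Synchronization Accounts role, derives the server name from the second underscore-separated part of each user principal name as the article describes, and flags accounts whose server is no longer in a constructed list of active Azure AD Connect servers, without removing anything. It assumes the AzureAD module is installed and Connect-AzureAD has already been run, and that the UPN layout (Sync_<server>_<id>@tenant) holds for your tenant.

```powershell
# Added example: inventory the Azure AD sync service accounts against the 20-account limit
# and report those whose server is no longer operated. Nothing is deleted here.

# Constructed list: the Azure AD Connect servers (active and staging) you still operate.
$ActiveSyncServers = @('DC1', 'AADC-STAGING')

$roleName = 'Directory Synchronization Accounts'
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) { throw "Role '$roleName' is not present in this tenant." }

$members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)

$report = foreach ($m in $members) {
    # Assumption: the UPN looks like Sync_<server>_<id>@tenant, so the server name is part [1].
    $parts  = $m.UserPrincipalName -split '_'
    $server = if ($parts.Count -ge 2) { $parts[1] } else { '<unknown>' }
    [pscustomobject]@{
        DisplayName       = $m.DisplayName
        UserPrincipalName = $m.UserPrincipalName
        Server            = $server
        InUse             = ($ActiveSyncServers -contains $server)
        ObjectId          = $m.ObjectId
    }
}

$report | Format-Table -AutoSize
'{0} of the 20 allowed sync service accounts are in use' -f $members.Count

# Candidates for removal are only reported; remove one deliberately with
# Remove-AzureADUser -ObjectId <ObjectId> after confirming the server is decommissioned.
$stale = @($report | Where-Object { -not $_.InUse })
if ($stale.Count -gt 0) {
    'Accounts with no matching active server:'
    $stale | Format-Table DisplayName, Server, ObjectId -AutoSize
}
```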

Related articles

For more information about Azure AD Connect, see these articles:

  • Download Azure AD Connect: Download Azure AD Connect
  • Install by using express settings: Express installation of Azure AD Connect
  • Install by using custom settings: Custom installation of Azure AD Connect
  • Upgrade from DirSync: Upgrade from Azure AD sync tool (DirSync)
  • After installation: Verify the installation and assign licenses

Next steps

Learn more about Integrating your on-premises identities with Azure Active Directory.

Article information

Author: Merrill Bechtelar CPA

Last Updated: 02/10/2023
