Learn more about the accounts used and created, and the permissions required to install and use Azure AD Connect.
Accounts for Azure AD Connect
Azure AD Connect uses three accounts to synchronize information from on-premises Windows Server Active Directory (Windows Server AD) to Azure Active Directory (Azure AD):
- AD DS Connector account: used to read and write information in Windows Server AD by using Active Directory Domain Services (AD DS).
- ADSync service account: used to run the synchronization service and to access the SQL Server database.
- Azure AD Connector account: used to write information to Azure AD.
The following accounts are also needed to install Azure AD Connect:
- Local Administrator account: the administrator who installs Azure AD Connect and has local administrator permissions on the computer.
- AD DS Enterprise Administrator account: optionally used to create the required AD DS Connector account.
- Azure AD Global Administrator account: used to create the Azure AD Connector account and to configure Azure AD. You can view the Global Administrator and Hybrid Identity Administrator accounts in the Azure portal; see List Azure AD role assignments.
- SQL SA account (optional): used to create the ADSync database when you use the full version of SQL Server. The SQL Server instance can be local or remote to the Azure AD Connect installation. This account can be the same account as the Enterprise Administrator account.
The database can now be provisioned out of band by a SQL Server administrator, and Azure AD Connect then installed by an Azure AD Connect administrator whose account has database owner (DBO) permissions. For more information, see Install Azure AD Connect with SQL delegated administrator permissions.
Important
Beginning with version 1.4.###.#, you can no longer use an Enterprise Administrator or Domain Administrator account as the AD DS Connector account. If you enter an Enterprise Administrator or Domain Administrator account when you select Use existing account, the wizard displays an error message and can't continue.
Note
You can manage the administrative accounts used by Azure AD Connect with the enterprise access model. Organizations can use the enterprise access model to host administrative accounts, workstations, and groups in environments with stronger security controls than production environments. For more information, see Enterprise access model.
The Global Administrator role isn't required after initial setup. After installation, the only account required is the account that holds the Directory Synchronization Accounts role. Rather than deleting the Global Administrator account, we recommend changing its role to one with lower privileges: removing the account entirely can cause problems if you need to run the wizard again, whereas you can simply add the permissions back if you need to use the Azure AD Connect wizard again.
Azure AD Connect installation
The Azure AD Connect setup wizard provides two paths:
- Express settings: With express settings, the wizard requires more privileges so that it can configure the installation easily. The wizard creates the users and sets the permissions for you.
- Custom settings: With custom settings, you have more choices and options in the wizard. However, in some situations you must make sure yourself that you have the correct permissions.
Express settings
For express installation, enter the following information in the installation wizard:
- AD DS enterprise administrator credentials
- Azure AD global administrator credentials
AD DS enterprise administrator credentials
The AD DS Enterprise Administrator account is used to configure Windows Server AD. These credentials are used only during installation and aren't used after the installation finishes. The Enterprise Administrator role, rather than Domain Administrator, is required so that permissions in Windows Server AD can be set in all domains.
If you're upgrading from DirSync, the AD DS Enterprise Administrator credentials are used to reset the password of the account used by DirSync. Azure AD Global Administrator credentials are also required.
Azure AD global administrator credentials
The Azure AD Global Administrator account credentials are used only during setup. This account is used to create the Azure AD Connector account that syncs changes to Azure AD. This account also enables sync as a feature in Azure AD.
For more information, see Global Administrator.
Permissions for the AD DS Connector account created by express settings
Express settings create a read/write AD DS Connector account in Windows Server AD. The account is created with the following permissions:
Permission | Used for |
---|---|
Replicate Directory Changes, Replicate Directory Changes All | Password hash synchronization |
Read/Write all properties, User | Import and Exchange hybrid |
Read/Write all properties, iNetOrgPerson | Import and Exchange hybrid |
Read/Write all properties, Group | Import and Exchange hybrid |
Read/Write all properties, Contact | Import and Exchange hybrid |
Reset password | Preparation for enabling password writeback |
Express settings wizard
During an express settings installation, the wizard creates the accounts and settings for you.
The following table summarizes the express settings wizard pages, the credentials that are collected, and their purpose:
Wizard page | Credentials collected | Permission required | Purpose |
---|---|---|---|
Not applicable | The user who runs the setup wizard. | Local server administrator. | Used to create the ADSync service account that runs the synchronization service. |
Connect to Azure AD | Azure AD directory credentials. | Global Administrator role in Azure AD. | - Used to enable sync in the Azure AD directory. - Used to create the Azure AD Connector account for ongoing sync operations. |
Connect to AD DS | Windows Server AD credentials. | Member of the Enterprise Admins group in Windows Server AD. | Used to create and grant permissions to the AD DS Connector account in Windows Server AD. The created account is used to read and write directory information during synchronization. |
Custom settings
For a custom setup installation, you have more choices and options in the wizard.
Custom Settings Wizard
The following table summarizes the custom setup wizard pages, collected credentials, and their purpose:
Wizard page | Credentials collected | Permission required | Purpose |
---|---|---|---|
Not applicable | The user who runs the setup wizard. | - Local server administrator. - If you use a full instance of SQL Server, you must be a system administrator (sysadmin) on the SQL Server instance. | By default, creates a local account that's used as the sync engine service account. The account is created only if the administrator doesn't specify an account. |
Install synchronization services, Service account option | Windows Server AD or local user account credentials. | User; permissions are granted by the installation wizard. | If the administrator specifies an account, that account is used as the service account for the sync service. |
Connect to Azure AD | Azure AD directory credentials. | Global Administrator role in Azure AD. | - Used to enable sync in the Azure AD directory. - Used to create the Azure AD Connector account for ongoing sync operations. |
Connect your directories | Windows Server AD credentials for each forest that's connected to Azure AD. | Permissions depend on the features you enable; see Create an AD DS Connector account. | This account is used to read and write directory information during synchronization. |
AD FS servers | For each server in the list, the wizard collects credentials when the sign-in credentials of the user running the wizard are insufficient to connect. | Domain Administrator account. | Used when installing and configuring the Active Directory Federation Services (AD FS) server role. |
Web Application Proxy servers | For each server in the list, the wizard collects credentials when the sign-in credentials of the user running the wizard are insufficient to connect. | Local administrator on the target computer. | Used when installing and configuring the Web Application Proxy (WAP) role. |
Proxy trust credentials | Federation service trust credentials (the credentials the proxy uses to establish a trust with the federation service). | A domain account that's a local administrator of the AD FS server. | Initial registration of the FS-WAP trust certificate. |
AD FS Service Account page, Use a domain user account option | Windows Server AD user account credentials. | Domain user. | The Windows Server AD user account whose credentials are provided is used as the sign-in account of the AD FS service. |
Create an AD DS Connector account
Important
A new PowerShell module named ADSyncConfig.psm1 was introduced with build 1.1.880.0 (released August 2018). The module includes a set of cmdlets that help you configure the correct Windows Server AD permissions for the AD DS Connector account.
For more information, see Azure AD Connect: Configure AD DS Connector account permissions.
The account you specify on the Connect your directories page must be created in Windows Server AD as a regular user object (VSA, MSA, and gMSA aren't supported) before installation. In Azure AD Connect version 1.1.524.0 and later, the wizard can optionally create the AD DS Connector account that's used to connect to Windows Server AD.
The specified account must also have the required permissions. The installation wizard doesn't verify the permissions; any problems are found only during synchronization.
The permissions you need depend on which optional features you enable. If you have multiple domains, you must grant the permissions in all domains in the forest. If you don't enable any of these features, the default Domain User permissions are sufficient.
Feature | Permissions |
---|---|
ms-DS-ConsistencyGuid feature | Write permissions to the ms-DS-ConsistencyGuid attribute, documented in Design concepts: using ms-DS-ConsistencyGuid as sourceAnchor. |
Password hash synchronization | - Replicate Directory Changes - Replicate Directory Changes All |
Exchange hybrid deployment | Write permissions to the attributes documented in Exchange hybrid writeback, for users, groups, and contacts. |
Exchange Mail Public Folder | Read permissions to the attributes documented in Exchange Mail Public Folder, for public folders. |
Password writeback | Write permissions to the attributes documented in Getting started with password management, for users. |
Device writeback | Permissions granted with a PowerShell script, as described in Device writeback. |
Group writeback | Allows you to write back Microsoft 365 Groups to a forest that has Exchange installed. |
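The following script is an added example and is not part of the original article or of Azure AD Connect itself. It walks the custom-settings path described above end to end: it pre-creates the AD DS Connector account as a plain user object, refuses an account that is a member of Domain Admins or Enterprise Admins (the check the wizard enforces since version 1.4), grants the per-feature permissions from the table above through the ADSyncConfig module, restricts who can touch the connector account, and then verifies the domain-head ACL, because the wizard does not. The account name `svc-aadc-connector`, the domain `corp.example.com`, the feature list and the module path are assumptions; the cmdlet names `Set-ADSyncBasicReadPermissions`, `Set-ADSync<Feature>Permissions` and `Set-ADSyncRestrictedPermissions`, with their `-ADConnectorAccountName` / `-ADConnectorAccountDomain` / `-ADConnectorAccountDN` parameters, are those shipped in the module at the time of writing and should be confirmed with `Get-Command -Module AdSyncConfig` on your own build.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]   $AccountName = 'svc-aadc-connector',   # assumed account name
    [string]   $DomainFqdn  = 'corp.example.com',     # assumed domain; run once per domain in the forest
    [string[]] $Features    = @('PasswordHashSync', 'PasswordWriteback', 'ExchangeHybrid', 'MsDsConsistencyGuid'),
    # Default install path of the module the article mentions; adjust if Azure AD Connect is installed elsewhere.
    [string]   $ModulePath  = 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module $ModulePath

$domain = Get-ADDomain -Identity $DomainFqdn

# 1. Create the account as a plain user object (VSA/MSA/gMSA are not supported for this role)
#    with a long random password that never expires, mirroring what express settings does for MSOL_.
$account = Get-ADUser -Filter "SamAccountName -eq '$AccountName'" -Server $DomainFqdn
if (-not $account) {
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name $AccountName -SamAccountName $AccountName `
        -UserPrincipalName "$AccountName@$DomainFqdn" `
        -Path "CN=Users,$($domain.DistinguishedName)" `
        -AccountPassword $secret -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Azure AD Connect AD DS Connector account' -Server $DomainFqdn
    $account = Get-ADUser -Identity $AccountName -Server $DomainFqdn
}

# 2. Since version 1.4 the wizard rejects Domain Admin / Enterprise Admin members; fail early ourselves.
$privileged = Get-ADPrincipalGroupMembership -Identity $account -Server $DomainFqdn |
    Where-Object { $_.Name -in 'Domain Admins', 'Enterprise Admins', 'Administrators' }
if ($privileged) {
    throw "$AccountName is a member of $($privileged.Name -join ', '); the connector account must not be a privileged admin."
}

# 3. Map the features in the table above to the AdSyncConfig cmdlets that grant their permissions.
#    (Device writeback and group writeback have their own documented scripts and are left out here.)
$grantCmdlet = @{
    MsDsConsistencyGuid      = 'Set-ADSyncMsDsConsistencyGuidPermissions'
    PasswordHashSync         = 'Set-ADSyncPasswordHashSyncPermissions'
    PasswordWriteback        = 'Set-ADSyncPasswordWritebackPermissions'
    ExchangeHybrid           = 'Set-ADSyncExchangeHybridPermissions'
    ExchangeMailPublicFolder = 'Set-ADSyncExchangeMailPublicFolderPermissions'
}
# Assumption: the domain parameter accepts the NetBIOS name (the module builds an NTAccount from it).
$target = @{ ADConnectorAccountName = $AccountName; ADConnectorAccountDomain = $domain.NetBIOSName }
Set-ADSyncBasicReadPermissions @target     # baseline read rights that the import step always needs
foreach ($feature in $Features) {
    if (-not $grantCmdlet.ContainsKey($feature)) { throw "Unknown feature '$feature'" }
    & $grantCmdlet[$feature] @target
}

# 4. Restrict who can read or modify the connector account object itself. With Replicate Directory
#    Changes All it can pull every password hash in the domain (DCSync), so treat it as a Tier 0 asset.
$cred = Get-Credential -Message 'Domain Admin credentials used to restrict the connector account ACL'
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $account.DistinguishedName -Credential $cred

# 5. The wizard does not validate permissions, so check the domain-head ACL now rather than at sync time.
#    (The AD: drive is rooted in the logon domain; run the script from a machine joined to $DomainFqdn.)
$replChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$replChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All
$acl  = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$mine = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq "$($domain.NetBIOSName)\$AccountName" })
$hasPhsRights = ($mine.ObjectType -contains $replChanges) -and ($mine.ObjectType -contains $replChangesAll)
if (($Features -contains 'PasswordHashSync') -and -not $hasPhsRights) {
    throw "Replicating Directory Changes (All) is missing on $($domain.DistinguishedName); PHS would fail at sync time."
}
$mine | Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType | Format-Table -AutoSize
```

Run it in each domain of the forest, as the article requires, and keep the generated password out of the script's output: the wizard only needs it once, when you select Use existing account. Step 4 is the part most often skipped; without it any principal that can reset the connector account's password inherits its replication rights.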
Permissions required to upgrade
When upgrading from one version of Azure AD Connect to a newer version, you need the following permissions:
Principal | Permission required | Purpose |
---|---|---|
The user who runs the setup wizard | Local server administrator | Used to update the binaries. |
The user who runs the setup wizard | Member of ADSyncAdmins | Used to change synchronization rules and other configuration. |
The user who runs the setup wizard | If you use a full instance of SQL Server: DBO (or similar) of the sync engine database | Used to make database-level changes, such as updating a table with a new column. |
Important
A regression bug was introduced in Azure AD Connect version 1.1.484. This bug requires sysadmin permissions to upgrade the SQL Server database. The bug was fixed in version 1.1.647. If you want to upgrade to that version, you must have sysadmin permissions; DBO permissions aren't sufficient in this case. If you try to upgrade Azure AD Connect without sysadmin permissions, the upgrade fails and Azure AD Connect stops working correctly.
Details of the created account
The following sections provide more information about accounts created in Azure AD Connect.
AD DS Connector account
When you use express settings, an account is created in Windows Server AD for synchronization. The account is created in the forest root domain, in the Users container, and its name starts with MSOL_. The account is created with a long, complex password that doesn't expire. If your domain has a password policy, make sure that this account is allowed to have a long, complex password.
If you use custom settings, you're responsible for creating the account before you start the installation. See Create an AD DS Connector account.
ADSync service account
The sync service can run under different accounts: a virtual service account (VSA), a group managed service account (gMSA), a standalone managed service account (sMSA), or a regular user account. The supported options for a clean install changed with the April 2017 release of Azure AD Connect. These additional options aren't available when you upgrade from an earlier version of Azure AD Connect.
Account type | Installation option | Description |
---|---|---|
VSA | Express and custom, April 2017 and later | Used for all express settings installations, except installations on a domain controller. For custom settings, this is the default option. |
gMSA | Custom, April 2017 and later | If you use a remote instance of SQL Server, we recommend using a gMSA. |
User account | Express and custom, April 2017 and later | A user account prefixed with AAD_ is created during installation only when Azure AD Connect is installed on Windows Server 2008 and on a domain controller. |
User account | Express and custom, March 2017 and earlier | A local account prefixed with AAD_ is created during installation. For a custom installation, you can specify a different account. |
If you use a release of Azure AD Connect from March 2017 or earlier, don't reset the password of the service account: because of how Windows works, doing so destroys the encryption keys. The account can't be changed to any other account without reinstalling Azure AD Connect. If you upgrade to the April 2017 release or later, you can change the password of the service account, but you still can't change which account is used.
Important
The service account can be set only during initial installation. You can't change the service account after the installation is complete.
The following table describes the default, recommended, and supported sync service account options.
Legend:
- Bold = default option and, in most cases, the recommended option.
- Italic = recommended option when it isn't the default option.
- 2008 = default when installing on Windows Server 2008.
- Not bold = supported option.
- Local account = local user account on the server.
- Domain account = domain user account.
- sMSA = standalone managed service account.
- gMSA = group managed service account.
 | Local DB, express | Local DB / local SQL Server, custom | Remote SQL Server, custom |
---|---|---|---|
Domain-joined machine | **VSA** (2008: local account) | **VSA** (2008: local account), local account, domain account, sMSA, gMSA | *gMSA*, domain account |
Domain controller | **Domain account** | **Domain account**, gMSA, sMSA | *gMSA*, domain account |
VSA
A VSA is a special type of account that has no password and is managed by Windows.
The VSA is intended for scenarios where the sync engine and SQL Server are on the same server. If you use a remote SQL Server instance, we recommend using a gMSA instead of a VSA.
The VSA feature requires Windows Server 2008 R2 or later. If you install Azure AD Connect on Windows Server 2008, the installation falls back to using a user account instead of a VSA.
gMSA
If you're using a remote instance of SQL Server, we recommend using gMSA. For more information about preparing Windows Server AD for gMSA, seeOverview of Group Managed Service Accounts.
To use this option, on the Install required components page, select Use an existing service account, and then select Managed Service Account.
You can also use an sMSA in this scenario. However, an sMSA can be used only on the local computer, and there's no benefit to using it instead of the default VSA.
The sMSA feature requires Windows Server 2012 or later. If you need to use an earlier version of the OS together with a remote SQL Server instance, you must use a user account.
user's account
A local service account is created by the installation wizard (unless you specify the account to use in custom settings). The account's name starts with AAD_, and it's used to run the actual sync service. If you install Azure AD Connect on a domain controller, the account is created in the domain. The AAD_ service account must be located in the domain if:
- You use a remote server running SQL Server.
- You use a proxy server that requires authentication.
The AAD_ service account is created with a long, complex password that doesn't expire.
This account is used to securely store the passwords of the other accounts. Those passwords are stored in the database in encrypted form, and the private key of the encryption key is protected with cryptographic services secret-key encryption using the Windows Data Protection API (DPAPI).
If you use a full instance of SQL Server, the service account is the DBO of the database created for the sync engine. The service won't work as expected with any other permissions. A SQL Server login is also created.
The account is also granted permissions to files, registry keys, and other objects related to the sync engine.
An Azure AD Connector account
An account is created in Azure AD for the sync service's use. You can recognize this account by its display name.
The name of the server on which the account is used appears in the second part of the user name (the article's original screenshot, not reproduced here, showed a server named DC1). If you have staging servers, each server has its own account.
The server accounts are created with long, complex passwords that don't expire. The account is assigned the special Directory Synchronization Accounts role, which has permissions only to perform directory synchronization tasks. This special built-in role can't be granted outside the Azure AD Connect wizard. The Azure portal shows this account with the User role.
Azure AD has a limit of 20 sync service accounts. To get the list of Azure AD service accounts in your Azure AD tenant, run the following Azure AD PowerShell cmdlet: Get-AzureADDirectoryRole | where {$_.DisplayName -eq "Directory Synchronization Accounts"} | Get-AzureADDirectoryRoleMember
To remove unused Azure AD service accounts, run the following Azure AD PowerShell cmdlet: Remove-AzureADUser -ObjectId <ObjectId>
Note
Before you use these PowerShell commands, you must install the Azure Active Directory PowerShell for Graph module and connect to your Azure AD tenant by using Connect-AzureAD.
For more information on how to manage or reset the password of the Azure AD Connect account, see Manage Azure AD Connect accounts.
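The script below is an added example, not part of the original article, that turns the two cmdlets above into a small audit: it lists the members of the Directory Synchronization Accounts role, reports how many of the 20 permitted sync service accounts are in use, derives the server name from the second part of each user name, and flags accounts whose server is no longer in your inventory so they can be removed deliberately rather than left holding write access to the tenant. The server list `AADC01`/`AADC02` is assumed, and the user-name pattern `Sync_<server>_<random>@<tenant>.onmicrosoft.com` used for parsing is an assumption drawn from deployments I have seen; the article itself states only that the server name is the second part of the user name. The AzureAD module must already be loaded and `Connect-AzureAD` already run.

```powershell
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string[]] $LiveServers = @('AADC01', 'AADC02'),   # assumed names of the sync/staging servers still in use
    [switch]   $Remove                                  # without this switch the script only reports
)
$ErrorActionPreference = 'Stop'

# The role object exists in a tenant only once a member has been added to it; if it is absent,
# no Azure AD Connector account has ever been created.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Directory Synchronization Accounts' }
if (-not $role) { throw 'Directory Synchronization Accounts role not found; no Azure AD Connector account exists yet.' }
$members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
Write-Host ("{0} of the 20 permitted sync service accounts are in use." -f $members.Count)

$report = foreach ($m in $members) {
    # Assumed naming pattern: Sync_<server>_<random>@<tenant>.onmicrosoft.com. Anything that does not
    # match yields Server = $null and is never marked stale, so unexpected accounts are reported, not removed.
    $localPart = ($m.UserPrincipalName -split '@')[0]
    $parts     = $localPart -split '_'
    $server    = if ($parts.Count -ge 3) { $parts[1] } else { $null }
    [pscustomobject]@{
        ObjectId    = $m.ObjectId
        DisplayName = $m.DisplayName
        UPN         = $m.UserPrincipalName
        Server      = $server
        Stale       = [bool]($server -and ($LiveServers -notcontains $server))
    }
}
$report | Format-Table Server, Stale, UPN, ObjectId -AutoSize

# Every one of these accounts can write to the tenant, so remove the ones whose server is gone, with an
# explicit confirmation each (ShouldProcess gives -WhatIf / -Confirm). Never remove the account of a
# server that still syncs: that server stops working and must be reconfigured with the wizard.
if ($Remove) {
    foreach ($s in ($report | Where-Object Stale)) {
        if ($PSCmdlet.ShouldProcess($s.UPN, 'Remove-AzureADUser')) {
            Remove-AzureADUser -ObjectId $s.ObjectId
        }
    }
}
```

Run it first without `-Remove`, then with `-Remove -WhatIf` to see exactly which accounts would go. The AzureAD module is the one the article names; it has since been deprecated in favour of Microsoft Graph PowerShell, where the same role and its members are read through the directory roles API, but the audit logic is unchanged.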
Related articles
For more information on Azure AD Connect, see the following articles:
Topic | Link |
---|---|
Download Azure AD Connect | Download Azure AD Connect |
Install using express settings | Azure AD Connect express installation |
Install using custom settings | Azure AD Connect custom installation |
Upgrade from DirSync | Upgrade from Azure AD Sync (DirSync) |
After installation | Verify the installation and assign licenses |
Next steps
Learn more about integrating your on-premises identities with Azure Active Directory.