Learn about the accounts used and created and the permissions required to install and use Azure AD Connect.
Accounts used for Azure AD Connect
Azure AD Connect uses three accounts to synchronize information from on-premises Windows Server Active Directory (Windows Server AD) to Azure Active Directory (Azure AD):
AD DS connector account: Used to read and write information to Windows Server AD using Active Directory Domain Services (AD DS).
ADSync service account: Used to run the synchronization service and access the SQL Server database.
Azure AD Connector account: Used to write information to Azure AD.
You also need the following accounts to install Azure AD Connect:
Local administrator account: The administrator who installs Azure AD Connect and who has local administrator rights on the computer.
AD DS Enterprise administrator account: Optionally used to create the required AD DS Connector account.
Azure AD Global Administrator or Hybrid Identity Administrator account: Used to create the Azure AD Connector account and to configure Azure AD. You can view the Global Administrator and Hybrid Identity Administrator accounts in the Azure portal. See List Azure AD role assignments.
SQL SA account (optional): Used to create the ADSync database when using the full version of SQL Server. The SQL Server instance can be local or remote to your Azure AD Connect installation. This account can be the same account as the Enterprise Administrator account.
Database provisioning can now be performed out of band by the SQL Server administrator, and the database is then installed by the Azure AD Connect administrator, provided that administrator's account has database owner (DBO) rights. For more information, see Install Azure AD Connect using SQL delegated administrator permissions.
Important
Beginning with build 1.4.###.#, you can no longer use an Enterprise Administrator account or a Domain Administrator account as the AD DS Connector account. If you attempt to enter an account that is an Enterprise Administrator or Domain Administrator for Use existing account, the wizard displays an error message and you cannot continue.
Note
You can manage the administrator accounts used in Azure AD Connect by using an enterprise access model. An organization can use the enterprise access model to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment. For more information, see Enterprise access model.
The Global Administrator role is not required after initial setup. After setup, the only account required is the Directory Synchronization Accounts role account. Instead of removing the account that has the Global Administrator role, we recommend that you change the role to a role that has a lower level of privileges. Completely removing the account may cause problems if you need to run the wizard again. You can add permissions if you need to use the Azure AD Connect wizard again.
Install Azure AD Connect
The Azure AD Connect setup wizard offers two paths:
- Express settings: In the Azure AD Connect express settings, the wizard requires more permissions so that it can easily configure your installation. The wizard creates users and sets permissions so you don't have to.
- Custom settings: In Azure AD Connect custom settings, you have more choices and options in the wizard. However, for some scenarios, it's important to make sure you have the correct permissions yourself.
Express settings
In the express settings, enter this information in the installation wizard:
- AD DS Enterprise administrator credentials
- Azure AD Global Administrator credentials
AD DS Enterprise administrator credentials
The AD DS Enterprise Administrator account is used to configure Windows Server AD. These credentials are only used during installation. The Enterprise Administrator, not the Domain Administrator, should ensure that permissions in Windows Server AD can be set in all domains.
If you upgrade from DirSync, your AD DS Enterprise administrator credentials are used to reset the password for the account that DirSync used. Azure AD Global Administrator credentials are also required.
Azure AD Global Administrator credentials
Credentials for the Azure AD Global Administrator account are only used during installation. The account is used to create the Azure AD Connector account that synchronizes changes to Azure AD. The account also enables synchronization as a feature in Azure AD.
For more information, seeGlobal Administrator.
AD DS Connector account required permissions for express settings
The AD DS Connector account is created to read and write to Windows Server AD. The account has the following permissions when it is created during an express settings installation:
Permission | Used for |
---|---|
Replicate Directory Changes, Replicate Directory Changes All | Password hash synchronization |
Read/Write all properties User | Import and Exchange hybrid deployment |
Read/Write all properties iNetOrgPerson | Import and Exchange hybrid deployment |
Read/Write all properties Group | Import and Exchange hybrid deployment |
Read/Write all properties Contact | Import and Exchange hybrid deployment |
Reset password | Preparation for enabling password writeback |
Express settings wizard
In an express settings installation, the wizard creates several accounts and settings for you.
The following table is a summary of the express settings wizard pages, the credentials collected and what they are used for:
Wizard page | Credentials collected | Permissions required | Purpose |
---|---|---|---|
N/A | The user running the setup wizard. | Administrator of the local server. | Used to create the ADSync service account that runs the synchronization service. |
Connect to Azure AD | Azure AD directory credentials. | Global Administrator role in Azure AD. | - Used to enable synchronization in the Azure AD directory. - Used to create the Azure AD Connector account that is used for ongoing synchronization operations in Azure AD. |
Connect to AD DS | Windows Server AD credentials. | Member of the Enterprise Admins group in Windows Server AD. | Used to create the AD DS Connector account in Windows Server AD and to grant permissions to it. The created account is used to read and write directory information during synchronization. |
Custom settings
In a custom settings installation, you have more choices and options in the wizard.
Custom Settings Wizard
The following table is a summary of the custom settings wizard pages, the credentials collected and what they are used for:
Wizard page | Credentials collected | Permissions required | Purpose |
---|---|---|---|
N/A | The user running the setup wizard. | - Administrator of the local server. - If you use a full SQL Server instance, the user must be a System Administrator (sysadmin) on the SQL Server. | By default, used to create the local account that is used as the sync engine service account. The account is created only when the administrator does not specify an account. |
Install synchronization services, Service account page | Windows Server AD or local user account credentials. | The user is granted permissions by the installation wizard. | If the administrator specifies an account, that account is used as the service account for the synchronization service. |
Connect to Azure AD | Azure AD directory credentials. | Global Administrator role in Azure AD. | - Used to enable synchronization in the Azure AD directory. - Used to create the Azure AD Connector account that is used for ongoing synchronization operations in Azure AD. |
Connect your directories | Windows Server AD credentials for each forest that is connected to Azure AD. | Permissions depend on the features you enable and are described in Create the AD DS Connector account. | This account is used to read and write directory information during synchronization. |
AD FS servers | For each server in the list, the wizard collects credentials when the sign-in credentials of the user running the wizard are insufficient to connect. | Domain Administrator account. | Used during installation and configuration of the Active Directory Federation Services (AD FS) server role. |
Web application proxy servers | For each server in the list, the wizard collects credentials when the sign-in credentials of the user running the wizard are insufficient to connect. | Local administrator on the target computer. | Used during installation and configuration of the web application proxy (WAP) role. |
Proxy trust credentials | Federation service trust credentials (the credentials the proxy uses to enroll for a trust certificate from the federation service). | Domain account that is a local administrator of the AD FS server. | Initial enrollment of the FS-WAP trust certificate. |
AD FS service account page, Use a domain user account option | Windows Server AD user account credentials. | A domain user. | The Windows Server AD user account whose credentials are provided is used as the AD FS sign-in account. |
Create the AD DS Connector account
Important
A new PowerShell module named ADSyncConfig.psm1 was introduced with build 1.1.880.0 (released in August 2018). The module includes a collection of cmdlets that help you configure the correct Windows Server AD permissions for your AD DS Connector account.
For more information, see Azure AD Connect: Configure AD DS Connector account permissions.
The account you specify on the Connect your directories page must be created in Windows Server AD as a regular user object (VSA, MSA, and gMSA are not supported) before installation. Azure AD Connect build 1.1.524.0 and later includes the option to let the Azure AD Connect wizard create the AD DS Connector account that is used to connect to Windows Server AD.
The account you specify must also have the required permissions. The installation wizard does not verify permissions and any problems are detected only during the synchronization process.
Which permissions you need depends on the optional features you enable. If you have multiple domains, the permissions must be granted for all domains in the forest. If you do not enable any of these features, the default Domain User permissions are sufficient.
Feature | Permissions |
---|---|
ms-DS-ConsistencyGuid feature | Write permissions to the ms-DS-ConsistencyGuid attribute, as documented in Design concepts: Using ms-DS-ConsistencyGuid as sourceAnchor. |
Password hash synchronization | - Replicate Directory Changes - Replicate Directory Changes All |
Exchange hybrid deployment | Write permissions to the attributes documented in Exchange hybrid writeback for users, groups, and contacts. |
Exchange Mail Public Folder | Read permissions to the attributes documented in Exchange Mail Public Folder for public folders. |
Password writeback | Write permissions to the attributes documented in Getting started with password management for users. |
Device writeback | Permissions are granted with a PowerShell script, as described in Device writeback. |
Group writeback | Allows you to write back Microsoft 365 Groups to a forest that has Exchange installed. |
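The following added example (it is not part of the original article and not code shipped by Microsoft) shows how a practitioner would create the AD DS Connector account as a regular user object and then grant it only the rights from the two permission tables above, using the cmdlets of the ADSyncConfig module that ships with Azure AD Connect build 1.1.880.0 and later. The domain name `contoso.com`, the account name `svc-aadc-connector`, the default installation path, and the set of features being enabled (password hash synchronization, ms-DS-ConsistencyGuid, password writeback) are assumptions; adjust them to your environment. It must run as an Enterprise Admin on a machine with the AD DS RSAT tools.

```powershell
# Added example (not from the original article): create a plain-user AD DS Connector
# account and grant only the permissions the enabled features need, using the
# ADSyncConfig module installed with Azure AD Connect 1.1.880.0+.
# Assumptions: domain contoso.com, account svc-aadc-connector, default install path,
# features = password hash sync + ms-DS-ConsistencyGuid + password writeback.

Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

$Domain      = 'contoso.com'                      # assumption
$AccountName = 'svc-aadc-connector'               # assumption
$DomainDN    = (Get-ADDomain $Domain).DistinguishedName

# 1. Create the connector account as a regular user object (VSA/MSA/gMSA are not
#    supported for this role). Use a long random password that never expires.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

$user = New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$Domain" `
    -Path "CN=Users,$DomainDN" `
    -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Azure AD Connect AD DS Connector account' -PassThru

# 2. Baseline read permissions that every configuration needs.
Set-ADSyncBasicReadPermissions -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain

# 3. One cmdlet per row of the feature table. Omit the ones you are not enabling;
#    Replicate Directory Changes (All) in particular is DCSync-equivalent, so grant
#    it only when password hash synchronization is actually in use.
Set-ADSyncPasswordHashSyncPermissions    -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain
Set-ADSyncPasswordWritebackPermissions   -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain
# Set-ADSyncExchangeHybridPermissions          -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain
# Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain
# Set-ADSyncUnifiedGroupWritebackPermissions   -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain

# 4. Harden the account object itself: disable inheritance and leave only
#    Domain Admins, Enterprise Admins, SYSTEM and the account with access to it.
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $user.DistinguishedName `
    -Credential (Get-Credential -Message 'Enterprise Admin credentials')

# 5. Verify what was actually granted on the domain naming context. The wizard does
#    not validate these rights; problems otherwise surface only as sync errors.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$AccountName" } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Run the same feature cmdlets once per domain when the forest has several domains; the permission table applies to every domain the connector account will read from.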
Permissions required to upgrade
When you upgrade from one version of Azure AD Connect to a newer version, you need the following permissions:
Principal | Permissions required | Purpose |
---|---|---|
The user running the setup wizard | Administrator of the local server | Used to update binaries. |
The user running the setup wizard | Member of ADSyncAdmins | Used to make changes to synchronization rules and other configurations. |
The user running the setup wizard | If you are using a full instance of SQL Server: DBO (or similar) of the synchronization engine database | Used to make changes at the database level, such as updating tables with new columns. |
Important
In build 1.1.484, a regression bug was introduced in Azure AD Connect. The bug requires sysadmin permissions to upgrade the SQL Server database. The bug was fixed in build 1.1.647. To upgrade to that build, you must have sysadmin permissions; in this scenario, DBO permissions are not sufficient. If you attempt to upgrade Azure AD Connect without sysadmin permissions, the upgrade fails and Azure AD Connect no longer functions correctly.
Account details created
The following sections provide you with more information about the accounts created in Azure AD Connect.
AD DS connector account
If you use express settings, an account is created that is used for synchronization in Windows Server AD. The created account is located in the forest root domain, in the Users container. The account name is prefixed with MSOL_. The account is created with a long, complex password that does not expire. If you have a password policy in your domain, make sure that long and complex passwords are allowed for this account.
If you use custom settings, you are responsible for creating the account before you start the installation. See Create the AD DS Connector account.
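Because the AD DS Connector account holds Replicate Directory Changes All, the same right a DCSync attack uses, a practitioner will want to know who else holds it and whether the MSOL_ account matches the description above. The following added example (not part of the original article) audits both: it lists every principal with replication rights on the domain naming context and tags anything outside the default set for review, then reports each express-settings MSOL_ account's location, password settings, and privileged group memberships. The list of "expected" principals is an assumption based on a default domain head; the control-access right GUIDs are the schema-defined values. It assumes the ActiveDirectory RSAT module on a domain-joined machine.

```powershell
# Added example (not from the original article): who can replicate directory
# changes (i.e. who can DCSync), and does the express-settings MSOL_ account look right?
# Assumptions: ActiveDirectory module available; $expected reflects a default domain head.

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Control-access right GUIDs from the schema's Extended-Rights container.
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All

$acl = Get-Acl -Path "AD:\$domainDN"
$replHolders = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $ReplGetChanges -or $_.ObjectType -eq $ReplGetChangesAll)
}

# Principals that are present on a default domain head (assumption; tune per forest).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

Write-Host "Replication rights on $domainDN"
$replHolders | ForEach-Object {
    $id    = $_.IdentityReference.Value
    $right = if ($_.ObjectType -eq $ReplGetChangesAll) { 'Replicating Directory Changes All' } else { 'Replicating Directory Changes' }
    $tag   = if ($expected -contains $id)  { 'expected' }
             elseif ($id -match '\\MSOL_') { 'sync acct' }   # express-settings connector account
             else                          { 'REVIEW' }      # custom connector account, or something that should not be here
    '{0,-10} {1,-50} {2}' -f $tag, $id, $right
} | Sort-Object -Unique

# Express-settings connector accounts live in the forest root Users container with a
# non-expiring password and must not be members of Domain Admins or Enterprise Admins
# (the wizard refuses such accounts since build 1.4).
$forestRootDN = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName
Get-ADUser -Filter 'Name -like "MSOL_*"' -SearchBase $forestRootDN `
    -Properties PasswordNeverExpires, PasswordLastSet, MemberOf |
    ForEach-Object {
        $priv = $_.MemberOf | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins),' }
        [pscustomobject]@{
            Account              = $_.SamAccountName
            InForestRootUsers    = $_.DistinguishedName -like "*,CN=Users,$forestRootDN"
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordLastSet      = $_.PasswordLastSet
            PrivilegedGroups     = if ($priv) { $priv -join '; ' } else { 'none' }
        }
    } | Format-List
```

Anything tagged REVIEW that is not your custom connector account deserves an explanation; the ACE is enough on its own to extract every password hash in the domain.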
ADSync service account
The sync service can run under different account types: a virtual service account (VSA), a group managed service account (gMSA), a standalone managed service account (sMSA), or a regular user account. The supported options changed with the April 2017 release of Azure AD Connect for fresh installations. If you upgrade from an earlier version of Azure AD Connect, these additional options are not available.
Account type | Installation option | Description |
---|---|---|
VSA | Express and custom, April 2017 and later | This option is used for all express settings installations, except installations on a domain controller. For custom settings, it is the default option. |
gMSA | Custom, April 2017 and later | If you use a remote instance of SQL Server, we recommend that you use a gMSA. |
User account | Express and custom, April 2017 and later | A user account prefixed with AAD_ is created during installation only when Azure AD Connect is installed on Windows Server 2008 or on a domain controller. |
User account | Express and custom, March 2017 and earlier | A local account prefixed with AAD_ is created during installation. In a custom installation, you can specify a different account. |
If you are using Azure AD Connect with a version from March 2017 or earlier, do not reset the service account password. Windows destroys encryption keys for security reasons. You cannot change the account to any other account without reinstalling Azure AD Connect. If you are upgrading to a version from April 2017 or later, you can change the service account password, but you cannot change the account in use.
Important
You can set the service account only during the initial installation. You cannot change the service account after the installation is complete.
The following table describes default, recommended, and supported options for the sync service account.
Legend:
- **Bold** = The default option and, in most cases, the recommended option.
- *Italic* = The recommended option when it is not the default option.
- 2008 = The default option when installing on Windows Server 2008.
- Non-bold = A supported option.
- Local account = Local user account on the server.
- Domain account = Domain user account.
- sMSA = Standalone managed service account.
- gMSA = Group managed service account.
 | Local database, express | Local database or local SQL Server, custom | Remote SQL Server, custom |
---|---|---|---|
Domain-joined machine | **VSA** Local account (2008) | **VSA** Local account (2008) Local account Domain account sMSA gMSA | **gMSA** Domain account |
Domain controller | **Domain account** | *gMSA* Domain account sMSA | **gMSA** Domain account |
VSA
A VSA is a special type of account that does not have a password and is managed by Windows.
VSA is intended to be used with scenarios where the synchronization engine and SQL Server reside on the same server. If you are using a remote SQL Server, we recommend using a gMSA instead of a VSA.
The VSA feature requires Windows Server 2008 R2 or later. If you install Azure AD Connect on Windows Server 2008, the installation reverts to using auser accountinstead of VSA.
gMSA
If you use a remote instance of SQL Server, we recommend that you use a gMSA. For more information about how to prepare Windows Server AD for a gMSA, see Group Managed Service Accounts Overview.
To use this option, on the Install required components page, select Use an existing service account, and then select Managed Service Account.
You can also use a standalone managed service account (sMSA) in this scenario. However, you can use an sMSA only on the local computer, and there is no benefit to using an sMSA instead of the default VSA.
The sMSA feature requires Windows Server 2012 or later. If you must use an older operating system version and you use a remote SQL Server, you must use a user account.
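The following added example (not part of the original article) walks through the Windows Server AD preparation the gMSA section refers to: checking for a KDS root key, creating a gMSA whose managed password only the Azure AD Connect server's computer account can retrieve, and confirming from that server that the password can actually be pulled before the wizard's Managed Service Account option is selected. The server name `AADC01`, the gMSA name `gmsa-adsync`, and the domain `contoso.com` are assumptions; run it as a Domain Admin against a forest with Windows Server 2012 or later domain controllers.

```powershell
# Added example (not from the original article): prepare a gMSA to run the ADSync
# service when SQL Server is remote. Assumptions: Connect server AADC01, gMSA name
# gmsa-adsync, domain contoso.com, run as Domain Admin, WS2012+ DCs.

Import-Module ActiveDirectory

$Domain     = 'contoso.com'    # assumption
$GmsaName   = 'gmsa-adsync'    # assumption
$SyncServer = 'AADC01'         # assumption

# 1. A KDS root key must exist before any gMSA can be created. In production create
#    it and wait for replication (~10 hours); only backdate EffectiveTime in a lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    # Lab only: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Create the gMSA. Restricting password retrieval to the Connect server's computer
#    object means no other host can impersonate the sync service. A staging server
#    gets its own gMSA; do not share one between servers.
$serverObj = Get-ADComputer -Identity $SyncServer
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $serverObj `
    -Description "ADSync service account for Azure AD Connect on $SyncServer" `
    -Enabled $true

# 3. From the Connect server, confirm it can retrieve the managed password. If this
#    fails, the wizard will also fail when you enter CONTOSO\gmsa-adsync$.
Invoke-Command -ComputerName $SyncServer -ArgumentList $GmsaName -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $name
    if (-not (Test-ADServiceAccount -Identity $name)) {
        throw "$env:COMPUTERNAME cannot retrieve the managed password for $name; check PrincipalsAllowedToRetrieveManagedPassword and KDS key replication."
    }
    "gMSA $name is usable on $env:COMPUTERNAME"
}

# 4. Nothing to pre-create on SQL Server: the wizard, running as a SQL sysadmin,
#    creates the login for CONTOSO\gmsa-adsync$ and makes it DBO of the ADSync database.
```

When the wizard later asks for the service account, supply it as `CONTOSO\gmsa-adsync$`; the trailing `$` is part of the account name.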
User account
A local service account is created by the installation wizard, unless you specify in custom settings which account to use. The account is prefixed with AAD_ and is used to run the sync service. If you install Azure AD Connect on a domain controller, the account is created in the domain. The AAD_ service account must be located in the domain if:
- You are using a remote server running SQL Server.
- You are using a proxy server that requires authentication.
The AAD_ service account is created with a long, complex password that does not expire.
This account is used to securely store the passwords for the other accounts. The passwords are stored encrypted in the database. The private keys for the encryption keys are protected with the secret key encryption of the cryptographic services by using the Windows Data Protection API (DPAPI).
If you use a full instance of SQL Server, the service account is the DBO of the database created for the sync engine. The service will not function as intended with any other permissions. A SQL Server login is also created.
The account also has permissions to files, registry keys, and other objects related to the synchronization engine.
Azure AD Connector account
An account in Azure AD is created for use by the sync service. You can identify this account by its display name, On-Premises Directory Synchronization Service Account.
The name of the server the account is used on can be identified in the second part of the user name, which has the form Sync_<ServerName>_<RandomId>@<tenant>.onmicrosoft.com. In the figure in the original article (not reproduced here), the server name is DC1. If you have staging servers, each server has its own account.
The account is created with a long, complex password that does not expire. The account is assigned the special Directory Synchronization Accounts role, which has permissions to perform only directory synchronization tasks. This special built-in role cannot be granted outside of the Azure AD Connect wizard. The Azure portal displays this account with the User role.
Azure AD has a limit of 20 sync service accounts. To get the list of existing Azure AD service accounts in your Azure AD tenant, run the following Azure AD PowerShell cmdlet:

```powershell
Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Directory Synchronization Accounts" } | Get-AzureADDirectoryRoleMember
```

To remove unused Azure AD service accounts, run the following Azure AD PowerShell cmdlet, supplying the object ID of the account to remove:

```powershell
Remove-AzureADUser -ObjectId <ObjectId of the unused sync account>
```
Note
Before you can use these PowerShell commands, you must install the Azure Active Directory PowerShell for Graph module and sign in to your Azure AD tenant by using Connect-AzureAD.
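Decommissioned Connect servers leave their Sync_ accounts behind and count against the limit of 20, but deleting the account of a live server breaks synchronization immediately. The following added example (not part of the original article) extends the two cmdlets above into a review: it enumerates the Directory Synchronization Accounts role members, derives each account's server from the Sync_<ServerName>_<RandomId> user name, compares it with a list of servers you know to be in service, and removes only accounts you confirm interactively. The server list (`AADC01`, `AADC02`) is an assumption; it expects the AzureAD module to be installed and Connect-AzureAD to have been run.

```powershell
# Added example (not from the original article): review Azure AD Connector accounts
# and remove only those belonging to decommissioned servers, after confirmation.
# Assumptions: AzureAD module installed, Connect-AzureAD already run,
# live Connect servers are AADC01 (active) and AADC02 (staging).

$liveServers = @('AADC01', 'AADC02')   # assumption: your active and staging servers

$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Directory Synchronization Accounts' }
if (-not $role) {
    throw 'Directory Synchronization Accounts role is not present; no Azure AD Connect account has been created in this tenant.'
}

$syncAccounts = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectType -eq 'User' }

$report = foreach ($acct in $syncAccounts) {
    # User name format: Sync_<ServerName>_<RandomId>@<tenant>.onmicrosoft.com
    $server = if ($acct.UserPrincipalName -match '^Sync_(?<srv>[^_]+)_') { $Matches.srv } else { $null }
    [pscustomobject]@{
        DisplayName = $acct.DisplayName
        UPN         = $acct.UserPrincipalName
        Server      = $server
        ObjectId    = $acct.ObjectId
        Status      = if (-not $server)                       { 'non-standard name: REVIEW' }
                      elseif ($liveServers -contains $server) { 'in use' }
                      else                                    { 'stale' }
    }
}

$report | Format-Table DisplayName, Server, Status, ObjectId -AutoSize
'{0} of 20 sync service account slots used' -f @($report).Count

# Remove stale accounts one at a time, each behind an explicit confirmation.
$report | Where-Object { $_.Status -eq 'stale' } | ForEach-Object {
    if ((Read-Host "Server $($_.Server) is not in the live list. Remove $($_.UPN)? (y/N)") -eq 'y') {
        Remove-AzureADUser -ObjectId $_.ObjectId
        "Removed $($_.UPN)"
    }
}
```

An account with a non-standard name is worth a closer look: the wizard always uses the Sync_ prefix, so a member of this role with a different name was added some other way.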
For more information on how to manage or reset your Azure AD Connect account password, seeManage your Azure AD Connect account.
Related articles
For more information about Azure AD Connect, see these articles:
Topic | Link |
---|---|
Download Azure AD Connect | Download Azure AD Connect |
Install using express settings | Express installation of Azure AD Connect |
Install using custom settings | Custom installation of Azure AD Connect |
Upgrade from DirSync | Upgrade from Azure AD sync tool (DirSync) |
After installation | Verify the installation and assign licenses |
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.