This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi Everyone,
May I know what's the least amount of privilege for the Group Managed Service Accounts required for the ADFS v4.0 and Azure AD Connect ?
Because at the moment the environment I'm managing is using Domain Administrator account, which is over privilege.
What's the process / procedures in replacing the service account?
I assume there will be some major outage since it is used by the Identity services (SSO and Azure AD Synch).
Hi @EnterpriseArchitect,
Microsoft says the following about changing the Azure AD Connect service account.
Changes to the service account
Azure AD Connect sync is running under a service account created by the installation wizard. This service account holds the encryption keys to the database used by sync. It is created with a 127 characters long password and the password is set to not expire.
It is unsupported to change or reset the password of the service account. Doing so destroys the encryption keys and the service is not able to access the database and is not able to start.
Here is the process for changing the ADSycn service account password if you still want to try.
Here is the script for changing the ADFS service account.
https://gallery.technet.microsoft.com/scriptcenter/Active-Directory-ddb67df0
OK, @TKujala does it mean I will need to create new service account to run the Azure AD Synch service OnPremise?
OK, does it mean I will need to create new service account to run the Azure AD Synch service OnPremise?
Yes, I think the easiest way is to create new service account (an On-Premises domain account or Managed Service account).
You can run the Azure AD Connect wizard and select Customize.
Then you can define a new account.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/concept-adsync-service-account