Azure ADConnect insufficient permissions access on Admin ids while syncing with Azure

HM 26 Reputation points
2022-03-09T17:51:22.47+00:00

We had ADConnect (1-way) sync configured on DC A (on premises) and one of our associates moved it to DC B. We noticed that all Admin ids (members of Domain Admins, Enterprise Admins etc.) are failing to sync with insufficient rights. I enabled the security inheritance on these ids, which fixed the issue, and added the new MSOL user to the security permissions on these user ids. I noticed that the MSOL user got removed after some time and inheritance is automatically disabled. When I look at the security permissions of AdminSDHolder, I still see the MSOL id for DC A there, but not for DC B. I'm assuming that to fix this issue we need to add the MSOL user id of DC B on the AdminSDHolder container. Please suggest if my assumption is correct. If yes, then what permissions do we need to set for the MSOL user on AdminSDHolder? I tried checking the permissions of the existing id (MSOL user of DC A), but for some reason when I go into the details of the special permissions, nothing is checked.
Thanks


3 answers

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2022-03-10T03:11:03.963+00:00

    This is documented here:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account

    The Set-ADSyncPasswordHashSyncPermissions cmdlet, which configures the permissions, has a -IncludeAdminSdHolders parameter.

    BUT it is not recommended to go ahead with that, because ideally you do not want the on-prem admins to be synchronized in Azure AD. On-prem admins should be dedicated accounts for administration with no application access. You want the Azure AD admins to be cloud-only accounts: https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning#ensure-separate-user-accounts-and-mail-forwarding-for-global-administrator-accounts

    3 people found this answer helpful.

  2. HM 26 Reputation points
    2022-03-10T19:13:57.237+00:00

    Yeah, you are right, I found this: "Microsoft strongly recommends against synchronizing on-premises accounts with pre-existing administrative accounts in Azure Active Directory."
    Any idea what can be done for Admin ids which are now already synchronized (it's a 1-way sync)? Is there any action we can take to revert that?

    Ref : https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant


  3. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2022-03-16T02:40:38.01+00:00

    You can deprovision the users by putting them out of sync (like in an OU which is not synchronized), or, if you use attribute filtering, by adding or removing an attribute to prevent the sync. Even if you do not do attribute filtering, I think you can use the default filter existing on the default user provisioning rule. If you edit your user, go to the attribute editor, and type a value starting with User_ in the adminDescription attribute, the object should fall out of sync and trigger a deletion in AAD.

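    As an added example (not code from the thread or from Microsoft), the following PowerShell ties the two answers together: it lists which MSOL_ connector accounts actually hold ACEs on AdminSDHolder, finds the protected accounts (adminCount=1) still in sync scope, and uses the default rule's adminDescription "User_" filter to take them out of scope. It assumes the RSAT ActiveDirectory module on a domain-joined host; the value User_NoAADSync is an arbitrary constructed marker.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory
# module and read access to the domain; the last step needs write access to
# adminDescription and changes nothing until -WhatIf is removed.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Which AD DS Connector (MSOL_*) accounts hold ACEs on AdminSDHolder?
#    SDProp re-stamps protected accounts from this ACL, which is why an ACE
#    added directly on an admin user (and inheritance) keeps disappearing.
$sdHolder = "CN=AdminSDHolder,CN=System,$domainDN"
(Get-Acl -Path "AD:\$sdHolder").Access |
    Where-Object { $_.IdentityReference -like '*MSOL_*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# 2. Protected accounts (adminCount=1) that are still in sync scope.
#    The default "In from AD - User Join" rule excludes users whose
#    adminDescription starts with User_; the default rules also skip
#    isCriticalSystemObject accounts (built-in Administrator, krbtgt).
$inScope = Get-ADUser -Filter 'adminCount -eq 1' `
    -Properties adminDescription, isCriticalSystemObject |
    Where-Object {
        -not $_.isCriticalSystemObject -and
        -not ($_.adminDescription -like 'User_*')
    }

$inScope | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 3. Take them out of sync scope with the built-in filter. On the next sync
#    cycle the objects are deleted in Azure AD, so have cloud-only admin
#    accounts in place first. Remove -WhatIf once the list above is verified.
foreach ($u in $inScope) {
    Set-ADUser -Identity $u.DistinguishedName `
        -Replace @{ adminDescription = 'User_NoAADSync' } -WhatIf
}
```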