Group Managed Service Accounts
A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate its management to other administrators, and it extends this functionality across multiple servers. Microsoft Entra Cloud Sync supports and uses a gMSA for running the agent. You can choose to let the installer create a new account or specify a custom account. During setup you'll be prompted for administrative credentials, which are needed to create this account or to set permissions on a custom account. If the installer creates the account, it appears as domain\provAgentgMSA$. For more information on a gMSA, see group Managed Service Accounts.
Prerequisites for gMSA
- The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.
- PowerShell RSAT modules on a domain controller.
- At least one domain controller in the domain must be running Windows Server 2012 or later.
- The domain-joined server where the agent is installed must be running Windows Server 2016 or later.
Permissions set on a gMSA account (ALL permissions)
When the installer creates the gMSA account, it sets ALL of the permissions on the account. The following tables detail these permissions.
MS-DS-Consistency-Guid
Type | Name | Access | Applies To |
---|---|---|---|
Allow | <gmsa account> | Write property mS-DS-ConsistencyGuid | Descendant user objects |
Allow | <gmsa account> | Write property mS-DS-ConsistencyGuid | Descendant group objects |
If the associated forest is hosted in a Windows Server 2016 environment, it includes the following permissions for NGC keys and STK keys.
Type | Name | Access | Applies To |
---|---|---|---|
Allow | <gmsa account> | Write property msDS-KeyCredentialLink | Descendant user objects |
Allow | <gmsa account> | Write property msDS-KeyCredentialLink | Descendant device objects |
Password Hash Sync
Type | Name | Access | Applies To |
---|---|---|---|
Allow | <gmsa account> | Replicating Directory Changes | This object only (Domain root) |
Allow | <gmsa account> | Replicating Directory Changes All | This object only (Domain root) |
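The two replication rights in the table above allow the holder to read every account's password data from a domain controller, so it is worth verifying that only the Cloud Sync gMSA (and other known synchronization identities) hold them on the domain root. The following PowerShell script is an added auditing example, not code from the Microsoft documentation; it assumes the ActiveDirectory RSAT module is present and that the gMSA uses the installer's default name, provAgentgMSA$.

```powershell
# Added example: list which principals hold "Replicating Directory Changes" and
# "Replicating Directory Changes All" on the domain root, and flag any that are
# not the Cloud Sync gMSA. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$RootDse  = Get-ADRootDSE
$GmsaName = 'provAgentgMSA$'   # assumption: installer default; change for a custom account

# Resolve the extended-right GUIDs from this forest's own configuration partition
# rather than hard-coding them, so the check works against any forest.
$rights = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Replicating Directory Changes*)' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $rights[[guid]$_.rightsGuid] = $_.displayName }

# Read the domain-root security descriptor through the AD: PSDrive
$acl = Get-Acl -Path "AD:\$($Domain.DistinguishedName)"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Only explicit extended-right ACEs are matched here; principals holding
    # GenericAll (for example built-in admin groups) implicitly hold these rights too.
    if ($ace.ActiveDirectoryRights -notmatch 'ExtendedRight') { continue }
    if (-not $rights.ContainsKey($ace.ObjectType)) { continue }   # not a replication right
    [pscustomobject]@{
        Identity        = $ace.IdentityReference.Value
        Right           = $rights[$ace.ObjectType]
        IsCloudSyncGmsa = $ace.IdentityReference.Value -like "*\$GmsaName"
    }
}

# Expected: the gMSA holds both rights; every other principal listed deserves review.
$findings | Sort-Object Identity, Right | Format-Table -AutoSize

$others = $findings | Where-Object { -not $_.IsCloudSyncGmsa } |
    Select-Object -ExpandProperty Identity -Unique
if ($others) {
    Write-Warning "Other principals hold replication rights on $($Domain.DNSRoot): $($others -join ', ')"
}
```

Run it from a domain-joined management host as a user with read access to the domain root's security descriptor; the same pattern can be repeated for the Reset Password and Unexpire Password rights from the Password Writeback table.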
Password Writeback
Type | Name | Access | Applies To |
---|---|---|---|
Allow | <gmsa account> | Reset Password | Descendant User objects |
Allow | <gmsa account> | Write property lockoutTime | Descendant User objects |
Allow | <gmsa account> | Write property pwdLastSet | Descendant User objects |
Allow | <gmsa account> | Unexpire Password | This object only (Domain root) |
Group Writeback
Type | Name | Access | Applies To |
---|---|---|---|
Allow | <gmsa account> | Generic Read/Write | All attributes of object type group and subobjects |
Allow | <gmsa account> | Create/Delete child object | All attributes of object type group and subobjects |
Allow | <gmsa account> | Delete/Delete tree objects | All attributes of object type group and subobjects |
Exchange Hybrid Deployment
Type | Name | Access | Applies To |
---|---|---|---|
Allow | <gmsa account> | Read/Write all properties | Descendant User objects |
Allow | <gmsa account> | Read/Write all properties | Descendant InetOrgPerson objects |
Allow | <gmsa account> | Read/Write all properties | Descendant Group objects |
Allow | <gmsa account> | Read/Write all properties | Descendant Contact objects |
Exchange Mail Public Folders
Type | Name | Access | Applies To |
---|---|---|---|
Allow | <gmsa account> | Read all properties | Descendant PublicFolder objects |
UserGroupCreateDelete (CloudHR)
Type | Name | Access | Applies To |
---|---|---|---|
Allow | <gmsa account> | Generic write | All attributes of object type group and subobjects |
Allow | <gmsa account> | Create/Delete child object | All attributes of object type group and subobjects |
Allow | <gmsa account> | Generic write | All attributes of object type user and subobjects |
Allow | <gmsa account> | Create/Delete child object | All attributes of object type user and subobjects |
Using a custom gMSA account
If you're using a custom gMSA account, the installer sets ALL of the permissions listed above on that custom account.
For steps on how to upgrade an existing agent to use a gMSA account, see group Managed Service Accounts.
For more information on how to prepare your Active Directory for a group Managed Service Account, see group Managed Service Accounts Overview.