Update AADS LDAPS Settings - What Roles Are Required?

Stephen Elaschuk 1 Reputation point
2023-01-10T23:29:16.527+00:00

What roles are required to allow a user to update the LDAPS Certificate of Azure AD Domain Services? We've tried a number of different things, including assigning the Domain Services Contributor role at the AADS/Resource Group AND Subscription levels, which includes write access on Microsoft.AAD/domainServices/write which SHOULD allow the update, but we keep getting the error: The user XXXXX does not have administrative privileges to manage AAD Domain Services instance in tenant XXXXXX.

The user is also a part of the AAD DC Administrators group.

The only relevant post I found was this one: https://learn.microsoft.com/en-us/answers/questions/2150/aadds-secure-ldap-setting-is-greyed-out.html suggesting to give global admin to the user, which I would really rather not do.

Microsoft Entra

2 answers

  1. Givary-MSFT 32,291 Reputation points Microsoft Employee
    2023-01-11T07:18:35.19+00:00

    @Stephen Elaschuk Thank you for reaching out to us. As I understand, you are updating the LDAPS Certificate of Azure AD Domain Services. I have researched your ask and also confirmed with my team: as this is a modify operation on the AADDS deployment, you need to have tenant admin, i.e. Global Admin, privileges to make this change.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

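The thread turns on two separate authorization planes: Azure RBAC on the resource (where `Microsoft.AAD/domainServices/write` lives, with wildcard actions and scope inheritance) and Azure AD directory roles at the tenant level (where the Global Administrator requirement lives). The model below is an added example, not Microsoft's implementation and not code from this thread; the role definitions, assignments, principals and subscription id are constructed, and the Actions lists are illustrative rather than the exact contents of the built-in roles. It shows why an RBAC assignment at subscription scope can grant the write action and yet the update still fails the tenant-level check.

```python
"""Model the two authorization checks the thread describes:
Azure RBAC (resource scope) and Azure AD directory roles (tenant).
Constructed data throughout; not the real Azure evaluation engine."""
from fnmatch import fnmatchcase

# Constructed role definitions. Azure RBAC actions use '*' as a wildcard and
# NotActions are subtracted from Actions; the lists here are illustrative only.
ROLE_DEFINITIONS = {
    "Domain Services Contributor": {
        "Actions": ["Microsoft.AAD/*", "Microsoft.Resources/deployments/*"],
        "NotActions": [],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id

# Constructed assignments: (principal, role name, scope the role is assigned at).
ROLE_ASSIGNMENTS = [
    ("alice@example.test", "Domain Services Contributor", SUB),
    ("bob@example.test", "Reader", SUB + "/resourceGroups/aadds-rg"),
]

# Constructed directory (tenant) role memberships, independent of RBAC.
DIRECTORY_ROLES = {
    "alice@example.test": set(),
    "carol@example.test": {"Global Administrator"},
}


def _action_matches(pattern: str, action: str) -> bool:
    # Case-insensitive wildcard match; '*' spans '/' as it does in Azure RBAC.
    return fnmatchcase(action.lower(), pattern.lower())


def _scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    # An assignment applies to its own scope and every child scope beneath it.
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def rbac_allows(principal: str, action: str, resource_scope: str,
                assignments=ROLE_ASSIGNMENTS, definitions=ROLE_DEFINITIONS) -> bool:
    """True if any assignment covering the scope grants the action (Actions minus NotActions)."""
    for who, role, scope in assignments:
        if who != principal or not _scope_covers(scope, resource_scope):
            continue
        d = definitions[role]
        allowed = any(_action_matches(p, action) for p in d["Actions"])
        denied = any(_action_matches(p, action) for p in d["NotActions"])
        if allowed and not denied:
            return True
    return False


def is_tenant_admin(principal: str, directory_roles=DIRECTORY_ROLES) -> bool:
    # Directory roles are tenant-wide and are not derived from RBAC assignments.
    return "Global Administrator" in directory_roles.get(principal, set())


def can_update_ldaps(principal: str, resource_scope: str):
    """Return (ok, reason). Both the RBAC check and the tenant check must pass."""
    action = "Microsoft.AAD/domainServices/write"
    if not rbac_allows(principal, action, resource_scope):
        return False, f"RBAC: {principal} lacks {action} at {resource_scope}"
    if not is_tenant_admin(principal):
        return False, (f"{principal} does not have administrative privileges "
                       f"to manage AAD Domain Services instance in tenant")
    return True, "allowed"


if __name__ == "__main__":
    aadds = SUB + "/resourceGroups/aadds-rg/providers/Microsoft.AAD/domainServices/contoso.example"
    for user in ("alice@example.test", "bob@example.test", "carol@example.test"):
        print(user, can_update_ldaps(user, aadds))
```

Running it shows the situation in the question: alice passes the RBAC check (the subscription-scoped Contributor assignment covers the domain-services resource and `Microsoft.AAD/*` matches the write action) but fails the tenant check, while carol fails RBAC despite holding the directory role. From a least-privilege standpoint the useful audit is therefore to review both lists for any principal that will perform this update, rather than widening only the RBAC side.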

  2. Chi Chiu 0 Reputation points
    2023-09-27T19:30:51.3966667+00:00
