Update AADS LDAPS Settings - What Roles Are Required?

Haxim 1 Reputation point

What roles are required to allow a user to update the LDAPS certificate of Azure AD Domain Services? We've tried a number of different things, including assigning the Domain Services Contributor role at the AADS/Resource Group AND Subscription levels, which includes write access on Microsoft.AAD/domainServices/write and SHOULD allow the update, but we keep getting the error: "The user XXXXX does not have administrative privileges to manage AAD Domain Services instance in tenant XXXXXX."

The user is also a member of the AAD DC Administrators group.

The only relevant post I found was this one: https://learn.microsoft.com/en-us/answers/questions/2150/aadds-secure-ldap-setting-is-greyed-out.html suggesting to give global admin to the user, which I would really rather not do.

Azure Active Directory Domain Services

1 answer

  1. Givary-MSFT 11,591 Reputation points Microsoft Employee

    @Haxim Thank you for reaching out to us. As I understand, you are updating the LDAPS certificate of Azure AD Domain Services. I have researched your ask and also confirmed with my team: as this is a modify operation on the AADDS deployment, you need to have tenant admin, i.e. Global Admin, privileges to make this change.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
