Procedure to Convert Azure AD Connect to a Managed Service Account (MSA)

Question

Hello, we currently have 2 servers (1 in staging) running Azure AD Connect on a user service account. We would like to move this over to a gMSA. The only information that I've found is that the only is the following:

You cannot change the account to any other account without reinstalling Azure AD Connect.

[https://learn.microsoft.com/en-us/azure/active-directory/hybrid/concept-adsync-service-account

Even when I uninstall and reinstall, I'm not getting the option to use a gMSA.

Version: 2.1.20

What is the correct process to convert the service to utilize a gMSAs?

Thanks.

Answer 1

Hi,

Unfortunately , there is no easy way to move your service account to GMSA.

For your information, during the installation of adconnect , the service account is synched in azure ad in order to generate a account used to in the connector of azure AD.

If you want to replace your current service account by a GMSA, I recommend you to perform the following steps, first start by staging server then by active server:

Export adconnect settings

Export custom rules

Uninstall adconnect service

Reinstall adconnect service choose the option to import expertoted configuration

Please don't forget to mark helpful reply as answer

Answer 2

@Anon4343 Thank you for reaching out to us, As I understand you are looking for steps on re-configuring existing Azure AD Connect server with gMSA.

As far i am aware, we can’t reconfigure an existing Azure AD Connect installation to use a gMSA. You need to deploy new Azure AD Connect server in staging mode and configure the same with gMSA.

Refer to this article which has the detailed steps/recommendations how this can be achieved.

Also refer to this https://learn.microsoft.com/en-us/azure/active-directory/hybrid/concept-adsync-service-account which was more information related to type of service accounts which can be used in which scenarios.

Let me know if you have any further questions, feel free to post back.