Azure Ad Connect and gMSA

APTOS 221 Reputation points
2023-01-30T11:16:52.86+00:00

Hello ,

I'm planning to migrate our Azure AD Connect account to a gMSA. I didn't find any recommendation from Microsoft and I need to know what the impact could be in the future if I do it, like Azure AD Connect version upgrades, or if the service is in failure...

The goal of this is to let the machine manage itself to renew the password.

Regards


Accepted answer
  1. Thameur-BOURBITA 32,636 Reputation points
    2023-01-30T11:46:02.59+00:00

    Hi @ali ali,

    Below is a Microsoft article which confirms that gMSA is supported by Azure AD Connect.

    Azure AD Connect: Accounts and permissions

    gMSA will still be supported by future versions, because Microsoft recommends using a gMSA instead of a standard domain user to simplify password management for the service account and avoid having a password that never expires.

    "The goal of this is to let the machine manage itself to renew the password."

    When you use a gMSA as the service account instead of a standard user, the password will be changed and managed automatically. It's the recommended approach.

    Please don't forget to mark helpful answer as accepted


3 additional answers

  1. JimmySalian-2011 42,071 Reputation points
    2023-01-30T11:30:09.7733333+00:00

    Hi,

    This is possible as a standard configuration, so you do not have to manage the service account password; a gMSA can be used for AAD Connect. There is no config guide from Microsoft, however third-party blogs are available to set this up - https://posh-samples.com/2021/12/04/secure-install-of-azure-ad-connect/

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


  2. APTOS 221 Reputation points
    2023-01-30T11:57:58.2566667+00:00

    The link given is for a new installation, but what if we already have AD Connect upgraded to the latest version?


  3. Rohit Kumar Sinha 1,321 Reputation points
    2023-01-30T12:39:28.7233333+00:00

    Hi Ali,

    Azure AD Connect uses three service accounts:

    A local account on the Windows Server installation running Azure AD Connect, used to run the Microsoft Azure AD Sync service

    An account in the Azure Active Directory tenant

    One account per Active Directory Domain Services environment in scope for Azure AD Connect.

    You can use a group Managed Service Account (gMSA) for the first account to run the service on the Windows Server(s) where you've installed and configured Azure AD Connect.

    Once you create the gMSA, during installation of AD Connect you can specify the account created and skip the password, and it should work as a normal installation.

    This works perfectly fine during installation, during upgrades, as well as for configuring Staging Mode.

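The gMSA creation step that the answers above refer to, as an added example (not code from any of the posters or from Microsoft's documentation). The account name `gMSA-AADC`, the server name `AADC01` and the 30-day rotation interval are assumptions; the point is that only the Azure AD Connect host is allowed to retrieve the managed password, and that the password interval can only be set when the account is created.

```powershell
# Run on a domain-joined admin host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed names for this example.
$gmsaName = 'gMSA-AADC'   # the service account Azure AD Connect will run as
$aadcHost = 'AADC01'      # the Azure AD Connect server (add more hosts for staging servers)

# One-time per forest: gMSA passwords are derived from the KDS root key.
# In production omit -EffectiveTime and wait ~10 hours for DC replication;
# backdating it is only for lab use.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Least privilege: only the listed computer account(s) may read the managed password.
$allowedHosts = Get-ADComputer -Identity $aadcHost
$dnsHostName  = "$gmsaName.$((Get-ADDomain).DNSRoot)"

# -ManagedPasswordIntervalInDays cannot be changed later; decide it here.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword $allowedHosts `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# Audit check: confirm who can retrieve the password and the rotation interval.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

# Then, on the Azure AD Connect server itself:
#   Install-ADServiceAccount -Identity 'gMSA-AADC'
#   Test-ADServiceAccount -Identity 'gMSA-AADC'   # must return True before running the AAD Connect wizard
```

In the Azure AD Connect wizard the account is then entered as `DOMAIN\gMSA-AADC$` with the password field left empty, as Rohit's answer describes.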