Azure Ad Connect and gMSA

APTOS 216 Reputation points

Hello ,

i'm planing to migrate our account Azure Ad connect to gMSA . I didn't found any recomandation from Microsoft and i need to know what could be the impact in the future i didi it .Like Azure Ad connect version upgrade , if the service is in failure ..

the goal of this , to let the machine manage it self to renew de password


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,714 questions
0 comments No comments
{count} votes

Accepted answer
  1. Thameur-BOURBITA 29,606 Reputation points

    Hi @ali ali,

    Below ,a microsoft article which confirm that GMSA is supported by Azure AD connect.

    Azure AD Connect: Accounts and permissions

    GMSA will still supported by the future versions ,because Microsoft recommend to use GMSA instead of standard user domain, to symplify passoword management for service account and avoid to have Passowrd never expired.

    the goal of this , to let the machine manage it self to renew de password

    When you use GMSA as service account instead of standard user , the password will be changed managed automatically. It's recommended approach.

    Please don't forget to mark helpful answer as accepted

3 additional answers

Sort by: Most helpful
  1. JimmySalian-2011 41,631 Reputation points


    This is possible as standard configuration so you do not have to manage the service account password, so gMSA can be used for AAD Connect there is no config guide from Microsoft however third party blogs are available to setup this -

    Hope this helps.



    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. APTOS 216 Reputation points

    the link given it's for new installation , but if we have already Ad connect upgareded with the latest versions ?

    0 comments No comments

  3. Rohit Kumar Sinha 1,316 Reputation points

    Hi Ali,

    Azure AD Connect uses three service accounts:

    A local account on the Windows Server installation running Azure AD Connect, used to run the he Microsoft Azure AD Sync service

    An account in the Azure Active Directory tenant

    One account per Active Directory Domain Services environment in scope for Azure AD Connect.

    You can use a group Managed Service Account (gMSA) for the first account to run the service on the Windows Server(s) where you’ve installed and configured Azure AD Connect

    Once you create the gMSA , during installation of AD connect , you can specify the account created and skip the password , and it should work as normal installation.

    This works perfectly fine during installation , during upgrades as well as for configuring Staging Mode as well.

    0 comments No comments