Hello Levi Luu
In the Azure AD Connect synchronization process, it is recommended to use multiple Azure AD Connect accounts for different purposes. Here's why:
Source Anchor Account: The source anchor is a unique identifier for each object in Azure AD Connect, used for synchronization and matching objects between on-premises Active Directory and Azure AD. An account is required to read and write the source anchor attribute in both environments. This account is typically a highly privileged account with appropriate permissions in the on-premises Active Directory.
Directory Synchronization Account: This account is responsible for connecting to the on-premises Active Directory and retrieving the directory data to be synchronized with Azure AD. The directory synchronization account should have read access to the necessary attributes in the on-premises Active Directory.
Azure AD Account: This account is used for connecting to Azure AD and performing synchronization operations. It requires the necessary permissions to create, update, and delete objects in Azure AD.
Having separate accounts for these different purposes provides several benefits:
a. Segregation of Duties: By using separate accounts, you can enforce the principle of least privilege. Each account has a specific role and permissions scoped to its intended purpose, reducing the risk of unauthorized access or accidental changes.
b. Security and Auditing: With separate accounts, you can easily track and audit actions performed by each account. This helps in troubleshooting, identifying potential issues, and monitoring the synchronization process.
c. Account Management: If you need to change or update the permissions or password for a specific account, it can be done independently without affecting other accounts. This simplifies account management and reduces potential disruption during updates.
d. Compliance: Separating the accounts aligns with security best practices and compliance requirements, such as the separation of duties and least privilege principles.
While it is technically possible to use a single account for the entire synchronization process, it can increase the risk of unauthorized access and make it more challenging to manage permissions effectively. By using separate accounts for different purposes, you can enhance security, control access, and maintain a more robust synchronization environment.
If this does answer your question, please feel free to mark it as the answer as a token of appreciation.
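One way to audit an exported account inventory against the separation this answer recommends, as an added example that is not part of the original answer: the three role names follow the answer, while the expected-permission map and the inventory rows are constructed assumptions, not real Azure AD Connect output.

```python
"""Audit Azure AD Connect sync accounts for role overlap and excess privilege.

Added example (not from the original answer). Role names follow the answer;
the permission map and the inventory below are constructed assumptions.
"""
from collections import defaultdict

# Assumption: the minimum permission set each role needs, as the answer describes it.
EXPECTED = {
    "source_anchor": {"read_source_anchor", "write_source_anchor"},
    "directory_sync": {"read_directory_attributes"},
    "azure_ad": {"create_objects", "update_objects", "delete_objects"},
}

# Constructed inventory rows: (account, role it is used for, permissions actually granted).
# svc-sync deliberately violates the guidance: it serves two roles and holds an extra right.
INVENTORY = [
    ("CORP\\svc-anchor", "source_anchor", {"read_source_anchor", "write_source_anchor"}),
    ("CORP\\svc-sync", "directory_sync", {"read_directory_attributes", "reset_password"}),
    ("CORP\\svc-sync", "azure_ad", {"create_objects", "update_objects", "delete_objects"}),
]


def audit(inventory, expected=EXPECTED):
    """Return findings as (kind, account, role, detail) tuples.

    kind is one of: excess_privilege (granted more than the role needs),
    missing_permission (granted less than the role needs, sync will fail),
    role_overlap (one account used for several roles, no segregation of duties).
    """
    findings = []
    roles_by_account = defaultdict(set)
    for account, role, granted in inventory:
        roles_by_account[account].add(role)
        extra = granted - expected[role]
        if extra:
            findings.append(("excess_privilege", account, role, tuple(sorted(extra))))
        missing = expected[role] - granted
        if missing:
            findings.append(("missing_permission", account, role, tuple(sorted(missing))))
    # Segregation check: every account should map to exactly one role.
    for account, roles in roles_by_account.items():
        if len(roles) > 1:
            findings.append(("role_overlap", account, None, tuple(sorted(roles))))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```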