Exchange Online
A Microsoft email and calendaring hosted service.
6,173 questions
The HCW supports using accounts protected by MFA, yes. And all your Global admins should be protected by MFA!
Global Admin requirement for using Hybrid Configuration Wizard to create a full classic hybrid deployment?
EnterpriseArchitect
6,041
Reputation points
Based on this article: https://learn.microsoft.com/en-us/exchange/hybrid-deployment/deploy-hybrid#use-the-exchange-admin-center-and-hybrid-configuration-wizard-to-create-a-full-classic-hybrid-deployment
Does the service account used by Hybrid Configuration Wizard to create a full classic hybrid deployment can be my own admin account with MFA/2FA enforced?
Or is this must be a separate OnPremise AD account with the Global Administrator role with no MFA/2FA enforced?
Exchange Online
Exchange | Exchange Server | Management
7,920 questions
Exchange | Hybrid management
2,309 questions
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,081 questions
Microsoft Security | Microsoft Entra | Other
2,590 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Yuki Sun-MSFT 41,376 Reputation points Moderator2023-08-21T08:11:59.67+00:00 Hi @EnterpriseArchitect ,
I am writing to see how everything is going on with this thread. If the replies below are helpful, do you mind accepting it as answer? If you still have further concern on this, please feel free to let us know.
Sign in to comment
Accepted answer
-
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator2023-08-16T07:01:15.8333333+00:00 -
EnterpriseArchitect 6,041 Reputation points
2023-08-16T07:04:53.2566667+00:00 @Vasil Michev ,
OK, do I have to create a separate service account without 2FA/MFA as Global Admin to do this purpose?or can I just use my Admin account which is already enforced with 2FA/MFA?
-
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
2023-08-16T08:56:15.3133333+00:00 Any account would do, with or without MFA. No need to create another one, you will be able to login even if the account is protected by MFA.
-
Yuki Sun-MSFT 41,376 Reputation points Moderator
2023-08-17T02:25:15.3833333+00:00 Hi @EnterpriseArchitect ,
Agree with Vasil that you can use your own account with MFA/2FA enabled.
According to this document, Hybrid deployment management accounts require the following role group memberships:
- Organization Management role group in on-premises Exchange
- Global admins in Microsoft 365
So, you just need to make sure your admin account has these permissions. As regards to your concern about MFA, it's supported to run HCW using an admin account enabled for MFA, see this article for more details.
By the way, if Vasil's reply answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query, feel free to comment down.
-
EnterpriseArchitect 6,041 Reputation points
2023-08-17T02:27:26.04+00:00 Hi @Yuki Sun-MSFT ,
OK, so do I need to create separate service account rather than using my own admin account for this task? -
EnterpriseArchitect 6,041 Reputation points
2023-08-21T11:46:52.9333333+00:00 Thank you @Vasil Michev you are really helpful.
Sign in to comment -
1 additional answer
Sort by: Most helpful
-
Yuki Sun-MSFT 41,376 Reputation points Moderator
2023-08-17T02:42:43.2533333+00:00 Hi @EnterpriseArchitect ,
Not quite clear about the exact role group membership of your current admin account, but as aforementioned, basically, there are 2 types of Admin accounts needed to run HCW:
- On-premises Exchange Account This account needs to be member of Organization Management.
- Microsoft 365 Exchange Online Account. This needs to be a Global Admin (Exchange Admin included)
You can use the existent admin accounts that meet the requirements, regardless of whether they are with or without MFA.
Here's one more blog with some screenshots for your reference:
(The UI might have changed a bit but the basic concepts still apply)Modern HCW (Hybrid Agent): troubleshooting like a pro
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
EnterpriseArchitect 6,041 Reputation points
2023-08-21T11:47:18.78+00:00 Thank you @Yuki Sun for your assistance in this matter.
Sign in to comment