Hello! Question for service accounts in Active Directory.

Gev Ananyan 20 Reputation points
2025-03-18T14:49:38.3033333+00:00

Hello everyone! I have a project to implement MSA (Managed Service Account) and gMSA (Group Managed Service Account) services, and a second task to implement IDM (Identity Management). I have a question: can these services work together? In the Microsoft documentation I saw one item (convert Microsoft Identity Manager to gMSA). From this I can assume that these services cannot work with each other, but I wanted to know in more detail. Who knows the answer to my question and has used this method?

Windows Server Identity and access Active Directory

1 answer

  1. Daisy Zhou 32,416 Reputation points Microsoft External Staff
    2025-03-20T03:01:18.8166667+00:00

    Hello Gev Ananyan,

    Thank you for posting in Q&A forum.

    Managed Service Accounts (MSA) and Group Managed Service Accounts (gMSA) can work together with Identity Management (IDM) services, including Microsoft Identity Manager (MIM). Here are some key points to consider:

    Compatibility and Integration

    1. MSA and gMSA:

    • MSA: Designed for single-server use, providing automatic password management and simplified SPN management.

    • gMSA: Extends MSA functionality to multiple servers, ideal for server farms and services requiring mutual authentication.

    2. Microsoft Identity Manager (MIM):

    • MIM can be configured to use gMSA for various services, such as the MIM Synchronization Service and MIM Service.

    • Certain MIM components, like the MIM Portal, do not support gMSA directly due to their integration with SharePoint.

    Steps to Implement gMSA with MIM

    1. Prepare the Environment:

    • Ensure your Active Directory domain is configured to support gMSA.

    • Create the Key Distribution Services (KDS) root key on your domain controller.

    2. Create gMSA Accounts:

    • Use PowerShell to create gMSA accounts for the MIM services.

    For example:

    New-ADServiceAccount -Name MIMSyncGMSAsvc -DNSHostName MIMSyncGMSAsvc.contoso.com -PrincipalsAllowedToRetrieveManagedPassword "MIMSync_Servers"

    3. Configure MIM Services:

    • Update the MIM services to use the newly created gMSA accounts.

    This involves setting the service accounts for the MIM Synchronization Service, MIM Service, and other supported components.

    References:

    Group Managed Service Accounts Overview | Microsoft Learn

    Get started with Group Managed Service Accounts

    Convert Microsoft Identity Manager-specific services to gMSA | Microsoft Learn

    Set up a gMSAs for Microsoft Identity Manager 2016 | Microsoft Learn

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

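The three preparation steps in the answer above (KDS root key, gMSA creation, verification on the target host), written out as one PowerShell script. This is an added example, not code from the answer or from Microsoft's MIM documentation; the group name MIMSync_Servers, the host name MIMSYNC01 and the domain contoso.com are placeholders carried over from the answer or assumed here. The script only creates the account and checks that the intended servers can retrieve its password; the MIM-specific step of assigning the gMSA to the MIM services is done in MIM setup as the linked articles describe.

```powershell
# Run on a domain-joined machine with the ActiveDirectory RSAT module,
# as an account allowed to create service accounts in the domain.
Import-Module ActiveDirectory

$GmsaName   = 'MIMSyncGMSAsvc'                      # from the answer above
$DnsHost    = 'MIMSyncGMSAsvc.contoso.com'          # from the answer above
$HostGroup  = 'MIMSync_Servers'                     # from the answer above
$MimServer  = 'MIMSYNC01'                           # assumed host name (placeholder)

# 1. Prepare the environment: a KDS root key must exist before any gMSA can be created.
#    In production use -EffectiveImmediately and wait ~10 hours for replication;
#    the AddHours(-10) form is a lab-only shortcut that skips that wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Create the security group that is allowed to retrieve the managed password,
#    and add only the servers that will run the MIM service to it.
#    Keeping this group narrow is the main security control of a gMSA: any member
#    of it can read the password and act as the account.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security | Out-Null
}
$computer = Get-ADComputer -Identity $MimServer
Add-ADGroupMember -Identity $HostGroup -Members $computer

# Create the gMSA. AES-only Kerberos encryption avoids RC4 tickets for this principal.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName $DnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -KerberosEncryptionType AES128, AES256 `
    -Enabled $true

# 3. Verify: list who may retrieve the password, so an unexpected principal is caught early.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
"Principals allowed to retrieve the password for $($gmsa.Name):"
$gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { "  $_" }

# On the MIM server itself (after the computer's Kerberos ticket reflects the new
# group membership, typically after a reboot), install and test the account.
# Test-ADServiceAccount returns $true only if this host can retrieve the password.
#   Install-ADServiceAccount -Identity $GmsaName
#   Test-ADServiceAccount    -Identity $GmsaName
```

When reviewing an existing gMSA rather than creating one, the `Get-ADServiceAccount ... -Properties PrincipalsAllowedToRetrieveManagedPassword` query on its own is the check worth keeping: if the allowed principal is a broad group such as Domain Computers, every machine in the domain can obtain the service's credential.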
