Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Procedure to replace the Service Account with gMSA for Entra ID Connect
EnterpriseArchitect
6,301
Reputation points
People,
I have identified that there are two Entra ID Connect in my Forest that are syncing AD Users to the cloud.
Both of them are using a traditional user account, which I wanted to decommission.
Starting from the passive server, what are the steps I must take to replace the existing AD Service Account that is DOMAIN\Enterprise.Admins with a more secure alternative, like gMSA for Entra ID Connect ?
Followed by failvoer and then replacing the other server,
Any help would be greatly appreciated.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
VEMULA SRISAI 3,330 Reputation points Microsoft External Staff Moderator2025-12-10T10:49:05.76+00:00 Hello EnterpriseArchitect
It looks like you're looking to replace the existing AD Service Account with a group Managed Service Account (gMSA) for Entra ID Connect in your environment. Here’s a step-by-step guide on how to do that, starting from the passive server.
Steps to Replace the Service Account with gMSA for Entra ID Connect
- Preparation:
- Ensure you have the necessary permissions to create and manage gMSA accounts.
- Have a clear understanding of the current setup of your Entra ID Connect servers.
- Create a gMSA:
- Create a group Managed Service Account (gMSA). You can do this using PowerShell:
New-ADServiceAccount -Name <gMSAName> -DNSHostName <gMSADNSHostName> -PrincipalsAllowedToRetrieveManagedPassword <group> - Replace
<gMSAName>,<gMSADNSHostName>, and<group>with appropriate values for your environment.
- Create a group Managed Service Account (gMSA). You can do this using PowerShell:
- Configure Delegation:
- Set up delegation for the gMSA:
Set-ADServiceAccount -Identity <gMSAName> -TrustedForDelegation $true - This allows the gMSA to authenticate across different services.
- Set up delegation for the gMSA:
- Install gMSA on the Passive Server:
- On the passive server where you want to replace the traditional service account, install the gMSA by using:
Install-ADServiceAccount <gMSAName> - This command will ensure the gMSA is set up properly.
- On the passive server where you want to replace the traditional service account, install the gMSA by using:
- Update Entra ID Connect Configuration:
- Modify the Entra ID Connect configuration to use the new gMSA. You can typically find this in the synchronization service settings or configuration wizard.
- Connect to the server using the gMSA credentials and ensure that it's set to manage the synchronization.
- Testing:
- After updating the configuration, run a test synchronization to verify everything is working correctly.
- Failover:
- If everything works well on the passive server, repeat the steps above on the primary server, ensuring you switch over to the gMSA account.
- Decommission Traditional Service Account:
- Once both servers are confirmed to be using the gMSA without any issues, you can decommission and remove the old service account.
Additional Considerations
- Ensure that all required permissions for the gMSA are configured appropriately within Active Directory.
- Monitor the synchronization process to catch any potential issues early.
I hope this helps you transition to a more secure account setup!
References
- Changing the ADSync service account password
- Configure AD DS Connector account permissions
- ADSync Service account
- Group Managed Service Accounts
Feel free to ask if you have any questions or need further assistance
- Preparation:
-
EnterpriseArchitect 6,301 Reputation points
2025-12-10T12:12:29.95+00:00 @VEMULA SRISAI ,
Thank you, I have already created the gMSA and then added it as the Local Administrator of the Entra ID Connect VM.
What other permissions do I need to assign on the gMSA on the Active Directory and also how to replace and update the Service Account in the Services console ? -
VEMULA SRISAI 3,330 Reputation points Microsoft External Staff Moderator
2025-12-10T12:27:26.07+00:00 EnterpriseArchitect You don’t need extra AD rights beyond allowing the gMSA to retrieve its managed password; Domain Admin is not required. Do not change the ADSync service account in Services—this is unsupported and will break encryption keys. To use gMSA, reinstall Microsoft Entra Connect and select “Managed Service Account” during setup. If using remote SQL, grant the gMSA db_owner on the ADSync database; AD DS connector account stays unchanged. https://learn.microsoft.com/en-in/entra/identity/hybrid/connect/concept-adsync-service-account
Sign in to comment
Sign in to answer