25,081 questions
Afaik you need to add the user to the ADSyncOperators group. You cannot get more granular than that. Well, you can always create some sort of a PowerShell script that "wraps" the cmdlet and grant them access to that.
manually run AD sync without additional privileges
Jonny Pearson
1
Reputation point
How do we allow someone to run an AD sync but not give them any other privileges?
Let me explain
We have some lower level admins who often make changes to AD accounts or Exchange mailboxes. Usually these changes need to be synchronized to Azure AD. So, they make the changes, then wait 30 minutes for the sync cycle to run, then check to see if the changes fixed the problem.
If the changes did not fix the problem, they make more adjustments and then wait again for 30 minutes. The point is that it's taking a long time. If they could kick off a Delta sync on demand, they could be more efficient. I would like to allow this, but I also cannot allow them to be admins on our Azure AD Connect server. The last thing I need is someone making changes to our Azure AD sync options.
Any ideas on allowing them to run an Azure AD sync, but also restricting them so they cannot run any of the Set cmdlets, or otherwise make AADC changes?
Thanks, ZotBot
Microsoft Security Microsoft Entra Microsoft Entra ID
2 answers
Sort by: Most helpful
-
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator2022-04-28T16:16:17.09+00:00 -
Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator2022-04-28T16:22:34.247+00:00 Thank you for asking this question on the **Microsoft Q&A Platform. **
I understand that you require executing
Start-ADSyncSyncCycle -PolicyType Deltaas a normal user, right?You can create a script with the command and add the property ProxyRunAsLocalAdmin
Here are two references to do that configuration.
- https://community.spiceworks.com/topic/2171361-how-to-provide-access-to-powershell-run-as-administrator-for-normal-user
- https://serverfault.com/questions/734320/allow-standard-user-to-run-program-as-local-admin-without-elevation-prompt
Let me know how was go?
Hope this helps,
Carlos Solís Salazar----------
Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
NOTE: To answer you as quickly as possible, please mention me in your reply.
-
Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator
2022-05-02T21:53:58.263+00:00 @Jonny Pearson , you can Accept Answer and Upvote, if the above response helped answer your query, others visiting the forum with the same query might get help.
NOTE: To answer you as quickly as possible, please mention me in your reply.
Sign in to comment