Accounts for integrating with Active Directory
This article describes the accounts that are required for each of the two synchronization tools, cloud sync and Microsoft Entra Connect. Use these sections as a reference when configuring and setting up your environment.
Requirement | Description and additional requirements |
---|---|
Domain/Enterprise administrator | Required to install the agent on the server and create the gMSA service account. |
Hybrid Identity Administrator | Required to configure cloud sync. This account cannot be a guest account. |
gMSA service account | Required to run the agent. |
For more information on cloud sync accounts and how to set up a custom gMSA account, see Cloud sync prerequisites.
Microsoft Entra Connect uses three accounts to synchronize information from on-premises Windows Server Active Directory (Windows Server AD) to Microsoft Entra ID:
Requirement | Description and additional requirements |
---|---|
AD DS Connector account | Used to read and write information to Windows Server AD by using Active Directory Domain Services (AD DS). |
ADSync service account | Used to run the sync service and access the SQL Server database. |
Microsoft Entra Connector account | Used to write information to Microsoft Entra ID. |
Local Administrator account | The administrator who is installing Microsoft Entra Connect and who has local Administrator permissions on the computer. |
AD DS Enterprise Administrator account | Optionally used to create the required AD DS Connector account. |
Hybrid Identity Administrator | Used to create the Microsoft Entra Connector account and to configure Microsoft Entra ID. You can view Hybrid Identity Administrator accounts in the Microsoft Entra admin center. See List Microsoft Entra role assignments. |
SQL SA account (optional) | Used to create the ADSync database when you use the full version of SQL Server. The instance of SQL Server can be local or remote to the Microsoft Entra Connect installation. This account can be the same account as the Enterprise Administrator account. |
For more information on Microsoft Entra Connect accounts and how to configure them, see Accounts and permissions.