Use Microsoft Entra Connect Sync Security Groups to help maintain directory synchronization

During setup, Microsoft Entra Connect automatically creates Microsoft Entra Connect Sync Security Groups. A Microsoft 365 Enterprise Administrator can use these groups to:

  • delegate control in Microsoft Entra Connect to other users.
  • assign a user temporary permission to run a manual synchronization.
  • troubleshoot directory synchronization issues using Microsoft Entra Connect.

The following table identifies the Microsoft Entra Connect Sync Security Groups that are automatically created by Microsoft Entra Connect.

| Group name | Description |
|---|---|
| ADSyncAdmins | Administrators Group: Members of this group have Full Access to do anything in the Microsoft Entra Connect Sync Service Manager. |
| ADSyncOperators | Operators Group: Members of this group have access to the operations of the Microsoft Entra Connect Sync Service Manager, including: execution of Management Agents; view of Synchronization Statistics for each run; ability to save the Run History (Operations Tab) to a file. Members of this group must be members of the ADSyncBrowse Group. |
| ADSyncBrowse | Browse Group: Members of this group have permission to gather information about a user's lineage when resetting passwords. |
| ADSyncPasswordSet | Password Reset Group: Members of this group have permission to do all operations by using the password management interface. Members of this group must be members of the ADSyncBrowse Group. |

The groups are either created as local groups on domain-joined servers, or as Active Directory domain groups when Microsoft Entra Connect is installed on a domain controller. To create domain groups on member servers, select the Specify Custom Sync Groups option during setup and specify the groups by Domain\Group Name.
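
The following PowerShell sketch is an added example, not part of the original page or Microsoft's tooling. It lists who holds each sync group and flags ADSyncOperators or ADSyncPasswordSet members that lack the required ADSyncBrowse membership. It assumes the groups exist as local groups with the default names on a member server and that the built-in `Get-LocalGroupMember` cmdlet is available; the helper name `Get-SyncGroupMember` is hypothetical.

```powershell
# Added example: audit the local ADSync* groups on a Microsoft Entra Connect member server.
# Assumes the default local group names from this page (not custom or domain groups).
$groups = 'ADSyncAdmins', 'ADSyncOperators', 'ADSyncBrowse', 'ADSyncPasswordSet'

function Get-SyncGroupMember {
    param([Parameter(Mandatory)][string]$Group)
    try {
        # Nested domain groups come back as a single entry; they are not expanded.
        Get-LocalGroupMember -Group $Group -ErrorAction Stop |
            Select-Object @{ n = 'Group'; e = { $Group } }, Name, ObjectClass,
                          @{ n = 'Sid'; e = { $_.SID.Value } }
    }
    catch {
        # A missing group or an unreadable member is reported, not silently skipped.
        Write-Warning "Could not read '$Group': $($_.Exception.Message)"
    }
}

$members = foreach ($g in $groups) { Get-SyncGroupMember -Group $g }

# 1. Full membership listing; ADSyncAdmins has full access, so review it first.
$members | Sort-Object Group, Name | Format-Table -AutoSize

# 2. Operators and Password Reset members must also be in ADSyncBrowse.
$browseSids = @($members | Where-Object Group -eq 'ADSyncBrowse' | ForEach-Object Sid)
$violations = $members |
    Where-Object { $_.Group -in 'ADSyncOperators', 'ADSyncPasswordSet' -and
                   $_.Sid -notin $browseSids }

if ($violations) {
    Write-Warning 'Members missing the required ADSyncBrowse membership:'
    $violations | Format-Table Group, Name, ObjectClass -AutoSize
}
else {
    Write-Output 'All ADSyncOperators and ADSyncPasswordSet members are in ADSyncBrowse.'
}
```

Running this on a schedule also surfaces temporary delegations that were never removed. If a warning is raised for ADSyncBrowse itself, treat the violation list as unreliable until that group can be read.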