Maintain directory synchronization using Microsoft Entra Connect Sync security groups
During setup, Microsoft Entra Connect Sync automatically creates Microsoft Entra Connect Sync security groups. A Microsoft 365 Administrator can use these groups to:
- Delegate control in Microsoft Entra Connect Sync to other users.
- Assign a user temporary permission to run a manual synchronization.
- Troubleshoot directory synchronization issues using Microsoft Entra Connect Sync.
The following table identifies the Microsoft Entra Connect Sync security groups that Microsoft Entra Connect Sync automatically creates.
| Group name | Description |
|---|---|
| ADSyncAdmins | Administrators Group. Members of this group have Full Access to do anything in the Microsoft Entra Connect Sync Service Manager. |
| ADSyncOperators | Operators Group. Members of this group have access to the operations of the Microsoft Entra Connect Sync Service Manager, including: execution of Management Agents; view of Synchronization Statistics for each run; and the ability to save the Run History (Operations Tab) to a file. Members of this group must be members of the ADSyncBrowse Group. |
| ADSyncBrowse | Browse Group. Members of this group have permission to gather information about a user’s lineage when resetting passwords. |
| ADSyncPasswordSet | Password Reset Group. Members of this group have permission to do all operations by using the password management interface. Members of this group must be members of the ADSyncBrowse Group. |
Microsoft Entra Connect Sync creates the security groups as either:
- Local groups on domain-joined servers.
- On-premises Active Directory domain groups when the organization installs Microsoft Entra Connect Sync on a domain controller.
To create domain groups on member servers, select the Specify Custom Sync Groups option during setup and specify the groups by Domain\Group Name.
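Because these groups are used for delegation and temporary permissions, it helps to review their membership periodically. The following script is an added example, not part of the original page or a Microsoft tool. It assumes the default group names from the table, that the groups are local groups on a member server, and an elevated Windows PowerShell session on the sync server. It compares direct members only, so membership granted through a nested group is not resolved.

```powershell
# Added example: audit the ADSync* local groups on the sync server.
# Assumptions: default group names, local groups (member-server install).
$groups = 'ADSyncAdmins', 'ADSyncOperators', 'ADSyncBrowse', 'ADSyncPasswordSet'

# Collect the direct members of each group, keyed by group name.
$members = @{}
foreach ($g in $groups) {
    try {
        $members[$g] = @(Get-LocalGroupMember -Group $g -ErrorAction Stop)
    } catch {
        # Missing group or unresolvable member: report it and continue.
        Write-Warning "Could not read group '$g': $($_.Exception.Message)"
        $members[$g] = @()
    }
}

# Emit one row per (group, member) so stale delegations are easy to spot.
foreach ($g in $groups) {
    foreach ($m in $members[$g]) {
        [pscustomobject]@{
            Group  = $g
            Member = $m.Name
            Type   = $m.ObjectClass
            Source = $m.PrincipalSource
        }
    }
}

# The table requires ADSyncOperators and ADSyncPasswordSet members to be in
# ADSyncBrowse as well; flag any direct member that is not.
$browseSids = @($members['ADSyncBrowse'] | ForEach-Object { $_.SID.Value })
foreach ($g in 'ADSyncOperators', 'ADSyncPasswordSet') {
    foreach ($m in $members[$g]) {
        if ($browseSids -notcontains $m.SID.Value) {
            Write-Warning "$($m.Name) is in $g but not in ADSyncBrowse"
        }
    }
}
```

When Microsoft Entra Connect Sync is installed on a domain controller, or custom sync groups were specified during setup, the groups are domain groups and the local-group cmdlet above does not apply.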