Maintain directory synchronization using Microsoft Entra Connect Sync security groups


During setup, Microsoft Entra Connect Sync automatically creates a small set of security groups on the server it is installed on. A Microsoft 365 Administrator can use these groups to:

  • Delegate control in Microsoft Entra Connect Sync to other users.
  • Assign a user temporary permission to run a manual synchronization.
  • Troubleshoot directory synchronization issues using Microsoft Entra Connect Sync.

The following list identifies the security groups that Microsoft Entra Connect Sync creates automatically, with the access each one grants in the Synchronization Service Manager.

Group name and description:

  • ADSyncAdmins: Administrators group. Members of this group have full access to do anything in the Microsoft Entra Connect Sync Service Manager.
  • ADSyncOperators: Operators group. Members of this group have access to the operations of the Microsoft Entra Connect Sync Service Manager, including:
      - Execution of management agents.
      - Viewing the synchronization statistics for each run.
      - Saving the run history (Operations tab) to a file.
    Members of this group must also be members of the ADSyncBrowse group.
  • ADSyncBrowse: Browse group. Members of this group have permission to gather information about a user's lineage when resetting passwords.
  • ADSyncPasswordSet: Password reset group. Members of this group have permission to do all operations by using the password management interface.
    Members of this group must also be members of the ADSyncBrowse group.

Microsoft Entra Connect Sync creates the security groups as either:

  • Local groups on domain-joined servers.
  • On-premises Active Directory domain groups when the organization installs Microsoft Entra Connect Sync on a domain controller.

To create domain groups on member servers, select the Specify Custom Sync Groups option during setup and specify the groups by Domain\Group Name.
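The following PowerShell script is an added example, not code from the Microsoft Learn module, that shows how an administrator would audit the four groups and grant a user the temporary operator rights described above. It assumes the script runs in an elevated session on the Microsoft Entra Connect Sync server, that the default group names were kept at setup (if you chose Specify Custom Sync Groups, substitute your Domain\Group names), and that the ADSync PowerShell module installed with the product is available. The account name CONTOSO\jdoe is a placeholder.

```powershell
# Added example (not part of the Microsoft Learn module): audit and delegate
# Microsoft Entra Connect Sync security group membership.
# Assumptions: elevated session on the sync server; default group names;
# 'CONTOSO\jdoe' is a placeholder account.

$SyncGroups = @('ADSyncAdmins', 'ADSyncOperators', 'ADSyncBrowse', 'ADSyncPasswordSet')

# The groups are local groups on a member server and domain groups on a
# domain controller, so pick the matching cmdlets. ProductType 2 is the
# documented Win32_OperatingSystem value for a domain controller.
function Test-IsDomainController {
    return (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2
}

# List who currently holds each level of access. ADSyncAdmins has full control
# of directory synchronization, so its membership deserves the same review as
# the server's local Administrators group.
function Get-SyncGroupMembership {
    foreach ($g in $SyncGroups) {
        if (Test-IsDomainController) {
            $members = Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty SamAccountName
        } else {
            $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name
        }
        [pscustomobject]@{ Group = $g; Members = ($members -join ', ') }
    }
}

# Operators must also be members of ADSyncBrowse, so always add (or remove)
# both groups together. $Account is given as DOMAIN\sAMAccountName.
function Set-SyncOperator {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][ValidateSet('Grant', 'Revoke')][string]$Action
    )
    $sam = ($Account -split '\\')[-1]   # AD cmdlets take the sAMAccountName alone
    foreach ($g in 'ADSyncBrowse', 'ADSyncOperators') {
        if (Test-IsDomainController) {
            if ($Action -eq 'Grant') { Add-ADGroupMember -Identity $g -Members $sam }
            else { Remove-ADGroupMember -Identity $g -Members $sam -Confirm:$false }
        } else {
            if ($Action -eq 'Grant') { Add-LocalGroupMember -Group $g -Member $Account }
            else { Remove-LocalGroupMember -Group $g -Member $Account }
        }
    }
}

# 1. Audit current delegation.
Get-SyncGroupMembership | Format-Table -AutoSize

# 2. Grant temporary operator rights for a one-off manual synchronization.
Set-SyncOperator -Account 'CONTOSO\jdoe' -Action Grant

# Group membership is evaluated when the logon token is built, so jdoe must
# sign out and back in to the server before the new rights apply. jdoe then runs:
#   Import-Module ADSync
#   Start-ADSyncSyncCycle -PolicyType Delta

# 3. Remove the delegation once the task is done and confirm it is gone.
Set-SyncOperator -Account 'CONTOSO\jdoe' -Action Revoke
Get-SyncGroupMembership | Format-Table -AutoSize
```

Granting and revoking ADSyncBrowse and ADSyncOperators as a pair keeps the dependency in the table above from being forgotten; a user placed in ADSyncOperators alone cannot use the Service Manager operations the group is meant to delegate.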