Jorge's Quest For Knowledge!

(2014-09-25) Changing The Service Account And/Or Security Groups For Azure AD Sync Services

Posted by Jorge on 2014-09-25


If you used the default configuration, you will end up with a local service account (e.g. AAD_fb304599ae39) for the Azure AD Sync Service, and local security groups will be used (ADSyncAdmins, ADSyncOperators, ADSyncBrowse and ADSyncPasswordSet). This blog post helps you change either one (the local service account or the local security groups) or both to use domain objects. This blog post assumes you want to change both the service account and the security groups; in that case, perform all steps. If you only want to change one of them, only perform the corresponding steps.

Step 1: Create the new Azure AD Sync Service service account in AD

Example: ADCORP\SVC_R1_AADSyncSvc

Step 2: Create the new Azure AD Sync Service security groups in AD

Example: ADCORP\AADSyncAdmins

Example: ADCORP\AADSyncOperators

Example: ADCORP\AADSyncBrowse

Example: ADCORP\AADSyncPasswordSet

Step 3: Establish correct memberships

Example: ADCORP\AADSyncAdmins <– make the Azure AD Sync Service service account in AD, and any AD-based user/admin account that fully manages the AAD Sync Service, a member of this group

QUESTION: do you know which other group needed to be created in FIM, but is not needed anymore in AADSync?
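As an added example that is not part of the original post, the following PowerShell creates the objects from Steps 1 to 3 with the names used above. It assumes the ActiveDirectory module is available on the machine you run it from and that the target OU (a placeholder here) already exists; the password is entered interactively because the maintenance wizard needs it once and it should never live in a script.

```powershell
# Added example (not from the original post): Steps 1-3 as a script.
# Assumptions: ActiveDirectory module present, placeholder OU exists, names from the post.
Import-Module ActiveDirectory
$ou      = 'OU=AADSync,DC=adcorp,DC=local'   # placeholder OU, adjust to your forest
$svcName = 'SVC_R1_AADSyncSvc'
$groups  = 'AADSyncAdmins', 'AADSyncOperators', 'AADSyncBrowse', 'AADSyncPasswordSet'

# Step 2: create the four security groups if they do not exist yet.
# Global scope is assumed here; it is sufficient for granting rights on a member server.
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou `
                    -Description 'Azure AD Sync Service security group'
    }
}

# Step 1: create the service account. The password is asked for interactively and
# never stored; the account cannot change it and it does not expire (rotate it yourself).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    $pwd = Read-Host -AsSecureString "Password for $svcName"
    New-ADUser -Name $svcName -SamAccountName $svcName -Path $ou -AccountPassword $pwd `
               -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
               -Description 'Azure AD Sync Service service account'
}

# Step 3: the service account, plus any AD-based admin accounts that fully manage the
# AAD Sync Service, become members of AADSyncAdmins. Add your admin accounts to $admins.
$admins = @($svcName)
Add-ADGroupMember -Identity 'AADSyncAdmins' -Members $admins

# Show the resulting membership so you can verify Step 3 before moving on to Step 4.
Get-ADGroupMember -Identity 'AADSyncAdmins' | Select-Object SamAccountName, objectClass
```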

Step 4: Configure the new Azure AD Sync Service service account in AD with the correct user rights on the server with Azure AD Sync Service installed

Give the new Azure AD Sync Service service account in AD the following user rights on the server with Azure AD Sync Service installed:

“Deny logon as a batch job”

“Deny logon locally”

“Deny logon through Terminal Services”

“Deny access to this computer from the network”

Figure 1: Required User Rights For The New Azure AD Sync Service Service Account In AD
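Before starting the change install, you can check on the sync server that the four "Deny" rights from Figure 1 really apply to the new account; if any is missing, the Maintenance Wizard will show the warning in Figure 16. The following PowerShell is an added example, not from the original post, and assumes the account name ADCORP\SVC_R1_AADSyncSvc and an elevated prompt on the server with Azure AD Sync Service installed.

```powershell
# Added example (not from the original post): verify the Step 4 user rights on the sync server.
# Assumptions: run elevated on the Azure AD Sync server; account name taken from the post.
$account = 'ADCORP\SVC_R1_AADSyncSvc'

# Local Security Policy display names (as in the post) mapped to the constants secedit uses.
$required = [ordered]@{
    'Deny logon as a batch job'                     = 'SeDenyBatchLogonRight'
    'Deny logon locally'                            = 'SeDenyInteractiveLogonRight'
    'Deny logon through Terminal Services'          = 'SeDenyRemoteInteractiveLogonRight'
    'Deny access to this computer from the network' = 'SeDenyNetworkLogonRight'
}

# secedit lists principals as *SID, so resolve the account to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local policy to a temporary .inf file.
$inf = Join-Path $env:TEMP 'aadsync-user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse lines like "SeDenyNetworkLogonRight = *S-1-5-21-...,*S-1-5-32-546" into right -> SIDs.
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf -Force

# Collect the rights the account does not hold yet.
$missing = foreach ($name in $required.Keys) {
    if (-not ($assigned[$required[$name]] -contains $sid)) { $name }
}

if ($missing) {
    Write-Warning "The following user rights are not assigned to $account (expect the warning in Figure 16):"
    $missing | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Host "All four Deny rights are assigned to $account; proceed with the change install."
}
```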

If you do not know the password of the current Azure AD Sync Service Service Account, stop the "Microsoft Azure AD Sync (ADSync)" service, reset the password of the current Azure AD Sync Service Service Account, re-enter the credentials for the "Microsoft Azure AD Sync (ADSync)" service and start the "Microsoft Azure AD Sync (ADSync)" service again.

Figure 2: Resetting The Password Of The Current (Local) Azure AD Sync Service Service Account

Figure 3: Re-Entering Credentials For The "Microsoft Azure AD Sync (ADSync)" Service

When changing the Azure AD Sync Service Service Account, the new Azure AD Sync Service Service Account must be configured with the encryption keys securing the secret data in the database. To be able to do that you must export the keyset, if not already available.

Figure 4: Exporting The KeySet Using The Azure ADSync Encryption Key Management Wizard

Figure 5: Providing The Credentials Of The Current (Local) Azure AD Sync Service Service Account

The default folder is "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Azure AD Sync\"; make sure a keyset file with the same filename does not already exist in it.

Figure 6: Providing The Path Of The Encryption File

Figure 7: Configuration Summary

Figure 8: Configuration Result

Now it is time to start the change install.

Figure 9: Starting The Change Install For Microsoft Azure AD Sync

Figure 10: Microsoft Azure AD Sync Maintenance Wizard – Welcome Page

Figure 11: Microsoft Azure AD Sync Maintenance Wizard – Maintenance Options Page

Figure 12: Microsoft Azure AD Sync Maintenance Wizard – Features Page

Figure 13: Microsoft Azure AD Sync Maintenance Wizard – Azure AD Sync Service Service Account Credentials Page

Figure 14: Microsoft Azure AD Sync Maintenance Wizard – Azure AD Sync Service Security Groups Page

Figure 15: Microsoft Azure AD Sync Maintenance Wizard – Initiating Install Page

If you did not configure the Azure AD Sync Service Service Account with the user rights shown in Figure 1, you will get the following warning.

Figure 16: Warning About Azure AD Sync Service Service Account Not Being Configured In Secure Manner

If you get the following error, make sure to check this blog post AFTER the wizard has finished!!!

Figure 17: Warning About Azure AD Sync Setup Not Being Able To Configure WMI Permissions On A Non-Existent Namespace

Figure 18: Restoring The Keyset For The New Azure AD Sync Service Service Account

Figure 19: Change Install Of Microsoft Azure AD Sync Setup Finished

And you’re done!

Cheers,
Jorge