Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-08-04) Required Permissions For Azure AD Connect

Posted by Jorge on 2019-08-04


The document Azure AD Connect: Accounts and permissions provides information on which accounts require which permissions. One thing that is certain is that I would NEVER install Azure AD Connect using the Express Installation option. Why? The AD Connector account ends up with domain/enterprise admin permissions, which is TOO MUCH to give away.

In addition, my recommendations are:

  • Do not use Express Install
  • Use a gMSA where possible for the Azure AD Connect Sync Service
  • Assign a custom-made user account for the AD Connector Account (a.k.a. AD MA account) with a very long (strong) password, and make sure you audit/monitor changes to this account, as it may be very powerful when configured to support PHS and/or when configured on the AdminSDHolder object
  • Delegate permissions to the AD Connector Account instead of “give it all”. See below for a non-exhaustive list of delegations

Active Directory – Permissions:

The table below has four columns: Permissioned Object, Assigned/Required Permission, Security Principal Using Permission, and Permission Assigned Through (Just A Suggestion!). Each row is listed with those four fields.

Row 1
Permissioned Object: DC=<DOMAIN>,DC=<TLD>
Assigned/Required Permission:
* “Allow:Replicating Directory Changes” for “This Object Only”
* “Allow:Replicating Directory Changes ALL” for “This Object Only” (only needed for PHS!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through: <DOMAIN>\<AD Group For DS Repl Changes> (security group) and <DOMAIN>\<AD Group For DS Repl Changes All> (security group)

Row 2
Permissioned Object: CN=RegisteredDevices,DC=<DOMAIN>,DC=<TLD>
Assigned/Required Permission:
* “Allow:Full Control” for “Descendant msDS-Device Objects” (only needed for device writeback!)
* “Allow:Create msDS-Device Objects” for “This Object Only” (only needed for device writeback!)
* “Allow:Delete msDS-Device Objects” for “This Object Only” (only needed for device writeback!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through: Directly

Row 3
Permissioned Object: <On The AdminSDHolder Object Of Any Domain> CN=AdminSDHolder,CN=System,DC=<DOMAIN>,DC=<TLD>
Assigned/Required Permission:
* “Allow:Read/Write On <Immutable ID Attribute>” (only needed to manage “admin” objects)
* “Allow:Read/Write On msDS-ExternalDirectoryObjectId” (only needed to manage “admin” objects)
* “Allow:Read/Write On pwdLastSet” (only needed for Password Writeback/SSPR for “admin” accounts!)
* “Allow:Password Reset” (only needed for Password Writeback/SSPR for “admin” accounts!)
* “Allow:Read/Write On lockoutTime” (only needed for Password Writeback/SSPR for “admin” accounts!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through: Directly

Row 4
Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* “Allow:Read/Write On <Immutable ID Attribute>” for “Descendant user Objects”
* “Allow:Read/Write On msDS-ExternalDirectoryObjectId” for “Descendant user Objects” (only needed for Hybrid Exchange!)
* “Allow:Read/Write On msExchArchiveStatus” for “Descendant user Objects” (only needed for Hybrid Exchange!)
* “Allow:Read/Write On msExchBlockedSendersHash” for “Descendant user Objects” (only needed for Hybrid Exchange!)
* “Allow:Read/Write On msExchSafeRecipientsHash” for “Descendant user Objects” (only needed for Hybrid Exchange!)
* “Allow:Read/Write On msExchSafeSendersHash” for “Descendant user Objects” (only needed for Hybrid Exchange!)
* “Allow:Read/Write On msExchUCVoiceMailSettings” for “Descendant user Objects” (only needed for Hybrid Exchange!)
* “Allow:Read/Write On msExchUserHoldPolicies” for “Descendant user Objects” (only needed for Hybrid Exchange!)
* “Allow:Read/Write On proxyAddresses” for “Descendant user Objects” (only needed for Hybrid Exchange!)
* “Allow:Read/Write On publicDelegates” for “Descendant user Objects” (only needed for Hybrid Exchange!)
* “Allow:Read/Write On msDS-KeyCredentialLink” for “Descendant user Objects” (only needed for WH4B)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through: <DOMAIN>\<AD Group For Writeback Attributes> (security group)

Row 5
Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* “Allow:Read/Write On <Immutable ID Attribute>” for “Descendant group Objects”
* “Allow:Read/Write On proxyAddresses” for “Descendant group Objects” (only needed for Hybrid Exchange!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through: <DOMAIN>\<AD Group For Writeback Attributes> (security group)

Row 6
Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* “Allow:Read/Write On lockoutTime” for “Descendant user Objects” (only needed for Password Writeback/SSPR!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through: <DOMAIN>\<AD Group For Writeback Password Or Just Account Unlock> (security group)

Row 7
Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* “Allow:Read/Write On pwdLastSet” for “Descendant user Objects” (only needed for Password Writeback/SSPR!)
* “Allow:Password Reset” for “Descendant user Objects” (only needed for Password Writeback/SSPR!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through: <DOMAIN>\<AD Group For Writeback Password Or Just Password Reset> (security group)

Row 8
Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* “Allow:Read/Write On proxyAddresses” for “Descendant contact Objects” (only needed for Hybrid Exchange!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through: <DOMAIN>\<AD Group For Writeback Attributes> (security group)

REMARK: to configure the required permissions at domain level for any domain so that the AD MA/Connector can sync (write) into AD for user accounts or group objects, the following commands can be used (make sure to customize as needed for your environment!!!):

# CONSTANTS (customize for your environment)
$dcFQDN = "<FQDN Of The Nearest RWDC Of Domain>"
$domainDN = "<Domain Distinguished Name>"
$domainNBT = "<Domain NetBIOS Name>"
$aadConnectADConnectorAccount = "$domainNBT\<AD Connector Account>"
$dsReplChangesSecPrinc = "$domainNBT\<AD Group For DS Repl Changes>"
$dsReplChangesAllSecPrinc = "$domainNBT\<AD Group For DS Repl Changes All>"
$dnContainerUserObjects = "<DN of Container/OU With User Objects>"
$aadConnectWritebackAttributesUsersSecPrinc = "$domainNBT\<AD Group For Writeback Attributes Users>"
$aadConnectWritebackPasswordUsersSecPrinc = "$domainNBT\<AD Group For Writeback Password Users>"
$dnContainerGroupObjects = "<DN of Container/OU With Group Objects>"
$aadConnectWritebackAttributesGroupsSecPrinc = "$domainNBT\<AD Group For Writeback Attributes Groups>"
$dnContainerContactObjects = "<DN of Container/OU With Contact Objects>"
$aadConnectWritebackAttributesContactsSecPrinc = "$domainNBT\<AD Group For Writeback Attributes Contacts>"

# NOTE: inside a double-quoted string PowerShell parses "$var:CA" as a scoped variable (like $env:PATH),
# which silently expands to an empty string, so every principal is written as "${var}:..." below.
# DSACLS permission letters: CA = control access right, RPWP = read/write property, GA = full control,
# CCDC = create/delete child. /I:S = descendant objects only, /I:T = this object and descendants.

# GENERIC (read access for the AD connector; "Replicating Directory Changes All" is only needed for PHS)
dsacls "\\$dcFQDN\$domainDN" /G "${dsReplChangesSecPrinc}:CA;Replicating Directory Changes" | Out-Null
dsacls "\\$dcFQDN\$domainDN" /G "${dsReplChangesAllSecPrinc}:CA;Replicating Directory Changes All" | Out-Null

# DEVICE WRITEBACK (object class is referenced by its schema name, msDS-Device)
dsacls "\\$dcFQDN\CN=RegisteredDevices,$domainDN" /G "${aadConnectADConnectorAccount}:GA;;msDS-Device" /I:S | Out-Null
dsacls "\\$dcFQDN\CN=RegisteredDevices,$domainDN" /G "${aadConnectADConnectorAccount}:CCDC;msDS-Device" /I:T | Out-Null

# FOR ADMINSDHOLDER PROTECTED OBJECTS
# No inheritance flag: SDProp copies the ACL of AdminSDHolder onto the protected accounts itself.
# <CAR> is the control access right to grant, e.g. "Reset Password" for Password Writeback/SSPR.
dsacls "\\$dcFQDN\CN=AdminSDHolder,CN=System,$domainDN" /G "${aadConnectADConnectorAccount}:RPWP;<Attribute To Write To>" | Out-Null
dsacls "\\$dcFQDN\CN=AdminSDHolder,CN=System,$domainDN" /G "${aadConnectADConnectorAccount}:CA;<CAR>" | Out-Null

# FOR USER ACCOUNTS: GENERIC, HYBRID EXCHANGE AND WINDOWS HELLO FOR BUSINESS (descendant user objects)
$userAttrsGeneric  = @('<Immutable ID Attribute>', 'msDS-ExternalDirectoryObjectId')
$userAttrsExchange = @('msExchArchiveStatus', 'msExchBlockedSendersHash', 'msExchSafeRecipientsHash',
                       'msExchSafeSendersHash', 'msExchUCVoiceMailSettings', 'msExchUserHoldPolicies',
                       'proxyAddresses', 'publicDelegates')
$userAttrsWH4B     = @('msDS-KeyCredentialLink')
foreach ($attr in ($userAttrsGeneric + $userAttrsExchange + $userAttrsWH4B)) {
    dsacls "\\$dcFQDN\$dnContainerUserObjects" /G "${aadConnectWritebackAttributesUsersSecPrinc}:RPWP;$attr;user" /I:S | Out-Null
}

# FOR USER ACCOUNTS PASSWORD WRITEBACK/SSPR (separate group, since this is the password-reset capable delegation)
foreach ($attr in @('lockoutTime', 'pwdLastSet')) {
    dsacls "\\$dcFQDN\$dnContainerUserObjects" /G "${aadConnectWritebackPasswordUsersSecPrinc}:RPWP;$attr;user" /I:S | Out-Null
}
dsacls "\\$dcFQDN\$dnContainerUserObjects" /G "${aadConnectWritebackPasswordUsersSecPrinc}:CA;Reset Password;user" /I:S | Out-Null

# FOR GROUP OBJECTS GENERIC AND HYBRID EXCHANGE (descendant group objects)
foreach ($attr in @('<Immutable ID Attribute>', 'proxyAddresses')) {
    dsacls "\\$dcFQDN\$dnContainerGroupObjects" /G "${aadConnectWritebackAttributesGroupsSecPrinc}:RPWP;$attr;group" /I:S | Out-Null
}

# FOR CONTACT OBJECTS HYBRID EXCHANGE (descendant contact objects)
dsacls "\\$dcFQDN\$dnContainerContactObjects" /G "${aadConnectWritebackAttributesContactsSecPrinc}:RPWP;proxyAddresses;contact" /I:S | Out-Null
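The recommendation above to audit the AD Connector account matters most for the "Replicating Directory Changes All" right, because whoever holds it can read password hashes from the domain. The following check is an added example, not part of the original post: it lists every principal holding a replication control-access right on the domain head and flags those not on your expected list. It assumes the ActiveDirectory RSAT module (for the AD: drive) and read access to the domain object's ACL; the group name passed at the bottom is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-ReplicationRightHolders {
    param(
        [string]   $DomainDN        = (Get-ADDomain).DistinguishedName,
        [string[]] $ExpectedHolders = @()   # principals that are allowed to hold the rights
    )
    # Well-known rightsGuid values of the replication control-access rights
    $replRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
    }
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $all      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl = Get-Acl -Path "AD:\$DomainDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid    = $ace.ObjectType.ToString().ToLower()
        $granted = @()
        if ($replRights.ContainsKey($guid) -and (($ace.ActiveDirectoryRights -band $extended) -ne 0)) {
            # ACE scoped to exactly one replication right
            $granted += $replRights[$guid]
        } elseif ($ace.ObjectType -eq [guid]::Empty -and
                  ((($ace.ActiveDirectoryRights -band $all) -ne 0) -or
                   (($ace.ActiveDirectoryRights -band $extended) -ne 0))) {
            # Unscoped Full Control or "all extended rights" implies all three
            $granted += $replRights.Values
        }
        foreach ($right in $granted) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $right
                Inherited = $ace.IsInherited
                Expected  = ($ExpectedHolders -contains $ace.IdentityReference.Value)
            }
        }
    }
}

# Default holders (Administrators, Domain Controllers, ENTERPRISE DOMAIN CONTROLLERS, SYSTEM,
# Enterprise Admins) belong on the expected list too; anything else holding "Changes All"
# deserves a ticket. The group name below is a placeholder from the post's naming scheme.
Get-ReplicationRightHolders -ExpectedHolders @("$env:USERDOMAIN\<AD Group For DS Repl Changes All>") |
    Where-Object { $_.Right -eq 'Replicating Directory Changes All' -and -not $_.Expected } |
    Format-Table -AutoSize
```

Run it periodically (or from the monitoring you put on the connector account) so a new holder of the right shows up as a change rather than being discovered during an incident.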

Azure Active Directory Permissions:

An Azure AD account with the “Global Administrator” role is needed to configure the AAD Sync Server during installation and at any subsequent configuration moment. This account may be enabled for MFA, but in that case cookies and JavaScript must be allowed on the server.

Hope this helps you!

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
Jorge’s Quest For Knowledge – http://JorgeQuestForKnowledge.wordpress.com/
————————————————————————————————————————————————————-


4 Responses to “(2019-08-04) Required Permissions For Azure AD Connect”

  1. Charlie said

    Hello Jorge

    Great post, quick question please
    What do you mean by “PHS”, e.g. what does PHS stand for in this context?
    Also, what does the MA stand for in “AD MA account”? Do you mean a standard user account (running a service) as opposed to a gMSA?

    Thanks very much


    • Jorge said

      PHS = password hash sync, which is when you have Azure AD Connect configured to sync the password hashes of the user accounts in the on-prem AD to Azure AD. When you do that, you can use it for leaked credentials detection; if you use ADFS you can use it as a backup authentication when AD or ADFS drops dead (the switch requires manual action!), and if you do not use ADFS you use it to authenticate to Azure AD.

      MA = management agent, aka connector in Azure AD. You have one for AD and one for Azure AD

      You can only use a gMSA for the Azure AD connect sync service

      For the AD connector/MA account you must use a regular user account and you cannot use a gMSA for it


  2. Charlie said

    Thanks 🙂


  3. […] With version 1.4.X.0 and higher, it is no longer supported to use an enterprise admin or a domain admin account as the AD DS Connector account. YES!!! If you attempt to enter an account that is an enterprise admin or domain admin when specifying use existing account, you will receive an error. Current installations already using an EA/DA account are not impacted, but it is seriously highly recommended to move away from using an EA/DA account. In other words, stop screwing around and create a regular user account and delegate whatever is needed to that account. Guidance to delegate stuff to that regular account can be found through the following blog post: (2019-08-04) Required Permissions For Azure AD Connect […]
