Protect Azure AD Connect
Today it is important to respect the principle of least privilege. For a long time we have been able to configure the Active Directory connector of Azure AD Connect with a plain user account, one without any admin rights. The Azure AD connector, however, still needed an Azure AD account holding the Global Administrator role.
Since the latest version of Azure AD Connect, the Azure AD connector can use an account with restricted rights as well.
Export configuration of Azure AD Connect
The export gives you a backup in case Azure AD Connect malfunctions during the upgrade: the initial configuration can then be restored.
If Azure AD Connect is already installed on your server, you first need to upgrade it to the latest version. Download the tool from the Microsoft website.
Before the upgrade, the version of the Azure AD Connect tool is 1.6.142.
From the Azure AD Connect server, double-click the Azure AD Connect icon on the desktop.
The wizard appears; click Configure.
Select View or export current configuration, then click Next.
Click Export configuration to export the Azure AD Connect configuration.
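The same backup can be taken from PowerShell, which is handy when you want a time-stamped copy before every upgrade. The snippet below is an added example, not part of the original post: it reads the installed version from the ADSync module that Azure AD Connect ships and exports the configuration with Get-ADSyncServerConfiguration, the cmdlet behind the wizard's export button in current releases. The backup folder is an assumed path.

```powershell
# Added example: record the installed version and export the current
# Azure AD Connect configuration before upgrading.
Import-Module ADSync

# The ADSync module version tracks the installed Azure AD Connect build
# (1.6.142 before the upgrade described in the post).
$version = (Get-Module ADSync).Version
Write-Host "Installed Azure AD Connect (ADSync module) version: $version"

# Time-stamped folder so a new export never overwrites the last known-good backup.
# C:\Backup\AADConnect is an assumed location; pick one that is itself backed up.
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$exportPath = "C:\Backup\AADConnect\Exported-ServerConfiguration-$stamp"
New-Item -ItemType Directory -Path $exportPath -Force | Out-Null

# Writes connectors, synchronisation rules and global settings as JSON files,
# the same data the wizard produces under "Export configuration".
Get-ADSyncServerConfiguration -Path $exportPath

# Show what was written so the backup can be checked before running the installer.
Get-ChildItem -Path $exportPath -Recurse -File |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Keep the exported folder off the Azure AD Connect server as well: it is exactly what you need to rebuild the configuration on a fresh server if the upgrade leaves the installation unusable.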
Upgrade Azure AD Connect
Run the msi file you downloaded. There is no need to uninstall the tool first; the upgrade is performed in place.
The wizard appears; check I agree to the license terms and privacy notice, then click Continue.
Click Upgrade to begin the upgrade.
The upgrade is in progress...
After the upgrade, you must sign in as an Azure AD administrator.
Click Upgrade to upgrade the Azure Active Directory synchronisation configuration and enable auto upgrade.
Azure AD Connect has been upgraded.
Create a user account in Azure AD
Azure AD Connect needs an Azure AD account to connect to Azure AD. The Svc_Synchro account was created directly in Azure AD.
The user has no administrative rights.
We can now grant the user the delegation needed to modify Azure AD through Azure AD Connect. From the Azure AD portal, click Azure Active Directory, then Roles and administrators.
Click Hybrid Identity administrator.
Click Add assignments.
Select Svc_Synchro. The user is added to the list of Eligible assignments.
Click Update.
Select Active in the drop-down list.
Enter a justification and click Save.
The administrative right has been assigned. Azure AD Connect must now be configured.
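Before pointing the connector at the new account, it is worth confirming that it really holds only the Hybrid Identity Administrator role and that the assignment is active (an eligible PIM assignment that has not been activated will make the connector fail). The script below is an added example and not from the original post; it uses the Microsoft Graph PowerShell SDK, and the user principal name of Svc_Synchro is an assumed value.

```powershell
# Added example: check which directory roles are active on the synchronisation
# account and flag the two conditions that matter for this setup.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

# Read-only scopes are enough for this check.
Connect-MgGraph -Scopes "User.Read.All", "RoleManagement.Read.Directory"

# Assumed UPN of the account created in the post; adjust to your tenant.
$upn  = "Svc_Synchro@contoso.onmicrosoft.com"
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

# Active role assignments only. Eligible PIM assignments are not returned here
# until they have been activated, which is exactly what we want to verify.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)'"

$roles = foreach ($a in $assignments) {
    (Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
}

Write-Host "Active roles for $($user.UserPrincipalName):"
$roles | Sort-Object -Unique | ForEach-Object { Write-Host " - $_" }

if ($roles -contains 'Global Administrator') {
    Write-Warning "Account holds Global Administrator; remove it, otherwise the change brings no least-privilege benefit."
}
if ($roles -notcontains 'Hybrid Identity Administrator') {
    Write-Warning "Hybrid Identity Administrator is not active; activate the eligible assignment before configuring the connector."
}
```

If Hybrid Identity Administrator is eligible but not active, it shows up under Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance rather than in the assignments above; that distinction is why the post activates the assignment explicitly before touching the connector.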
Configure Azure AD Connect
We can now configure Azure AD Connect to use the new Azure AD account. On the Azure AD Connect server, open a PowerShell prompt with an administrative account and run the following command:
Double-click the Azure AD Connect connector.
Select the Connectivity tab and enter the username and password of the account. Click OK.
A message appears; click OK.
Start a delta synchronisation.
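The delta synchronisation can be started and checked from PowerShell on the Azure AD Connect server, which also gives you a quick way to see whether the connector accepted the new credentials. This is an added example, not code from the original post. It uses the ADSync module cmdlets Get-ADSyncScheduler, Start-ADSyncSyncCycle and Get-ADSyncRunProfileResult, plus the Application event log entries written by the "Directory Synchronization" provider; the assumption that the Azure AD connector's name ends in "- AAD" reflects the default naming and should be adjusted if yours differs.

```powershell
# Added example: run a delta sync after the connector credentials were changed
# and verify the result.
Import-Module ADSync

# The Azure AD connector is, by default, named "<tenant>.onmicrosoft.com - AAD".
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
if (-not $aadConnector) { throw "Azure AD connector not found; check Get-ADSyncConnector output." }

$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    throw "A synchronisation cycle is already running; wait for it to finish."
}
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "The scheduler is disabled; this delta cycle still runs once but no further cycles will."
}

# Delta: only changes since the last run, which is all that is needed after a
# credential change.
Start-ADSyncSyncCycle -PolicyType Delta

# Wait for the cycle to complete before reading results.
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# Most recent run profile results for the Azure AD connector. A result other than
# "success" right after the change usually means the new account was rejected
# (for example because its role assignment is not active).
Get-ADSyncRunProfileResult -ConnectorId $aadConnector.Identifier -NumberRequested 5 |
    Select-Object StartDate, EndDate, RunProfileName, Result |
    Format-Table -AutoSize

# Warnings and errors logged by Azure AD Connect during the run.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    StartTime    = (Get-Date).AddMinutes(-15)
} | Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

If the export or import steps report an authentication failure, re-open the Connectivity tab of the connector and check the credentials, then confirm in the portal that the Hybrid Identity Administrator assignment for Svc_Synchro is active rather than merely eligible.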