Protect Azure AD Connect

Respecting the principle of least privilege is essential today. It has long been possible to configure the Active Directory connector of Azure AD Connect with a dedicated user account that has no administrative rights. However, the Azure AD connector still required an Azure AD account holding the Global Administrator role.

Since the latest version of Azure AD Connect, it is possible to use an account with restricted rights for the Azure AD connector: the Hybrid Identity Administrator role.

Export configuration of Azure AD Connect

The export gives you a backup in case Azure AD Connect malfunctions during the upgrade; the initial configuration can then be restored.

If Azure AD Connect is already installed on your server, you first need to upgrade it to the latest version. Download the tool from the Microsoft website.

Before the upgrade, the installed version of the Azure AD Connect tool is 1.6.142.

From the Azure AD Connect server, double-click the Azure AD Connect icon on the desktop.

The wizard appears; click Configure.

Select View or export current configuration, then click Next.

Click Export configuration to export the Azure AD Connect configuration.

Upgrade Azure AD Connect

Run the msi file downloaded earlier. There is no need to uninstall the tool; the upgrade is performed in place.

The wizard appears; check I agree to the license terms and privacy notice, then click Continue.

Click Upgrade to begin the upgrade.

The upgrade is in progress.

After the upgrade, you must sign in with an Azure AD administrator account.

Click Upgrade to upgrade the Azure Active Directory synchronisation configuration and enable auto upgrade.

Azure AD Connect has been upgraded.

Create user account on Azure AD

Azure AD Connect must use an Azure AD account to connect to Azure AD. The Svc_Synchro account was created directly in Azure AD, so it is a cloud-only account and is not synchronised from the on-premises Active Directory.

The user has no administrative role.

We can now delegate to this user the right to modify Azure AD through Azure AD Connect. From the Azure AD portal, click Azure Active Directory, then Roles and administrators.

Click Hybrid Identity administrator.

Click on Add assignments.

Select Svc_Synchro. The user is added to the list of Eligible assignments.

Click on Update.

Select Active in the drop-down list. For a service account the assignment must be permanently active: a time-bound activation expires, and the Azure AD connector then stops authenticating.

Enter a justification and click Save.

The role has been assigned. Hybrid Identity Administrator is still a privileged role (it can change federation, pass-through authentication and synchronisation settings), so the Svc_Synchro account must be protected like any other Tier 0 credential: long random password, no interactive use, and sign-in monitoring. Azure AD Connect can now be configured to use it.
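
The same result can be obtained from the Microsoft Graph PowerShell SDK, which is convenient when the account is created by a script rather than in the portal. The block below is an added example, not code from the original post: it creates the Svc_Synchro account, grants it the Hybrid Identity Administrator role as a permanent active assignment (the portal steps above go through PIM, where such an assignment shows up as "Permanently active"), and then verifies that the account holds no other directory role such as Global Administrator. The tenant domain `contoso.onmicrosoft.com` and the installed Microsoft.Graph module are assumptions.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph module installed,
# tenant initial domain contoso.onmicrosoft.com, operator signs in with a role allowed to
# create users and assign directory roles.
# Prerequisite: Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

# Scopes: create users and manage unified role assignments.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$upn = "svc_synchro@contoso.onmicrosoft.com"   # assumption: your tenant's initial domain

# Long random password: it is typed once into the connector's Connectivity tab and stored in a vault.
$chars = [char[]]((48..57) + (65..90) + (97..122) + (33..47))
$plainPassword = -join (1..32 | ForEach-Object { $chars | Get-Random })

# Password expiration is disabled on purpose: an expired service account password breaks synchronisation.
$user = New-MgUser -DisplayName "Svc_Synchro" -UserPrincipalName $upn -MailNickname "svc_synchro" `
    -AccountEnabled -PasswordPolicies "DisablePasswordExpiration" `
    -PasswordProfile @{ Password = $plainPassword; ForceChangePasswordNextSignIn = $false }

# Resolve the built-in role by display name and create a permanent active assignment at tenant scope ("/").
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Hybrid Identity Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null

# Verification: list every active role assignment of the account and fail if anything other
# than Hybrid Identity Administrator is present (Global Administrator in particular).
$assigned = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object { (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName }
$unexpected = $assigned | Where-Object { $_ -ne "Hybrid Identity Administrator" }
if ($unexpected) { throw "Svc_Synchro holds unexpected roles: $($unexpected -join ', ')" }

Write-Host "Svc_Synchro roles: $($assigned -join ', ')"
Write-Host "Password (store it in your vault, then clear this console): $plainPassword"
```

The verification step only sees active assignments; PIM eligible assignments live in role eligibility schedules and are not returned by the role assignment query, which is fine here because the connector needs an active role, not an eligible one.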

Configure Azure AD Connect

We can now configure Azure AD Connect to use the new Azure AD account. From the Azure AD Connect server, open a PowerShell prompt with an administrative account and run the following command:

Double-click the Azure AD connector.

Select the Connectivity tab, enter the username and password of the account, then click OK.

A message appears; click OK.

Start a new Synchronisation

Start a delta synchronisation to confirm that the connector authenticates with the new account.
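
The check can be scripted on the Azure AD Connect server with the ADSync module. The block below is an added example, not code from the original post: it reports which account the Azure AD connector is now configured with, starts a delta sync cycle, waits for the scheduler to finish, and inspects the connector's latest run results so that a credential, password-expiry or Conditional Access problem surfaces immediately instead of at the next scheduled cycle. The connector name pattern (`* - AAD`, the wizard default), the `ConnectivityParameters["UserName"]` entry and the property names read from `Get-ADSyncRunProfileResult` are assumptions.

```powershell
# Added example (not from the original post). Run on the Azure AD Connect server after the
# connector credential has been changed in the Connectivity tab.
# Assumptions: Azure AD connector name ends in " - AAD"; ConnectivityParameters exposes a
# "UserName" entry; run results expose RunProfileName and Result.
Import-Module ADSync

$aad = Get-ADSyncConnector | Where-Object { $_.Name -like "* - AAD" }
if (-not $aad) { throw "Azure AD connector not found; list connectors with Get-ADSyncConnector" }

# The account currently configured in the connector's Connectivity tab.
$account = $aad.ConnectivityParameters["UserName"].Value
Write-Host "Azure AD connector '$($aad.Name)' authenticates as: $account"

# Refuse to start a second cycle while one is running; the scheduler is the source of truth.
if ((Get-ADSyncScheduler).SyncCycleInProgress) { throw "A sync cycle is already in progress; retry later" }
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# Poll the scheduler until the cycle completes (timeout: 15 minutes).
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 10
    $busy = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($busy -and (Get-Date) -lt $deadline)
if ($busy) { throw "Delta sync did not finish within 15 minutes" }

# Inspect the most recent run profiles of the Azure AD connector (import and export steps).
# An authentication failure with the new account shows up here as a non-"success" result.
$runs = Get-ADSyncRunProfileResult -ConnectorId $aad.Identifier -NumberRequested 3
foreach ($run in $runs) {
    Write-Host ("{0,-25} {1}" -f $run.RunProfileName, $run.Result)
}
$failed = $runs | Where-Object { $_.Result -ne "success" }
if ($failed) {
    throw "Azure AD connector reported failures after the credential change; check the Operations tab of the Synchronization Service Manager"
}
Write-Host "Delta synchronisation completed with the new account."
```

If the run results show a failure right after the change, the first things to verify are the password typed into the Connectivity tab and any Conditional Access policy that applies to Svc_Synchro, since the connector cannot satisfy an interactive MFA prompt.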
