In some cases, you may wish to delegate the right to synchronize Azure AD Connect.
You can easily do this without delegating full access to manage Azure AD Connect.
When you install Azure AD Connect, it creates several groups:
- ADSyncAdmins
- ADSyncBrowse
- ADSyncOperators
- ADSyncPasswordSet
If you install Azure AD Connect to a member server, then these groups are created as local groups on the server.
If you install Azure AD Connect on a domain controller, these groups are created as domain local groups.
To allow an admin to perform an Azure AD Connect synchronization, she needs to be a member of ADSyncOperators.
After updating the group membership, the user needs to log off and log on to refresh their access token.
You can check the access token using the following command:
PS C:\> whoami /all

USER INFORMATION
----------------

User Name              SID
====================== ==============================================
easy365manager\adm.msk S-1-5-21-3688220979-3330231506-4120471870-1142

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
EASY365MANAGER\AD User Management          Group            S-1-5-21-3688220979-3330231506-4120471870-1143 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
EASY365MANAGER\ADSyncOperators             Alias            S-1-5-21-3688220979-3330231506-4120471870-1105 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
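The same delegation as a script, added here as an example (it is not part of the original article or of Easy365Manager). The first function is run by an administrator on the Azure AD Connect server and picks local or domain local group membership depending on whether the server is a domain controller; the second is run by the delegated operator after logging off and on, and parses the token the way the whoami output above shows it. The account name adm.msk and domain easy365manager are placeholders taken from the output above.

```powershell
# Added example, not from the article or Easy365Manager.
# Placeholders (assumptions): domain 'easy365manager', account 'adm.msk'.
$Group = 'ADSyncOperators'   # created by the Azure AD Connect installer

function Grant-ADSyncOperator {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'easy365manager\adm.msk'
    # On a domain controller the installer creates domain local groups; on a
    # member server it creates local groups. DomainRole 4/5 = backup/primary DC.
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    if ($isDC) {
        # ActiveDirectory module (RSAT) is present on a DC; pass the sAMAccountName.
        Add-ADGroupMember -Identity $Group -Members ($Account.Split('\')[-1])
    } else {
        $already = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
                   Where-Object Name -eq $Account
        if (-not $already) { Add-LocalGroupMember -Group $Group -Member $Account }
    }
    # Membership only lands in a new logon token; the operator must log off and on.
    Write-Output "Added $Account to $Group; a fresh logon is required before it applies."
}

function Test-ADSyncOperatorToken {
    # Run in the operator's own session. 'whoami /groups /fo csv' yields the same
    # GROUP INFORMATION table as 'whoami /all', in a form ConvertFrom-Csv can parse.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $hit = $groups | Where-Object { $_.'Group Name' -like "*\$Group" }
    return [bool]$hit
}

# Administrator step:
Grant-ADSyncOperator -Account 'easy365manager\adm.msk'

# Operator step, after a new logon: only then trigger the sync, so a failed run
# points at a stale token rather than at Azure AD Connect itself.
if (Test-ADSyncOperatorToken) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    Write-Warning "$Group is not in the current token; log off and log on, then retry."
}
```

Start-ADSyncSyncCycle comes with the ADSync module that the Azure AD Connect installer places on the server, so the check and the sync are run on that server, not from the operator's workstation.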
Perform One-Click Synchronization From AD Users & Computers
With Easy365Manager, you get the ability to trigger an Azure AD Connect synchronization directly from user properties.
Typically, you’ll want to trigger a synchronization immediately after making AD user changes (like updating the email address).
Select the “Synchronize AD with Office 365” checkbox and click OK or Apply:
With Easy365Manager, you can offload complex tasks (that usually would require PowerShell) to first-level support in a few minutes.
As a bonus, it’s possible to remove your on-premises Exchange Server altogether. This gives you 100% protection from future on-premises Exchange zero-day exploits like the ones used by Hafnium.
Download the 30-day trial to try out the many features.