How To Delegate Access to Synchronize Azure AD Connect


In some cases, you may wish to delegate the right to trigger an Azure AD Connect synchronization, for example to a help desk that edits user attributes.

You can do this without delegating full rights to manage Azure AD Connect, because the sync service has its own set of security groups with different privilege levels.

When you install Azure AD Connect, it creates several groups:

  • ADSyncAdmins
  • ADSyncBrowse
  • ADSyncOperators
  • ADSyncPasswordSet

If you install Azure AD Connect to a member server, then these groups are created as local groups on the server.

If you install Azure AD Connect on a domain controller, these groups are created as domain local groups.

To allow an admin to perform an Azure AD Connect synchronization, she needs to be a member of ADSyncOperators. This group grants the right to run sync operations and view the configuration, but not the full control over the sync service that ADSyncAdmins grants, so it is the least-privilege choice for this task.

Group membership is evaluated at logon, so after updating the group, the user needs to log off and log on again before the new group appears in their access token.

You can check the groups in the current access token using the following command (ADSyncOperators shows up near the end of the GROUP INFORMATION section):

PS C:\> whoami /all

USER INFORMATION
----------------

User Name              SID
====================== ==============================================
easy365manager\adm.msk S-1-5-21-3688220979-3330231506-4120471870-1142


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
EASY365MANAGER\AD User Management          Group            S-1-5-21-3688220979-3330231506-4120471870-1143 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
EASY365MANAGER\ADSyncOperators             Alias            S-1-5-21-3688220979-3330231506-4120471870-1105 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
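The procedure above, as an added PowerShell example that is not part of the original article: an administrator runs Grant-ADSyncOperator on the Azure AD Connect server to add the account to ADSyncOperators (the local group on a member server, the domain local group on a domain controller), and the delegated user, after logging off and on again, runs Invoke-DelegatedSync, which repeats the whoami check from the article before starting a delta sync. The domain and account names are hypothetical placeholders; the cmdlets (Add-LocalGroupMember, Add-ADGroupMember, Get-ADSyncScheduler, Start-ADSyncSyncCycle) are the real ones from the Microsoft.PowerShell.LocalAccounts, ActiveDirectory and ADSync modules.

```powershell
# Added example: delegate Azure AD Connect sync rights via ADSyncOperators.
# Run Grant-ADSyncOperator elevated on the Azure AD Connect server.
# Run Invoke-DelegatedSync as the delegated user after a fresh logon.

function Grant-ADSyncOperator {
    param(
        [Parameter(Mandatory)][string]$Domain,          # e.g. 'EASY365MANAGER' (hypothetical)
        [Parameter(Mandatory)][string]$SamAccountName   # e.g. 'adm.msk' (hypothetical)
    )
    # Least privilege: ADSyncOperators, never ADSyncAdmins, for "just run a sync".
    $group = 'ADSyncOperators'

    # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    # On a DC the ADSync groups are domain local groups; elsewhere they are local groups.
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    if ($isDC) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $already = Get-ADGroupMember -Identity $group |
            Where-Object { $_.SamAccountName -eq $SamAccountName }
        if (-not $already) {
            Add-ADGroupMember -Identity $group -Members $SamAccountName
        }
    }
    else {
        $member = "$Domain\$SamAccountName"
        # Add-LocalGroupMember throws if the principal is already a member, so check first.
        $already = Get-LocalGroupMember -Group $group |
            Where-Object { $_.Name -eq $member }
        if (-not $already) {
            Add-LocalGroupMember -Group $group -Member $member
        }
    }
    Write-Host "$Domain\$SamAccountName is a member of $group. The user must log off and on again."
}

function Test-ADSyncOperatorToken {
    # Same check as 'whoami /all' in the article, parsed from CSV output:
    # is ADSyncOperators present in the current logon token?
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $hit = $groups | Where-Object { $_.'Group Name' -like '*\ADSyncOperators' }
    return [bool]$hit
}

function Invoke-DelegatedSync {
    if (-not (Test-ADSyncOperatorToken)) {
        throw 'ADSyncOperators is not in your access token. If you were just added, log off and log on again.'
    }
    Import-Module ADSync -ErrorAction Stop

    # Do not stack a second run on top of a cycle that is already in progress.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already running; try again in a minute.'
        return
    }
    # Delta sync picks up the attribute changes just made in AD.
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Usage (each in the appropriate session):
# Grant-ADSyncOperator -Domain 'EASY365MANAGER' -SamAccountName 'adm.msk'
# Invoke-DelegatedSync
```

The whoami check is deliberately kept as a separate function so the delegated user gets a clear message about the logoff/logon requirement instead of an access-denied error from the sync engine.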

Perform One-Click Synchronization From AD Users & Computers

With Easy365Manager, you get the ability to trigger an Azure AD Connect synchronization directly from user properties.

Typically, you’ll want to trigger a synchronization immediately after making AD user changes (like updating the email address).

Select the “Synchronize AD with Office 365” checkbox and click OK or Apply:

With Easy365Manager, you can offload complex tasks (that usually would require PowerShell) to first-level support in a few minutes.

As a bonus, it’s possible to remove your on-premises Exchange Server altogether. That removes the attack surface targeted by on-premises Exchange zero-day exploits such as the ProxyLogon exploits used by Hafnium in 2021.

Download the 30-day trial to try out the many features.