Using Azure AD Connect Sync Security Groups

During setup, Azure AD Connect automatically creates four Azure AD Connect Sync security groups. An Enterprise Administrator can use these groups to delegate control of Azure AD Connect to other users without handing out local administrator rights on the server. They are also the right way to give a user temporary permission to run a manual synchronization (for example with Start-ADSyncSyncCycle -PolicyType Delta) or to troubleshoot directory synchronization issues in the Synchronization Service Manager. Treat the groups as highly privileged: the sync service holds the credentials of the on-premises AD DS connector account and the Azure AD connector account, so anyone who controls it can act as those accounts. Keep membership minimal, audit it regularly, and remove temporary delegates as soon as their task is done.

The groups and what each one allows:

ADSyncAdmins (Administrators group)
Members have full access to do anything in the Azure AD Connect Synchronization Service Manager.

ADSyncOperators (Operators group)
Members have access to the operations of the Synchronization Service Manager, including:

  • running management agents (connectors)
  • viewing the synchronization statistics for each run
  • saving the run history (Operations tab) to a file

Members of this group must also be members of the ADSyncBrowse group.

ADSyncBrowse (Browse group)
Members have permission to gather information about a user's lineage when resetting passwords.

ADSyncPasswordSet (Password Reset group)
Members have permission to perform all operations in the password management interface. Members of this group must also be members of the ADSyncBrowse group.

The groups are created as local groups on the server when Azure AD Connect is installed on a domain-joined member server, or as Active Directory domain groups when it is installed on a domain controller. When you audit or change membership, check which case applies, because the local and domain groups are managed with different tools and a domain group is visible (and modifiable) from anywhere in the forest.
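The following PowerShell script is an added example, not code from the original post, showing how to audit the four groups against an allow-list and how to grant a delegate temporary ADSyncOperators rights (together with the ADSyncBrowse membership that group requires). It handles both the local-group case and the domain-controller case described above. The allow-list contents, the delegate account name and the group membership are assumptions for illustration; the script assumes the built-in LocalAccounts cmdlets on a member server and the RSAT ActiveDirectory module on a domain controller.

```powershell
# Added example (not from the original post): audit and temporarily delegate
# the Azure AD Connect sync security groups on the server they were created on.

$SyncGroups = @('ADSyncAdmins', 'ADSyncOperators', 'ADSyncBrowse', 'ADSyncPasswordSet')

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # Lower values are workstations or member/standalone servers.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Get-ADSyncGroupMember {
    # Returns one object per (group, member) pair, reading either the local
    # groups (member server) or the AD domain groups (domain controller).
    param([string[]]$Group = $SyncGroups)
    $isDC = Test-IsDomainController
    foreach ($g in $Group) {
        if ($isDC) {
            Import-Module ActiveDirectory -ErrorAction Stop
            foreach ($m in (Get-ADGroupMember -Identity $g -Recursive)) {
                [pscustomobject]@{ Group = $g; Member = $m.SamAccountName; Type = $m.objectClass; Scope = 'Domain' }
            }
        } else {
            foreach ($m in (Get-LocalGroupMember -Group $g)) {
                [pscustomobject]@{ Group = $g; Member = $m.Name; Type = $m.ObjectClass; Scope = 'Local' }
            }
        }
    }
}

function Find-UnexpectedADSyncMember {
    # Compares current membership with an allow-list of "Group" -> member names
    # and returns every member that is not on the list. An empty result is the
    # healthy state; anything returned deserves an incident ticket.
    param([Parameter(Mandatory)][hashtable]$Allowed)
    Get-ADSyncGroupMember | Where-Object {
        $ok = $Allowed[$_.Group]
        -not ($ok -and ($ok -contains $_.Member))
    }
}

function Add-ADSyncOperatorDelegate {
    # Grants $User the operators role. ADSyncOperators requires ADSyncBrowse,
    # so both memberships are added. The new token only applies at the
    # delegate's next logon, so tell them to sign in again.
    param([Parameter(Mandatory)][string]$User)
    $isDC = Test-IsDomainController
    foreach ($g in @('ADSyncBrowse', 'ADSyncOperators')) {
        if ($isDC) { Add-ADGroupMember -Identity $g -Members $User }
        else       { Add-LocalGroupMember -Group $g -Member $User }
    }
}

function Remove-ADSyncOperatorDelegate {
    # Reverts Add-ADSyncOperatorDelegate once the troubleshooting is finished.
    param([Parameter(Mandatory)][string]$User)
    $isDC = Test-IsDomainController
    foreach ($g in @('ADSyncOperators', 'ADSyncBrowse')) {
        if ($isDC) { Remove-ADGroupMember -Identity $g -Members $User -Confirm:$false }
        else       { Remove-LocalGroupMember -Group $g -Member $User }
    }
}

# Usage (names below are assumptions for illustration):
# The allow-list is the baseline you expect; the sync service account and the
# installing admin typically end up in ADSyncAdmins, nothing else should.
$baseline = @{
    ADSyncAdmins     = @('CONTOSO\aadc-admin', 'CONTOSO\svc-aadc')
    ADSyncOperators  = @()
    ADSyncBrowse     = @()
    ADSyncPasswordSet = @()
}
Find-UnexpectedADSyncMember -Allowed $baseline | Format-Table -AutoSize

# Temporary delegation for a helpdesk engineer who needs to run a delta sync:
# Add-ADSyncOperatorDelegate -User 'CONTOSO\jdoe'
#   ... jdoe signs in, runs: Start-ADSyncSyncCycle -PolicyType Delta ...
# Remove-ADSyncOperatorDelegate -User 'CONTOSO\jdoe'
```

Run the audit as a scheduled task and alert on any non-empty output; the member names in a local group are reported as DOMAIN\user by Get-LocalGroupMember, while Get-ADGroupMember returns bare SamAccountNames, so keep the allow-list in the form that matches where the groups live.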
