Azure AD Connect uses 3 accounts in order to synchronize information from on-premises or Windows Server Active Directory to Azure Active Directory. These accounts are:
AD DS Connector account: used to read/write information to Windows Server Active Directory
ADSync service account: used to run the synchronization service and access the SQL database
Azure AD Connector account: used to write information to Azure AD
In addition to these three accounts used to run Azure AD Connect, you will also need the following additional accounts to install Azure AD Connect. These are:
Local Administrator account: The administrator who is installing Azure AD Connect and who has local Administrator permissions on the machine.
AD DS Enterprise Administrator account: Optionally used to create the “AD DS Connector account” above.
Azure AD Global Administrator account: used to create the Azure AD Connector account and configure Azure AD.
SQL SA account (optional): used to create the ADSync database when using the full version of SQL Server. This SQL Server may be local or remote to the Azure AD Connect installation. This account may be the same account as the Enterprise Administrator. Provisioning the database can now be performed out of band by the SQL administrator and then installed by the Azure AD Connect administrator with database owner rights.
No comments:
Post a Comment