question

ZotBot-6520 avatar image
0 Votes"
ZotBot-6520 asked soysoliscarlos commented

manually run AD sync without additional privileges

How do we allow someone to run an AD sync but not give them any other privileges?

Let me explain

We have some lower level admins who often make changes to AD accounts or Exchange mailboxes. Usually these changes need to be synchronized to Azure AD. So, they make the changes, then wait 30 minutes for the sync cycle to run, then check to see if the changes fixed the problem.

If the changes did not fix the problem, they make more adjustments and then wait again for 30 minutes. The point is that it's taking a long time. If they could kick off a Delta sync on demand, they could be more efficient. I would like to allow this, but I also cannot allow them to be admins on our Azure AD Connect server. The last thing I need is someone making changes to our Azure AD sync options.

Any ideas on allowing them to run an Azure AD sync, but also restricting them so they cannot run any of the Set cmdlets, or otherwise make AADC changes?

Thanks, ZotBot


azure-ad-connect
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

michev avatar image
0 Votes"
michev answered

Afaik you need to add the user to the ADSyncOperators group. You cannot get more granular than that. Well, you can always create some sort of a PowerShell script that "wraps" the cmdlet and grant them access to that.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

soysoliscarlos avatar image
0 Votes"
soysoliscarlos answered soysoliscarlos commented

Hi @ZotBot-6520

Thank you for asking this question on the Microsoft Q&A Platform.

I understand that you require executing Start-ADSyncSyncCycle -PolicyType Delta as a normal user, right?

You can create a script with the command and add the property ProxyRunAsLocalAdmin

Here are two references to do that configuration.
- https://community.spiceworks.com/topic/2171361-how-to-provide-access-to-powershell-run-as-administrator-for-normal-user
- https://serverfault.com/questions/734320/allow-standard-user-to-run-program-as-local-admin-without-elevation-prompt

Let me know how was go?

Hope this helps,
Carlos Solís Salazar

Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
NOTE: To answer you as quickly as possible, please mention me in your reply.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

soysoliscarlos avatar image soysoliscarlos ·

@ZotBot-6520, you can Accept Answer and Upvote, if the above response helped answer your query, others visiting the forum with the same query might get help.

NOTE: To answer you as quickly as possible, please mention me in your reply.

0 Votes 0 ·