Intune AD connector - service account and scalability

Question

we have a environment where we have three domain under a forest and developing a windows autopilot hybrid AAD solution. we are planning to place a second Intune AD connector environment, the article below only states to use service account to configure this, however require these question to be answered before requesting additional access for the service account & on intune ad connector scalability

1) Does the service account require full admin rights on the on-premises server hosting Intune AD connector?
2) if we have already configured both Intune AD connectors and they are currently working fine. Do we need to add the service account in the ‘log on’ as account settings for the Intune ODJ service or reconfigure the entire setup using this account?
3) This service accounts requires delegated right as allowed for the Intune AD connector on all target OU, irrespective of which domain it belongs to?
4) Are there any other requirement for the service account access (account to be synced in azure or license, etc.)
5) how many domain can a single Intune ad connector handle and upto how many clients at a time
6) would it be sufficient to have single connector for all three domain?

Appreciate any guidance on this.
Thanks in advance!!

Answer 1

@svjs-0437 , Based on my understanding, here are my answers to your question:s

1) Does the service account require full admin rights on the on-premises server hosting Intune AD connector?
A1: Yes, I think.

2) if we have already configured both Intune AD connectors and they are currently working fine. Do we need to add the service account in the ‘log on’ as account settings for the Intune ODJ service or reconfigure the entire setup using this account?
A2: We can change the Log on account to service account for the Intune ODJConnector Service.

3) This service accounts requires delegated right as allowed for the Intune AD connector on all target OU, irrespective of which domain it belongs to?
A3: Yes. the service account needs to have the permission to create computer objects in all domains.

4) Are there any other requirement for the service account access (account to be synced in azure or license, etc.)
A4. Research, not find any article mentioned other requirement.

5) how many domain can a single Intune ad connector handle and upto how many clients at a time
A5: Based as I know, users in the Administrators or Domain Administrators groups, and the users who have delegated permissions on containers in Active Directory to create and delete computer accounts, are not restricted by the deafult 10 limitation for domain join.
https://support.microsoft.com/en-us/help/243327/default-limit-to-number-of-workstations-a-user-can-join-to-the-domain

6) would it be sufficient to have single connector for all three domain?
A6. Based on my understanding, It seems to be OK. But I don't have multiple domain environment at hand to do test. Maybe you can try to confirm.

Hope it can help.

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.