Create a group managed service account (gMSA) in Azure AD Domain Services
Applications and services often need an identity to authenticate themselves with other resources. For example, a web service may need to authenticate with a database service. If an application or service has multiple instances, such as a web server farm, manually creating and configuring the identities for those resources gets time consuming.
Instead, a group managed service account (gMSA) can be created in the Azure Active Directory Domain Services (Azure AD DS) managed domain. The Windows OS automatically manages the credentials for a gMSA, which simplifies the management of large groups of resources.
This article shows you how to create a gMSA in an Azure AD DS managed domain using Azure PowerShell.
Before you begin
To complete this article, you need the following resources and privileges:
- An active Azure subscription.
- If you don’t have an Azure subscription, create an account.
- An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
- An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
- If needed, complete the tutorial to create and configure an Azure Active Directory Domain Services instance.
- A Windows Server management VM that is joined to the Azure AD DS managed domain.
- If needed, complete the tutorial to create a management VM.
Managed service accounts overview
A standalone managed service account (sMSA) is a domain account whose password is automatically managed. This approach simplifies service principal name (SPN) management, and enables delegated management to other administrators. You don't need to manually create and rotate credentials for the account.
A group managed service account (gMSA) provides the same management simplification, but for multiple servers in the domain. A gMSA lets all instances of a service hosted on a server farm use the same service principal for mutual authentication protocols to work. When a gMSA is used as service principal, the Windows operating system again manages the account's password instead of relying on the administrator.
For more information, see group managed service accounts (gMSA) overview.
Using service accounts in Azure AD DS
As Azure AD DS managed domains are locked down and managed by Microsoft, there are some considerations when using service accounts:
- Create service accounts in custom organizational units (OU) on the managed domain.
- You can't create a service account in the built-in AADDC Users or AADDC Computers OUs.
- Instead, create a custom OU in the Azure AD DS managed domain and then create service accounts in that custom OU.
- The Key Distribution Services (KDS) root key is pre-created.
- The KDS root key is used to generate and retrieve passwords for gMSAs. In Azure AD DS, the KDS root is created for you.
- You don't have privileges to create another, or view the default, KDS root key.
Create a gMSA
To complete these steps to create a gMSA, use your management VM. This management VM should already have the required AD PowerShell cmdlets and connection to the managed domain.
The following example creates a custom OU named myNewOU in the Azure AD DS managed domain named aadds.contoso.com. Use your own OU and managed domain name:
New-ADOrganizationalUnit -Name "myNewOU" -Path "DC=contoso,DC=COM"
Now create a gMSA using the New-ADServiceAccount cmdlet. The following example parameters are defined:
- -Name is set to WebFarmSvc
- -Path parameter specifies the custom OU for the gMSA created in the previous step.
- DNS entries and service principal names are set for WebFarmSvc.aadds.contoso.com
- Principals in CONTOSO-SERVER$ are allowed to retrieve the password use the identity.
Specify your own names and domain names.
New-ADServiceAccount -Name WebFarmSvc ` -DNSHostName WebFarmSvc.aadds.contoso.com ` -Path "OU=MYNEWOU,DC=contoso,DC=com" ` -KerberosEncryptionType AES128, AES256 ` -ManagedPasswordIntervalInDays 30 ` -ServicePrincipalNames http/WebFarmSvc.aadds.contoso.com/aadds.contoso.com, ` http/WebFarmSvc.aadds.contoso.com/contoso, ` http/WebFarmSvc/aadds.contoso.com, ` http/WebFarmSvc/contoso ` -PrincipalsAllowedToRetrieveManagedPassword CONTOSO-SERVER$
Applications and services can now be configured to use the gMSA as needed.
For more information about gMSAs, see Getting started with group managed service accounts.