Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets
The purpose of this document is to describe the Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets give you finer-grained control over the permissions that are applied to the service account (gMSA). By default, Azure AD Connect cloud sync applies the full set of permissions used by Azure AD Connect to the default gMSA or to a custom gMSA.
This document will cover the following cmdlets: Set-AADCloudSyncRestrictedPermissions and Set-AADCloudSyncPermissions.
How to use the cmdlets:
The following prerequisites are required to use these cmdlets.

1. Install the provisioning agent.
2. Import the provisioning agent PowerShell module into a PowerShell session:

   ```powershell
   Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"
   ```

3. Remove existing permissions. To remove all existing permissions on the service account, except SELF, use `Set-AADCloudSyncRestrictedPermissions`. This cmdlet requires a parameter called `Credential`, which can be passed in, or the cmdlet will prompt for it if called without it. To create a credential variable, use:

   ```powershell
   $credential = Get-Credential
   ```

   This will prompt the user to enter a username and password. The credentials must be at a minimum a domain administrator of the domain where the agent is installed; an enterprise admin account also works. Then you can call the cmdlet to remove the extra permissions:

   ```powershell
   Set-AADCloudSyncRestrictedPermissions -Credential $credential
   ```

   Or you can simply call `Set-AADCloudSyncRestrictedPermissions` without the parameter, which will prompt for credentials.

4. Add specific permission types. The permissions added are the same as those used by Azure AD Connect. See "Using Set-AADCloudSyncPermissions" below for examples of setting the permissions.
Set-AADCloudSyncPermissions supports the following permission types, which are identical to the permissions used by Azure AD Connect:

| Permission type | Description |
|---|---|
| BasicRead | See BasicRead permissions for Azure AD Connect |
| PasswordHashSync | See PasswordHashSync permissions for Azure AD Connect |
| PasswordWriteBack | See PasswordWriteBack permissions for Azure AD Connect |
| HybridExchangePermissions | See HybridExchangePermissions permissions for Azure AD Connect |
| ExchangeMailPublicFolderPermissions | See ExchangeMailPublicFolderPermissions permissions for Azure AD Connect |
| CloudHR | Applies 'Create/delete User objects' on 'This object and all descendant objects' |
| All | Adds all the above permissions |
You can use Set-AADCloudSyncPermissions in one of two ways:
- Grant a certain permission to all configured domains
- Grant a certain permission to a specific domain
Grant a certain permission to all configured domains
Granting a permission to all configured domains requires the use of an enterprise admin account.

```powershell
Set-AADCloudSyncPermissions -PermissionType <PermissionType> -EACredential $credential
```

Here `<PermissionType>` is any of the permission types listed above, and `$credential` is the variable populated earlier with `$credential = Get-Credential`.
Grant a certain permission to a specific domain
Granting a permission to a specific domain requires, at minimum, a domain admin account of the domain you are attempting to add.

```powershell
Set-AADCloudSyncPermissions -PermissionType <PermissionType> -TargetDomain "<FQDN of domain>" -TargetDomainCredential $credential
```

Here `<PermissionType>` is any of the permission types listed above, the target domain must already have been configured through the wizard, and `$credential` is the same credential variable as above.

Note: when granting to all configured domains, the credentials must be at a minimum enterprise admin. When granting to a specific domain, the credentials can be either domain admin or enterprise admin.
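The following script, added here as an illustration and not taken from the original page or from Microsoft's own documentation, strings the steps above together into a least-privilege workflow: it strips the gMSA's delegated permissions, re-grants only the two types needed for a password-hash-sync scenario on one domain, and then lists the ACEs the gMSA ends up holding so the result can be checked. The module path and the cmdlet names come from the page; the domain name `contoso.com`, the gMSA account name `provAgentgMSA$` (the agent's default, replace it if you use a custom gMSA) and the use of the ActiveDirectory RSAT module for the final verification are assumptions.

```powershell
# Added example (not the page's own code): least-privilege setup for the cloud sync gMSA.
# Assumptions: agent installed at the default path, default gMSA name 'provAgentgMSA$',
# and 'contoso.com' standing in for a domain already configured through the agent wizard.

# 1. Load the provisioning agent module (path as given on the page).
Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"

# 2. Collect credentials once. A domain admin of the target domain suffices for the
#    domain-scoped calls below; enterprise admin would be needed for -EACredential.
$credential = Get-Credential -Message "Domain admin (or enterprise admin) for contoso.com"

# 3. Remove every delegated permission on the gMSA except SELF, so that only what is
#    explicitly re-granted below remains in effect.
Set-AADCloudSyncRestrictedPermissions -Credential $credential

# 4. Re-grant only what this scenario needs, scoped to a single domain.
#    PasswordWriteBack, the Exchange types and CloudHR are deliberately left out.
$targetDomain = "contoso.com"
foreach ($type in @("BasicRead", "PasswordHashSync")) {
    Set-AADCloudSyncPermissions -PermissionType $type `
                                -TargetDomain $targetDomain `
                                -TargetDomainCredential $credential
}

# 5. Verify: enumerate the ACEs the gMSA now holds on the domain root.
#    Requires the ActiveDirectory RSAT module; the account name is an assumption.
Import-Module ActiveDirectory
$gmsaName = 'provAgentgMSA$'
$domainDN = (Get-ADDomain -Server $targetDomain).DistinguishedName
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$gmsaName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize
```

Run the script on the server where the agent is installed, from an elevated PowerShell session. The final listing is the check worth keeping in a change record: anything beyond the read and replication-related rights expected for BasicRead and PasswordHashSync on that domain means either the restriction step did not run or an extra permission type was granted.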