Syncing Group Managed Service Accounts to Azure AD

  • Question

  • Group managed service accounts (gMSA) do not sync to Azure AD. Digging through the documentation, objects with the attribute isCriticalSystemObject are excluded. I'm not sure why. I'm also not sure why gMSAs have that attribute set, or if you can create one without that attribute set. I was hoping I could have an on-prem app running as a gMSA that would be able to access Azure resources like Key Vault without any credentials being managed. I realize the app could be deployed to Azure AD and connect using an Azure Managed Identity, but the app also connects to on-prem resources using the gMSA account. Any help is appreciated.
    Friday, June 28, 2019 5:20 PM

All replies

  • I have an on-premises web application running as a group managed service account (gMSA). Is there a way to access an Azure Key Vault using a gMSA account? gMSA accounts appear to be excluded by default from syncing to Azure AD, and therefore I can't assign permissions. Even if I was able to sync to Azure AD, I'm not sure if it would work. Based on my searching, gMSA accounts are excluded from syncing because the attribute isCriticalSystemObject is set on gMSAs. I realize I could move the app to Azure and use an Azure managed identity, but the app connects to on-prem resources also. I'm also aware I could set up my app in Azure and authenticate using a client ID/secret or certificate, but I don't want to introduce another set of credentials if possible.
    Friday, June 28, 2019 5:17 PM
  • Support was recently added but it does not apply to all services.

    https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/version-history

    https://feedback.azure.com/forums/169401/suggestions/18395203

    I'm looking into whether the second part is possible as I am not certain.

    Monday, July 1, 2019 8:02 PM
    Owner
  • Hi Shawn, I have escalated your question to the Key Vault team to confirm.
    Monday, July 1, 2019 9:31 PM
    Owner
  • Hi Shawn,

    Sorry for the late reply but I just heard back. 

    This is not allowed unless there’s a mechanism to translate a GMSA to an AAD principal.  Authorization to AKV is via AAD only.
    Monday, July 15, 2019 8:39 PM
    Owner
  • Right. A gMSA could be translated to an AAD principal if it could sync to AAD. That's why I originally asked if gMSAs can sync to Azure AD.
    Monday, July 15, 2019 8:45 PM
  • Has anybody been able to figure out how to sync an on-prem gMSA with Azure Active Directory?

    Thursday, September 26, 2019 10:18 PM
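A defender-side check for the behaviour discussed in this thread, added here as an example and not part of any reply: it lists the gMSAs in the domain with their isCriticalSystemObject value and, when run on the Azure AD Connect server, prints the inbound sync-rule scoping conditions that test that attribute. It assumes the RSAT ActiveDirectory module and the ADSync module; the ScopeFilter and ScopeConditionList property names are taken from the ADSync rule objects as I know them and should be treated as an assumption.

```powershell
# Added example, not code from the thread. Inventory on-prem gMSAs and show which
# Azure AD Connect scoping conditions keep them out of the sync scope.
# Assumes: RSAT ActiveDirectory module on a domain-joined host; ADSync module
# present only on the Azure AD Connect server (second check is skipped otherwise).
Import-Module ActiveDirectory

# 1. Every gMSA in the domain with the attribute the thread identifies as the
#    reason for exclusion. gMSAs are msDS-GroupManagedServiceAccount objects,
#    not user objects, and carry isCriticalSystemObject = TRUE.
$gmsas = Get-ADServiceAccount -Filter * -Properties isCriticalSystemObject, objectClass |
    Select-Object Name, DistinguishedName, objectClass, isCriticalSystemObject

$gmsas | Format-Table -AutoSize

# 2. On the Azure AD Connect server: find inbound sync rules whose scoping
#    filter references isCriticalSystemObject, so the exclusion the original
#    poster observed can be traced to a concrete rule rather than guessed at.
#    (ScopeFilter / ScopeConditionList property names are an assumption.)
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    Get-ADSyncRule | Where-Object { $_.Direction -eq 'Inbound' } | ForEach-Object {
        $rule = $_
        foreach ($group in $rule.ScopeFilter) {
            foreach ($cond in $group.ScopeConditionList) {
                if ($cond.Attribute -eq 'isCriticalSystemObject') {
                    [pscustomobject]@{
                        Rule      = $rule.Name
                        Attribute = $cond.Attribute
                        Operator  = $cond.ComparisonOperator
                        Value     = $cond.ComparisonValue
                    }
                }
            }
        }
    } | Format-Table -AutoSize
}
else {
    Write-Host 'ADSync module not found; run on the Azure AD Connect server for the rule check.'
}
```

Any gMSA listed by the first query will not appear in Azure AD, so an on-prem app running under it needs a separate Azure AD identity (managed identity, or an app registration with a certificate) for Key Vault, as the Owner's reply states.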