Azure AD Sync

Question

  • Also, is there a document somewhere that would tell me all AD changes that are made by installing Azure AD Sync?

    I noticed changes to certain group policies and I am wondering which changes were made by the installation.  I'm referring to group/local policies, services, users and groups.  Thanks!

    Wednesday, March 22, 2017 3:13 PM

All replies

  • No, that is not documented in detail. Azure AD Sync did not make any changes at all in AD, you had to make those yourself. Azure AD Connect will make changes in AD if you run express mode.

    If you run Azure AD Express, then the wizard will create an account in AD and grant it permissions to read/write and read password hashes. AD Group Policies are not changed.

    There will be some changes on the local server as well (both in express, custom, and in Azure AD Sync). The service account needs sign-in permissions and the right to sign in as a service. There will be 4 groups created that grant permissions to the service.

    Is it mainly AD you are concerned about, or is it the local server where the service is installed?

    Wednesday, March 22, 2017 4:12 PM
  • We were troubleshooting the installation. We attempted a 'custom' installation on the domain controller, then an 'express' installation. We realized the software had to be on a different VLAN to reach our SQL server. We then installed it on an administrator's SQL server using 'custom' and 'express'. Once we finally got it working with Microsoft support, our Netwrix showed a ton of changes to GP, users, groups. 80% of these were not manually created by me. I am more worried about AD than the local server.

    Wednesday, March 22, 2017 5:11 PM
  • The things that are supposed to happen are that when you run express, an account is created in AD with read/write permissions to AD. You will get one per server installation, so if you install it on different servers, then you will get multiple accounts. There is also a service account per server, both in express and custom. These are described here:
    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions#more-about-the-created-accounts

    If you install Connect on a DC, then there isn't a local SAM database so the groups used to secure the server are created in the domain rather than on the local machine.

    If you enabled "Exchange hybrid" in the wizard, then every user in AD is changed for these attributes:
    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#exchange-hybrid-writeback

    There isn't a comprehensive list of changes. I could probably explain every change you see, but it is not something I currently plan to document. If there is something in particular in your logs you are worried about, you can contact me offline at andreas.kjellman(at)knowledgefactory.se.

    Wednesday, March 22, 2017 7:21 PM
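The two answers above describe what an express-mode install leaves behind: one AD DS connector account per installation with read/write and password-hash-read rights on the domain, four groups that secure the sync service (created in the domain when Connect runs on a DC, otherwise locally), and a service account with the log-on-as-a-service right. The following PowerShell inventory script is an added example, not code from the thread or from Microsoft; it collects those objects so each entry in a change-audit report can be matched against an expected cause. The account prefix MSOL_, the group names ADSyncAdmins/ADSyncOperators/ADSyncBrowse/ADSyncPasswordSet, the service name ADSync and the two replication-right GUIDs are the documented defaults as known to the author of this example, not values taken from the thread, and the script assumes it runs as a domain administrator on the Connect server with the RSAT ActiveDirectory module and the built-in LocalAccounts module available.

```powershell
# Added audit example (not from the thread): inventory the objects an Azure AD Connect
# express install is documented to create, so each one can be matched against a change report.
# Assumption: run as a domain admin on the Connect server, RSAT ActiveDirectory module present.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$report = [ordered]@{}

# 1. AD DS connector account(s): one per installation, so several installs leave several accounts.
#    "MSOL_" is the documented default prefix (assumption of this example, not from the thread).
$adAccounts = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties Description, WhenCreated
$report['ADConnectorAccounts'] = $adAccounts | Select-Object SamAccountName, WhenCreated, Description

# 2. Rights granted to those accounts on the domain root: generic read/write plus the two
#    replication extended rights that password hash sync depends on (GUIDs are well-known schema values).
$replGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
$report['DomainRootAces'] = foreach ($acct in $adAccounts) {
    $id = "$($domain.NetBIOSName)\$($acct.SamAccountName)"
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq $id } | ForEach-Object {
        $guid = "$($_.ObjectType)"
        [pscustomobject]@{
            Account  = $id
            Rights   = $_.ActiveDirectoryRights
            Extended = if ($replGuids.ContainsKey($guid)) { $replGuids[$guid] } else { '' }
            Type     = $_.AccessControlType
        }
    }
}

# 3. The four groups that secure the sync service. On a domain controller there is no local SAM,
#    so they are domain groups (DomainRole 4/5 = backup/primary DC); elsewhere they are local groups.
$groupNames = 'ADSyncAdmins', 'ADSyncOperators', 'ADSyncBrowse', 'ADSyncPasswordSet'
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$report['SyncGroups'] = foreach ($g in $groupNames) {
    $members = if ($isDc) {
        Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue | Select-Object -ExpandProperty SamAccountName
    } else {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    }
    [pscustomobject]@{
        Group   = $g
        Scope   = $(if ($isDc) { 'Domain' } else { 'Local' })
        Members = ($members -join ', ')
    }
}

# 4. The sync service and the identity it runs as; that identity is the one that needs
#    the "Log on as a service" right mentioned in the answer above.
$report['SyncService'] = Get-CimInstance Win32_Service -Filter "Name='ADSync'" |
    Select-Object Name, StartName, State, StartMode

# Emit the four sections; pipe to Export-Clixml or ConvertTo-Json to keep a baseline for auditors.
$report
```

Run it once right after installation and keep the output as a baseline: any connector account, group membership, ACE or service identity that a later audit report flags and that is absent from the baseline is a change the install did not explain.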
  • I appreciate the response. As the federal government is enforcing a more stringent approach to the NIST framework, it will be very important to know all changes made by installation of 'approved' software. We, as contractors, are required to follow their regulations. The concern here is that Netwrix picked up every change made to AD, GPO, local policies, services and users and reported these to auditors. I needed to explain why each change happened. I believe it is worthwhile to document all changes made to an environment by installing an application or service. Just my opinion.

    Friday, April 21, 2017 3:59 PM
  • I hear you, but it is not something that is currently planned and I have not seen enough demand for it to be on Microsoft's list of documentation that is planned to be added as a public doc.

    If you need to explain something to the auditors, then feel free to reach out to me and I will explain everything you see in your audit report.

    Thursday, May 04, 2017 7:50 AM