Unused Azure AD Connect accounts "On-Premises Directory Synchronization Service Account"

Playing with #Azure Privileged Identity Management made me aware of two active accounts from old or failed AAD Connect installations from way back.
We don't want to leave something with that potential for misuse lying around in our AAD.

To check if you have the same in your tenant you don't need PIM: just search for "On-Premises Directory Synchronization Service Account" under Users in https://admin.microsoft.com/Adminportal or the Azure portal. I am using the Microsoft 365 Admin center because you can block the account from there; with the Azure portal you must use PowerShell commands.
The active AAD Sync accounts should contain the name of the AAD Connect server in their display name.

Remember to disable/block the account before deleting it, so you can make sure it's not still in use; otherwise you must re-run the AAD Connect installation to recreate it.

You can also check the sign-ins log in Azure AD: if you have two connectors, the passive one usually logs in about once a month, so there should still be some activity on that account.
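The same procedure done from PowerShell (find the sync accounts, check their last sign-in, block the leftovers, and delete only later), as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed and that the signed-in admin holds the listed scopes; the object id of the stale account is a placeholder you fill in from the listing.

```powershell
# Added example (not from the original post): review leftover
# "On-Premises Directory Synchronization Service Account" users with the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and the caller is granted the scopes below.
Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","Directory.Read.All"

$prefix = "On-Premises Directory Synchronization Service Account"

# Every sync service account, active or leftover, shares this display name prefix.
$syncAccounts = Get-MgUser -Filter "startswith(displayName,'$prefix')" `
    -Property Id,DisplayName,UserPrincipalName,AccountEnabled,CreatedDateTime -All

foreach ($acct in $syncAccounts) {
    # Most recent sign-in for this account. An account a connector still uses
    # signs in regularly; even the passive connector shows activity roughly monthly.
    # Sign-in logs are returned newest first, so -Top 1 is the latest entry.
    $lastSignIn = Get-MgAuditLogSignIn -Filter "userId eq '$($acct.Id)'" -Top 1 |
        Select-Object -ExpandProperty CreatedDateTime

    [pscustomobject]@{
        DisplayName = $acct.DisplayName       # should name the AAD Connect server if still in use
        UPN         = $acct.UserPrincipalName
        Enabled     = $acct.AccountEnabled
        Created     = $acct.CreatedDateTime
        LastSignIn  = $lastSignIn             # empty = no sign-in in the retained log window
    }
}

# Block (do not delete yet) an account identified as a leftover.
# Placeholder: replace with the object id from the listing above.
$staleId = "<object-id-of-leftover-account>"
Update-MgUser -UserId $staleId -AccountEnabled:$false

# Only once a waiting period has passed with no sync errors, remove it for good:
# Remove-MgUser -UserId $staleId
```

Get-MgAuditLogSignIn only returns data on tenants licensed for Azure AD Premium (P1/P2) and only within the log retention window, so an empty LastSignIn on an unlicensed tenant proves nothing; in that case fall back to the display-name check against your connector server names before blocking anything.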
