Yesterday Microsoft released AAD Connect build 1.1.654.0, which addresses a security vulnerability that allows lower-level administrators to gain elevated privileges by resetting the password of the on-prem MSOL_xxxxxx account used by AAD Connect for synchronization. To be honest, this is no more risky than allowing junior admins to reset the password of any highly privileged account, or to add themselves to a highly privileged group like Domain Admins or Enterprise Admins. You should always secure and monitor every highly privileged account and group in your organization.
The AAD Connect Version History explains the security issue that build 1.1.654.0 addresses. It also gets the EXPTA award for the most poorly written release notes ever. Spelling errors, grammar errors, syntax errors, oh my. But I digress...
Microsoft also released a PowerShell script (module, really), AdSyncConfig.psm1, which configures the new recommended permissions on the MSOL_xxxxxx account for those organizations who need to secure the account immediately, but can't upgrade to the latest version of AAD Connect at this time. The script is available on the TechNet Gallery.
The AdSyncConfig module is not quite as straightforward to use as written, though, so I wanted to document here how to use it. The first problem is that the module is not digitally signed. That means you'll get the warning, "The publisher of AdSyncConfig.psm1 couldn't be verified" when you download it with Internet Explorer. Edge doesn't complain.
It also means that you will probably have to change your execution policy in PowerShell to run it. The recommended execution policy of RemoteSigned will block the downloaded module from being imported, since it's not digitally signed.
If you can't upgrade to the latest build immediately, here are all the correct steps to use the AdSyncConfig.psm1 module to secure the MSOL_xxxxxx account immediately. There is no downtime associated with these steps.
- Download AdSyncConfig.psm1 to your AAD Connect computer and open an elevated PowerShell console.
- Run Get-ExecutionPolicy to view the current policy. Usually it's RemoteSigned or Restricted.
- Run Set-ExecutionPolicy -ExecutionPolicy Unrestricted in order to import the unsigned module.
- Run Import-Module AdSyncConfig.psm1 to import the module.
- Run $Account = Get-ADUser -Filter 'Name -like "msol_*"' to store the account information for the MSOL_xxxxxx account.
- Run Set-ADSyncRestrictedPermissions -ObjectDN $Account.DistinguishedName -Credential (Get-Credential) to reset the permissions on the MSOL account to the new recommended settings. Be sure to enter the credential in domain\username format.
- Run Set-ExecutionPolicy -ExecutionPolicy RemoteSigned to reset the execution policy.
- Run Restart-Service adsync to restart the Microsoft Azure AD Sync service.
- Run Start-ADSyncSyncCycle -PolicyType Delta to force a new delta sync and confirm that synchronization is working properly.
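The steps above wrapped in a single script, as an added example that is not from the original post or from Microsoft's AdSyncConfig module. It adds the checks I would want before running this in production: it insists on exactly one MSOL_* match (the -like filter can pick up a stale account from an earlier install), restores the original execution policy even if a step fails, and ends by listing the ACEs granted to SELF so the result can be compared with a patched build. The module path is an assumption; Unblock-File and the AD: drive from the ActiveDirectory module are additions not mentioned in the post.

```powershell
# Added example (not from the original post or from Microsoft's AdSyncConfig module).
# Assumptions: elevated console on the AAD Connect server, AdSyncConfig.psm1 saved at
# $ModulePath (assumed location), ActiveDirectory module installed (provides the AD: drive).
param(
    [string]$ModulePath = 'C:\Temp\AdSyncConfig.psm1'   # assumed download location
)

Import-Module ActiveDirectory

# Locate the MSOL_xxxxxx account. The -like filter can match more than one object,
# so refuse to continue unless exactly one account is found.
$accounts = @(Get-ADUser -Filter 'Name -like "msol_*"')
if ($accounts.Count -ne 1) {
    throw "Expected exactly one MSOL_* account, found $($accounts.Count): $($accounts.Name -join ', ')"
}
$Account = $accounts[0]

# Remember the current policy so it is restored even if a later step throws.
$originalPolicy = Get-ExecutionPolicy
try {
    # The module is unsigned: clear the Internet zone mark and relax the policy.
    Unblock-File -Path $ModulePath
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
    Import-Module $ModulePath

    # Prompt for a Domain Admin credential in domain\username format and apply the
    # new recommended permissions to the MSOL account.
    $cred = Get-Credential -Message 'Domain Admin credential (domain\username)'
    Set-ADSyncRestrictedPermissions -ObjectDN $Account.DistinguishedName -Credential $cred
}
finally {
    Set-ExecutionPolicy -ExecutionPolicy $originalPolicy -Force
}

# Restart the sync service and run a delta sync to confirm synchronization still works.
Restart-Service adsync
Start-ADSyncSyncCycle -PolicyType Delta

# Verification: the hardening changes what SELF may do on the MSOL object, so list
# the ACEs whose trustee is NT AUTHORITY\SELF for comparison with a patched install.
function Get-MsolSelfAces {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType
}
Get-MsolSelfAces -DistinguishedName $Account.DistinguishedName | Format-Table -AutoSize
```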
Once you install AAD Connect build 1.1.654.0 or run the steps for the module above, you will see that the MSOL_xxxxxx account has updated permissions for SELF.