Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

AWS AD Connect Replication permissions

0

by default, "AWS Delegated Replicate Directory Changes Administrators" have "Replicate Directory Changes" permissions and don't have "Replicate Directory Changes All" which prevent password hash synchronization with Azure AD in case of AD Connect usage.
https://social.technet.microsoft.com/wiki/contents/articles/51110.azure-ad-sync-troubleshooting-error-611-replication-access-was-denied-password-synchronisation-failed.aspx
Is it by design?
Is it possible add "Replicate Directory Changes All" permission?
What is the possible work around?

Topics
Security, Identity, & Compliance
Tags
AWS Directory Service
Language
English
asked 7 years ago910 views
1 Answer
0

Yes this is by design. As managed service we can not allow our passwords to replicate to a 3rd party. This blog post describes the AD Connect scenario that we do support.

https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/

AWS
answered 7 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content