Active Roles Synchronization Service: Permissions necessary to run the Azure BackSync Configuration Wizard (4276453)

This article details the required permissions for configuring the Azure BackSync in the Active Roles Synchronization Service.

1) As stated in SyncService Admin guide: For Office 365 connector and the Azure AD connector configuration Global Administrator role is required.

Reference:

Active Roles 7.4.5 - Synchronization Service Administration Guide (Creating a Microsoft Office 365 connection)

https://support.oneidentity.com/technical-documents/active-roles/7.4.5/synchronization-service-administration-guide/61#TOPIC-1675465

Active Roles 7.4.5 - Synchronization Service Administration Guide (Creating a Microsoft Azure Active Directory connection)

https://support.oneidentity.com/technical-documents/active-roles/7.4.5/synchronization-service-administration-guide/69#TOPIC-1675497

2) For BackSync configuration and operation following minimum permissions are required.

Reference:

Active Roles 7.4.5 - Synchronization Service Administration (Configure Azure Backsync)

https://support.oneidentity.com/technical-documents/active-roles/7.4.5/synchronization-service-administration-guide/6#TOPIC-1675249

NOTE:

• The minimal privilege required for configuring and executing the back sync operation are :

a) User administrator 

b) Privileged role administrator 

c) Exchange administrator 

d) Application administrator

• Directory Writers Role must be enabled in Azure Active Directory. To enable the role use the following script:

$psCred=Get-Credential

Connect-AzureAD -Credential  $psCred

$roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }

# Enable an instance of the DirectoryRole template

Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

• In case of an application not found error, please try the configure back-synchronization operation again after some time, since the Azure App synchronization may take some time.