System Administration & Network Administration
active-directory azure-active-directory
Updated Sat, 16 Jul 2022 01:48:33 GMT

AAD Connect and Domain Admin accounts - is it safe to sync them?

I've just installed Active Directory and want to sync the users with the Azure AD we already have. From a technical point of view it looks pretty easy. I've created a domain and added the UPN of our verified domain. Then I created 3 accounts:

  1. (domain admin)
  2. (domain admin)
  3. (regular user)

The UPN for (1) already exists in Azure AD (regular user); (2) and (3) do not exist in Azure AD at the moment. I'm aware that the password and other attributes for (1) will be overwritten in Azure AD by the on-premises values.

I do not have any doubts regarding (3) but have some questions regarding (1) and (2):

  1. Should I just synchronise (1) and (2) and not worry?
  2. Should I maybe create separate and accounts to manage AD locally and not sync them at all, and additionally create and so we have regular accounts to work with our services?

I was trying to find an answer to this, but in the Azure AD Connect documentation I've found only that:

"Microsoft strongly recommends against synchronizing on-premises accounts with pre-existing administrative accounts in Azure Active Directory."

Which is the exact opposite of my case.

Any advice appreciated.


Syncing accounts 1 and 2 to Azure AD doesn't confer any special abilities, privileges, or rights on the synced accounts in Azure AD or Office 365. Additionally, their membership in any protected groups in your on-premises AD is not synced to the account in Azure AD.
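As an added example (not part of the answer above), the following PowerShell lists the on-premises accounts that hold membership in the protected groups the answer refers to, together with the OU each account lives in. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain; the group names are the standard built-in ones, and the forest-level groups simply produce no output in a child domain. The point of the inventory is to see, before running a sync, which privileged accounts carry a UPN in the verified domain and which OU they sit in, so a decision like the one in the question (sync them, or keep them out of scope and use separate day-to-day accounts) is made from a list rather than from memory.

```powershell
# Added example, not code from the question or answer. Assumes the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Built-in groups protected by AdminSDHolder; members get adminCount=1.
# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so lookups for them are allowed to fail quietly elsewhere.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$privileged = foreach ($group in $protectedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.distinguishedName -Properties adminCount, UserPrincipalName
            [pscustomobject]@{
                Group             = $group
                SamAccountName    = $user.SamAccountName
                UserPrincipalName = $user.UserPrincipalName
                AdminCount        = $user.adminCount
                # Strip the leading CN= component to show only the containing OU
                OU                = ($user.DistinguishedName -replace '^CN=[^,]+,', '')
            }
        }
}

# One row per account; an account in several protected groups is listed once
$privileged | Sort-Object SamAccountName -Unique | Format-Table -AutoSize
```

The OU column is what matters for the sync decision: Azure AD Connect scopes synchronization by OU, so accounts that are meant to stay on-premises only are easiest to keep out by placing them in an OU that is not selected for sync, while the regular accounts used for cloud services live in an OU that is.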

Comments (1)

  • +0 – Thanks for clarifying. Meanwhile I did some tests which confirm your answer. I think I'll still create separate administrative accounts so we do not have to use domain admins on a daily basis. — Oct 12, 2018 at 13:54