
What you’ll learn in this post
- Prerequisites for Microsoft Entra Connect (application-based auth) — what’s new and what you need before install.
- Network segmentation — isolate the Connect server and allow only required ports.
- Set up a gMSA to run the Entra Connect Sync service (automatic, secure password rotation).
- Create a least-privilege AD DS connector account (instead of the default MSOL_… account).
- OS-level hardening for the Connect server.
Requirements
| Number of objects in Active Directory | Memory | Storage |
|---|---|---|
| Fewer than 10,000 | 4 GB | 70 GB |
| 10,000 to 50,000 | 16 GB | 100 GB |
| 50,001 to 100,000 | 32 GB | 300 GB |
| 100,001 to 300,000 | 32 GB | 450 GB |
| More than 300,000 | 32 GB | 500 GB |
If your directory exceeds ~100,000 objects (users + groups + devices), the SQL Server Express/LocalDB bundled with Entra Connect will hit size and performance limits. Run Entra Connect on a full SQL Server instance (Standard or higher) instead.
Additional Requirements
Server with GUI
.NET Framework 4.5.1 or later
Required network ports (open only the ports below)
Internal (Connect server to domain controllers and, if used, SQL Server)
| Service | Port | Protocol |
|---|---|---|
| DNS | 53 | TCP / UDP |
| Kerberos | 88 | TCP / UDP |
| RPC EPM | 135 | TCP |
| LDAP | 389 | TCP / UDP |
| HTTPS (SSL/TLS) | 443 | TCP |
| SMB | 445 | TCP |
| SQL (Agent to SQL Server) | 1433 | TCP |
1433 is needed only if you use a full (remote) SQL Server instance for Entra Connect. Note also that RPC via the endpoint mapper (135) continues on a dynamic high port (TCP 49152-65535 by default), so a firewall that allows only the ports in the table breaks RPC-based operations such as password hash sync; allow that range towards the domain controllers as well.
Outbound
| Protocol | Port | Purpose |
|---|---|---|
| HTTP | 80 | CRL downloads (certificate checks) |
| HTTPS | 443 | Sync service to Microsoft Entra ID |
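The two tables above translate directly into a host-firewall allow-list. The following is an added example (not code from the original post) for the Windows Firewall on the Connect server; the domain controller addresses, the SQL Server address and the rule-group name are assumptions you replace with your own.

```powershell
# Added example: Windows Firewall allow-list for the Entra Connect server.
# Assumptions: $dcs are your domain controllers (also acting as DNS), $sqlHost is a remote
# SQL Server (set to $null when you use the bundled LocalDB), rule group name is arbitrary.
$dcs     = @('10.10.0.10', '10.10.0.11')
$sqlHost = '10.10.0.20'
$group   = 'Entra Connect hardening'

# Make the script re-runnable: drop any rules from an earlier run
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Connect server -> domain controllers (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB)
New-NetFirewallRule -Group $group -DisplayName 'EC: DC TCP' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $dcs -RemotePort 53,88,135,389,445
New-NetFirewallRule -Group $group -DisplayName 'EC: DC UDP' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $dcs -RemotePort 53,88,389

# The endpoint mapper on 135 hands the RPC session to a dynamic high port; without this rule
# DC-bound RPC calls (password hash sync, writeback) fail as soon as outbound defaults to Block
New-NetFirewallRule -Group $group -DisplayName 'EC: DC RPC dynamic' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $dcs -RemotePort '49152-65535'

# Connect server -> SQL Server, only for a full/remote instance
if ($sqlHost) {
    New-NetFirewallRule -Group $group -DisplayName 'EC: SQL' -Direction Outbound -Action Allow `
        -Protocol TCP -RemoteAddress $sqlHost -RemotePort 1433
}

# Connect server -> Microsoft Entra ID (443) and CRL distribution points (80)
New-NetFirewallRule -Group $group -DisplayName 'EC: Internet 80/443' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80,443

# Nothing else leaves or reaches the box unless a rule allows it
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
```

Setting the default outbound action to Block is the part that makes the allow-list meaningful, but it also stops Windows Update, monitoring agents and any inbound RDP/WinRM from your admin workstation, so add explicit rules for those (scoped to the jump host or PAW addresses) before you apply the last line on a production server.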
Installation Account Rights
- Global Administrator rights are required in the Entra ID tenant.
- For express settings, the installing account needs Enterprise Admin rights in AD. This account is only needed for the initial setup and can be removed afterwards. Best practice: create a new account, grant the rights temporarily, install Entra Connect, and then remove the account.
Recommendations
- Deploy Microsoft Entra Connect on a separate, dedicated member server—do not install it on a domain controller.
- Use the new application-based authentication (Authenticate to Microsoft Entra ID by Using Application Identity – Microsoft Entra ID | Microsoft Learn). Entra Connect then authenticates to Entra ID with an application identity and certificate, which removes the need for a password-based synchronization service account in your cloud directory.
Setup the gMSA Account
One way to harden your Entra Connect deployment is to run the sync service as a gMSA. A gMSA is an Active Directory-managed service identity whose password AD generates and rotates automatically.
Compared to a classic "user as service account", a gMSA has no password that anyone knows or stores, rotates automatically, supports Kerberos with AES, and is cleanly auditable.
1) Create the KDS root key (once per forest)
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Backdating the effective time skips the 10-hour wait that gives the key time to replicate to every domain controller. That is fine in a lab; in production run Add-KdsRootKey -EffectiveImmediately and wait 10 hours before creating the gMSA, otherwise a DC that has not yet received the key cannot compute the password.
2) Create a gMSA and a group. (A shortcut is the Defender for Identity module, which has a function that creates the gMSA and the group for you 😛)
# Create group
New-ADGroup -Name 'Mecs-Group' -SamAccountName 'Mecs-Group' -GroupScope Global -GroupCategory Security -Path 'OU=Groups,OU=Tier0,DC=rockitone,DC=local' -Description 'gMSA Group Entra Connect'
# Add Member server to the group in this case the entraconnectsync server
Add-ADGroupMember -Identity 'Mecs-Group' -Members 'ConnectSync01$'
# Create the gMSA and allow only that group to retrieve its password
# -DNSHostName is mandatory but only a label for the gMSA; the usual convention is '<gMSA name>.<domain FQDN>'
New-ADServiceAccount -Name 'Mecs-gMSA' -Description 'gMSA Account Entra Connect' -DNSHostName 'rockit1.dc01.rockitone.local' -ManagedPasswordIntervalInDays 30 -PrincipalsAllowedToRetrieveManagedPassword 'Mecs-Group' -Enabled $true

OR
Reusing the Defender for Identity module here because it creates a gMSA and a group in one go:
Install-Module -Name DefenderForIdentity
New-MDIDSA -Identity Mecs-gMSA -GmsaGroupName Mecs-Group
- Mecs-gMSA = the gMSA for our server
- Mecs-Group = the security group whose members are allowed to retrieve the gMSA password
3) Reboot the Entra Connect server so its Kerberos ticket picks up the new group membership, log in, and install the gMSA locally (this needs the RSAT Active Directory PowerShell module on the server)
Install-ADServiceAccount -Identity Mecs-gMSA
Test-ADServiceAccount -Identity Mecs-gMSA
The test should return True.
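Before handing the gMSA to the installer it is worth checking who can actually read its password, because anyone able to read msDS-ManagedPassword can run as the gMSA, and therefore as the sync engine that holds the AD DS connector credentials. The following check is an added example (not from the original post); it uses the names from this post (Mecs-gMSA, Mecs-Group, ConnectSync01$) and the list of "too broad" principals is an assumption.

```powershell
# Added example: verify the gMSA configuration. Steps 1-3 run anywhere with RSAT,
# step 4 must run on the Connect server itself.
Import-Module ActiveDirectory

$gmsaName = 'Mecs-gMSA'
$groupName = 'Mecs-Group'
$server = 'ConnectSync01$'
$broad = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')  # assumption: never acceptable readers

$gmsa = Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval', Enabled

# 1. Exactly one principal, the dedicated group, may retrieve the managed password
$readers = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { (Get-ADObject -Identity $_).Name })
if ($readers.Count -ne 1 -or $readers[0] -ne $groupName) {
    Write-Warning "Unexpected password readers on ${gmsaName}: $($readers -join ', ')"
}
foreach ($r in $readers) {
    if ($broad -contains $r) { Write-Warning "Broad principal '$r' can read the gMSA password" }
}

# 2. The Connect server, and nothing else, is a member of that group
$members = @(Get-ADGroupMember -Identity $groupName | ForEach-Object SamAccountName)
if ($members.Count -ne 1 -or $members[0] -ne $server) {
    Write-Warning "Unexpected members of ${groupName}: $($members -join ', ')"
}

# 3. Account enabled and rotating on the interval you configured (30 days in this post)
"Enabled: $($gmsa.Enabled)   rotation interval (days): $($gmsa.'msDS-ManagedPasswordInterval')"

# 4. On the Connect server: can this computer retrieve the password?
#    False here usually means the server joined the group but was not rebooted, so its
#    Kerberos ticket does not carry the group SID yet.
Test-ADServiceAccount -Identity $gmsaName
```

Re-run step 1 periodically, or alert on changes to msDS-GroupMSAMembership of the gMSA object: adding a principal there is a quiet way for an attacker with write access to the object to obtain a persistent path to the sync engine.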

Next, download Microsoft Entra Connect from https://entra.microsoft.com.
4) Run the Entra Connect setup
Start the wizard, choose Customize, select "Use an existing service account" with the managed service account option, and enter the gMSA (rockitone\Mecs-gMSA$). Clicking Next validates that the server can use the account.

By default, Entra Connect creates an MSOL_ connector account with broad rights in AD. Since this is a security-first setup, we do not want that. Instead, create your own connector account (ADDS in this example) and delegate rights only where they are actually needed.
Create AD DS Connector Account
I followed these steps to create a service account → Create AD DS Connector account – ALI TAJRAN
Install Entra Connect on the Connect server first (not on a domain controller); the installer places the AdSyncConfig PowerShell module at "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1".
Then, on that server, with the RSAT Active Directory module installed and an account that has Domain Admin rights, import the module:
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
and delegate only the permission sets this connector will use, here ms-DS-ConsistencyGuid, password hash sync and password writeback:
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN "CN=ADDS,OU=Service Accounts,OU=Tier0,DC=rockitone,DC=local"
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN "CN=ADDS,OU=Service Accounts,OU=Tier0,DC=rockitone,DC=local"
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN "CN=ADDS,OU=Service Accounts,OU=Tier0,DC=rockitone,DC=local"
The module has matching Set-ADSync*Permissions cmdlets for the other optional features (Exchange hybrid, group writeback and so on); delegate only the ones you actually enable.

By default these cmdlets place the ACEs at the domain root, from where they inherit to all child OUs. In my setup I have disabled inheritance and apply them only to OU=Computers,OU=Tier2, so the connector has rights strictly where they are needed.

To further harden the service account, the article recommends running the following command ($credential holds a PSCredential, for example from Get-Credential):
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN "CN=ADDS,OU=Service Accounts,OU=Tier0,DC=rockitone,DC=local" -Credential $credential
According to the AdSyncConfig reference (https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-adsyncconfig), the command:
- disables ACL inheritance on the account object you pass in (ADDS here);
- removes the existing ACEs on that object (except SELF);
- sets a minimal, explicit ACL (SYSTEM, Enterprise Admins, Domain Admins and Administrators = Full Control; Enterprise Domain Controllers and Authenticated Users = read/list) so that the account object is harder to tamper with.
A credential prompt appears; enter an account that is allowed to rewrite the ACL of the account object (a Domain Admin).
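The whole connector-account procedure above, as one added example (not code from the original post or from the linked article): create the account with a random password, delegate the permission sets scoped to one OU instead of the domain root, lock the account object down, and read the resulting ACL back to confirm the connector has rights only where intended. The OU paths and account name follow this post; -ADobjectDN and -ValidateCommands are documented optional parameters of the AdSyncConfig cmdlets (assumption: your module version has them; if not, fall back to disabling inheritance by hand as described above), and password hash sync is deliberately left out because it cannot be scoped.

```powershell
# Added example: least-privilege AD DS connector account, scoped delegation, ACL read-back.
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

$accountOU = 'OU=Service Accounts,OU=Tier0,DC=rockitone,DC=local'   # from the post
$scopeOU   = 'OU=Computers,OU=Tier2,DC=rockitone,DC=local'          # the only OU this connector syncs
$name      = 'ADDS'

# 32 bytes from the OS CSPRNG as a base64 password: nobody needs to know or store it,
# it is typed once into the Connect wizard and can be rotated from here afterwards
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# AES-only Kerberos, not delegatable, and no password change by the account itself
New-ADUser -Name $name -SamAccountName $name -Path $accountOU -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true -AccountNotDelegated $true `
    -KerberosEncryptionType AES256 -Description 'Entra Connect AD DS connector account'
$dn = (Get-ADUser -Identity $name).DistinguishedName

# Delegate only what this connector does, only where it does it.
# -ValidateCommands prints the dsacls calls without applying them; remove it to apply.
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $dn -ADobjectDN $scopeOU -ValidateCommands
Set-ADSyncPasswordWritebackPermissions   -ADConnectorAccountDN $dn -ADobjectDN $scopeOU -ValidateCommands
# Password hash sync needs Replicating Directory Changes (All) on the domain root and has no -ADobjectDN.
# Enable it only on the one sync engine that should do PHS:
# Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN $dn

# Harden the account object itself (disables inheritance, minimal explicit ACL)
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $dn -Credential (Get-Credential -Message 'Domain Admin')

# Read back what the connector account can do, and where
function Get-ConnectorAces {
    param([string]$Account, [string]$ObjectDN)
    (Get-Acl -Path "AD:\$ObjectDN").Access |
        Where-Object { $_.IdentityReference -like "*\$Account" } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType
}
Get-ConnectorAces -Account $name -ObjectDN $scopeOU                   # expect the delegated ACEs here
Get-ConnectorAces -Account $name -ObjectDN 'DC=rockitone,DC=local'    # expect nothing unless PHS is enabled
```

The ObjectType column in the read-back is the schema GUID of the attribute or right an ACE applies to; an ACE with ActiveDirectoryRights of GenericAll or WriteDacl for the connector account anywhere in the output is a sign that something other than the AdSyncConfig cmdlets touched the ACL and should be investigated.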

Finish the Setup
Press next

Password hash synchronization grants the connector account "Replicating Directory Changes" and "Replicating Directory Changes All" on the root of the domain; these rights cannot be scoped to an OU. If this connector only syncs your hybrid-joined devices because, for example, your users are synced by Entra Cloud Sync, leave this option off. PHS can also be enabled on only one of the two sync engines (Entra Connect or Cloud Sync), not both.
Fill in your Entra admin credentials.


Scope the selected OUs (I also scope the Users OU to see whether the permissions stop that OU from syncing).

In this case the access rights are delegated only to the Tier 2 Computers OU; to check that the delegation is correct I also sync the Users OU.
After finishing the setup, open services.msc and confirm that the Microsoft Azure AD Sync service runs as the gMSA.

After the initial sync, you should only see the computer from the Tier-2 Computers in the tenant. Once validated, remove the temporary Users OU from scope.

Additional Server Hardening
Microsoft publishes a full hardening list (Microsoft Entra Connect: Prerequisites and hardware – Microsoft Entra ID | Microsoft Learn). I will not go through it in detail, as that would make this post very long, but in summary:
- Disable NTLM.
- Enable TPM on your server. Entra Connect manages the application identity and its certificate, including creation, rotation and deletion, and the certificate is stored in the CURRENT_USER store. For optimal protection of the certificate's private key, Microsoft recommends a Trusted Platform Module (TPM) to establish a hardware-based security boundary.
- Use Windows LAPS.
- Enable TLS 1.2 between your SQL Server and the Entra Connect server (Enable TLS 1.2 on servers – Configuration Manager | Microsoft Learn).
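The checklist above is easy to state and easy to drift from, so here is an added example (not from the original post or from Microsoft's documentation) that audits the four items on the Connect server and applies the TLS 1.2-only SCHANNEL and .NET settings. The NTLM, SCHANNEL and .NET registry locations are the documented ones; the Windows LAPS policy key is an assumption.

```powershell
# Added example: audit the hardening checklist on the Entra Connect server.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-NtlmRestricted {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # "Restrict NTLM: Outgoing NTLM traffic to remote servers" = Deny all (2); 1 is audit-only
    $outgoing = (Get-RegValue "$lsa\MSV1_0" RestrictSendingNTLMTraffic) -eq 2
    # "LAN Manager authentication level" = NTLMv2 only, refuse LM and NTLM (5)
    $level = (Get-RegValue $lsa LmCompatibilityLevel) -eq 5
    return ($outgoing -and $level)
}

function Test-TpmReady {
    try { $t = Get-Tpm; return [bool]($t.TpmPresent -and $t.TpmReady) } catch { return $false }
}

function Test-WindowsLapsConfigured {
    # Assumption: Windows LAPS policy is stored here; BackupDirectory 1 = AD, 2 = Entra ID
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' BackupDirectory
    return ($v -eq 1 -or $v -eq 2)
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnet = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319')

function Test-Tls12Only {
    $ok = $true
    foreach ($side in 'Client', 'Server') {
        # TLS 1.2 explicitly on, legacy protocols explicitly off (absent keys count as not hardened)
        $ok = $ok -and (Get-RegValue "$schannel\TLS 1.2\$side" Enabled) -eq 1
        $ok = $ok -and (Get-RegValue "$schannel\TLS 1.2\$side" DisabledByDefault) -eq 0
        foreach ($old in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
            $ok = $ok -and (Get-RegValue "$schannel\$old\$side" Enabled) -eq 0
        }
    }
    # Entra Connect is a .NET application: .NET must defer to the OS protocol settings
    foreach ($fw in $dotnet) {
        $ok = $ok -and (Get-RegValue $fw SchUseStrongCrypto) -eq 1
        $ok = $ok -and (Get-RegValue $fw SystemDefaultTlsVersions) -eq 1
    }
    return $ok
}

function Enable-Tls12Only {
    # Writes exactly the settings Test-Tls12Only checks; a reboot is required afterwards
    foreach ($side in 'Client', 'Server') {
        foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
            $key = "$schannel\$proto\$side"
            $on = [int]($proto -eq 'TLS 1.2')
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -Value $on -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value (1 - $on) -PropertyType DWord -Force | Out-Null
        }
    }
    foreach ($fw in $dotnet) {
        New-Item -Path $fw -Force | Out-Null
        New-ItemProperty -Path $fw -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $fw -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-ConnectServerHardening {
    [pscustomobject]@{
        NtlmRestricted = Test-NtlmRestricted
        TpmReady       = Test-TpmReady
        WindowsLaps    = Test-WindowsLapsConfigured
        Tls12Only      = Test-Tls12Only
    }
}

Get-ConnectServerHardening
```

Run Enable-Tls12Only on the SQL Server as well, since TLS 1.2 has to be agreed by both ends of the connection. Before setting the NTLM policy to deny all, switch it to audit (value 1) for a while and review the NTLM Operational event log, so you find the one legacy dependency on the box before you break it.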
Conclusion
For extra hardening, use Microsoft Entra Cloud Sync for users and groups, and keep Entra Connect (Sync) only for hybrid-joined devices. This separates privileges, shrinks the sync footprint, and reduces your attack surface.
Entra Cloud Sync also runs on Server Core and narrows the on-premises ports to LDAP only:
- TCP 389: standard LDAP.
- TCP 3268: Global Catalog.
Sources
Installation and Configuration of Microsoft Entra Cloud Sync – cloudcoffee.ch
Secure Identity Integration: The Roadmap with Entra Connect – Michael Waterman

Thanks for mentioning my blog. Good job on yours!
You are a legend! Thanks for visiting my blog!