While configuring a lab environment I found myself setting up Azure Cloud Sync on an on-premises DC for testing purposes, and got stuck on a seemingly simple error that I could not get past:
“Please provide the Azure AD credentials of a global administrator or a Hybrid Administrator.”
At first sight this looks like a minor permission issue, and it would be if it weren’t for the fact that the account I was using was definitely assigned the Global Administrator (GA) role.
However, checking the trace logs of the Cloud Sync wizard, I could see it wasn’t able to recognize that role.
The trace logs can be found in the following directory:
C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace
After some rebooting and clearing of caches I figured this wouldn’t magically solve itself, so in frustration I directly assigned the account the Hybrid Identity Administrator role, and voilà: the wizard accepted the credentials.
So why didn’t it find the proper role? It turns out that the tool has no problem finding directly assigned roles, but it does not see roles that are inherited through a role-assignable group, configured as described here.
I confirmed this by removing the group-assigned role, assigning the same role directly instead, and retrying the wizard: it went through.
In conclusion, if you’re configuring Cloud Sync through the wizard and running into permission issues, it is worth checking whether the roles are directly assigned to the account or inherited from a group.
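The following PowerShell script is an added example, not from the original post, for telling direct role assignments apart from group-inherited ones before running the wizard. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account may read directory role assignments; the user principal name is a placeholder.

```powershell
# Added example (not part of the original post). Assumes the Microsoft.Graph
# PowerShell SDK modules Users and Identity.Governance are installed.
# $UserPrincipalName is a placeholder for the account the Cloud Sync wizard uses.
param([string]$UserPrincipalName = "admin@contoso.example")

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" | Out-Null

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# Map role definition ids to display names so the report is readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

$report = @()

# Direct assignments: the principal of the assignment is the user object itself.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
    ForEach-Object {
        $report += [pscustomobject]@{
            Role   = $roleNames[$_.RoleDefinitionId]
            Source = "Direct"
            Via    = $user.UserPrincipalName
        }
    }

# Group-inherited assignments: the principal is a (role-assignable) group the user is in.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }

foreach ($group in $groups) {
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" -All |
        ForEach-Object {
            $report += [pscustomobject]@{
                Role   = $roleNames[$_.RoleDefinitionId]
                Source = "Group"
                Via    = $group.AdditionalProperties.displayName
            }
        }
}

# Anything listed only with Source = Group is what the Cloud Sync wizard will not see.
$report | Sort-Object Role, Source | Format-Table -AutoSize
```

Only active assignments are listed; roles the account is merely eligible for through PIM do not appear and would not satisfy the wizard either.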
Security consultant with a focus on cloud and Azure.