In Discovery: Active Directory Connector: Supporting Group Managed Service Account (gMSA) as service Account

Business Problem

SailPoint is hearing from a few of our customers about supporting a group managed service account (gMSA) as the service account in the Active Directory connector, including IQService.

Sound Familiar?

If this is a problem that impacts your organization, use our Ideas Portal to cast your vote for this Idea. There you can view currently submitted ideas, add comments for your specific use cases around this problem, and vote!

Idea:

How You Can Help

We are continuing to validate our understanding of the problem space and solution. In addition, we are conducting research calls focused on validating our designed solution, better understanding the desired user experience, and ensuring we hit the most common customer use cases.

We have already investigated the requirement and its feasibility. Below are the follow-up questions for which we need your answers; they will be very helpful for us.

  1. As confirmed with Microsoft, Group Managed Service Accounts (gMSA) are not supported in on-premises Exchange Server environments, so managing Exchange does not look feasible. We would like to know whether you are using the Exchange feature, or whether this limitation would be acceptable to you.
  2. To use a gMSA with IQService, IQService must run in the context of a user that has permission to retrieve the password of the gMSA in question. This has to be configured explicitly on your side: the principal needs ‘Read’ permission on the gMSA’s “msDS-ManagedPassword” attribute. To be precise, the principal must be listed in the gMSA’s PrincipalsAllowedToRetrieveManagedPassword. Please discuss this with your AD admin and let us know whether you are willing to grant this elevated permission. This is required for both cross-domain and cross-forest service principals. TLS must be configured.
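The grant described in question 2 is worth auditing, because every principal listed in PrincipalsAllowedToRetrieveManagedPassword can read msDS-ManagedPassword and therefore act as the gMSA. The following PowerShell is an added example, not SailPoint code or part of the connector; it uses the ActiveDirectory module cmdlets to show the current grant, scope it to a single principal, and verify the result. The gMSA name (`svc-iqservice`) and the computer account running IQService (`IQSVC01$`) are assumptions; if IQService runs under a user account instead, that account is what belongs in the list.

```powershell
# Added example (not SailPoint's code): audit and scope who may retrieve a gMSA's
# managed password, i.e. the PrincipalsAllowedToRetrieveManagedPassword grant.
# The names below are assumptions; replace them with your own.
Import-Module ActiveDirectory

$GmsaName      = 'svc-iqservice'   # assumed gMSA sAMAccountName (without the trailing $)
$IQServiceHost = 'IQSVC01$'        # assumed computer account that runs IQService

# 1. Show the current grant. Anything beyond the host that runs IQService is excess
#    privilege: each listed principal can read msDS-ManagedPassword and use the gMSA.
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
Write-Host "Principals currently allowed to retrieve the password for ${GmsaName}:"
$gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { Write-Host "  $_" }

# 2. Scope the grant to exactly the principal that runs IQService.
#    This replaces the existing list rather than appending to it.
Set-ADServiceAccount -Identity $GmsaName `
    -PrincipalsAllowedToRetrieveManagedPassword $IQServiceHost

# 3. Re-read the attribute and warn if the list is anything other than one entry.
$after = (Get-ADServiceAccount -Identity $GmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
if (@($after).Count -ne 1) {
    Write-Warning "Expected exactly one principal on $GmsaName, found $(@($after).Count)"
} else {
    Write-Host "OK: only $after may retrieve the managed password for $GmsaName"
}

# 4. On the IQService host itself (not on the admin workstation), confirm that the
#    machine can actually retrieve the password. Test-ADServiceAccount returns $true
#    when the gMSA is installed and usable on that host.
#    Install-ADServiceAccount -Identity $GmsaName
#    Test-ADServiceAccount    -Identity $GmsaName
```

Run steps 1 to 3 from a workstation with the RSAT ActiveDirectory module and rights to modify the gMSA object; run step 4 locally on the IQService host. Re-running step 1 periodically is a cheap detective control for the grant silently growing over time.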

Our Product Management team would love to hear from you! Here’s how:

  • Voice your thoughts, questions, comments, and concerns right here in this topic.
  • Vote on the idea linked above.
  • Or schedule a call if you feel the need to discuss this topic in private and provide insights specific to your business problem and use cases. If you don’t see a calendar opening that aligns with your availability, feel free to send me a direct email at [email protected].