AD v2 Spoke - Requires Account Operator. Does it reaaaallly though?

Johnathan R
Tera Contributor

I have a hard time believing in order to use the AD v2 Spoke you need a service account with Account Operator. My Security team is grilling me over this one. If you give the appropriate granular permissions in AD to for instance - add users to a single group - would the spoke not work fine to perform that action?
My developer tells me it does not work, and the docs say to give it account operator. Can anyone confirm their experience with this spoke and the required permissions?
Thanks!


DrewW
Mega Sage

I think it's going to depend on what you need to do. If you are updating user accounts and groups then yes, you are going to need that. If all you are doing is reading data then no.

Thanks. If you delegate permissions to allow the updates you are trying to make, would you still need Account Operator? For example, if the spoke is just to reset a password for a user, and you delegated the ability to reset a user's password, shouldn't the spoke work?
I am being told it won't, which makes no sense to me.

I have not used the V2 version yet, but there is another spoke I ran into where the first thing it did was check to see what permissions the account it was using had, and if they were not the expected ones then it just returned a permissions error. So it is very possible the V2 version is doing something like that.
All you can do is try and see, whether you are using the flows they set up or just the individual activities.
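The two delegations the thread talks about (reset a user's password, add members to one specific group) can be granted to the service account directly and then read back, so the security team sees exactly which rights the account holds instead of a built-in group like Account Operators. The PowerShell below is an added example, not code from the thread or from ServiceNow; the service account name, OU and group distinguished names are placeholders, and it assumes the RSAT ActiveDirectory module (which provides the `AD:` drive) on the machine running it.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module;
# every name below is a placeholder to replace with your own.
Import-Module ActiveDirectory

$ServiceAccount = 'SVC-SNOW-SPOKE'                                # placeholder
$UserOu         = 'OU=Users,OU=Corp,DC=example,DC=com'            # placeholder
$TargetGroup    = 'CN=App-Users,OU=Groups,DC=example,DC=com'      # placeholder

# Well-known AD schema / extended-right GUIDs used when delegating.
$UserClass           = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$MemberAttribute     = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # group 'member' attribute
$ForceChangePassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password

$sid = (Get-ADUser -Identity $ServiceAccount).SID

# 1. Reset Password: an extended right, scoped to user objects under the OU only.
$ouAcl = Get-Acl -Path "AD:\$UserOu"
$ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ForceChangePassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)))
Set-Acl -Path "AD:\$UserOu" -AclObject $ouAcl

# 2. Add/remove members of one group: write access to that group's 'member'
#    attribute on that single object, with no inheritance to anything else.
$grpAcl = Get-Acl -Path "AD:\$TargetGroup"
$grpAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $MemberAttribute,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
Set-Acl -Path "AD:\$TargetGroup" -AclObject $grpAcl

# Verification: list every ACE on both objects that names the service account.
# ObjectType / InheritedObjectType come back as GUIDs; match them against the
# constants above to read them.
foreach ($path in @($UserOu, $TargetGroup)) {
    Write-Host "ACEs for $ServiceAccount on $path"
    (Get-Acl -Path "AD:\$path").Access |
        Where-Object { $_.IdentityReference -like "*\$ServiceAccount" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType |
        Format-Table -AutoSize
}

# Confirm the account holds its rights by delegation, not by privileged group
# membership (Account Operators should not appear here).
Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
    Select-Object -ExpandProperty Name
```

The ACE listing is the evidence to hand to the security team: it shows the exact right, the object class it applies to and the scope. It also separates the two possible outcomes DrewW describes: if the spoke fails while the ACEs are present and a manual reset or group change with that account succeeds, the spoke is checking for group membership rather than effective rights, and that is the conversation to have with the vendor rather than a reason to hand out Account Operators.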