Agent Client Collector Agent Log On As A Service for Entra ID Devices
‎06-06-2025 07:05 AM
We are attempting to configure Agent Client Collector for Visibility in our lower DEV instance so that we can eventually move it to PROD. We are attempting to use a domain-joined service account to log on as a service, and this works for domain-joined devices; however, the majority of our devices are Entra ID devices that cannot use the domain-joined service account we created. Our security team does not like setting passwords to never expire, so we are looking for options other than the default local account created during installation.
I searched knowledge articles on this subject and only found the suggestion of using a gMSA service account, but this presents the same issue.
Has anyone else run into this issue and have a suggestion?
Thank you.
‎06-06-2025 08:34 PM
Hello @Zane2277,
- Prerequisites: The machine must be domain-joined to a Microsoft Entra tenant (either joined or hybrid joined).
- Authentication: The agent can then utilize Microsoft Entra device tokens for authentication and data collection from Azure.
- Advantages: This approach provides a centralized and managed way to handle service account credentials, simplifying administration and security.
- Default Local Account: The ACC agent will install by default using a local account. This account will need to be configured to run as a service, such as changing the "Log on as a service" permission.
- Global Secure Access Client (for Global Secure Access): Microsoft says the Global Secure Access Client can be used to securely access resources within the organization. By installing and configuring the client, the agent can utilize a user's Microsoft Entra credentials to run as a service.
- PowerShell Module: If the machine is domain joined, the agent can use the Microsoft Entra device tokens to authenticate and fetch DCRs from Azure.
- Security: Ensure service account credentials are securely managed and do not have overly permissive permissions.
- Permissions: The user account or service account used by the ACC must have the necessary permissions to access the resources and perform the required tasks.
- Configuration: The ACC agent needs to be configured to use the appropriate credentials and settings for the chosen authentication method.
- Troubleshooting: If issues arise, review system logs, node logs, and the agent's configuration for troubleshooting.
If this is helpful, please hit the thumbs up button and accept the correct solution, so that others referring to this solution in future will find it helpful.
Thanks & Regards,
Abbas Shaik
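One way to verify, on a given Entra ID joined device, the points the thread turns on: which account the ACC service logs on as, whether a local account's password is set to never expire, and whether that account actually holds the "Log on as a service" right. This is an added PowerShell check, not code from the thread or from ServiceNow; the service name is a placeholder you must replace with the real ACC service name on the host.

```powershell
# Added example (not from the thread). The service name is a placeholder:
# replace it with the actual ACC agent service name on the host.
# Run in an elevated PowerShell session on the device being checked.
$ServiceName = 'REPLACE-WITH-ACC-SERVICE-NAME'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME" }
if ($svc.StartName -eq 'LocalSystem') {
    Write-Host "Service runs as LocalSystem; no 'Log on as a service' right is needed"
    return
}

# Normalise '.\user' to 'COMPUTERNAME\user' so the account can be resolved later.
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
Write-Host "Service '$ServiceName' logs on as: $account"

# Check 1: local account whose password never expires (the concern in the question).
if ($account -like "$env:COMPUTERNAME\*") {
    $user = Get-LocalUser -Name ($account -split '\\')[-1] -ErrorAction Stop
    if ($null -eq $user.PasswordExpires) {
        Write-Warning "Local account '$($user.Name)' has its password set to never expire"
    } else {
        Write-Host "Local account '$($user.Name)' password expires $($user.PasswordExpires)"
    }
}

# Check 2: does the account hold 'Log on as a service' (SeServiceLogonRight)?
# secedit exports the right as comma-separated SIDs (prefixed '*') and/or names.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$entry = (Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }) -replace '^[^=]*=\s*', ''
Remove-Item $inf -ErrorAction SilentlyContinue
$holders = $entry -split ',' | ForEach-Object { $_.Trim() }

try {
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    # Entra ID (AzureAD\user) principals may not resolve via NTAccount on every host.
    Write-Warning "Could not resolve '$account' to a SID: $($_.Exception.Message)"
    $sid = $null
}

$hasRight = ($sid -and ($holders -contains "*$sid")) -or ($holders -contains $account)
if ($hasRight) {
    Write-Host "'$account' holds SeServiceLogonRight"
} else {
    Write-Warning "'$account' is not listed under SeServiceLogonRight; the service will fail to start"
}
```

Run it once before and once after changing the service logon account so the two warnings show exactly which of the two conditions (expiry policy, missing right) still applies.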
‎06-09-2025 08:26 AM
Thank you very much for the quick response. We already know these Entra ID devices cannot see a domain-joined service account, but we have not tried what you have suggested. We will discuss it, and I will reply and mark as helpful once tested.
Again, thank you.