Microsoft’s updated Intune Connector for Active Directory now runs under a Managed Service Account to apply the least privilege principle. The update matters because older connector versions stop working starting July 2025. Follow the permission guidance below to keep Windows Autopilot device provisioning running smoothly.

Microsoft Intune Connector for Active Directory: What’s New?
Microsoft recently updated the Intune Connector for Active Directory, also known as the Offline Domain Join (ODJ) Connector. This component joins devices to an on-premises Active Directory domain during Windows Autopilot deployment; after the first sign-in, the devices become Microsoft Entra hybrid joined. The key change is that the connector service now runs under a Managed Service Account (MSA) instead of a conventional user or built-in account, which applies the least privilege principle to the connector.
Keep in mind, older connector versions will stop working starting July 2025. So, updating is essential for uninterrupted device provisioning.
Major Updates and Security Enhancements
The new Intune Connector strengthens security by running as an MSA instead of a traditional account. An MSA’s password is generated and rotated by Windows rather than stored or typed by an administrator, and the account cannot be used for interactive logon, so replacing a standing user account with an MSA removes a credential that could otherwise be reused. The MSA is created during installation and needs specific Active Directory permissions to create computer objects.
However, some users may hit a snag: an error when the installer tries to grant the MSA permissions on the default Computers container or on a specific Organizational Unit (OU). The error appears as a “constraint violation” in the installation logs, and without the permission the connector cannot create the computer objects it needs during Autopilot provisioning.
Workaround for MSA Permission Errors
If you encounter this permission error, don’t panic. The fix is to manually grant the MSA the “Create Computer objects” permission on the OU where Autopilot devices are created, using Active Directory’s Delegation of Control Wizard. Without this right the connector cannot complete the offline domain join.
After installation, verify that the MSA appears in the Managed Service Accounts container in Active Directory Users and Computers (enable Advanced Features under the View menu to see it). Also confirm that the “Intune ODJ connector service” runs under the MSA and has an automatic startup type.
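The same workaround and post-install checks, scripted in PowerShell. This is an added example, not a script from the Intune Customer Success article or from Microsoft; the MSA name, OU distinguished name and domain used below are placeholders you must replace with your own values, and the service is located by its display name rather than an assumed internal service name.

```powershell
# Added example (not from the article): grant the connector's MSA the
# "Create Computer objects" right on an OU, then run the article's post-install checks.
# Assumptions: $MsaName and $TargetOU are placeholders for your environment.
Import-Module ActiveDirectory

$MsaName  = 'MSAIntuneODJ'                             # assumed MSA sAMAccountName (no trailing $)
$TargetOU = 'OU=AutopilotDevices,DC=corp,DC=example'  # assumed OU where Autopilot computers land

# Resolve the MSA to its SID; standalone MSAs live in CN=Managed Service Accounts,<domain DN>
$Msa = Get-ADServiceAccount -Identity $MsaName -ErrorAction Stop
$Sid = [System.Security.Principal.SecurityIdentifier]$Msa.SID

# schemaIDGUID of the 'computer' object class. Restricting CreateChild to this class
# is the same ACE the Delegation of Control Wizard writes for "Create Computer objects".
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$AclPath = "AD:\$TargetOU"
$Acl  = Get-Acl -Path $AclPath
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # this OU and sub-OUs
$Acl.AddAccessRule($Rule)
Set-Acl -Path $AclPath -AclObject $Acl

# Least-privilege check: the MSA should hold only CreateChild, scoped to computer objects.
(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$MsaName`$" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize

# Check 1 from the article: the MSA sits in the Managed Service Accounts container.
if ($Msa.DistinguishedName -notlike 'CN=Managed Service Accounts,*') {
    Write-Warning "MSA is not in the Managed Service Accounts container: $($Msa.DistinguishedName)"
}

# Check 2 from the article: the connector service runs as the MSA with automatic startup.
# Win32_Service exposes the logon account (StartName), which Get-Service does not.
$Svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%ODJ%connector%'"
if (-not $Svc) { Write-Warning 'Intune ODJ connector service not found on this host' }
foreach ($s in $Svc) {
    $ok = ($s.StartName -like "*\$MsaName`$") -and ($s.StartMode -eq 'Auto') -and ($s.State -eq 'Running')
    '{0}: account={1} startmode={2} state={3} -> {4}' -f $s.DisplayName, $s.StartName, $s.StartMode, $s.State,
        $(if ($ok) { 'OK' } else { 'CHECK' })
}
```

Run this from an elevated PowerShell session on the connector host (or any domain-joined host with RSAT) using an account that can modify the OU’s security descriptor. The ACE is written with inheritance set to All so that computer objects can also be created in sub-OUs; use None instead if the connector should only ever write directly into that one OU.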
Important Tips for Smooth Setup
- Install the connector with an account that can create msDS-ManagedServiceAccount objects in Active Directory and that has local administrator rights on the connector host.
- Monitor Event Viewer under Applications and Services Logs > Microsoft > Intune > ODJConnectorService for event IDs 30120, 30130, and 30140 to confirm the connector is working.
- Ignore the “Configure Managed Service Account” permission error if it appears after setup and the service is running under the MSA; it is a known issue slated for a future fix.
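A PowerShell check for the event IDs listed above, as an added example (not a script from the article or from Microsoft). Because the article names the Event Viewer folder but not the underlying channel name, the script resolves the channel by pattern rather than hard-coding it; the one-day lookback window and the expectation that the three success IDs appear together are assumptions.

```powershell
# Added example (not from the article): confirm the connector is healthy by looking for
# success events 30120, 30130 and 30140 in the ODJConnectorService channel, and surface
# any error-level events so the known "Configure Managed Service Account" error can be
# distinguished from real failures.
$Channel = (Get-WinEvent -ListLog '*ODJConnectorService*' -ErrorAction SilentlyContinue |
            Select-Object -First 1).LogName                  # assumed: resolve channel by pattern
if (-not $Channel) { throw 'No ODJConnectorService event channel found; is the connector installed?' }

$SuccessIds = 30120, 30130, 30140
$Since      = (Get-Date).AddDays(-1)                        # assumed lookback window

$Filter = @{ LogName = $Channel; Id = $SuccessIds; StartTime = $Since }
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Seen    = @($Events | Select-Object -ExpandProperty Id -Unique)
$Missing = $SuccessIds | Where-Object { $_ -notin $Seen }

if ($Missing) {
    Write-Warning ("Missing success event(s) {0} in {1} since {2}; verify the service account and OU permissions." `
        -f ($Missing -join ', '), $Channel, $Since)
} else {
    "All success events present in $Channel since $Since"
}
$Events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Error-level events (Level 2). The article says the "Configure Managed Service Account"
# error can be ignored after setup once the permission was granted manually; anything else deserves a look.
$Errors = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Level = 2; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $Errors) {
    $tag = if ($e.Message -like '*Configure Managed Service Account*') { 'known issue' } else { 'INVESTIGATE' }
    '{0} [{1}] {2}: {3}' -f $e.TimeCreated, $tag, $e.Id, ($e.Message -split "`n")[0]
}
```

Run it on the connector host after a test Autopilot deployment; an empty success list combined with an error that is not the known MSA message usually points back to the OU permission step.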
“Older versions of the connector will cease to operate successfully starting July 2025.” – Microsoft Intune Support Team
“The new Intune Connector strengthens security by following the least privilege principle using a Managed Service Account.” – Arpit Sinha, Microsoft Intune Engineer
Why This Matters for IT Pros
Microsoft Entra hybrid join (formerly hybrid Azure AD join) during Windows Autopilot is powerful but can be tricky to configure and support. The updated Intune Connector tightens the connector’s security without changing what it does for provisioning. Ensuring the MSA has the correct permissions avoids frustrating errors and downtime.
By staying current with this update, IT admins can confidently provision devices with Autopilot and maintain a secure, hybrid environment.
Final Thoughts
Don’t delay upgrading your Intune Connector for Active Directory. Follow Microsoft’s guidance carefully, especially around MSA permissions. Keep an eye on event logs to confirm everything runs smoothly. And if you run into issues, the community and Microsoft support channels are there to help.
Ready to streamline your Windows Autopilot deployments? This update is a must-have for secure, hybrid device management.
From the Intune Customer Success articles
