Install the Microsoft Entra provisioning agent by using a CLI and PowerShell
This article shows you how to install the Microsoft Entra provisioning agent by using PowerShell cmdlets.
Note
This article deals with installing the provisioning agent by using the command-line interface (CLI). For information on how to install the Microsoft Entra provisioning agent by using the wizard, see Install the Microsoft Entra provisioning agent.
Prerequisite
The Windows server must have TLS 1.2 enabled before you install the Microsoft Entra provisioning agent by using PowerShell cmdlets. To enable TLS 1.2, follow the steps in Prerequisites for Microsoft Entra Cloud Sync.
Important
The following installation instructions assume that all the prerequisites were met.
Install the Microsoft Entra provisioning agent by using PowerShell cmdlets
Tip
Steps in this article might vary slightly based on the portal you start from.
- Sign in to the Microsoft Entra admin center as at least a Hybrid Administrator.
- Browse to Identity > Hybrid management > Microsoft Entra Connect > Cloud sync.
- Select Manage.
- Click Download provisioning agent.
- On the right, click Accept terms and download.
- For the purposes of these instructions, the agent was downloaded to the C:\temp folder.
- Install ProvisioningAgent in quiet mode.
$installerProcess = Start-Process 'c:\temp\AADConnectProvisioningAgentSetup.exe' /quiet -NoNewWindow -PassThru
$installerProcess.WaitForExit()
- Import the Provisioning Agent PS module.
Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.PowerShell.dll"
- Connect to Microsoft Entra ID by using an account with the hybrid identity role. You can customize this section to fetch a password from a secure store.
$hybridAdminPassword = ConvertTo-SecureString -String "Hybrid Identity Administrator password" -AsPlainText -Force
$hybridAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("[email protected]", $hybridAdminPassword)
Connect-AADCloudSyncAzureAD -Credential $hybridAdminCreds
- Add the gMSA account, and provide credentials of the domain admin to create the default gMSA account.
$domainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force
$domainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $domainAdminPassword)
Add-AADCloudSyncGMSA -Credential $domainAdminCreds
- Or use the same cmdlet with the -CustomGMSAName parameter to provide a precreated gMSA account.
Add-AADCloudSyncGMSA -CustomGMSAName preCreatedGMSAName$
- Add the domain.
$contosoDomainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force
$contosoDomainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $contosoDomainAdminPassword)
Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds
- Or use the same cmdlet with the -PreferredDomainControllers parameter to configure preferred domain controllers.
$preferredDCs = @("PreferredDC1", "PreferredDC2", "PreferredDC3")
Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds -PreferredDomainControllers $preferredDCs
- Repeat the previous step to add more domains. Provide the account names and domain names of the respective domains.
- Restart the service.
Restart-Service -Name AADConnectProvisioningAgent
- Go to the Microsoft Entra admin center to create the cloud sync configuration.
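The scripted steps above combined into one script, as an added example that is not part of the original article: it reads both credentials from a Microsoft.PowerShell.SecretManagement vault instead of inline plaintext strings, and stops if the installer's signature or exit code is bad. The vault name `ProvisioningVault` and the secret names `HybridAdminCred` and `DomainAdminCred` are assumptions, each secret stored as a PSCredential.

```powershell
# Added example, not the article's own script.
# Assumed names: vault 'ProvisioningVault', secrets 'HybridAdminCred' and
# 'DomainAdminCred', each stored in the vault as a PSCredential object.
#Requires -Modules Microsoft.PowerShell.SecretManagement
$ErrorActionPreference = 'Stop'

$installer = 'C:\temp\AADConnectProvisioningAgentSetup.exe'

# Refuse to run an installer whose Authenticode signature does not validate.
# 'Valid' covers file hash and certificate chain; it does not pin the publisher.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; not running it."
}

# Quiet install; stop on a nonzero exit code instead of continuing.
$proc = Start-Process -FilePath $installer -ArgumentList '/quiet' -NoNewWindow -PassThru -Wait
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)."
}

Import-Module 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.PowerShell.dll'

# Get-Secret returns the stored PSCredential; no password appears in the script
# or in the PowerShell history and transcript logs.
$hybridAdminCreds = Get-Secret -Name 'HybridAdminCred' -Vault 'ProvisioningVault'
$domainAdminCreds = Get-Secret -Name 'DomainAdminCred' -Vault 'ProvisioningVault'
foreach ($cred in $hybridAdminCreds, $domainAdminCreds) {
    if ($cred -isnot [pscredential]) { throw 'Expected a PSCredential from the vault.' }
}

try {
    Connect-AADCloudSyncAzureAD -Credential $hybridAdminCreds
    Add-AADCloudSyncGMSA -Credential $domainAdminCreds
    Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $domainAdminCreds
    Restart-Service -Name AADConnectProvisioningAgent
}
finally {
    # Drop the credential objects from the session whether the steps succeed or fail.
    Remove-Variable hybridAdminCreds, domainAdminCreds -ErrorAction SilentlyContinue
}
```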
Provisioning agent gMSA PowerShell cmdlets
Now that you've installed the agent, you can apply more granular permissions to the gMSA. For information and step-by-step instructions on how to configure the permissions, see Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets.
Installing against US government cloud
By default, the Microsoft Entra provisioning agent installs against the default Azure cloud environment. If you are installing the agent for use in the US government cloud, do the following:
- In step #8, add ENVIRONMENTNAME=AzureUSGovernment to the command line, as in the following example.
$installerProcess = Start-Process -FilePath "c:\temp\AADConnectProvisioningAgent.Installer.exe" -ArgumentList "/quiet ENVIRONMENTNAME=AzureUSGovernment" -NoNewWindow -PassThru
$installerProcess.WaitForExit()