
Update credential prompts for clarity on roles #1868

Open
harrisaoz wants to merge 1 commit into MicrosoftDocs:main from harrisaoz:patch-1


@harrisaoz

Parameter description for: Get-Credential -Message (CloudCredential parameter of Set-AzureADKerberosServer)

Issue

The documentation currently states:
“An Active Directory user who is a member of the Hybrid Identity Administrators group for Microsoft Entra ID.”

This wording is inaccurate and misleading. Hybrid Identity Administrator is a Microsoft Entra ID role, not an on‑premises Active Directory group. The CloudCredential used with Set-AzureADKerberosServer must represent a Microsoft Entra ID account, and its permissions are evaluated in the cloud, not through AD DS group membership.

Recommended Correction

Replace the sentence with the following:
“A Microsoft Entra ID user who is assigned the Hybrid Identity Administrator role.”

Rationale

The CloudCredential parameter requires authentication to Microsoft Entra ID endpoints, which means the credential must be an Entra ID identity, not an AD DS account (even if the user happens to also exist on-prem). Role assignment for Hybrid Identity Administrator occurs in Entra ID, not in on‑prem Active Directory. This wording aligns with how permissions for Entra Kerberos server object creation are actually evaluated.
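
The role-versus-group distinction discussed above can be checked before running Set-AzureADKerberosServer. The following is an added example, not part of the pull request or the Microsoft documentation: it assumes the Microsoft Graph PowerShell SDK is installed and the caller can read directory role assignments, and the function name `Test-HybridIdentityAdministrator` is hypothetical.

```powershell
# Added example: confirm that the account intended for -CloudCredential holds the
# Hybrid Identity Administrator role in Microsoft Entra ID (not an AD DS group).
# Assumption: Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance are installed.

function Test-HybridIdentityAdministrator {
    param(
        [Parameter(Mandatory)]
        [string] $UserPrincipalName
    )

    $roleName = 'Hybrid Identity Administrator'

    # Role definitions live in Entra ID; look the role up by display name.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $role) {
        throw "Role definition '$roleName' was not found in this tenant."
    }

    # Resolve the cloud identity. A pure AD DS account that is not synced to Entra ID fails here.
    $user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop

    # Active, direct role assignments for this principal.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)'" -All |
        Where-Object { $_.RoleDefinitionId -eq $role.Id }

    return [bool] $assignments
}

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

# Prompt text taken from the wording proposed in this pull request.
$cloudCred = Get-Credential -Message 'A Microsoft Entra ID user who is assigned the Hybrid Identity Administrator role.'

if (Test-HybridIdentityAdministrator -UserPrincipalName $cloudCred.UserName) {
    Write-Host "$($cloudCred.UserName) holds the role in Entra ID."
} else {
    Write-Warning "$($cloudCred.UserName) has no direct active assignment of the role in Entra ID."
}
```

The check covers direct, active assignments only; a role held through a role-assignable group, or one that is eligible in Privileged Identity Management but not activated, is not reported by this query.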

@prmerger-automator
Contributor

@harrisaoz : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

@learn-build-service-prod
Contributor

Learn Build status updates of commit fce806f:

✅ Validation status: passed

| File | Status | Preview URL | Details |
| --- | --- | --- | --- |
| docs/identity/authentication/howto-authentication-passwordless-security-key-on-premises.md | ✅ Succeeded | | |

For more details, please refer to the build report.

Contributor

Copilot AI left a comment


Pull request overview

This PR updates the credential prompt documentation for the Set-AzureADKerberosServer command to accurately reflect that the Hybrid Identity Administrator is a Microsoft Entra ID role, not an on-premises Active Directory group.

Changes:

  • Corrects the description of the cloud credential requirement to specify it must be a Microsoft Entra ID user with the Hybrid Identity Administrator role assigned
  • Updates both the code comment and the Get-Credential prompt message for consistency


@Court72
Contributor

Court72 commented Jan 23, 2026

@Justinha

Can you review the proposed changes?

Important: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team
