When we use a managed service like Google Cloud’s Managed Service for Microsoft Active Directory or AWS Managed Microsoft AD, we don’t get full domain admin access to Active Directory. Instead, the services grant us delegated admin access, which is fairly powerful, but not as powerful as domain admin.
One example where the lack of domain admin access becomes an issue is AD FS. By default, installing AD FS requires domain admin access, and the deployment wizard refuses to cooperate if we don't have it. The Microsoft docs contain a guide for creating an AD FS farm without domain admin privileges, but even this guide requires at least some of the steps to be run as domain admin.
But it’s possible to deploy AD FS without domain admin privileges and in a new guide, Deploying Active Directory Federation Services, I described how that works with Google Cloud’s Managed Service for Microsoft Active Directory.
On a related note, it’s disappointing that AD FS still doesn’t support CNG-based certificates for token signing and encryption.
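Because AD FS only accepts certificates whose private key is held by a legacy CryptoAPI provider (CSP) and not by a CNG key storage provider (KSP), it is worth checking which backend a candidate token-signing or token-encryption certificate uses before selecting it. The following PowerShell snippet is an added example, not code from the original post or from Microsoft; it assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, run in an elevated session so the private keys in the local machine store are readable. The function name `Get-CertificateKeyBackend` and the `Backend`/`Provider` output fields are hypothetical names chosen for this example.

```powershell
# Added example (not from the original post): classify each certificate in the
# local machine "My" store by the backend that holds its private key, either a
# CNG key storage provider (KSP) or a legacy CryptoAPI provider (CSP), so that
# a certificate intended for AD FS token signing/encryption can be checked first.
# Assumes Windows PowerShell 5.1 (.NET Framework 4.6+), run elevated.

function Get-CertificateKeyBackend {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $backend  = 'NoPrivateKey'
    $provider = $null

    if ($Certificate.HasPrivateKey) {
        try {
            # GetRSAPrivateKey returns RSACng for keys held by a CNG KSP and
            # RSACryptoServiceProvider for keys held by a legacy CSP.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)

            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $backend  = 'CNG'
                $provider = $rsa.Key.Provider.Provider
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $backend  = 'CSP'
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            }
            else {
                # Null for non-RSA keys (e.g. ECDSA); AD FS token signing expects RSA anyway.
                $backend = 'Other'
            }

            if ($null -ne $rsa) { $rsa.Dispose() }
        }
        catch [System.Security.Cryptography.CryptographicException] {
            # Private key exists but is not accessible from this security context.
            $backend = 'Inaccessible'
        }
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Backend    = $backend
        Provider   = $provider
        Subject    = $Certificate.Subject
        NotAfter   = $Certificate.NotAfter
    }
}

# Usage: list every certificate in the machine store with its key backend.
# Only rows whose Backend is 'CSP' are candidates for AD FS token signing/encryption.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CertificateKeyBackend -Certificate $_ } |
    Sort-Object Backend, Subject |
    Format-Table Thumbprint, Backend, Provider, Subject, NotAfter -AutoSize
```

The `Backend` column is the decisive one: a value of `CNG` means the key was generated through a key storage provider (for example via a certificate template configured for KSP), and the certificate will not be usable for AD FS token signing or encryption regardless of what the `Provider` string says. Reissuing the certificate from a template that uses a legacy CSP is the usual remedy; keys cannot be moved between the two backends in place.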