Accounts ##MS_JobAccount##, ##MS_SyncAccount##, ##MS_SyncResourceManager##

  • Question

  • We see these users in our databases. We need details on when these accounts are created and how the credentials for these accounts are maintained. Thanks.
    Tuesday, November 5, 2019 5:32 AM

All replies

  • Was this database part of an elastic pool and moved out?

    (or) 

    Was it part of a sync group or a sync metadata database?

    If the database is not part of the sync anymore, you can consider removing the users.

    Please check this script to remove the Data Sync metadata objects.

    Tuesday, November 5, 2019 9:33 AM
    Moderator
  • Two databases are participating in the sync and this sync is needed. In the database->users, we are able to see ##MS_SyncAccount## and ##MS_SyncResourceManager## accounts. The question is

    a) are these user accounts auto created?

    b) how are the credentials for these user accounts maintained?

    c) can anyone go change the credentials of these users?

    Please let us know on the above. We need this information for auditing purposes. Thanks.

    Tuesday, November 5, 2019 10:01 AM
  • We have reached out internally for more clarification.

    I will update this thread accordingly.

    Thursday, November 7, 2019 3:30 PM
    Moderator
  • Thank you, any quick update on this will help.
    Monday, November 11, 2019 6:19 AM
  • Hi Kothai,

    What I have found is the following related to Security and Reliability available on the Best Practices for Azure Data Sync document. And the Data Sync Agent for Azure SQL Data Sync document does not detail the SQL Level and Database level account information. What is lacking is clear guidance on the service accounts and how these could be managed under a security audit. The first document I have identified should have more detail about these accounts although some basic information is provided.

    I see you are an internal Microsoft employee. I will reach out to you directly with additional guidance.

    Regards,

    Mike

    Tuesday, November 12, 2019 7:46 PM
    Moderator
  • Thank you for the details Mike. I will connect with you on this.

    Regards,

    Kothai.

    Wednesday, November 13, 2019 5:17 AM
  • Posting response from product group for the rest of the community

    There is no password for these accounts – they use certificate authentication. The certificate is associated with the logical server so that actors (e.g., job agent, data sync agent, Hyperscale components, etc.) within the same logical server can communicate.

    Friday, November 15, 2019 2:44 AM
    Moderator
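
An audit check for the accounts discussed in this thread, added here as an example and not part of any reply or of Microsoft's documentation: two T-SQL queries against the standard catalog views that report when each `##MS_...##` user was created, how it authenticates, and what roles and explicit permissions it holds. It assumes you run it in each user database under review with permission to view database principals.

```sql
-- Added example: inventory of the ##MS_...## service users in the current database.
-- '_' is a LIKE wildcard, so it is escaped as [_]; '#' is a literal character.

-- 1) Creation time, principal type, authentication type and role membership.
SELECT
    dp.name                      AS principal_name,
    dp.type_desc                 AS principal_type,       -- how the user is mapped
    dp.authentication_type_desc  AS authentication_type,  -- how the user authenticates
    dp.create_date,
    dp.modify_date,                                       -- last change to the principal
    r.name                       AS member_of_role
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.name LIKE N'##MS[_]%##'
ORDER BY dp.name, r.name;

-- 2) Permissions granted or denied directly to those users.
SELECT
    dp.name              AS principal_name,
    pe.state_desc        AS permission_state,   -- GRANT, DENY, ...
    pe.permission_name,
    pe.class_desc        AS securable_class,    -- DATABASE, SCHEMA, OBJECT_OR_COLUMN, ...
    CASE pe.class_desc
        WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
        WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
        ELSE NULL
    END                  AS securable_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS dp
  ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name LIKE N'##MS[_]%##'
ORDER BY dp.name, pe.class_desc, pe.permission_name;
```

Saving both result sets per database gives a baseline; a later change in `modify_date`, role membership or permissions for these users is the item to follow up on.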