Assign Hybrid Identity Administrator Pre AD Connect

Justin Lee 221

How do I assign a user a Hybrid Identity Admin in Azure to setup AAD connect when we don’t have users yet because we haven’t connected to AD DS

Andy David - MVP 141.5K Reputation points MVP

2023-01-30T22:46:49.0166667+00:00

See my previous answer above for the permissions required. You need just the Global Admin to install:

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#accounts-used-for-azure-ad-connect

Once installed, you can assign the Hybrid Identity Admin to any user you want or you do not need to assign it and you can use the existing Global Admin account to access the Menus in Azure for AADConnect health

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator

Accepted answer

Thameur-BOURBITA 32,501 Reputation points

2023-01-29T19:33:56.9433333+00:00

Hi,

If I pretty understand your question, you want create a admin account to manage and configure Azure AD connect.

To setup AAD connect you have to use a admin account in same domain of AAD connect.

A admin cloud-only can't setup azure AD connect.

This admin account should be not synched in azure. It's not recommended to synchronize on-premise admin account.

Please don't forget to mark helpful answer as accepted
Please sign in to rate this answer.
Justin Lee 221 Reputation points

2023-01-30T20:52:01.6466667+00:00

I read in the documentation that we need a user with Hybrid Identity privileges for AAD Connect. That privilege is in Azure. If I haven’t gotten any users into Azure, how do I assign this privilege.

Thameur-BOURBITA 32,501 Reputation points

2023-01-30T21:39:12.3666667+00:00

Hi @Justin lee

If you are talking about the first installation of Azure AD connect , you have to use a cloud only account (not a hybrid identity) member of Global Admin group to connect to Azure AD during the first installation and another admin account member of local administrators group of Azure AD connect to launch the installation:

Please don't forget to mark helpful answer as accepted*

Justin Lee 221 Reputation points

2023-01-30T22:31:04.9+00:00

That’s great! Thanks so much! Now how do I get one of my admins logged into Azure AD to create a global admin account? How do I get the first person licensed to be able to use Azure? I guess that’s my real question.

Thameur-BOURBITA 32,501 Reputation points

2023-01-30T23:07:15.6066667+00:00

If you have already a tenant , you have to ask a admin with the role Global admin to create a admin account for with the role Global Admin. If the tenant is not created , when you create it , the first user is Global Admin: Create a new tenant in Azure Active Directory.

Regarding the licence I invite you to read the following link:

Assign Microsoft 365 licenses to users
Sign in to comment

1 additional answer

Andy David - MVP 141.5K Reputation points MVP

2023-01-29T14:52:30.68+00:00

HI, the AADConnect setup requires a Global Admin to initially set things up:

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#accounts-used-for-azure-ad-connect

The hybrid Identity Role role is a standard one in Azure. You can certainly add any account you want to this role to manage options in Azure.

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator

To assign:

https://learn.microsoft.com/en-us/azure/active-directory/roles/manage-roles-portal#assign-a-role
Please sign in to rate this answer.
Justin Lee 221 Reputation points

2023-01-30T20:54:57.4133333+00:00

Yes I knew it was a standard role. I’m just unsure of how to assign roles if I have no users in AAD because I haven’t setup AAD connect. Do I just manually add a user to assign this to?
Sign in to comment