Hybrid Identity Administrator

mehar 21 Reputation points


I need to synchronize users from on-prem AD (I don't have access to it). But our client has access, and I need to assign Hybrid Identity Administrator to a user to be able to do the sync. As this role is an admin role, is there any way to do the sync without giving external users an admin role such as Hybrid Identity Administrator? Is it secure to give this role to a client to sync his users to our Azure AD?

If I get access to the on-prem AD, is it secure to do the sync with a Global Admin user? Is there a risk that the creds are used by external clients to do other things than the user sync?


Microsoft Entra ID

2 answers

  1. Andy David - MVP 137.9K Reputation points MVP

    Well, there is always risk, but I would recommend using Hybrid Identity Administrator: assign that to a hosted Azure account that isn't synced from on-prem, enable PIM, and require MFA as well.



  2. Michael Durkan 12,271 Reputation points MVP


    If your client has their AD Connect Sync configured correctly as per the requirements in the link below, the Hybrid Admin account that is used to run the Sync Service should be a cloud-only account that is only used for that purpose, and not a synced account that has a multitude of other rights (domain-based and cloud-based) assigned to it:


    Hope this helps,


    Michael Durkan

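The two answers above describe one procedure: a cloud-only account that is used for nothing but the sync, made eligible through PIM rather than permanently assigned, and protected by MFA. The script below is an added example of that procedure using the Microsoft Graph PowerShell SDK; it is not code from either answer or from Microsoft. The tenant domain, the account name, the eligibility duration and the Conditional Access policy name are assumptions. It also verifies what the second answer asks for (that the account is not synced from on-prem AD) and finishes with an audit of who still holds the role as a permanent active assignment.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.SignIns
# Added example (not from the thread): cloud-only sync account, PIM-eligible for
# Hybrid Identity Administrator, MFA required for the role via Conditional Access.
# All names below (tenant, UPN, policy name) are assumptions for illustration.

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Policy.ReadWrite.ConditionalAccess'

$upn = 'svc-entraconnect-admin@contoso.onmicrosoft.com'   # assumed cloud-only UPN

# 1. Create the account directly in Entra ID. It has no ImmutableId, so Entra
#    Connect can never soft-match it to an on-prem object and take it over.
$chars = [char[]]((48..57) + (65..90) + (97..122))
$initialPassword = -join ($chars | Get-Random -Count 32)
$user = New-MgUser -AccountEnabled -DisplayName 'Entra Connect Admin (cloud-only)' `
    -UserPrincipalName $upn -MailNickname 'svc-entraconnect-admin' `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# 2. Verify the account is cloud-only. A synced account carries
#    OnPremisesSyncEnabled = $true and an OnPremisesImmutableId.
$check = Get-MgUser -UserId $user.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId
if ($check.OnPremisesSyncEnabled -or $check.OnPremisesImmutableId) {
    throw "$upn is synchronised from on-prem AD; it must not hold the sync role."
}

# 3. Make the account PIM-eligible for Hybrid Identity Administrator. Eligible
#    means the client must activate (with justification and MFA) for each use;
#    there is no standing admin privilege on the account between runs.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Hybrid Identity Administrator'"
$eligibility = @{
    Action           = 'adminAssign'
    Justification    = 'Entra Connect sync account; activation required per use'
    RoleDefinitionId = $role.Id
    DirectoryScopeId = '/'
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'afterDuration'; Duration = 'P365D' }   # assumed: review yearly
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 4. Conditional Access: every holder of this directory role must pass MFA for
#    every app. Created in report-only mode so the sign-in log can be reviewed
#    before it is switched to 'enabled'.
$caPolicy = @{
    DisplayName   = 'Require MFA - Hybrid Identity Administrator'   # assumed name
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users        = @{ IncludeRoles = @($role.TemplateId) }
        Applications = @{ IncludeApplications = @('All') }
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# 5. Audit: active assignments to the role with no end date are permanent
#    admins, which is exactly what the eligible model is meant to replace.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'" |
    Where-Object { -not $_.EndDateTime } |
    Select-Object PrincipalId, AssignmentType, StartDateTime, EndDateTime
```

The step that most directly answers the question is the check in step 2: the risk the original poster is worried about (on-prem credentials being reused in the cloud, or cloud rights flowing back into the client's domain) only exists when the account is synced, so a cloud-only account plus an eligible, MFA-gated assignment limits what the client can do to activating the role and running the sync. A Global Administrator account is not needed for the sync itself and should not be used for it.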