This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 80%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi,
I need to synchronize users from on prem AD (not having access to it). But our client have access and I need to assign Hybrid Identity Administrator to a user to be able to do the sync. As this role is an admin role, Is there any way to do sync without giving external users an admin role such as Hybrid Identity Administrator? Is it secure to give this role to a client? to sync his users to our Azure AD?
If I get access to the on prem AD, is is secure to do sync with global admin user? is there risque that creds are used by external clients to do other things than the users sync
Regards,
Well, there is always risk, but I would recommend using Hybrid Identity Administrator, assign that to a hosted Azure account that isnt synced from on-prem and enable PIM and requiring MFA as well.
Hi
If your client has their AD Connect Sync configured correctly as per the requirements in the link below, the Hybrid Admin account that is used to run the Sync Service should be a Cloud-Only account that is only used for that purpose and not a sync-ed account that has a multitude of other rights (Domain-based and Cloud-based) assigned to it:
Hope this helps,
Thanks
Michael Durkan