Well, there is always risk, but I would recommend using Hybrid Identity Administrator, assign that to a hosted Azure account that isn't synced from on-prem, and enable PIM and require MFA as well.
Hybrid Identity Administrator
Hi,
I need to synchronize users from on-prem AD (which I don't have access to). Our client has access, and I need to assign Hybrid Identity Administrator to a user to be able to do the sync. As this role is an admin role, is there any way to do the sync without giving external users an admin role such as Hybrid Identity Administrator? Is it secure to give this role to a client, to sync their users to our Azure AD?
If I get access to the on-prem AD, is it secure to do the sync with a Global Admin user? Is there a risk that the creds are used by external clients to do other things than the user sync?
Regards,
Michael Durkan 12,216 Reputation points MVP
2023-08-01T13:29:33.14+00:00
Hi
If your client has their AD Connect Sync configured correctly as per the requirements in the link below, the Hybrid Admin account that is used to run the Sync Service should be a cloud-only account that is only used for that purpose, and not a synced account that has a multitude of other rights (domain-based and cloud-based) assigned to it:
Hope this helps,
Thanks
Michael Durkan
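The guidance in the comment above (cloud-only account, PIM, MFA) and in this answer (single-purpose account with no other rights) can be checked from the tenant side. The following script is an added example, not code from the thread or from Microsoft: it uses the Microsoft.Graph PowerShell SDK to list who currently holds the Hybrid Identity Administrator role and flags members that are synced from on-prem AD or that also hold other directory roles. The scopes and the `REVIEW`/`OK` labels are assumptions made for this example.

```powershell
# Added example (not from the Q&A thread): audit the holders of the
# Hybrid Identity Administrator role against the cloud-only, single-purpose guidance.
# Assumes the Microsoft.Graph PowerShell SDK is installed and you can consent to
# the read-only scopes below (assumed sufficient for this check).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$targetRole = "Hybrid Identity Administrator"

# Build a map of activated directory roles -> member object ids.
# directoryRoles only lists roles that have been activated in the tenant at least once.
$membership = @{}
foreach ($r in Get-MgDirectoryRole -All) {
    $membership[$r.DisplayName] = @(
        Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All | Select-Object -ExpandProperty Id
    )
}

if (-not $membership.ContainsKey($targetRole)) {
    Write-Output "Role '$targetRole' has never been activated in this tenant; nobody holds it permanently."
    return
}

foreach ($memberId in $membership[$targetRole]) {
    # Pull only the properties the check needs; OnPremisesSyncEnabled is $true for synced accounts.
    $u = Get-MgUser -UserId $memberId `
        -Property Id,UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled `
        -ErrorAction SilentlyContinue
    if (-not $u) {
        Write-Output "[REVIEW] $memberId is not a user (group or service principal); inspect separately"
        continue
    }

    $findings = @()
    if ($u.OnPremisesSyncEnabled -eq $true) {
        $findings += "synced from on-prem AD (should be a cloud-only account)"
    }

    # A single-purpose sync account should hold no other directory roles.
    $otherRoles = $membership.Keys | Where-Object {
        $_ -ne $targetRole -and $membership[$_] -contains $u.Id
    }
    if ($otherRoles) {
        $findings += "also holds: $($otherRoles -join ', ')"
    }

    if (-not $u.AccountEnabled) {
        $findings += "account is disabled but still assigned"
    }

    $status = if ($findings) { "REVIEW" } else { "OK" }
    Write-Output ("[{0}] {1} {2}" -f $status, $u.UserPrincipalName, ($findings -join '; '))
}
```

Only permanent (active) assignments appear as role members here. An account that is merely PIM-eligible for the role, which is the arrangement the comment above recommends, will not show up until it activates, so an empty or `OK`-only result combined with a PIM eligibility for the client's cloud-only account is the expected healthy state.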