Well, there is always risk, but I would recommend using Hybrid Identity Administrator, assigning that to a hosted Azure account that isn't synced from on-prem, and enabling PIM and requiring MFA as well.
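The three conditions in the answer above (cloud-only account, PIM, MFA) can be checked against exported role data. This is an added example, not part of the original answer: the records are constructed, `roleName` is a hypothetical pre-joined field, and the other field names assume the shape of Microsoft Graph user, role assignment schedule instance, and PIM enablement-rule objects.

```python
ROLE = "Hybrid Identity Administrator"

# Constructed sample data (not from a real tenant).
USERS = {
    "u1": {"userPrincipalName": "sync-admin@contoso.onmicrosoft.com",
           "onPremisesSyncEnabled": None},   # cloud-only account
    "u2": {"userPrincipalName": "jdoe@contoso.com",
           "onPremisesSyncEnabled": True},   # synced from on-prem AD
}
ASSIGNMENTS = [
    {"principalId": "u1", "roleName": ROLE, "assignmentType": "Activated"},
    {"principalId": "u2", "roleName": ROLE, "assignmentType": "Assigned"},
    {"principalId": "u2", "roleName": "Global Reader", "assignmentType": "Assigned"},
]
# Assumed: the enabledRules list of the role's PIM activation policy.
ACTIVATION_RULES = ["MultiFactorAuthentication", "Justification"]


def audit_role_holders(assignments, users, activation_rules):
    """Return {upn: [issues]} for each role holder that breaks a condition."""
    mfa_on_activation = "MultiFactorAuthentication" in activation_rules
    findings = {}
    for a in assignments:
        if a["roleName"] != ROLE:
            continue
        user = users[a["principalId"]]
        issues = []
        # Condition 1: the account must not be synced from on-prem AD.
        if user.get("onPremisesSyncEnabled") is True:
            issues.append("synced from on-prem")
        # Condition 2: the role is held through PIM activation, not standing.
        if a["assignmentType"] == "Assigned":
            issues.append("permanent assignment (no PIM)")
        # Condition 3: PIM activation must require MFA.
        elif not mfa_on_activation:
            issues.append("PIM activation without MFA")
        if issues:
            findings.setdefault(user["userPrincipalName"], []).extend(issues)
    return findings


if __name__ == "__main__":
    for upn, issues in audit_role_holders(ASSIGNMENTS, USERS, ACTIVATION_RULES).items():
        print(f"{upn}: {', '.join(issues)}")
```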
Hybrid Identity Administrator
I need to synchronize users from on-prem AD (not having access to it). But our client has access and I need to assign Hybrid Identity Administrator to a user to be able to do the sync. As this role is an admin role, is there any way to do the sync without giving external users an admin role such as Hybrid Identity Administrator? Is it secure to give this role to a client to sync his users to our Azure AD?
If I get access to the on-prem AD, is it secure to do the sync with a global admin user? Is there a risk that creds are used by external clients to do other things than the users sync?