This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Based on this article: https://learn.microsoft.com/en-us/exchange/hybrid-deployment/deploy-hybrid#use-the-exchange-admin-center-and-hybrid-configuration-wizard-to-create-a-full-classic-hybrid-deployment
Does the service account used by Hybrid Configuration Wizard to create a full classic hybrid deployment can be my own admin account with MFA/2FA enforced?
Or is this must be a separate OnPremise AD account with the Global Administrator role with no MFA/2FA enforced?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @EnterpriseArchitect ,
I am writing to see how everything is going on with this thread. If the replies below are helpful, do you mind accepting it as answer? If you still have further concern on this, please feel free to let us know.
The HCW supports using accounts protected by MFA, yes. And all your Global admins should be protected by MFA!
@Vasil Michev ,
OK, do I have to create a separate service account without 2FA/MFA as Global Admin to do this purpose?
or can I just use my Admin account which is already enforced with 2FA/MFA?
Any account would do, with or without MFA. No need to create another one, you will be able to login even if the account is protected by MFA.
Hi @EnterpriseArchitect ,
Agree with Vasil that you can use your own account with MFA/2FA enabled.
According to this document, Hybrid deployment management accounts require the following role group memberships:
So, you just need to make sure your admin account has these permissions. As regards to your concern about MFA, it's supported to run HCW using an admin account enabled for MFA, see this article for more details.
By the way, if Vasil's reply answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query, feel free to comment down.
Hi @Yuki Sun-MSFT ,
OK, so do I need to create separate service account rather than using my own admin account for this task?
Thank you @Vasil Michev you are really helpful.
Hi @EnterpriseArchitect ,
Not quite clear about the exact role group membership of your current admin account, but as aforementioned, basically, there are 2 types of Admin accounts needed to run HCW:
You can use the existent admin accounts that meet the requirements, regardless of whether they are with or without MFA.
Here's one more blog with some screenshots for your reference:
(The UI might have changed a bit but the basic concepts still apply)
Modern HCW (Hybrid Agent): troubleshooting like a pro
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you @Yuki Sun for your assistance in this matter.