Microsoft Entra ID · Identity Governance
Directory Synchronization Accounts
System role used exclusively by the Microsoft Entra Connect service to synchronize on-premises Active Directory with Microsoft Entra ID. Not intended for human assignment — Microsoft manages membership automatically when Entra Connect is configured.
Scope: Directory synchronization between on-premises AD and Microsoft Entra ID
Permissions
- Read and write all directory data needed for directory sync
- Create, update, and delete users, groups, and contacts
- Manage hybrid identity attributes
- Synchronize password hashes (if PHS is enabled)
- Read and update on-premises identity attributes
Common use cases
- Microsoft Entra Connect service authentication
- Microsoft Entra Connect cloud sync agent authentication
- Hybrid identity password hash synchronization
- Pass-through authentication agent authentication
Best practices
- Do NOT assign users to this role group
- Treat as a system role — Microsoft Entra Connect manages membership
- If you see unexpected human members, investigate immediately as a potential security issue
- Audit role membership changes via Entra audit logs
- Protect Entra Connect server with the same controls as a domain controller
Security considerations
- Effectively a Global Administrator equivalent for sync operations — extremely high privilege
- Unauthorized membership grants attacker the ability to manipulate directory objects
- The service account associated with this role is a TIER 0 asset
- Microsoft Entra Connect server must be protected as Tier 0 infrastructure
- Compromise of this role typically requires breach of the Entra Connect server
Common questions
When should I assign the Directory Synchronization Accounts role?
Assign Directory Synchronization Accounts when you need to: Microsoft Entra Connect service authentication; Microsoft Entra Connect cloud sync agent authentication; Hybrid identity password hash synchronization; and Pass-through authentication agent authentication. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Directory Synchronization Accounts role do?
The Directory Synchronization Accounts role grants permissions including: Read and write all directory data needed for directory sync; Create, update, and delete users, groups, and contacts; Manage hybrid identity attributes; Synchronize password hashes (if PHS is enabled); and Read and update on-premises identity attributes. See the Permissions section above for the full list.
What are the security risks of the Directory Synchronization Accounts role?
Key considerations when assigning Directory Synchronization Accounts: Effectively a Global Administrator equivalent for sync operations — extremely high privilege; Unauthorized membership grants attacker the ability to manipulate directory objects; The service account associated with this role is a TIER 0 asset; and Microsoft Entra Connect server must be protected as Tier 0 infrastructure. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.