Microsoft Entra ID · Identity Governance

Directory Synchronization Accounts

System role used exclusively by the Microsoft Entra Connect service to synchronize on-premises Active Directory with Microsoft Entra ID. Not intended for human assignment — Microsoft manages membership automatically when Entra Connect is configured.

Scope: Directory synchronization between on-premises AD and Microsoft Entra ID

Permissions

  • Read and write all directory data needed for directory sync
  • Create, update, and delete users, groups, and contacts
  • Manage hybrid identity attributes
  • Synchronize password hashes (if PHS is enabled)
  • Read and update on-premises identity attributes

Common use cases

  • Microsoft Entra Connect service authentication
  • Microsoft Entra Connect cloud sync agent authentication
  • Hybrid identity password hash synchronization
  • Pass-through authentication agent authentication

Best practices

  • Do NOT assign users to this role group
  • Treat as a system role — Microsoft Entra Connect manages membership
  • If you see unexpected human members, investigate immediately as a potential security issue
  • Audit role membership changes via Entra audit logs
  • Protect Entra Connect server with the same controls as a domain controller

Security considerations

  • Effectively a Global Administrator equivalent for sync operations — extremely high privilege
  • Unauthorized membership grants attacker the ability to manipulate directory objects
  • The service account associated with this role is a TIER 0 asset
  • Microsoft Entra Connect server must be protected as Tier 0 infrastructure
  • Compromise of this role typically requires breach of the Entra Connect server

Common questions

When should I assign the Directory Synchronization Accounts role?

Assign Directory Synchronization Accounts when you need to: Microsoft Entra Connect service authentication; Microsoft Entra Connect cloud sync agent authentication; Hybrid identity password hash synchronization; and Pass-through authentication agent authentication. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Directory Synchronization Accounts role do?

The Directory Synchronization Accounts role grants permissions including: Read and write all directory data needed for directory sync; Create, update, and delete users, groups, and contacts; Manage hybrid identity attributes; Synchronize password hashes (if PHS is enabled); and Read and update on-premises identity attributes. See the Permissions section above for the full list.

What are the security risks of the Directory Synchronization Accounts role?

Key considerations when assigning Directory Synchronization Accounts: Effectively a Global Administrator equivalent for sync operations — extremely high privilege; Unauthorized membership grants attacker the ability to manipulate directory objects; The service account associated with this role is a TIER 0 asset; and Microsoft Entra Connect server must be protected as Tier 0 infrastructure. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →