Microsoft Entra ID · Identity Governance
Directory Synchronization Accounts
System role used exclusively by the Microsoft Entra Connect service to synchronize on-premises Active Directory with Microsoft Entra ID. Not intended for human assignment — Microsoft manages membership automatically when Entra Connect is configured.
Scope: Directory synchronization between on-premises AD and Microsoft Entra ID
Permissions
- Read and write all directory data needed for directory sync
- Create, update, and delete users, groups, and contacts
- Manage hybrid identity attributes
- Synchronize password hashes (when password hash synchronization, PHS, is enabled)
- Read and update on-premises identity attributes
Common use cases
- Microsoft Entra Connect service authentication
- Microsoft Entra Connect cloud sync agent authentication
- Hybrid identity password hash synchronization
- Pass-through authentication agent authentication
Best practices
- Do NOT assign users to this role group
- Treat as a system role — Microsoft Entra Connect manages membership
- If you see unexpected human members, investigate immediately as a potential security issue
- Audit role membership changes via Entra audit logs
- Protect Entra Connect server with the same controls as a domain controller
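The membership check from the best practices above, as an added example that is not part of the original page: a Microsoft Graph PowerShell script (assumes the Microsoft.Graph SDK) that lists who holds the Directory Synchronization Accounts role and flags anything that does not look like a sync service account. The expected-name patterns (Sync_<server>_<id>@... for Entra Connect, ADToAADSyncServiceAccount@... for cloud sync) and the treatment of service principals as review items are assumptions to adjust for your tenant.

```powershell
# Added example: audit members of the Directory Synchronization Accounts role.
# Read-only scopes are sufficient for enumeration.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Well-known role template ID for Directory Synchronization Accounts
$templateId = "d29b2b05-8046-44ba-8758-1e26182fcf32"

# The directoryRole object exists only once the role has been activated in the tenant
$role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $templateId }
if (-not $role) {
    Write-Output "Directory Synchronization Accounts role is not active in this tenant."
    return
}

$review   = @()   # service principals: expected for app-based sync auth, still worth a look
$findings = @()   # anything else: human users, groups, unknown objects
foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    $props = $member.AdditionalProperties
    $type  = $props['@odata.type']
    $upn   = $props['userPrincipalName']
    $row   = [pscustomobject]@{ Id = $member.Id; Type = $type; Name = $props['displayName']; Upn = $upn }

    # Assumption: default sync accounts are users whose UPN starts with one of these prefixes
    $isSyncUser = ($type -eq '#microsoft.graph.user') -and
                  (($upn -like 'Sync_*') -or ($upn -like 'ADToAADSyncServiceAccount*'))

    if ($isSyncUser) { continue }
    elseif ($type -eq '#microsoft.graph.servicePrincipal') { $review += $row }
    else { $findings += $row }
}

if ($review.Count -gt 0) {
    Write-Output "Service principals holding the role (confirm they belong to Entra Connect):"
    $review | Format-Table -AutoSize
}
if ($findings.Count -eq 0) {
    Write-Output "OK: no unexpected members in Directory Synchronization Accounts."
} else {
    # Per the best practices above, any human or non-sync member is a potential security issue
    Write-Warning "Unexpected members of Directory Synchronization Accounts; investigate immediately:"
    $findings | Format-Table -AutoSize
}
```

Run this on a schedule alongside a review of "Add member to role" events in the Entra audit logs, so a membership change is caught even if the member is later removed.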
Security considerations
- Effectively a Global Administrator equivalent for sync operations — extremely high privilege
- Unauthorized membership grants an attacker the ability to manipulate directory objects
- The service account associated with this role is a TIER 0 asset
- Microsoft Entra Connect server must be protected as Tier 0 infrastructure
- Compromise of this role typically requires breach of the Entra Connect server