Microsoft Entra ID · Remaining Built-in Roles

Hybrid Identity Administrator

Can manage AD to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication, and federation settings for hybrid environments.

Scope: Full hybrid identity infrastructure management including sync, federation, and authentication

Permissions

Update application audience
Update app authentication
Create applications for cloud provisioning
Update application owners
Cloud provisioning management
Manage domain settings
Update domain federation
Hybrid auth policy
Update directory sync settings
Password hash sync
Manage Azure service health
Configure Microsoft Entra Connect settings
Manage cloud provisioning agents
Configure pass-through authentication
Manage AD FS and federation settings

Common use cases

Microsoft Entra Connect deployment and management
Cloud provisioning agent configuration
Hybrid authentication configuration
Pass-through authentication setup
Password hash sync configuration
Federation and AD FS management
Directory synchronization troubleshooting
Hybrid migration planning and execution
Domain verification and configuration

Best practices

Document sync and federation configurations
Monitor sync health regularly
Implement sync error alerting
Plan maintenance windows for sync updates
Test configuration changes in staging
Maintain disaster recovery documentation
Review attribute flow rules periodically
Consider migrating to cloud provisioning
Use PIM for elevated access

Security considerations

Can modify directory sync affecting all users
Can configure authentication methods
Federation changes affect authentication trust
Password hash sync is security-sensitive
Monitor for unauthorized sync configuration changes
Audit authentication method changes
Alert on domain federation modifications
Consider separation from on-premises AD admins

Official Microsoft Learn documentation →

Open the interactive RBACMap →