Microsoft Entra ID · Remaining Built-in Roles
Hybrid Identity Administrator
Can manage AD to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication, and federation settings for hybrid environments.
Scope: Full hybrid identity infrastructure management including sync, federation, and authentication
Permissions
- Update application audience
- Update app authentication
- Create applications for cloud provisioning
- Update application owners
- Cloud provisioning management
- Manage domain settings
- Update domain federation
- Hybrid auth policy
- Update directory sync settings
- Password hash sync
- Manage Azure service health
- Configure Microsoft Entra Connect settings
- Manage cloud provisioning agents
- Configure pass-through authentication
- Manage AD FS and federation settings
Common use cases
- Microsoft Entra Connect deployment and management
- Cloud provisioning agent configuration
- Hybrid authentication configuration
- Pass-through authentication setup
- Password hash sync configuration
- Federation and AD FS management
- Directory synchronization troubleshooting
- Hybrid migration planning and execution
- Domain verification and configuration
Best practices
- Document sync and federation configurations
- Monitor sync health regularly
- Implement sync error alerting
- Plan maintenance windows for sync updates
- Test configuration changes in staging
- Maintain disaster recovery documentation
- Review attribute flow rules periodically
- Consider migrating to cloud provisioning
- Use PIM for elevated access
Security considerations
- Can modify directory sync affecting all users
- Can configure authentication methods
- Federation changes affect authentication trust
- Password hash sync is security-sensitive
- Monitor for unauthorized sync configuration changes
- Audit authentication method changes
- Alert on domain federation modifications
- Consider separation from on-premises AD admins
Common questions
When should I assign the Hybrid Identity Administrator role?
Assign Hybrid Identity Administrator when you need to: Microsoft Entra Connect deployment and management; Cloud provisioning agent configuration; Hybrid authentication configuration; Pass-through authentication setup; and Password hash sync configuration. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Hybrid Identity Administrator role do?
The Hybrid Identity Administrator role grants permissions including: Update application audience; Update app authentication; Create applications for cloud provisioning; Update application owners; Cloud provisioning management; and Manage domain settings. See the Permissions section above for the full list.
What are the security risks of the Hybrid Identity Administrator role?
Key considerations when assigning Hybrid Identity Administrator: Can modify directory sync affecting all users; Can configure authentication methods; Federation changes affect authentication trust; and Password hash sync is security-sensitive. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.