StuartK73
Jan 18, 2026

Hybrid Identity Admin Questions

Hi All

I hope you are well.

Anyway, we are migrating our Entra Connect Sync server to its own dedicated server.

With regards to the Hybrid Identity admin role, do we:

  • Include MFA on this account
  • Configure as Eligible or Permanent in PIM

Info appreciated

Stuart

2 Replies

  • StuartK73

    Hi Buddy

    Many thanks for the info.

    I assume that the MFA has no bearing on Entra Syncs? And if / when doing any config work on the Entra Sync client, a PIM approval would be required first to elevate the access?

    Stuart

  • Microsoft strongly advises enabling Multi-Factor Authentication (MFA) for all privileged accounts, including the Hybrid Identity Administrator role. Within Privileged Identity Management (PIM), the recommended approach is to configure the role as Eligible rather than Permanent. This ensures that administrative access is granted only when required, thereby reducing standing privileges and enhancing overall security posture.

    Microsoft Entra built-in roles - Microsoft Entra ID | Microsoft Learn

    Privileged Identity Management documentation | Azure Docs
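
One way to check a tenant against the Eligible-rather-than-Permanent recommendation in the reply above, as an added example that is not part of the original thread. It assumes the input records were exported from the Microsoft Graph `roleManagement/directory/roleAssignmentScheduleInstances` and `roleEligibilityScheduleInstances` endpoints; the sample records and principal IDs are constructed.

```python
# Role template ID for Hybrid Identity Administrator as listed in Microsoft's
# built-in roles reference; confirm it in your own tenant before relying on it.
HYBRID_IDENTITY_ADMIN = "8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2"


def classify(instance):
    """Classify one active roleAssignmentScheduleInstance record."""
    if instance.get("assignmentType") == "Activated":
        return "pim_activation"   # eligible principal who elevated through PIM
    if instance.get("endDateTime") is None:
        return "permanent"        # standing privilege with no expiry
    return "time_bound"           # direct assignment that will expire


def audit(active, eligible, role_id=HYBRID_IDENTITY_ADMIN):
    """Group the principal IDs that hold role_id by how they hold it."""
    report = {"permanent": [], "time_bound": [], "pim_activation": [], "eligible": []}
    for inst in active:
        if inst.get("roleDefinitionId") == role_id:
            report[classify(inst)].append(inst["principalId"])
    for inst in eligible:
        if inst.get("roleDefinitionId") == role_id:
            report["eligible"].append(inst["principalId"])
    return report


# Constructed sample records shaped like Graph responses (not real tenant data).
OTHER_ROLE = "00000000-0000-0000-0000-000000000000"  # placeholder role ID
ACTIVE = [
    {"principalId": "user-a", "roleDefinitionId": HYBRID_IDENTITY_ADMIN,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "user-b", "roleDefinitionId": HYBRID_IDENTITY_ADMIN,
     "assignmentType": "Activated", "endDateTime": "2026-01-18T17:00:00Z"},
    {"principalId": "user-c", "roleDefinitionId": HYBRID_IDENTITY_ADMIN,
     "assignmentType": "Assigned", "endDateTime": "2026-02-01T00:00:00Z"},
    {"principalId": "user-d", "roleDefinitionId": OTHER_ROLE,
     "assignmentType": "Assigned", "endDateTime": None},
]
ELIGIBLE = [
    {"principalId": "user-b", "roleDefinitionId": HYBRID_IDENTITY_ADMIN},
    {"principalId": "user-e", "roleDefinitionId": HYBRID_IDENTITY_ADMIN},
]

if __name__ == "__main__":
    for bucket, principals in audit(ACTIVE, ELIGIBLE).items():
        print(f"{bucket}: {principals}")
```

Under the recommendation quoted above, the `permanent` bucket is the one to drive to empty; principals in `eligible` hold no access until they activate.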
