---
title: Hybrid Identity Administrator
description: Hybrid Identity Administrator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file
---


This is a privileged role. Users in this role can create, manage, and deploy the provisioning configuration from Active Directory to Microsoft Entra ID using Cloud Provisioning, and can manage Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Users in this role can also troubleshoot and monitor the related logs. The role does not grant access to manage Microsoft Entra Connect Health.

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.directory/applications/appRoles/update | Update the appRoles property on all types of applications |
> | microsoft.directory/applications/audience/update | Update the audience property for applications |
> | microsoft.directory/applications/authentication/update | Update authentication on all types of applications |
> | microsoft.directory/applications/basic/update | Update basic properties for applications |
> | microsoft.directory/applications/create | Create all types of applications |
> | microsoft.directory/applications/delete | Delete all types of applications |
> | microsoft.directory/applications/notes/update | Update notes of applications |
> | microsoft.directory/applications/owners/update | Update owners of applications |
> | microsoft.directory/applications/permissions/update | Update exposed permissions and required permissions on all types of applications |
> | microsoft.directory/applications/policies/update | Update policies of applications |
> | microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object |
> | microsoft.directory/applications/tag/update | Update tags of applications |
> | microsoft.directory/applicationTemplates/instantiate | Instantiate gallery applications from application templates |
> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |
> | microsoft.directory/cloudProvisioning/allProperties/allTasks | Read and configure all properties of Microsoft Entra cloud provisioning service |
> | microsoft.directory/deletedItems.applications/delete | Permanently delete applications, which can no longer be restored |
> | microsoft.directory/deletedItems.applications/restore | Restore soft deleted applications to original state |
> | microsoft.directory/domains/allProperties/read | Read all properties of domains |
> | microsoft.directory/domains/federation/update (privileged) | Update federation property of domains |
> | microsoft.directory/domains/federationConfiguration/basic/update | Update basic federation configuration for domains |
> | microsoft.directory/domains/federationConfiguration/create | Create federation configuration for domains |
> | microsoft.directory/domains/federationConfiguration/delete | Delete federation configuration for domains |
> | microsoft.directory/domains/federationConfiguration/standard/read | Read standard properties of federation configuration for domains |
> | microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks (privileged) | Manage hybrid authentication policy in Microsoft Entra ID |
> | microsoft.directory/onPremisesSynchronization/basic/update | Update basic on-premises directory synchronization information |
> | microsoft.directory/onPremisesSynchronization/standard/read | Read standard on-premises directory synchronization information |
> | microsoft.directory/organization/dirSync/update | Update the organization directory sync property |
> | microsoft.directory/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Microsoft Entra ID |
> | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
> | microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments |
> | microsoft.directory/servicePrincipals/audience/update | Update audience properties on service principals |
> | microsoft.directory/servicePrincipals/authentication/update | Update authentication properties on service principals |
> | microsoft.directory/servicePrincipals/basic/update | Update basic properties on service principals |
> | microsoft.directory/servicePrincipals/create | Create service principals |
> | microsoft.directory/servicePrincipals/delete | Delete service principals |
> | microsoft.directory/servicePrincipals/disable | Disable service principals |
> | microsoft.directory/servicePrincipals/enable | Enable service principals |
> | microsoft.directory/servicePrincipals/notes/update | Update notes of service principals |
> | microsoft.directory/servicePrincipals/owners/update | Update owners of service principals |
> | microsoft.directory/servicePrincipals/permissions/update | Update permissions of service principals |
> | microsoft.directory/servicePrincipals/policies/update | Update policies of service principals |
> | microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/credentials/manage | Manage cloud tenant to cloud tenant application provisioning secrets and credentials |
> | microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/jobs/manage | Start, restart, and pause cloud tenant to cloud tenant application provisioning synchronization jobs |
> | microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/schema/manage | Create and manage cloud tenant to cloud tenant application provisioning synchronization jobs and schema |
> | microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/credentials/manage | Manage application provisioning secrets and credentials |
> | microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/jobs/manage | Start, restart, and pause application provisioning synchronization jobs |
> | microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/schema/manage | Create and manage application provisioning synchronization jobs and schema |
> | microsoft.directory/servicePrincipals/synchronization/standard/read | Read provisioning settings associated with your service principal |
> | microsoft.directory/servicePrincipals/synchronizationCredentials/manage | Manage application provisioning secrets and credentials |
> | microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning synchronization jobs |
> | microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning synchronization jobs and schema |
> | microsoft.directory/servicePrincipals/tag/update | Update the tag property for service principals |
> | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
> | microsoft.directory/users/authorizationInfo/update | Update the multivalued Certificate user IDs property of users |
> | microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages |
> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |