
Hybrid users should not be assigned Entra ID role assignments

Why This Matters

Assigning Entra ID roles to hybrid users whose identities are synchronized from on-premises Active Directory increases the impact of a credential compromise. If an attacker gains control of an on-premises domain controller, they could use the hybrid identity synchronization path to take over a synced account and thereby inherit its cloud roles. Keeping Entra ID role assignments limited to dedicated cloud-only accounts removes this escalation path.

What Aether365 Checks

Aether365 scans your tenant for any Entra ID role assignments, both eligible and permanent, that are granted to hybrid users synchronized from on-premises Active Directory. This check appears in your Aether365 dashboard under the entra-id category.
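The following is an added illustration of this check's logic, not Aether365's own code. It runs over constructed records shaped like Microsoft Graph's user, unifiedRoleAssignment and unifiedRoleEligibilityScheduleInstance objects; the user IDs, UPNs and role definition IDs are constructed placeholders, and only direct user principals are evaluated (group-based assignments would need group membership expansion).

```python
# Added example (not Aether365's code): flag Entra ID role assignments held by
# hybrid (on-premises synchronized) users. Record shapes follow Microsoft Graph;
# all values below are constructed for this example.

# Constructed sample of GET /users?$select=id,userPrincipalName,onPremisesSyncEnabled
# onPremisesSyncEnabled is true for synced users and null for cloud-only users.
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "onPremisesSyncEnabled": True},
    {"id": "u2", "userPrincipalName": "ga-cloudonly@contoso.example", "onPremisesSyncEnabled": None},
    {"id": "u3", "userPrincipalName": "bob@contoso.example", "onPremisesSyncEnabled": True},
]

# Constructed sample of GET /roleManagement/directory/roleAssignments (permanent)
PERMANENT = [
    {"principalId": "u1", "roleDefinitionId": "role-global-admin"},
    {"principalId": "u2", "roleDefinitionId": "role-global-admin"},
]

# Constructed sample of GET /roleManagement/directory/roleEligibilityScheduleInstances (PIM eligible)
ELIGIBLE = [
    {"principalId": "u3", "roleDefinitionId": "role-security-admin"},
]

# Constructed role-definition lookup; a real tenant would map role template GUIDs to display names.
ROLE_NAMES = {"role-global-admin": "Global Administrator", "role-security-admin": "Security Administrator"}


def hybrid_role_holders(users, permanent, eligible, role_names):
    """Return one finding per role assignment (permanent or eligible) whose principal is a synced user."""
    # Use `is True` so cloud-only accounts (null) and no-longer-synced accounts (false) are excluded.
    hybrid = {u["id"]: u["userPrincipalName"] for u in users if u.get("onPremisesSyncEnabled") is True}
    findings = []
    for kind, assignments in (("permanent", permanent), ("eligible", eligible)):
        for a in assignments:
            upn = hybrid.get(a["principalId"])
            if upn is None:
                continue  # cloud-only user, group, or service principal: not in scope here
            role = role_names.get(a["roleDefinitionId"], a["roleDefinitionId"])
            findings.append({"upn": upn, "role": role, "assignment": kind})
    return findings


if __name__ == "__main__":
    for f in hybrid_role_holders(USERS, PERMANENT, ELIGIBLE, ROLE_NAMES):
        print(f"{f['assignment']:<9} {f['role']:<24} {f['upn']}")
```

Each finding names the synced account, the role and whether the assignment is permanent or PIM-eligible, which is what a remediation ticket for this check needs.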

Microsoft references
