Microsoft AZ-500: Azure AD Role for Domain Administrator | Exam Question Answer

Azure AD Role for Domain Administrator

Question

Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD). Azure AD Connect is installed on a domain member server named Server1.

You need to ensure that a domain administrator for the adatum.com domain can modify the synchronization options. The solution must use the principle of least privilege.

Which Azure AD role should you assign to the domain administrator?

Answers

Explanations


A. B. C.

B

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

The Azure AD role to assign to the domain administrator so that they can modify the synchronization options while adhering to the principle of least privilege is the "User administrator" role.

Here's why:

Azure AD Connect is a tool used to synchronize on-premises Active Directory objects to Azure AD. This synchronization process is performed by the Azure AD Connect service account, which is created during the installation of Azure AD Connect.

By default, the Azure AD Connect service account is a member of the "AAD Connect Sync" security group, which is created in the on-premises Active Directory during the installation of Azure AD Connect. Members of this group have the required permissions to modify the synchronization options.

Therefore, to enable a domain administrator to modify the synchronization options, the administrator should be added to the "AAD Connect Sync" security group in the on-premises Active Directory. This will grant the administrator the necessary permissions to modify the synchronization options without assigning any unnecessary privileges.

However, since the question asks for the Azure AD role that should be assigned to the domain administrator, the "User administrator" role is the appropriate choice. This role allows the administrator to manage user accounts and groups in Azure AD, which includes managing synchronization options for on-premises Active Directory objects.

Assigning the "Security administrator" or "Global administrator" roles to the domain administrator would grant unnecessary privileges and violate the principle of least privilege. The "Security administrator" role has permissions to manage security settings in Azure AD, while the "Global administrator" role has permissions to manage all aspects of Azure AD, including resources, policies, and users.