No hybrid user with permanent role assignment on Control Plane
Description
This check reviews permanent assignments of highly privileged Entra ID directory roles to identify hybrid users that hold them. The roles in scope are identified using the classification model from the EntraOps project, which helps to identify directory roles with Control Plane (Tier0) permissions.
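The logic of this check, sketched as an added example (not the project's own code) over constructed data shaped like Microsoft Graph responses. Assumptions: "permanent" means an assignment of type `Assigned` with no end date, "hybrid" means `onPremisesSyncEnabled` is true on the user, and the role IDs are placeholders standing in for the EntraOps Control Plane classification.

```python
# Added example. All IDs, UPNs and records below are constructed sample data.
# Placeholder role IDs; in practice this set comes from the EntraOps classification.
CONTROL_PLANE_ROLE_IDS = {"role-id-global-admin", "role-id-priv-role-admin"}

# Shaped like roleManagement/directory/roleAssignmentScheduleInstances entries.
ASSIGNMENTS = [
    {"principalId": "u1", "roleDefinitionId": "role-id-global-admin",
     "assignmentType": "Assigned", "endDateTime": None},                    # permanent, hybrid
    {"principalId": "u2", "roleDefinitionId": "role-id-global-admin",
     "assignmentType": "Activated", "endDateTime": "2030-01-01T08:00:00Z"}, # PIM activation
    {"principalId": "u3", "roleDefinitionId": "role-id-priv-role-admin",
     "assignmentType": "Assigned", "endDateTime": None},                    # permanent, cloud-only
    {"principalId": "u4", "roleDefinitionId": "role-id-helpdesk",
     "assignmentType": "Assigned", "endDateTime": None},                    # not Control Plane
    {"principalId": "sp1", "roleDefinitionId": "role-id-global-admin",
     "assignmentType": "Assigned", "endDateTime": None},                    # not a user object
]

# Shaped like /users?$select=userPrincipalName,onPremisesSyncEnabled, keyed by object ID.
USERS = {
    "u1": {"userPrincipalName": "adm-sync@contoso.example", "onPremisesSyncEnabled": True},
    "u2": {"userPrincipalName": "pim-sync@contoso.example", "onPremisesSyncEnabled": True},
    "u3": {"userPrincipalName": "adm-cloud@contoso.example", "onPremisesSyncEnabled": None},
    "u4": {"userPrincipalName": "helpdesk@contoso.example", "onPremisesSyncEnabled": True},
}

def is_permanent(assignment):
    """Assumed definition: directly assigned (not a PIM activation) and never expires."""
    return (assignment.get("assignmentType") == "Assigned"
            and assignment.get("endDateTime") is None)

def hybrid_control_plane_findings(assignments, users, control_plane_role_ids):
    """Return sorted (UPN, roleDefinitionId) pairs that violate the check."""
    findings = []
    for a in assignments:
        if a["roleDefinitionId"] not in control_plane_role_ids or not is_permanent(a):
            continue
        user = users.get(a["principalId"])  # None for groups and service principals
        # Graph returns null for cloud-only users, so compare against True explicitly.
        if user is not None and user.get("onPremisesSyncEnabled") is True:
            findings.append((user["userPrincipalName"], a["roleDefinitionId"]))
    return sorted(findings)

if __name__ == "__main__":
    for upn, role in hybrid_control_plane_findings(ASSIGNMENTS, USERS, CONTROL_PLANE_ROLE_IDS):
        print(f"FAIL: hybrid user {upn} holds permanent Control Plane role {role}")
```

Role assignments made to a group are skipped here because the group's members are not expanded; a full check would resolve them before the hybrid test.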
How to fix
It's recommended to use cloud-only accounts for Control Plane privileges to avoid attack paths from the on-premises environment.