Hi,
I'm helping set up Azure AD Sync for a customer, and they're uncomfortable with the level of permissions required ("the account you have specified for a forest in the wizard must be given the 'Reset-Password' and 'Change Password' extended rights on the root object of each domain in the forest. The right should be marked as inherited by all user objects", https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx).
Why is such a broad scope of rights required? My customer (rightly) doesn't want to give a service account the rights to reset the password of every user account, service account, and machine account in the forest.
Thanks,
Sean
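As an added example (not part of the original post), the following read-only PowerShell audit lists every ACE on the domain root that grants the "Reset Password" or "Change Password" extended right, so the customer can see which principals already hold these rights, whether each ACE is inherited, and which object class the right applies to. It assumes the ActiveDirectory module is available and that it is run from a domain-joined host; the extended-right GUIDs are the well-known AD schema values and the `user` class GUID is used only to label the AppliesTo column.

```powershell
# Added audit example, not from the original post: enumerate ACEs on the domain
# root object that grant the Reset Password / Change Password extended rights.
Import-Module ActiveDirectory

# Well-known AD extended-right GUIDs (controlAccessRight rightsGuid values)
$resetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password ("Reset Password")
$changePwd = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password ("Change Password")
# schemaIDGUID of the 'user' class; an ACE whose InheritedObjectType equals
# this value applies to user objects below the domain root
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl.Access |
    Where-Object {
        $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
        ($_.ObjectType -eq $resetPwd -or $_.ObjectType -eq $changePwd)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited, InheritanceType,
        @{ n = 'Right'; e = { if ($_.ObjectType -eq $resetPwd) { 'Reset Password' } else { 'Change Password' } } },
        @{ n = 'AppliesTo'; e = {
                if ($_.InheritedObjectType -eq $userClass)   { 'user objects' }
                elseif ($_.InheritedObjectType -eq [guid]::Empty) { 'all object classes' }
                else { $_.InheritedObjectType.ToString() }
            } } |
    Format-Table -AutoSize
```

Run it before and after the directory synchronization account is configured: a new row for the sync account with `AppliesTo = user objects` and an inheritance type that descends to child objects is exactly the grant the documentation describes, and the same query shows whether the ACE was placed at the domain root or on a narrower container.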