You are at risk because the MSOL_ account has special rights. These rights let it copy directory data. AD Connect gives this account these rights. This helps it sync changes between your local Active Directory and Azure AD.
1. AD Connect picks which MSOL_ account to use for syncing.
2. It looks for missing rights and helps you add them.
3. The tool shows y…