A company plans to synchronize users in an existing Active Directory organizational unit with Office 365.
You must configure the Azure Active Directory Synchronization (AAD Sync) tool with password sync.
You need to ensure that the service account has the minimum level of permissions required.
Which two permission levels should you assign to the account for each task? To answer, select the appropriate permission level from each list in the answer area.
Explanation:
* Password Write-Back
For each forest you have configured in Azure AD Sync, the account you have specified for a forest in the wizard must be given the “Reset-Password” and “Change
Password” extended rights on the root object of each domain in the forest.
* Permissions for password synchronization
If you want to enable password synchronization between your on-premises AD DS and your Azure Active Directory for your users, you need to grant the following
permissions to the account that is used by Azure AD Sync to connect to your AD DS:
Replicating Directory Changes
Replicating Directory Changes All Install the Azure Active Directory Sync Service
https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx
For each forest you have configured in Azure AD Sync, the account you have specified for a forest in the wizard must be given the “Reset-Password” and “Change Password” extended rights on the root object of each domain in the forest. The right should be marked as inherited by all user objects.
If you want to enable password synchronization between your on-premises AD DS and your Azure Active Directory for your users, you need to grant the following permissions to the account that is used by Azure AD Sync to connect to your AD DS:
• Replicating Directory Changes
• Replicating Directory Changes All
Both permissions are required to enable the account to read password hashes from your on-premises AD DS.
https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx