Make sure you set this up with the correct service user to start with
Groups that have roles assigned will be synced on-prem
Make sure you do not sync this back to Azure
Using Azure AD Privileged Identity Management with Active Directory roles (such as domain admin)
Requests for privileged access to systems and applications are validated when first requested