Entra Cloud Sync
Microsoft Entra Cloud Sync is the lightweight, cloud-managed replacement for Connect Sync in most hybrid identity scenarios. It uses a small provisioning agent on-premises and moves all sync logic to the cloud, simplifying deployment and enabling multi-forest support without complex infrastructure. Cloud Sync is Microsoft’s strategic default for new hybrid identity deployments, though feature parity gaps remain for advanced scenarios like device writeback and complex sync rules.
Overview
- What it does: Provisions users, groups, and contacts from on-premises AD to Entra ID using a cloud-managed sync engine
- Agent model: Lightweight provisioning agent installed on-premises; all configuration and sync rules managed from the Entra portal
- Strategic direction: Microsoft’s recommended path for new deployments and migrations from Connect Sync
- Parity gaps: No device writeback, no pass-through authentication, and limited support for complex custom sync rules (check current docs for latest status). Exchange hybrid writeback is now supported.
Contents
Concepts
- Architecture - Agent model, Azure Service Bus, cloud-side orchestration, scale limits, and how it contrasts with Connect Sync
- Connect Sync vs Cloud Sync - Feature comparison, decision guidance, coexistence patterns, and migration path summary
Quickstart
- Configuration - Agent installation, scoping filters, attribute mappings, on-demand provisioning, and verification
- Migration from Connect Sync - OU-based pilot migration, MS Graph API programmatic migration, post-migration validation, and rollback
Deep Dives
- Group Provisioning to AD - Cloud-to-AD group writeback: configuration, source of authority, nested groups, limitations
- Expression Language - Syntax, core functions, common patterns, expression builder, and differences from Connect Sync
- Troubleshooting - Agent health, sync errors, quarantine resolution, accidental deletion, password writeback