Entra Connect Sync

Microsoft Entra Connect Sync (formerly Azure AD Connect) synchronizes on-premises Active Directory objects to Microsoft Entra ID. It handles identity, group, and device sync for hybrid environments and remains necessary for scenarios that Cloud Sync does not yet cover, such as device writeback, Exchange hybrid writeback, and large multi-forest topologies with complex filtering requirements.

Overview

  • What it does: Bidirectional synchronization between on-premises AD and Entra ID; supports password hash sync, pass-through authentication, and federation as authentication modes
  • Where it fits: The on-premises component in a hybrid identity architecture; runs as a Windows service on a domain-joined server
  • When to use it: Required when you need device writeback, Exchange hybrid writeback, filtering by arbitrary AD attributes, or support for topologies beyond what Cloud Sync handles
  • Status: Actively supported, but Microsoft positions Cloud Sync as the strategic replacement for most scenarios

Contents

Concepts

  • Architecture - Sync engine internals, connector spaces, metaverse, the sync pipeline, scheduler, and server model vs agent model
  • Topology and Deployment - Supported topologies, authentication mode choices (PHS, PTA, federation), and deployment planning
  • When Connect Sync Still Wins - Feature gaps where Connect Sync is required over Cloud Sync, deprecation trajectory, and decision framework

Quickstart

  • Installation Paths - Express vs custom install, key configuration choices, and post-install verification
  • Filtering and Scoping - Domain, OU, and attribute-based filtering layers with practical examples

Deep Dives

  • Sync Rules - Declarative provisioning engine, inbound and outbound rules, precedence, default rule handling, custom rule patterns, and expression syntax
  • Operations and Troubleshooting - Monitoring sync cycles, common error patterns, staging server promotion, health checks, and operational runbook

Resources