Table of Sub-pages
Table of Contents
This series of articles go through the configuration steps to configure Active Directory to Entra ID Sync, and from Entra ID to Active Directory.
Cloud Sync is the newer lightweight agent, compared to Connect Sync that have been around for many years.
However you should carefully read the features matrix below to understand if Cloud Sync is the right path to chose for your setup.
The basics
The most basic things to note about Cloud Sync is:
- Sync from Active Directory to Entra ID includes object CREATED in Active Directory under the following categories
- Users created in Active Directory
- Groups created in Active Directory
- Sync from Entra ID to Active Directory includes objects CREATED in Entra ID under the following categories:
- Security Groups created in Entra ID (not Microsoft 365 groups and distribution groups)
Another important thing to understand is that if you have setup sync from Entra ID to Active Directory and you modify the members of the cloud created groups in local Active Directory, this update will NOT flow back to Entra ID. All member changes of groups created in the cloud MUST always happen in Entra ID and then flow back to AD.
Note that groups created in Entra ID and synced back to Active Directory, gets an identifier after the last portion of the name:
You can always see the list of groups in Entra ID and quickly check if the source of the group is cloud or AD:
Lifecycle management of users
For a successful lifecycle managemenet of users (onboarding and offboarding), the company should leverage a HR-driven system that supports creation, deletion and membership management of groups in Entra ID – AND creation and deletion of groups in local Active Directory. If no HR-driven system is implemented, IT-department could use other 3th party solutions or build their own onboarding and offboarding Forms and connect them to automation that run scripts against Entra ID and Active Directory (this however is more complex to maintain).
Comparison between Microsoft Entra Connect and cloud sync
Source: What is Microsoft Entra Cloud Sync? – Microsoft Entra ID | Microsoft Learn
The following table provides a comparison between Microsoft Entra Connect and Microsoft Entra Cloud Sync:
Expand table
| Feature | Connect sync | Cloud sync |
|---|---|---|
| Connect to single on-premises AD forest | ● | ● |
| Connect to multiple on-premises AD forests | ● | ● |
| Connect to multiple disconnected on-premises AD forests | ● | |
| Lightweight agent installation model | ● | |
| Multiple active agents for high availability | ● | |
| Support for user objects | ● | ● |
| Support for group objects | ● | ● |
| Support for contact objects | ● | ● |
| Support for device objects | ● | |
| Allow basic customization for attribute flows | ● | ● |
| Synchronize Exchange online attributes | ● | ● |
| Synchronize extension attributes 1-15 | ● | ● |
| Synchronize customer defined AD attributes (directory extensions) | ● | ● |
| Support for Password Hash Sync | ● | ● |
| Support for Pass-Through Authentication | ● | |
| Support for federation | ● | ● |
| Seamless Single Sign-on | ● | ● |
| Supports installation on a Domain Controller | ● | ● |
| Support for Windows Server 2016 | ● | ● |
| Filter on Domains/OUs/groups | ● | ● |
| Filter on objects’ attribute values | ● | |
| Allow minimal set of attributes to be synchronized (MinSync) | ● | ● |
| Allow removing attributes from flowing from AD to Microsoft Entra ID | ● | ● |
| Allow advanced customization for attribute flows | ● | |
| Support for password writeback | ● | ● |
| Support for device writeback | ● | Customers should use Cloud Kerberos trust for this moving forward |
| Support for group writeback | ● | |
| Support for merging user attributes from multiple domains | ● | |
| Microsoft Entra Domain Services support | ● | |
| Exchange hybrid writeback | ● | ● |
| Unlimited number of objects per AD domain | ● | |
| Support for up to 150,000 objects per AD domain | ● | ● |
| Groups with up to 50,000 members | ● | ● |
| Large groups with up to 250,000 members | ● | |
| Cross domain references | ● | ● |
| Cross forest references | ● | |
| On-demand provisioning | ● | |
| Support for US Government | ● | ● |
Comments