Microsoft Entra Cloud Sync is an advanced synchronization solution that enables seamless integration of objects from Active Directory into Microsoft Entra ID. This technology simplifies synchronization by orchestrating the deployment of Active Directory objects within Microsoft Entra ID in the Microsoft Cloud Services. For the on-premises infrastructure, only the installation of a lightweight agent is required, reducing complexity and enhancing efficiency.

The synchronization configuration is centrally managed through the Microsoft Entra admin center. By installing the Microsoft Entra Cloud Sync agent on various local servers, a highly available architecture can be achieved.

This guide walks you through the steps of installing and configuring Microsoft Entra Cloud Sync to ensure efficient and resilient synchronization.

Prerequisites and Licensing

For the Microsoft Entra Cloud Sync feature, no license is required.

Agent Requirements:

  • Windows Server 2016 or higher
  • Outbound Port 80 (CRL, Certificate Revocation Lists)
  • Outbound Port 443 (outgoing communication to Microsoft Online Service)
  • Access to the following URLs
    – *.msappproxy.net
    – *.servicebus.windows.net
    – login.windows.net
    – login.microsoftonline.com
    – mscrl.microsoft.com
    – crl.microsoft.com
    – ocsp.msocsp.com
    – www.microsoft.com

Microsoft Entra Cloud Sync currently does not have all the features available in Microsoft Entra Connect. The table below lists the features that are already supported: https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync#comparison-between-azure-ad-connect-and-cloud-sync

Microsoft Entra Cloud Sync Agent

Install Agent

The agent is available for download in the Microsoft Entra admin center (https://entra.microsoft.com) under Identity > Hybrid management > Microsoft Entra Connect > Cloud Sync > Agents > Download on-premises agent.

To download the agent, click on Accept terms & download.

To start the installation, simply double-click on the downloaded file AADConnectProvisioningAgentSetup.exe.

Microsoft Entra Provisioning Agent Package license terms
Microsoft Entra Provisioning Agent Package setup progress

After a successful installation, close the window by clicking on the Close button.

Microsoft Entra Provisioning Agent Package setup successfull

Configure Agent

After a successful installation, the Microsoft Entra Provisioning Agent Wizard will automatically start to guide you through the further configuration process. Click on Next to begin the configuration.

Select the extension HR-driven provisioning.

Connect to Microsoft Entra ID using a global administrator account.

For the service, a group-managed service account (gMSA) is required. You have the option to create a new account or use an existing one. The login credentials will be used exclusively for setting up the gMSA and will not be stored permanently.

Establishing Connection to Active Directory.

Reveiw agent configuration and confirm with Confirm.

After a few minutes, the agent has been successfully configured. Close the window with Exit.

For ensuring high availability, the agent can be set up on additional servers using the same procedure.

Check agent status

Microsoft Entra admin center

In the Microsoft Entra admin center (https://entra.microsoft.com) under Identity > Hybrid management > Microsoft Entra Connect > Cloud Sync > Agents, all agents with their current status are listed.

On-Premise Server

On the server where the agent is installed, the following services are visible and running in the service management (services.msc):

  • Microsoft Azure AD Connect Agent Updater
  • Microsoft Azure AD Connect Provisioning Agent

Setting up cloud sync

Configuration

To synchronize Active Directory objects with Microsoft Entra ID, a new configuration is created in the Microsoft Entra admin center (https://entra.microsoft.com) under Identity > Hybrid management > Microsoft Entra Connect > Cloud Sync > Configuration > New configuration > AD to Microsoft Entra ID sync.

In the next step, the Active Directory domain is selected (1).
Recommended: Enable Password Hash Sync (2) to take advantage of the following benefits:

  • Perform authentication entirely through Microsoft Entra ID
  • Detect leaked passwords and receive corresponding alerts
  • Enable seamless Single Sign-On (SSO)

Proceed with Create (3).

In the next step, all settings will be shown and customized according to your needs. It is recommended to review and adjust the following settings:
Overview > Properties

  • Check password hash synchronization settings (1)
  • Specify email notification recipients (2) for quarantine notifications

Scoping filters are used to define the selection of objects that will be synchronized with Active Directory. By default, all users are synchronized. Personally, I prefer to select the objects for synchronization based on the organizational units in Active Directory.

If all settings are correct, the configuration can be enabled under Overview > Review and enable > Enable configuration.

Shortly after the configuration, the Cloud Sync overview will display the deployment status.

Verify Configuration

In the logs under Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Hybrid management > Microsoft Entra Connect > Cloud Sync > Provisioning logs, the performed synchronizations are documented.

Good to know

Provision on demand

If required, an individual Active Directory object can be manually synchronized. To do this, in the Microsoft Entra Admin Center (https://entra.microsoft.com), go to Identity > Hybrid management > Microsoft Entra Connect > Cloud Sync > Configurations and select the configuration that covers the Active Directory object.

Click on Provision on demand (1), insert the Distinguished Name (2) of the user from the Active Directory, and start the synchronization by clicking Provision (3).

The status of the deployment will be displayed shortly.

Coexistence of Microsoft Entra Connect and Microsoft Entra Cloud Sync

Microsoft Entra Cloud Sync and Microsoft Entra Connect can be installed and operated in coexistent operation on a single server. This configuration allows for the benefits of both synchronization methods to be utilized. While Microsoft Entra Connect performs synchronization tasks directly on the local server, Microsoft Entra Cloud Sync uses a deployment configuration stored in the cloud to efficiently manage synchronization services.

gMSA

The managed service account (gMSA), which was created during the configuration of Microsoft Entra Cloud Sync, is stored in the Active Directory within the Managed Service Accounts organizational unit.


Follow me on LinkedIn to always stay updated on my recent posts.

Follow on LinkedIn

Was this post helpful to you? Show your enthusiasm with the delightful aroma of a freshly brewed coffee for me!

Buy me a coffee