Planning, Configuring, and Troubleshooting Directory Synchronization with Microsoft Entra ID

If you still run on-premises Active Directory but also use Microsoft 365, you don't want users juggling separate accounts and passwords. Directory synchronization solves this by keeping the on-prem identities and the cloud identities in sync, so one account and one password work on both sides.

In this post, weโ€™ll look at:

  • What directory synchronization is and why it matters
  • Entra Cloud Sync vs Entra Connect Sync
  • Key features of Entra Connect Sync
  • How to configure what gets synced
  • How to monitor and troubleshoot synchronization
  • How to verify synced users and groups in the portals

Why directory synchronization matters

Directory synchronization lets users sign in to:

  • On-premises resources (file shares, printers, legacy apps)
  • Cloud services (Microsoft 365, Teams, Exchange Online)

with one identity.

Benefits:

  • Single sign-on experience for users
  • Hybrid device scenarios (devices joined on-prem and registered in the cloud)
  • Centralized management of users, groups, and sometimes devices
  • Support for writeback, so changes in the cloud (like password changes) can update on-prem AD

Once sync is in place, you can start using cloud tools like Intune to manage hybrid devices, while still using on-prem AD for legacy workloads. The flip side is that the two directories now share a trust boundary: the sync server and its service accounts can read one directory and write the other, so they need the same level of protection as a domain controller.


What is directory synchronization?

In simple terms, directory synchronization:

  • Copies security principals (users, groups, sometimes devices) from:
    • On-premises Active Directory (AD DS) to
    • Microsoft Entra ID (formerly Azure AD)
  • Keeps the selected attributes (UPN, display name, group membership, proxy addresses, and so on) updated as they change on-prem. For synced objects AD DS stays the source of authority, so most of those attributes are read-only in the cloud.
  • Can also flow a few specific things back on-prem (writeback):
    • Password writeback (for SSPR)
    • Group writeback (cloud group changes back to on-prem)

This means:

  • A user can change their password using self-service password reset (SSPR) in the cloud.
  • That new password is written back to on-prem AD, keeping both sides aligned.

Entra Cloud Sync vs Entra Connect Sync

Today you have two main options:

  • Entra Cloud Sync
  • Entra Connect Sync (the renamed Azure AD Connect sync engine)

Both:

  • Need software installed on an on-prem, domain-joined Windows Server (the full sync engine for Connect Sync, a lightweight provisioning agent for Cloud Sync)
  • Move identity data between AD DS and Entra ID

The key difference is where the sync engine lives and who initiates sync:

Entra Connect Sync

  • The on-premises agent runs the sync engine.
  • Sync is initiated on-prem and pushes changes to the cloud.
  • You manage configuration from the local server using the Entra Connect wizard and related tools.

Entra Cloud Sync

  • The sync engine runs in the cloud.
  • The cloud service initiates sync; the on-prem agent mainly acts as a lightweight conduit.
  • Configuration and orchestration are controlled from the Entra admin center.
  • Supports some advanced scenarios (like multi-forest, disconnected forests) and easier failover.

Current Cloud Sync limitations

At the time of writing, Cloud Sync:

  • Does not support device objects (so no hybrid device sync)
  • Does not support pass-through authentication (PTA)
  • Does not integrate with Entra Domain Services
  • Does not support syncing to third-party LDAP directories

If you need those features, Entra Connect Sync is still the right choice.


Key features of Entra Connect Sync

Entra Connect Sync supports several sign-in models and sync features:

1. Password Hash Synchronization (PHS)

  • Default and simplest option.
  • Every couple of minutes, syncs a salted, re-hashed form of each user's password hash from AD DS to Entra ID. The NT hash itself never leaves AD: Connect re-hashes it with a per-user salt and 1,000 iterations of HMAC-SHA256 before upload, and the result cannot be turned back into the on-prem hash.
  • Users can sign in directly to Microsoft 365 with their on-premises password (no line-of-sight needed to a domain controller), and they keep signing in to the cloud even if the on-prem environment is down.
  • Also enables leaked-credential detection in Entra ID Protection, which is why Microsoft recommends turning PHS on even when PTA or federation is the primary sign-in method.

2. Pass-Through Authentication (PTA)

  • When users sign in to the cloud, Entra contacts an on-premises agent to validate the password against a domain controller.
  • AD DS stays the authoritative source; no password hashes are stored in the cloud.
  • Useful when security or policy requires on-prem validation.
  • Caveats: the agent hosts handle the user's password (encrypted in transit to the agent's key) and so are Tier 0 systems, and cloud sign-in stops if no agent is reachable. Microsoft recommends at least three agents for high availability.

3. Federation integration

  • Works with solutions like AD FS for full federation scenarios.
  • More complex and less common now, but still supported.

4. Health monitoring

  • Connect Sync exposes sync status and health:
    • Last sync time
    • Whether sync is enabled
    • Which method is in use (PHS/PTA)
    • Health reports (with Entra ID Premium and Entra Connect Health)

Installing and configuring Entra Connect Sync

At a high level:

  1. Choose a server
    • Domain-joined member server on a supported Windows Server version (do not use a domain controller in production).
    • Treat it as Tier 0. The AD connector account the wizard creates (MSOL_<id> in Express mode) is granted Replicating Directory Changes rights so that PHS can read password hashes, which is exactly what a DCSync attack uses, and the server can also push objects and attributes into the tenant. Harden it like a domain controller: no browsing or mail, tightly restricted local admins, and its own patching and monitoring.
  2. Download the Entra Connect installer
    • From the Entra admin center under Entra Connect / Hybrid.
  3. Run the setup wizard
    • Use Express settings for simple, single-forest environments (this picks PHS and syncs every domain and OU).
    • Use Custom settings if you:
      • Have multiple forests
      • Need to filter which OUs sync
      • Want to configure PTA/federation
  4. Provide credentials
    • On-prem AD Enterprise Admin: the wizard uses it once to create the connector account and set its permissions; it is not stored.
    • Entra ID Global Administrator, or the less privileged Hybrid Identity Administrator role, for setup. The wizard creates its own cloud service account (Sync_<server>_<id>) that the engine uses afterwards.
  5. Choose sync options
    • PHS vs PTA vs federation
    • Password writeback, group writeback, etc.
  6. Finish setup and allow the first (full) sync cycle to complete.

Any time you need to change configuration, run the Entra Connect wizard again and choose the relevant task (e.g., change OUs, enable password writeback, configure device options). The scheduler is suspended while the wizard is open, so close it when you are done.


Controlling what gets synchronized

You rarely want to sync your entire directory. Instead, you usually:

  • Filter by OU
    • Only sync OUs holding users and groups you care about (e.g., Managers, Marketing, Sales, Hybrid Computers).
    • Keep privileged on-prem accounts (Domain Admins and the like), service accounts, and the Entra Connect accounts themselves out of scope. Cloud admin roles should be held by cloud-only accounts, so that an on-prem compromise does not automatically become a tenant compromise.
  • Use attribute filters if needed
    • Sync only accounts with specific attributes, e.g. a custom attribute set to a marker value (advanced scenario, configured in the Synchronization Rules Editor rather than the wizard).

Examples:

  • You may sync:
    • Marketing OU containing users like Alice and Boris
    • Sales OU containing users like Ben, Brandon, Andrea
  • You can leave test or legacy OUs out of sync entirely.

Writeback settings

In the wizard you can also:

  • Enable Password writeback
    • Required if you want SSPR in the cloud to update on-prem passwords. SSPR for synced users needs an Entra ID P1/P2 (or Microsoft 365 Business Premium) licence, and the connector account needs reset-password rights on the in-scope users, one more reason to keep the OU scope tight.
  • Enable Group writeback
    • Let certain cloud groups write back to AD (for apps that still depend on on-prem groups). Microsoft has been moving the newer group writeback capabilities to Cloud Sync, so check the current documentation before building on Connect Sync group writeback.

Hybrid device options

Under Device options in the wizard, you can:

  • Configure Microsoft Entra hybrid join for Windows 10 and later (the wizard creates the service connection point in AD that domain-joined devices use to discover your tenant).
  • Select the forest/domain and the device OUs that should be hybrid joined. Those OUs must also be in the sync scope: the computer object is synced to Entra ID first, and the device completes its registration afterwards.
  • This is essential for many Intune + on-prem AD scenarios.
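Once the device options are configured and the computer object has synced, the check a practitioner wants is on the client itself. The following is an added example, not code from the original post: it parses the output of dsregcmd.exe /status (built in to Windows) and reports whether the device is domain joined, registered in Entra ID, and whether the signed-in user holds a Primary Refresh Token. The key names (DomainJoined, AzureAdJoined, AzureAdPrt, TenantName, DeviceId) are the ones dsregcmd prints; the Test-HybridJoin function and its Verdict strings are this example's own.

```powershell
# Added example (not from the original post): confirm on a domain-joined Windows 10/11 client
# that Microsoft Entra hybrid join actually completed. Run as the signed-in user (the PRT line
# reflects that user's session).
function Test-HybridJoin {
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        # Output lines look like "    AzureAdJoined : YES"; keep simple key/value pairs only.
        if ($line -match '^\s*([^:\s]+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }

    $domainJoined = $state['DomainJoined']  -eq 'YES'
    $entraJoined  = $state['AzureAdJoined'] -eq 'YES'
    $hasPrt       = $state['AzureAdPrt']    -eq 'YES'

    # Verdict strings are this example's own wording, mapped from the dsregcmd flags.
    $verdict = if (-not $domainJoined) {
        'Not domain joined: this machine is not a hybrid join candidate at all'
    } elseif (-not $entraJoined) {
        'Domain joined but not registered in Entra ID: check that the computer OU is in the Connect device scope, that the SCP exists, and that the device has synced and had a reboot/logon since'
    } elseif (-not $hasPrt) {
        'Hybrid joined, but the signed-in user has no Primary Refresh Token, so SSO to cloud apps will not work in this session'
    } else {
        'Hybrid joined with a PRT: device and user are in the expected state'
    }

    [pscustomobject]@{
        DomainName    = $state['DomainName']
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
        DomainJoined  = $domainJoined
        AzureAdJoined = $entraJoined
        HybridJoined  = ($domainJoined -and $entraJoined)
        AzureAdPrt    = $hasPrt
        Verdict       = $verdict
    }
}

Test-HybridJoin | Format-List
```

A device that reports DomainJoined YES and AzureAdJoined NO has not finished the second half of the join; that is the state you see when the computer's OU is excluded from sync, or before the device's scheduled registration task has run.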

Monitoring sync and services on-prem

On your Entra Connect server, there are two key places to watch:

1. Synchronization Service Manager

Use Synchronization Service Manager to check:

  • Operations tab
    • Shows recent sync runs: imports, exports, delta syncs, full syncs
    • Status (success, error, warnings)
  • Connectors tab
    • Shows the connectors to:
      • On-prem AD DS
      • Entra ID
    • Lets you see when they last ran

If you see errors (e.g., a domain controller unreachable during import, or an export error on an object with a duplicate proxy address or UPN), you can drill into the run, see the affected object, and fix the underlying issue on-prem.

2. Windows services

Run services.msc and look for:

  • Microsoft Azure AD Sync (service name ADSync): the sync engine itself
  • Microsoft Azure AD Connect Agent Updater: the updater for the Entra Connect Health agent that ships with Connect

Both should be:

  • Automatic
  • Running

If sync appears to stop:

  • Check if these services are stopped.
  • Start them again and check the next sync cycle.
  • If the service is running but nothing reaches the cloud, check that the scheduler is enabled and that the server is not in staging mode; both look like "running" from services.msc while exporting nothing.

Note: Service names still use the older Azure AD naming, so don't worry about that mismatch.
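The checks above (service state, scheduler state, "let the first cycle complete" from the installation steps, and "start it again and check the next cycle") can be scripted on the sync server. What follows is an added example and not code from the original post. It uses the ADSync PowerShell module that the Entra Connect installer registers (Get-ADSyncScheduler, Get-ADSyncAADCompanyFeature, Start-ADSyncSyncCycle), and assumes the service name ADSync; the function names and the $MaxMinutesStalled threshold are this example's own.

```powershell
# Added example (not from the original post): health check for the Entra Connect Sync server.
# Run in an elevated PowerShell session on the sync server. Assumption: the sync engine runs as
# the Windows service 'ADSync' (display name "Microsoft Azure AD Sync").
Import-Module ADSync -ErrorAction Stop

function Get-ConnectSyncHealth {
    [CmdletBinding()]
    param([int]$MaxMinutesStalled = 60)   # hypothetical threshold for "scheduler is stuck"

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The engine must be Running and set to start Automatically.
    $svc = Get-Service -Name ADSync -ErrorAction Stop
    if ($svc.Status -ne 'Running')      { $findings.Add("ADSync service is $($svc.Status), expected Running") }
    if ($svc.StartType -ne 'Automatic') { $findings.Add("ADSync start type is $($svc.StartType), expected Automatic") }

    # 2. Scheduler state. A disabled or suspended scheduler, or staging mode, means nothing is
    #    exported to Entra ID even though the service is up.
    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) { $findings.Add('Scheduler is disabled (SyncCycleEnabled = False)') }
    if ($sched.SchedulerSuspended)    { $findings.Add('Scheduler is suspended, usually because a wizard session is still open') }
    if ($sched.StagingModeEnabled)    { $findings.Add('Server is in staging mode: imports and syncs run, nothing is exported') }

    # A next start time well in the past while no cycle is running means the scheduler is stuck.
    $nowUtc = (Get-Date).ToUniversalTime()
    if (-not $sched.SyncCycleInProgress -and
        $sched.NextSyncCycleStartTimeInUTC -lt $nowUtc.AddMinutes(-$MaxMinutesStalled)) {
        $findings.Add("Next cycle was due at $($sched.NextSyncCycleStartTimeInUTC) UTC and has not started")
    }

    # 3. Tenant feature flags as Connect sees them (which sign-in and writeback features are on).
    $feat = Get-ADSyncAADCompanyFeature

    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        ServiceStartType  = $svc.StartType
        SyncCycleEnabled  = $sched.SyncCycleEnabled
        StagingMode       = $sched.StagingModeEnabled
        SyncInProgress    = $sched.SyncCycleInProgress
        NextCycleType     = $sched.NextSyncCyclePolicyType
        NextCycleUtc      = $sched.NextSyncCycleStartTimeInUTC
        EffectiveInterval = $sched.CurrentlyEffectiveSyncCycleInterval
        PasswordHashSync  = $feat.PasswordHashSync
        PasswordWriteBack = $feat.PasswordWriteBack
        Healthy           = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

function Start-ConnectSyncDelta {
    # Kick off a delta cycle, e.g. after restarting a stopped service or finishing the wizard.
    # The engine refuses a new cycle while one is already running, so check first.
    $sched = Get-ADSyncScheduler
    if ($sched.SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already running; wait for it to finish.'
        return
    }
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Usage on the sync server:
$health = Get-ConnectSyncHealth
$health | Format-List
if (-not $health.Healthy) { $health.Findings | ForEach-Object { Write-Warning $_ } }
```

Use -PolicyType Initial instead of Delta only when you have changed the OU scope or sync rules and need a full import and sync; on a large directory that is a long-running operation.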


Monitoring sync in the cloud

In the Microsoft 365 admin center and Entra admin center you can also see sync status.

In Microsoft 365 admin center

  • Go to Users > Active users:
    • A cloud icon means the user is cloud-only.
    • A little "directory book" icon means the user is synced from on-prem AD.
  • Go to Teams & groups > Active teams and groups / Security groups:
    • Same icon logic for groups.

In Entra admin center

  • Home / Overview:
    • Shows Microsoft Entra Connect: Enabled/Disabled
    • Shows Last sync time
    • Shows sign-in method (e.g., Password Hash Sync enabled)
  • Users list:
    • Column such as On-premises sync enabled:
      • Yes → synced user
      • No → cloud-only user
  • Groups list:
    • Source column tells you:
      • Cloud
      • Windows Server AD

Under Entra Connect > Connect Sync you can see more details:

  • Enabled state
  • Last sync time
  • Method (PHS/PTA/federation)
  • Health information (with Entra ID P1/P2 and Entra Connect Health)
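The portal views above answer "is this one user synced?"; for a whole tenant it is easier to query. The following is an added example and not code from the original post. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgOrganization, Get-MgUser, Get-MgGroup, Get-MgDirectoryRole, Get-MgDirectoryRoleMember) to report the tenant's last sync time, classify every user and group as synced or cloud-only (the same Source values the Groups list shows), flag synced users whose on-prem DN sits outside the OUs you meant to sync, and list Global Administrators that are synced accounts. The function names, the $ApprovedOUs allow-list and the contoso.com DNs are this example's own assumptions (the DNs are constructed to match the Marketing and Sales OUs used earlier in the post).

```powershell
# Added example (not from the original post): cloud-side verification of directory sync with
# the Microsoft Graph PowerShell SDK. Requires the Microsoft.Graph modules and a sign-in with
# Directory.Read.All, which covers organization, users, groups and role memberships.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-TenantSyncStatus {
    # Same facts the Entra admin center overview shows: sync enabled and last sync time.
    $org  = Get-MgOrganization -Property OnPremisesSyncEnabled,OnPremisesLastSyncDateTime | Select-Object -First 1
    $last = $org.OnPremisesLastSyncDateTime
    $minutesAgo = $null
    if ($last) { $minutesAgo = [int]((Get-Date).ToUniversalTime() - $last.ToUniversalTime()).TotalMinutes }
    [pscustomobject]@{
        SyncEnabled = [bool]$org.OnPremisesSyncEnabled
        LastSyncUtc = $last
        MinutesAgo  = $minutesAgo
    }
}

function Get-UserSyncReport {
    param([string[]]$ApprovedOUs)   # hypothetical allow-list mirroring the wizard's OU filter
    $props = 'Id','UserPrincipalName','OnPremisesSyncEnabled','OnPremisesDistinguishedName','OnPremisesLastSyncDateTime'
    foreach ($u in (Get-MgUser -All -Property $props)) {
        $synced  = [bool]$u.OnPremisesSyncEnabled
        $inScope = $null
        if ($synced -and $ApprovedOUs) {
            # A DN such as CN=Alice,OU=Marketing,DC=contoso,DC=com is in scope if it ends with an
            # approved OU's DN (this also covers nested OUs under it).
            $dn = $u.OnPremisesDistinguishedName
            $inScope = [bool]($ApprovedOUs | Where-Object { $dn -like "*,$_" })
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Source            = $(if ($synced) { 'Windows Server AD' } else { 'Cloud' })
            OnPremDN          = $u.OnPremisesDistinguishedName
            LastSyncUtc       = $u.OnPremisesLastSyncDateTime
            InApprovedOU      = $inScope
        }
    }
}

function Get-GroupSyncReport {
    foreach ($g in (Get-MgGroup -All -Property Id,DisplayName,OnPremisesSyncEnabled,SecurityEnabled)) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Source      = $(if ($g.OnPremisesSyncEnabled) { 'Windows Server AD' } else { 'Cloud' })
            Security    = $g.SecurityEnabled
        }
    }
}

function Get-SyncedGlobalAdmins {
    # Cloud admin roles should be held by cloud-only accounts: a synced Global Administrator means
    # an on-prem compromise (or a malicious change on the sync server) becomes a tenant compromise.
    $role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
    if (-not $role) { return }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        # Members can also be groups or service principals; Get-MgUser fails for those, skip them.
        Get-MgUser -UserId $_.Id -Property UserPrincipalName,OnPremisesSyncEnabled -ErrorAction SilentlyContinue
    } | Where-Object { $_.OnPremisesSyncEnabled }
}

# Usage:
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome
Get-TenantSyncStatus | Format-List

# Constructed allow-list matching the post's example OUs; replace with your real OU DNs.
$approved = @('OU=Marketing,DC=contoso,DC=com', 'OU=Sales,DC=contoso,DC=com')
$report   = Get-UserSyncReport -ApprovedOUs $approved
$report | Where-Object { $_.Source -eq 'Windows Server AD' -and -not $_.InApprovedOU } |
    Format-Table UserPrincipalName, OnPremDN    # synced from an OU you did not intend to sync

Get-GroupSyncReport | Group-Object Source | Select-Object Name, Count
Get-SyncedGlobalAdmins | Select-Object UserPrincipalName
```

Anything in the last two outputs, a synced user outside the approved OUs or a synced Global Administrator, is worth a ticket: the first means the OU filter on the sync server is wider than you think, the second means a compromised on-prem account or sync server could take over the tenant.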

When to consider Entra Cloud Sync

Entra Cloud Sync is worth a look if:

  • You have multiple disconnected forests
  • You want easier failover and cloud-managed orchestration
  • You donโ€™t need:
    • Device sync
    • PTA
    • Entra Domain Services integration
    • Third-party LDAP sync

For many classic hybrid AD + Microsoft 365 environments, Entra Connect Sync remains the default choice, especially when hybrid join or PTA is required.


Summary and best practices

Directory synchronization is the backbone of a hybrid Microsoft 365 environment. Done right, it gives users one identity, smooth SSO, and consistent access to resources across on-prem and cloud.

Key points:

  • Choose between Entra Connect Sync (full-featured, on-prem engine) and Entra Cloud Sync (cloud-managed, lighter, but with some limitations).
  • Use Password Hash Sync unless you have a specific requirement for PTA or federation.
  • Carefully select which OUs and objects you sync. Don't bring everything.
  • Enable password writeback if you use cloud SSPR for synchronized users.
  • Monitor sync using:
    • Synchronization Service Manager and the Azure AD Sync service on-prem
    • Entra admin center and Microsoft 365 admin center in the cloud
  • For hybrid devices and Intune scenarios, configure Microsoft Entra hybrid join through the Entra Connect wizard and confirm the result on the device.

With a solid plan, clear visibility into sync health, and the right features turned on, you can keep your hybrid identities clean, consistent, and easy to manage.
