
Entra Connect Sync & Cloud Sync

30 mins

Understanding the Concept

Microsoft Entra Connect Sync is the on-premises agent that synchronizes users, groups, and contacts from Active Directory to Microsoft Entra ID. It supports password hash synchronization, pass-through authentication, and federation with AD FS. Entra Connect is installed on a dedicated server in the on-premises environment.

Microsoft Entra Cloud Sync is a newer, lighter-weight synchronization option that uses a cloud provisioning agent instead of a full server installation. Cloud Sync supports multi-forest scenarios more easily and is managed entirely from the cloud, making it simpler to deploy and maintain.

Key differences: Connect Sync offers more features (device writeback, group writeback, custom sync rules), while Cloud Sync is simpler and supports multi-forest without complex configuration. Organizations can use both simultaneously for different forests.

Key Points

  • Connect Sync: Full-featured, server-based, supports all sync scenarios
  • Cloud Sync: Lightweight agent, cloud-managed, easier multi-forest
  • Both sync users, groups, and contacts from AD DS to Entra ID
  • Sync filtering: OU-based, attribute-based, or domain-based filtering
  • Connect Sync supports custom sync rules; Cloud Sync uses scoping filters

Hybrid Sync Architecture

  • Step 1 - AD DS Forest: source of identity data (users, groups, contacts)
  • Step 2 - Sync Agent: Connect Sync server or Cloud Sync agent installed
  • Step 3 - Filtering: OU, domain, or attribute filters control what syncs
  • Step 4 - Entra ID: cloud directory receives synchronized objects
  • Step 5 - Source of Authority: on-prem AD remains master for synced attributes

Why This Matters in Real Organizations

Most enterprise organizations have existing on-premises Active Directory with years of identity data. Hybrid sync bridges this investment with cloud identity, enabling a unified user experience without forcing a disruptive migration.

Common Mistakes to Avoid

  • Not planning sync filtering, resulting in syncing service accounts or system objects
  • Running Connect Sync on a domain controller instead of a dedicated server
  • Not understanding source of authority - editing synced attributes in the cloud instead of on-prem
  • Choosing Cloud Sync when Connect Sync features are needed (e.g., device writeback)
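The first mistake above is easiest to catch before the first sync cycle runs. The script below is an added example, not part of this lesson or of Microsoft's tooling: it walks the OUs you plan to put in scope and flags user objects that look like service or system accounts so they can be moved out of scope or excluded. It assumes the ActiveDirectory RSAT module is installed, that the OU list is a placeholder for your own scope, and that the default Connect Sync rule skipping objects whose adminDescription starts with "User_" is in place.

```powershell
# Added example: pre-sync audit of the OUs intended for Connect Sync / Cloud Sync scope.
# Assumes the ActiveDirectory module (RSAT) is available on the machine running it.
Import-Module ActiveDirectory

# Placeholder OUs - replace with the OUs you intend to include in the sync filter.
$SyncScopeOUs = @(
    'OU=Corp Users,DC=contoso,DC=example',
    'OU=Contractors,DC=contoso,DC=example'
)

function Get-SyncScopeRisk {
    param([string[]]$OUs)

    foreach ($ou in $OUs) {
        # Pull every user under the OU, including the attributes the checks below rely on.
        $users = Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree `
            -Properties servicePrincipalName, adminDescription, PasswordNeverExpires, Enabled

        foreach ($u in $users) {
            $reasons = @()
            if ($u.servicePrincipalName.Count -gt 0) { $reasons += 'has SPN (service account)' }
            if ($u.PasswordNeverExpires)             { $reasons += 'password never expires' }
            if ($u.SamAccountName -match '^(svc|sa|sys|adm)[-_]') { $reasons += 'service-account naming' }
            if (-not $u.Enabled)                     { $reasons += 'disabled' }

            # Assumption: default Connect Sync rules mark objects whose adminDescription
            # starts with "User_" as cloudFiltered, so those are already out of scope.
            $alreadyExcluded = ($u.adminDescription -like 'User_*')

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName    = $u.SamAccountName
                    DistinguishedName = $u.DistinguishedName
                    Reasons           = ($reasons -join '; ')
                    AlreadyExcluded   = $alreadyExcluded
                }
            }
        }
    }
}

# Review the list: move flagged objects to an out-of-scope OU or set adminDescription
# before enabling the sync cycle, then re-run until nothing unexpected remains.
Get-SyncScopeRisk -OUs $SyncScopeOUs |
    Sort-Object AlreadyExcluded, SamAccountName |
    Format-Table -AutoSize
```

Run it from an account with read access to the scoped OUs; the same checks apply to Cloud Sync scoping filters, since both agents pick up whatever the filter lets through.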

Interview Tips

  • Compare Connect Sync vs Cloud Sync use cases
  • Explain sync filtering strategies (OU-based is most common)
  • Discuss source of authority and attribute flow

Exam Tips (SC-300)

  • Know the differences between Connect Sync and Cloud Sync
  • Understand sync filtering options
  • Know which scenarios require Connect Sync vs Cloud Sync
