Choose your directory synchronization tool
Organizations with an on-premises Active Directory Domain Services (AD DS) domain or forest can synchronize their AD DS user accounts, groups, and contacts with the Microsoft Entra tenant of their Microsoft 365 subscription. Microsoft 365 refers to this design as hybrid identity.
When an organization with an on-premises Active Directory plans to implement Microsoft 365, it must bring its on-premises accounts into Microsoft Entra ID. Doing so enables its users to use Microsoft 365's cloud services, such as Exchange Online, SharePoint Online, Teams, and so on. To support Microsoft 365, most organizations want to avoid creating new user accounts in Microsoft Entra ID, and instead use their existing on-premises accounts. While providing greater efficiency, this design also saves them from having to manage different passwords for each account.
Integrating on-premises directories with Microsoft Entra ID makes users more productive by providing a common identity for accessing both cloud and on-premises resources. Users and organizations can take advantage of the following features:
- Users can use a single identity to access on-premises applications and cloud services such as Microsoft 365.
- Organizations can use a single tool to provide an easy deployment experience for synchronization and sign in.
User account synchronization between on-premises AD and Microsoft Entra ID is part of a set of features known collectively as identity governance. The purpose of identity governance is to ensure the right people have the right access to the right resources at the right time. This design improves security and increases productivity in your organization. Governance starts with ensuring that your users are accurately represented throughout your ecosystem. This design enables you to authenticate them, authorize their access requests, and audit their activities, which are all key to secure productivity.
Microsoft relies on Microsoft Entra ID to improve the timeliness and accuracy of managing identity related objects throughout an organization's ecosystem. Microsoft Entra ID provides a single platform that can enable identities for use between a company's HR system, its identity directories, and its applications.
There are two options to choose from to implement user account synchronization between on-premises AD and Microsoft Entra ID - Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync. The following sections outline the benefits, limitations, and features of each solution.
Microsoft Entra Connect Sync
Microsoft Entra Connect Sync is an on-premises Microsoft application designed to meet and accomplish your hybrid identity goals. Organizations typically install it on an on-premises domain-joined server, although they can install it on a domain controller. Its only requirement is an outbound HTTPS connection to Microsoft 365 servers.
Microsoft Entra Connect Sync was the first solution built for provisioning from on-premises AD to Microsoft Entra ID. It currently supports most Microsoft Entra hybrid scenarios, and it can support organizations with large directories. While the Microsoft Entra Connect Sync tool has robust capabilities, it can also:
- Require a heavy investment in infrastructure resources.
- Be complicated to configure.
- Result in higher maintenance costs.
Microsoft Entra Connect Sync comes with several features you can optionally turn on or are enabled by default. Some features also require more configuration in certain scenarios and topologies.
- Filtering. Used when an organization wants to limit which objects it synchronizes to Microsoft Entra ID. By default, it synchronizes all users, contacts, groups, and Windows 10 computers. Organizations can change the filtering based on domains, OUs, or attributes.
- Password hash synchronization. Synchronizes the password hash in Active Directory to Microsoft Entra ID. The end user can use the same password on-premises and in the cloud but only manage it in one location. Since password hash synchronization uses an organization's on-premises Active Directory as the authority, the organization can use its own password policy.
- Password writeback. Enables users to change and reset their passwords in the cloud and have their organization's on-premises password policy applied.
- Device writeback. For devices registered in Microsoft Entra ID, Microsoft Entra Connect Sync can write them back to on-premises Active Directory for use in Conditional Access.
- Preventing accidental deletes. Enables an organization to protect its cloud directory from numerous deletes at the same time. By default, it allows 500 deletes per run. An organization can change this setting depending on its size. The system turns on this feature by default.
- Automatic upgrade. Ensures an organization's version of Microsoft Entra Connect Sync is always up to date with the latest release. This option is enabled by default for express settings installations.
The following diagram shows how Microsoft Entra Connect Sync synchronizes the fields from an on-premises AD to Microsoft Entra ID.
When users access their on-premises resources, they use their on-premises identities for access. Conversely, when users access Microsoft 365 services such as Exchange Online and SharePoint Online, they use their connected Microsoft Entra user accounts. Organizations can configure custom settings in Microsoft Entra Connect Sync when they want more options for the installation. For example, they should use these settings if they have multiple forests, or if they want to configure optional features. Organizations should use custom settings in all cases where express installation doesn't satisfy their deployment or topology needs.
Additional reading. For more information, see Customize an installation of Microsoft Entra Connect Sync.
Microsoft Entra Connect Sync consists of two primary components:
- Synchronization services. This component is responsible for synchronizing users, groups, and other objects. It's also responsible for making sure identity information for your on-premises users and groups is matching the cloud.
- Microsoft Entra Connect Health. This component provides robust health monitoring and a central location in the Microsoft Entra admin center to view this activity. For more information, see Microsoft Entra Connect Health.
Microsoft Entra Cloud Sync
Microsoft Entra Cloud Sync is also designed to meet and accomplish an organization's hybrid identity goals for synchronization of on-premises users, groups, and contacts to Microsoft Entra ID. Since Microsoft Entra Cloud Sync and Microsoft Entra Connect Sync both synchronize identities, what makes them different? The next section outlines the feature differences between these two directory synchronization tools. However, suffice it to say that Microsoft Entra Connect Sync, which is based on older synchronization technology, requires a greater investment to deploy and support. By comparison, Microsoft Entra Cloud Sync uses a lightweight agent design that requires a minimal on-premises footprint. It also enables organizations to manage all their provisioning configuration in the cloud.
Microsoft Entra Cloud Sync uses Microsoft Online Services to provision from on-premises Active Directory to Microsoft Entra ID. An organization only needs to deploy a light-weight agent in their on-premises or IaaS-hosted environment. This agent acts as a bridge between on-premises Active Directory and Microsoft Entra ID. Microsoft Online Services stores the provisioning configuration in Microsoft Entra ID and manages it as part of its service.
Microsoft Entra Cloud Sync offers several advantages over Microsoft Entra Connect Sync. One of the major reasons to consider choosing Microsoft Entra Cloud Sync is cost savings. Because Microsoft Entra Cloud Sync uses a lightweight agent, organizations don't have to deploy a robust server in their data centers to run the service. And while Microsoft Entra Connect Sync requires SQL Server for larger deployments, that's not the case with Microsoft Entra Cloud Sync. This design can potentially save and organization money on licensing costs. Along with the infrastructure savings, organizations also spend less on support and maintenance throughout the life of the service due to its simplified architecture.
Due to its smaller on-premises footprint and multi-agent support, Microsoft Entra Cloud Sync is easier to set up. It also provides resiliency that isn't available in Microsoft Entra Connect Sync. This design enables organizations to get Microsoft Entra Cloud Sync up and running in their deployments in a fraction of the time spent deploying Microsoft Entra Connect Sync. The simple setup is intuitive and streamlined, which enables end users to start collaborating quickly and seamlessly with minimal effort.
An organization can also deploy multiple agents to provide high availability and automatic failover. This design prevents service outages due to a server or network failure, which ultimately eliminates end user frustration. Support calls are also reduced for things like unprovisioned users and outdated group memberships.
Note
The cloud provisioning agent doesn't load balance if you have multiple agents installed. Only one agent is ever active.
Microsoft Entra Cloud Sync is also the ideal solution if you find yourself needing to provision users from multiple Active Directory forests that have no network connectivity between them. This scenario is often the case in complex business arrangements such as mergers and acquisitions. Microsoft Entra Cloud Sync enables an organization to deploy agents into each of the isolated networks that can communicate independently between the forest and the respective network and Microsoft Entra ID.
Organizations that have Microsoft Entra Connect Sync deployed can still deploy Microsoft Entra Cloud Sync. Microsoft Entra Cloud Sync can be used side by side with Microsoft Entra Connect Sync.
And lastly, Microsoft Entra Cloud Sync can keep Microsoft Entra ID up-to-date with greater frequency than Microsoft Entra Connect Sync. As such, organizations no longer have to wait 30 minutes for on-premises changes to be seen in Microsoft Entra ID, as is the case when using Microsoft Entra Connect Sync.
Comparison between Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync
One of the primary differences between the two tools is where the provisioning configuration is stored and where provisioning occurs:
- Microsoft Entra Connect Sync. The provisioning configuration is stored on the on-premises sync server. Provisioning also runs on the on-premises sync server.
- Microsoft Entra Cloud Sync. The provisioning configuration is stored in the cloud. Provisioning also runs in the cloud as part of the Microsoft Entra provisioning service.
The following table provides a comparison of the features in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync.
Feature | Microsoft Entra Connect Sync | Microsoft Entra Cloud Sync |
---|---|---|
Connect to single on-premises AD forest | X | X |
Connect to multiple on-premises AD forests | X | X |
Connect to multiple disconnected on-premises AD forests | X | |
Lightweight agent installation model | X | |
Multiple active agents for high availability | X | |
Connect to LDAP directories | X | |
Support for user objects | X | X |
Support for group objects | X | X |
Support for contact objects | X | X |
Support for device objects. | X | |
Allow basic customization for attribute flows | X | X |
Synchronize Exchange online attributes | X | X |
Synchronize extension attributes 1 through 15 | X | X |
Synchronize customer defined AD attributes (directory extensions) | X | |
Support for Password Hash Sync | X | X |
Support for Pass-Through Authentication | X | |
Support for federation | X | X |
Seamless Single Sign-on | X | X |
Supports installation on a Domain Controller | X | X |
Support for Windows Server 2016 | X | X |
Filter on Domains/OUs/groups | X | X |
Filter on objects' attribute values | X | |
Allow minimal set of attributes to be synchronized (MinSync) | X | X |
Allow removing attributes from flowing from AD to Microsoft Entra ID | X | X |
Allow advanced customization for attribute flows | X | |
Support for password writeback | X | X |
Support for device writeback | X | |
Support for group writeback | X | |
Support for merging user attributes from multiple domains | X | |
Microsoft Entra Domain Services support | X | |
Exchange hybrid writeback | X | |
Unlimited number of objects per AD domain | X | |
Support for up to 150,000 objects per AD domain | X | X |
Groups with up to 50,000 members | X | X |
Large groups with up to 250,000 members | X | |
Cross domain references | X | X |
On-demand provisioning | X | X |
Support for US Government | X | X |