Migrate from Azure AD Cloud Sync to Azure AD Connect

Erik Wooldridge 20 Reputation points
2023-03-23T22:38:21.1633333+00:00

We want to enable Self-Service Password Reset (SSPR) and Azure AD hybrid enrollment for an existing environment. Currently the environment is configured with the Azure AD Cloud Sync agent which supports neither of the features we'd like to implement.

What is the best option in this scenario?

I considered running both services in tandem, but I believe that will only address the hybrid join need, and not SSPR.

I'd like to completely replace Cloud Sync with AAD Connect. I don't want to assume I can simply disable the cloud sync agent in Azure, then stand up an AAD Connect instance and everything will sync just fine. There's not a lot of documentation around this transition so I'm a little lost. I've read situations where user accounts in Azure are either deleted or converted to Cloud Only when synchronization is disabled, and I don't want either of these outcomes.


Accepted answer
  1. Givary-MSFT 27,966 Reputation points Microsoft Employee
    2023-03-24T06:03:23.2633333+00:00

    @Erik Wooldridge Thank you for reaching out to us. As I understand it, you want to move from Azure AD Cloud Sync to Azure AD Connect. You can follow this approach: install/set up Azure AD Connect in staging mode, make sure all users/groups are in the proper scope as per your requirements, and verify the same in the metaverse.

    If the configuration matches as per your requirement, go ahead with the removal of Azure AD Cloud sync agent and move the Azure AD Connect from staging to production.

    Let me know if you have any further questions. Feel free to post back, or we can connect offline to discuss further as well (you can reach me by sending an email to azcommunity [at] microsoft [dot] com referencing this issue, with the subject line "ATTN:Givary" and a link to this post).

    Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.
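
A sketch of the staging-mode verification described in the answer above, added here as an example and not code from the thread or from Microsoft. It assumes it is run elevated on the new Azure AD Connect server; the connector name is a placeholder and the `OMODT` CSV column name is an assumption to confirm against the generated file.

```powershell
# Added example: checks what the staging server WOULD export, without exporting.
Import-Module ADSync

# Placeholder: copy the exact Azure AD connector name from Get-ADSyncConnector.
$AadConnectorName = '<tenant>.onmicrosoft.com - AAD'
$Bin = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin'
$Xml = Join-Path $env:TEMP 'export.xml'
$Csv = Join-Path $env:TEMP 'export.csv'

# 1. Staging mode must be on: import and sync run, export to Azure AD does not.
if (-not (Get-ADSyncScheduler).StagingModeEnabled) {
    throw 'Staging mode is OFF on this server. Stop and re-check the installation.'
}

# 2. Fail early if the connector name does not match an existing connector.
if (-not (Get-ADSyncConnector | Where-Object Name -eq $AadConnectorName)) {
    throw "No connector named '$AadConnectorName'. Check Get-ADSyncConnector output."
}

# 3. Run a full cycle so the connector spaces and metaverse reflect current scope.
Start-ADSyncSyncCycle -PolicyType Initial
Start-Sleep -Seconds 15                      # give the cycle time to start
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }

# 4. Dump the pending exports for the Azure AD connector (/f:x = pending exports).
Remove-Item $Xml, $Csv -ErrorAction SilentlyContinue
& (Join-Path $Bin 'csexport.exe') $AadConnectorName $Xml /f:x
& (Join-Path $Bin 'CSExportAnalyzer.exe') $Xml | Out-File -FilePath $Csv -Encoding utf8

# 5. Summarise pending changes per operation type.
#    Assumption: the analyzer's operation-type column is named OMODT;
#    open the CSV and adjust the property name if it differs.
Import-Csv $Csv | Group-Object OMODT | Select-Object Name, Count
```

Pending deletes, or adds for users that already exist in the tenant, mean scope or matching differs from what Cloud Sync was doing and should be resolved before the Cloud Sync agent is removed and staging mode is turned off.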


1 additional answer

  1. Andy David - MVP 141.6K Reputation points MVP
    2023-03-24T12:14:45.3+00:00

    I'd like to point out that Azure AD Cloud Sync has SSPR capabilities:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback

    I wouldn't move "backwards" to Azure AD Connect unless you have a very compelling reason otherwise.