This depends on your existing configuration and on the duration of the outage. However, synced objects already in Microsoft Entra ID will remain intact and continue to function as expected.
Here's a breakdown of the impact:
1. Short-Term Impact (Immediate Effects)
- No New Syncs or Updates:
  - Changes made to objects in the on-premises Active Directory (AD) will not sync to Microsoft Entra ID. This includes changes to:
    - User accounts (e.g., new users, deletions, or attribute changes like password updates).
    - Group memberships.
    - Device objects.
- Existing Synced Objects:
  - Objects that were synced before the Azure AD Connect server went down will remain in Microsoft Entra ID without changes.
- Password Hash Sync (PHS):
  - If Password Hash Sync is enabled, any password changes in on-prem AD will not sync to Microsoft Entra ID until the server is restored.
- Pass-Through Authentication (PTA):
  - If PTA is configured, user authentication will continue to work because authentication requests are routed through the PTA agents installed on other servers (if redundancy exists). If no other PTA agents are available, users will not be able to authenticate.
- Federated Authentication:
  - For organizations using federation (e.g., ADFS), authentication will not be impacted as long as the federation infrastructure remains operational.
2. Medium-Term Impact (Over Time)
- Provisioning Delays:
  - New hires or role changes (e.g., group memberships or license assignments) will not be reflected in Microsoft Entra ID.
  - This can result in delayed access to cloud services like Microsoft 365 or Microsoft Teams for new users or for users with updated roles.
- Device Join and Hybrid Join:
  - Devices attempting to complete Hybrid Azure AD Join may fail to register if the Azure AD Connect server is not available to process updates and sync device objects.
- Licensing Impact:
  - If group-based licensing is used, group membership changes in on-prem AD will not propagate, potentially delaying license assignments or removals.
3. Long-Term Impact (Prolonged Downtime)
- Stale or Inconsistent Data:
  - Over time, objects in Microsoft Entra ID may become out of sync with on-prem AD, leading to discrepancies in attributes like email addresses, phone numbers, or group memberships.
- Account Lockout Issues:
  - If password hash sync is used and the server remains down, users may experience issues logging into cloud services if their passwords are changed or reset in on-prem AD and those changes are not synced.
- Expired Certificates for PTA/Hybrid Join:
  - Some components, such as Pass-Through Authentication (PTA) certificates or device registration certificates for Hybrid Azure AD Join, may eventually expire if the Azure AD Connect server is not operational to renew them.
To mitigate the impact, consider deploying an additional Azure AD Connect server in staging mode to ensure a backup is available. You should also use multiple PTA agents if Pass-Through Authentication is used.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
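The staging-mode mitigation in the answer above, as an added example that is not part of Marcin's reply: one PowerShell script that measures how stale directory sync has become from the cloud side (Microsoft Graph `Get-MgOrganization`, `OnPremisesLastSyncDateTime`) and, once the primary is confirmed dead, promotes a staging-mode Azure AD Connect server with the ADSync cmdlets (`Get-ADSyncScheduler`, `Set-ADSyncScheduler`, `Start-ADSyncSyncCycle`). It assumes the Microsoft.Graph and ADSync modules are installed; the 180-minute staleness threshold and the hostname `aadc01` are placeholders, not documented values.

```powershell
# Added example (not from Marcin's answer). Assumes the Microsoft.Graph module
# on the admin workstation and the ADSync module on the standby server.
# The 180-minute threshold and the hostname 'aadc01' are assumptions.

# --- Cloud side: how long since the last successful sync? -------------------
function Get-DirectorySyncStaleness {
    param([int]$MaxAgeMinutes = 180)   # assumption: alert after 3 hours (default cycle is 30 min)

    # Requires a prior: Connect-MgGraph -Scopes 'Organization.Read.All'
    $org  = Get-MgOrganization -Property 'OnPremisesLastSyncDateTime','OnPremisesSyncEnabled' |
            Select-Object -First 1
    $last = $org.OnPremisesLastSyncDateTime

    # No sync configured, or never synced: treat as stale so the check fails closed.
    if (-not $org.OnPremisesSyncEnabled -or -not $last) {
        return [pscustomobject]@{ LastSyncUtc = $null; AgeMinutes = $null; Stale = $true }
    }

    $age = [int]((Get-Date).ToUniversalTime() - $last.ToUniversalTime()).TotalMinutes
    [pscustomobject]@{
        LastSyncUtc = $last.ToUniversalTime()
        AgeMinutes  = $age
        Stale       = ($age -gt $MaxAgeMinutes)
    }
}

# --- Standby server: confirm it is in staging mode and healthy ---------------
function Get-StandbyConnectState {
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        StagingMode     = $s.StagingModeEnabled
        SyncEnabled     = $s.SyncCycleEnabled
        CycleInProgress = $s.SyncCycleInProgress
        NextCycleUtc    = $s.NextSyncCycleStartTimeInUTC
    }
}

# --- Failover: promote the staging server to active --------------------------
function Invoke-ConnectFailover {
    param([Parameter(Mandatory)][string]$OldServer)  # hostname of the failed primary

    # Guard 1: never run two active exporters against the same tenant. If the
    # old server still answers, take it out of service there first
    # (Set-ADSyncScheduler -SyncCycleEnabled $false) rather than promoting this one.
    if (Test-Connection -ComputerName $OldServer -Count 1 -Quiet) {
        throw "$OldServer still answers; disable its sync cycle before promoting this server."
    }

    $state = Get-ADSyncScheduler
    # Guard 2: this server must actually be the staging instance.
    if (-not $state.StagingModeEnabled) {
        throw 'This server is already active; nothing to promote.'
    }
    # Guard 3: do not flip modes while a cycle is mid-run.
    if ($state.SyncCycleInProgress) {
        throw 'A sync cycle is in progress; wait for it to finish.'
    }

    # Leaving staging mode lets this server export to Microsoft Entra ID and AD.
    Set-ADSyncScheduler -StagingModeEnabled $false
    # A delta cycle pushes the changes that accumulated during the outage.
    Start-ADSyncSyncCycle -PolicyType Delta
    Get-StandbyConnectState
}

# Usage (run the first two lines from an admin workstation, the last on the staging server):
#   Connect-MgGraph -Scopes 'Organization.Read.All'
#   Get-DirectorySyncStaleness -MaxAgeMinutes 180
#   Invoke-ConnectFailover -OldServer 'aadc01'   # 'aadc01' is a placeholder hostname
```

The reachability check is a safety interlock, not proof that the old server has stopped exporting: an ICMP reply only tells you the host is up, so if it answers, disable its sync cycle (or shut it down) and re-run the failover rather than bypassing the guard. The staleness function fails closed (reports stale when sync is disabled or has never completed) so a monitoring job built on it alerts rather than silently passing.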