Configure Microsoft Entra Connect Sync prerequisites

The following sections outline the prerequisites that must be satisfied before you install Microsoft Entra Connect Sync.

Important

Azure Active Directory (Azure AD) is now Microsoft Entra ID.

Microsoft Entra ID

  • You need a Microsoft Entra tenant. You get one with an Azure free trial. You can use one of the following portals to manage Microsoft Entra Connect Sync:
    • The Microsoft Entra admin center
    • The Office portal
  • Add and verify the domain you plan to use in Microsoft Entra ID. For example, if you plan to use contoso.com for your users, verify that you're using this domain and not just the contoso.onmicrosoft.com default domain.
  • A Microsoft Entra tenant allows, by default, 50,000 objects. When you verify your domain, the limit increases to 300,000 objects. If you need even more objects in Microsoft Entra ID, open a support case to increase the limit even further. If you need more than 500,000 objects, you need a license, such as Microsoft 365, Microsoft Entra ID P1 or P2, or Enterprise Mobility + Security.

Prepare your on-premises data

On-premises Active Directory

  • The Active Directory schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema version and forest-level requirements are met. You might require a paid support program if you require support for domain controllers running Windows Server 2016 or older.
  • The domain controller used by Microsoft Entra ID must be writable. Using a read-only domain controller (RODC) isn't supported, and Microsoft Entra Connect Sync doesn't follow any write redirects.
  • On-premises forests or domains with "dotted" NetBIOS names (where the name contains a period) aren't supported.
  • Microsoft recommends that you enable the Active Directory recycle bin.

PowerShell execution policy

  • Microsoft Entra Connect Sync runs signed PowerShell scripts as part of the installation. Ensure that the PowerShell execution policy allows scripts to run.
  • The recommended execution policy during installation is "RemoteSigned."
  • For more information on setting the PowerShell execution policy, see Set-ExecutionPolicy.

Microsoft Entra Connect Sync server

The Microsoft Entra Connect Sync server contains critical identity data. It's important that administrative access to this server is properly secured.

  • Microsoft doesn't support synchronization from multiple active Microsoft Entra Connect Sync servers to a single tenant. However, extra servers can be installed in staging mode to achieve redundancy and expedite recovery from failure. Staging mode is examined in a later section in this training unit.
  • The Microsoft Entra Connect Sync server must be treated as a Tier 0 component as documented in the Active Directory administrative tier model.
  • Microsoft recommends hardening the Microsoft Entra Connect Sync server as a Control Plane asset by following the guidance provided in Secure Privileged Access.
  • To read more about securing your Active Directory environment, see Best practices for securing Active Directory.

Microsoft Entra Connect Sync server installation prerequisites

Organizations must satisfy the following prerequisites before installing Microsoft Entra Connect Sync:

  • Microsoft Entra Connect Sync can be deployed on various server types, including domain controllers, member servers, and servers not joined to a domain. It provides authentication and access control features regardless of the server's domain status, so organizations can use it in a range of network setups, including less common standalone scenarios where servers operate independently of a domain, for example where a distinct management network is configured or an organization employs external systems.
  • Microsoft Entra Connect Sync must be installed on servers running Windows Server 2016 or later. Microsoft recommends using Windows Server 2022. Keep in mind that Windows Server 2016 is in extended support. As such, if you deploy Microsoft Entra Connect Sync on Windows Server 2016, you might need a paid support program if you require support for this configuration.
  • The minimum .NET Framework version required is 4.6.2; newer versions of .NET Framework are also supported. .NET Framework 4.8 and later offer the best accessibility compliance.
  • You can't install Microsoft Entra Connect Sync on Small Business Server or on Windows Server Essentials versions before 2019 (Windows Server Essentials 2019 is supported). The server must be running Windows Server Standard or better.
  • The Microsoft Entra Connect Sync server must have a full GUI installed. Installing Microsoft Entra Connect Sync on Windows Server Core isn't supported.
  • The Microsoft Entra Connect Sync server can't have PowerShell Transcription Group Policy enabled if you use the Microsoft Entra Connect Sync wizard to manage Active Directory Federation Services (AD FS) configuration. You can enable PowerShell transcription if you use the Microsoft Entra Connect Sync wizard to manage sync configuration.
  • If you plan to deploy AD FS:
  • You can't break and analyze traffic between Microsoft Entra Connect Sync and Microsoft Entra ID. This action isn't supported, and doing so can disrupt the service.
  • If your Hybrid Identity Administrators have MFA enabled, the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. This URL is the content rendering site for Microsoft Office logins when using MFA. When you receive an MFA challenge and you didn't previously add this site to the trusted sites list, the system prompts you to add it. You can use Internet Explorer or Microsoft Edge to add it to your trusted sites.
  • If you plan to use Microsoft Entra Connect Health for syncing, ensure you meet the prerequisites for Microsoft Entra Connect Health. For more information, see Microsoft Entra Connect Health agent installation.
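As an added example that isn't part of this training unit, the following read-only PowerShell script checks several of the prerequisites listed above (operating system version and edition, Desktop Experience versus Server Core, .NET Framework version, the execution policy described earlier, and the PowerShell Transcription policy). The registry paths and .NET Release numbers it uses are standard Windows values; run it in an elevated session on the candidate server.

```powershell
# Added example (not from the training unit): read-only prerequisite check for a
# candidate Microsoft Entra Connect Sync server. Thresholds follow the unit's text;
# registry paths are standard Windows locations. Nothing is changed on the host.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Windows Server 2016 (build 14393) or later is required; 2022 (build 20348) is recommended.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
Add-Check 'OS is Windows Server 2016 or later' ($os.ProductType -ne 1 -and $build -ge 14393) "$($os.Caption) build $build"
if ($build -lt 20348) { Write-Warning 'Windows Server 2022 is the recommended platform.' }

# A full GUI is required: Server Core reports InstallationType = 'Server Core'.
$instType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Add-Check 'Desktop Experience (not Server Core)' ($instType -ne 'Server Core') "InstallationType=$instType"

# Essentials editions before 2019 (build 17763) aren't supported.
$isEssentials = $os.Caption -match 'Essentials'
Add-Check 'Edition is Standard or better' (-not $isEssentials -or $build -ge 17763) $os.Caption

# .NET Framework 4.6.2 is Release 394802; 4.8 is Release 528040 (best accessibility compliance).
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework 4.6.2 or later' ($release -ge 394802) "Release=$release"
if ($release -and $release -lt 528040) { Write-Warning '.NET Framework 4.8 or later is recommended.' }

# The installer's signed scripts must be allowed to run; RemoteSigned is the recommended policy.
$policy = (Get-ExecutionPolicy).ToString()
Add-Check 'Execution policy allows signed scripts' ($policy -in 'RemoteSigned','AllSigned','Unrestricted','Bypass') "Effective policy=$policy"

# The PowerShell Transcription policy only blocks the wizard when it manages AD FS configuration.
$transcript = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue).EnableTranscripting
Add-Check 'PowerShell Transcription policy not enforced' ($transcript -ne 1) "EnableTranscripting=$transcript (matters only if the wizard manages AD FS)"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more prerequisites are not met.' }
```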

Harden your Microsoft Entra Connect Sync server

Microsoft recommends that organizations harden their Microsoft Entra Connect Sync server to decrease the security attack surface for this critical component of their IT environment. You should follow these recommendations to help mitigate some security risks to your organization.

  • Microsoft recommends hardening the Microsoft Entra Connect Sync server as a Control Plane (formerly Tier 0) asset by following the guidance provided in Secure Privileged Access and Active Directory administrative tier model.
  • Restrict administrative access to the Microsoft Entra Connect server to only domain administrators or other tightly controlled security groups.
  • Create a dedicated account for all personnel with privileged access. Administrators shouldn't be browsing the web, checking their email, and doing day-to-day productivity tasks with highly privileged accounts.
  • Deny use of NTLM authentication with the Microsoft Entra Connect Sync server. You can accomplish this through Restricting NTLM on the AADConnect Server and Restricting NTLM on a domain.
  • Ensure every machine has a unique local administrator password. For more information, see Local Administrator Password Solution (Windows LAPS). LAPS is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. More guidance for operating an environment with Windows LAPS and privileged access workstations (PAWs) can be found in Operational standards based on clean source principle.
  • Implement dedicated privileged access workstations for all personnel with privileged access to your organization's information systems.
  • Follow these extra guidelines to reduce the attack surface of your on-premises Active Directory environment.
  • Follow the guidance in Monitor changes to federation configuration to set up alerts that monitor changes to the trust established between your identity provider (IdP) and Microsoft Entra ID.
  • Enable multifactor authentication (MFA) for all users who have privileged access in Microsoft Entra ID or in your on-premises Active Directory. Why is enabling MFA so important? Well, let's assume an attacker manages to reset a user's password using Microsoft Entra Connect synchronization. Doing so can enable the attacker to gain control over the Microsoft Entra Connect Sync server, from which they can manipulate users in Microsoft Entra ID. However, by enabling MFA for all users that have privileged access in Microsoft Entra ID or in your on-premises Active Directory, you can prevent the attacker from using the user password information to take over Microsoft Entra accounts. MFA prevents this type of attack because the attacker can't bypass the second authentication factor.
  • Disable Soft Matching on your tenant. Soft Matching is a great feature to help transfer source of authority for existing cloud-managed objects to Microsoft Entra Connect Sync, but it comes with certain security risks. If you don't require it, you should disable Soft Matching.
  • Disable Hard Match Takeover. Hard match takeover allows Microsoft Entra Connect Sync to take control of a cloud-managed object and change the source of authority for the object to Active Directory. Once Microsoft Entra Connect Sync takes over the source of authority of an object, changes made to the Active Directory object that is linked to the Microsoft Entra object overwrite the original Microsoft Entra data, including the password hash when Password Hash Sync is enabled. An attacker could use this capability to take over control of cloud-managed objects. To mitigate this risk, disable hard match takeover.
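As an added example (not code from this training unit), the following Microsoft Graph PowerShell commands block Soft Matching and hard match takeover at the tenant level, as the last two recommendations describe. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and that the signed-in account can consent to the OnPremDirectorySynchronization.ReadWrite.All permission.

```powershell
# Added example (not from the training unit): block Soft Matching and hard-match
# takeover on the tenant with Microsoft Graph PowerShell. Assumes the
# Microsoft.Graph.Identity.DirectoryManagement module is installed and the
# signed-in account can consent to OnPremDirectorySynchronization.ReadWrite.All.

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'

# A tenant with directory synchronization configured exposes one onPremisesDirectorySynchronization object.
$sync = Get-MgDirectoryOnPremiseSynchronization
if (-not $sync) { throw 'No on-premises directory synchronization configuration found for this tenant.' }

# Record the current state of both switches before changing anything.
Write-Output 'Before:'
$sync.Features | Select-Object BlockSoftMatchEnabled, BlockCloudObjectTakeoverThroughHardMatchEnabled

# Soft Matching lets a synced object claim an existing cloud object by SMTP/UPN; block it unless required.
$sync.Features.BlockSoftMatchEnabled = $true
# Hard match takeover lets an on-premises object seize source of authority over a cloud-managed object.
$sync.Features.BlockCloudObjectTakeoverThroughHardMatchEnabled = $true

Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $sync.Id -Features $sync.Features

# Re-read the configuration to confirm the change persisted.
Write-Output 'After:'
(Get-MgDirectoryOnPremiseSynchronization).Features |
    Select-Object BlockSoftMatchEnabled, BlockCloudObjectTakeoverThroughHardMatchEnabled
```

Both switches are tenant-wide; if you still need Soft Matching for a one-time migration of existing cloud objects, enable it only for that window and re-block it afterward.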

Microsoft Entra Connect Sync in staging mode

You were earlier instructed that Microsoft doesn't support more than one active Microsoft Entra Connect Sync server connected to a single Microsoft Entra or Microsoft 365 tenant. There's one exception to this rule, and that's when an organization deploys a staging mode environment. In staging mode, organizations can deploy more than one Microsoft Entra Connect Sync server connected to a single Microsoft Entra or Microsoft 365 tenant. However, only one of those servers can be the "active" Microsoft Entra Connect Sync server. The other servers take on the role of what's known as staging servers. Microsoft Entra Connect Sync staging servers are often used as part of a strategy for high availability, testing, deploying new configuration changes, and disaster recovery.

A Microsoft Entra Connect Sync staging server is set up in parallel to the active Microsoft Entra Connect Sync server. However, the staging server doesn't perform any changes or synchronization to Microsoft Entra ID. It's used for testing and validating configuration changes, ensuring that they work as expected before being applied to the production environment.

The primary reasons for using a staging server when deploying an active Microsoft Entra Connect Sync server are:

  • High availability. By having a staging server, you can test changes without affecting the production environment, ensuring that services remain available and uninterrupted.
  • Testing configuration changes. Before making any changes to the active Microsoft Entra Connect Sync server, you can implement and test them on the staging server to verify their impact. This design helps in identifying and addressing potential issues in a controlled manner.
  • Disaster recovery. If there are any issues with the active Microsoft Entra Connect Sync server, the staging server can be promoted to take over, minimizing downtime and service disruption.
  • Migration and updates. When migrating Microsoft Entra Connect Sync to a new server or applying updates, the staging server allows you to prepare and test these changes without affecting the current synchronization process.
  • Safe environment. The staging server provides a safe environment to make and test changes without the risk of affecting the Active Directory synchronization with Microsoft Entra ID.

Note

When you run Microsoft Entra Connect Sync in staging mode, it doesn't run password hash sync or password writeback until it's promoted from staging mode.

In staging mode, organizations can have multiple Microsoft Entra Connect Sync staging servers. In this design, they typically set them up so that only one staging server is active at a time, while the remaining inactive staging servers are ready to take over if needed. In other words, only one is performing the role of a Microsoft Entra Connect Sync staging server at any given moment. The inactive staging servers serve as backups (think of them as backups to the backup), ready to take over the role of the active staging server in case it fails or needs to be taken offline for maintenance or updates.

This design ensures that there's always a staging server ready to step in and maintain the continuity of the staging process, which is crucial for testing and validating changes before they're applied to the production environment. Think of it as a relay race where only one runner (the active staging server) is running at a time, but the other runners (the inactive staging servers) are ready to take the baton if needed. Deploying a staging mode environment that consists of multiple staging servers provides the ultimate resilience and high availability for the synchronization process with Microsoft Entra or Microsoft 365.

SQL Server used by Microsoft Entra Connect Sync

Microsoft Entra Connect Sync requires a SQL Server database to store identity data. By default, a SQL Server 2019 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10-GB size limit that enables you to manage approximately 100,000 objects.

  • If your organization manages a higher volume of directory objects, point the installation wizard to a different installation of SQL Server. The type of SQL Server installation can impact the performance of Microsoft Entra Connect Sync.
  • If you use a different installation of SQL Server, the following requirements apply:
    • Microsoft Entra Connect Sync supports all mainstream supported SQL Server versions up to SQL Server 2022 running on Windows. Refer to this SQL Server lifecycle article to verify the support status of your SQL Server version. SQL Server 2012 is no longer supported. Azure SQL Database and Azure SQL Managed Instance aren't supported as a database.
    • You must use a case-insensitive SQL collation. These collations are identified with a _CI_ in their name. Using a case-sensitive collation identified by _CS_ in their name isn't supported.
    • You can have only one sync engine per SQL instance. A SQL instance can't be shared with FIM/MIM Sync, DirSync, or Microsoft Entra Connect Sync.

Accounts

  • You must create a Microsoft Entra Global Administrator account or Hybrid Identity Administrator account for the Microsoft Entra tenant you want to integrate with. This account must be a school or organization account and can't be a Microsoft account.
  • If you use express settings or upgrade from DirSync, you must create an Enterprise Administrator account for your on-premises Active Directory.
  • If you use the custom settings installation path, see Custom installation settings for information on more options.

Connectivity

The Microsoft Entra Connect Sync server needs DNS resolution for both the intranet and the internet. The DNS server must be able to resolve names for both your on-premises Active Directory and the Microsoft Entra endpoints.

  • Microsoft Entra Connect Sync requires network connectivity to all configured domains.
  • Microsoft Entra Connect Sync requires network connectivity to the root domain of all configured forests.
  • If you have firewalls on your intranet and you need to open ports between the Microsoft Entra Connect Sync servers and your domain controllers, see Microsoft Entra Connect ports.
  • If you're using the Microsoft cloud in Germany or the Microsoft Azure Government cloud, see Microsoft Entra Connect Sync service instances considerations for URLs.
  • If your proxy or firewall limits which URLs can be accessed, the URLs documented in Office 365 URLs and IP address ranges must be opened. Also see Safelist the Microsoft Entra admin center URLs on your firewall or proxy server.
  • Microsoft Entra Connect Sync (version 1.1.614.0 and after) by default uses TLS 1.2 for encrypting communication between the sync engine and Microsoft Entra ID. If TLS 1.2 isn't available on the underlying operating system, Microsoft Entra Connect Sync incrementally falls back to older protocols (TLS 1.1 and TLS 1.0). From Microsoft Entra Connect Sync version 2.0 onwards, TLS 1.0 and 1.1 are no longer supported and installation fails if TLS 1.2 isn't enabled.
  • Prior to version 1.1.614.0, Microsoft Entra Connect Sync by default uses TLS 1.0 for encrypting communication between the sync engine and Microsoft Entra ID. To change to TLS 1.2, follow the steps in Enable TLS 1.2 for Microsoft Entra Connect.
  • If you're using an outbound proxy for connecting to the internet, the following setting in the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file must be added for the installation wizard and Microsoft Entra Connect Sync to be able to connect to the internet and Microsoft Entra ID. This text must be entered at the bottom of the file. In this code, <PROXYADDRESS> represents the actual proxy IP address or host name.
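To meet the TLS 1.2 requirement described in the Connectivity bullets above, here is an added example (not from this training unit or from the linked Enable TLS 1.2 article) that sets the standard .NET Framework and SCHANNEL registry values so that the sync engine negotiates TLS 1.2. Run it elevated on the sync server and reboot afterward.

```powershell
# Added example (not from the training unit): enable TLS 1.2 for .NET Framework and
# SCHANNEL on the sync server so Microsoft Entra Connect Sync 2.0 and later can install
# and communicate with Microsoft Entra ID. Registry locations are the standard
# Windows/.NET ones; SCHANNEL changes take effect after a reboot.

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) { Write-Output "OK      $Path\$Name = $Value"; return }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Write-Output "CHANGED $Path\$Name : $current -> $Value"
}

# .NET Framework 4.x: let the OS choose the protocol (SystemDefaultTlsVersions) and use
# strong crypto, for both 64-bit and 32-bit (WOW6432Node) applications.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    Set-RegDword $net 'SystemDefaultTlsVersions' 1
    Set-RegDword $net 'SchUseStrongCrypto' 1
}

# SCHANNEL: explicitly enable TLS 1.2 for both the client and the server role.
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($role in 'Client', 'Server') {
    Set-RegDword "$tls12\$role" 'Enabled' 1
    Set-RegDword "$tls12\$role" 'DisabledByDefault' 0
}

Write-Output 'Reboot the server for the SCHANNEL settings to take effect, then rerun the installer.'
```

After the reboot, `[Net.ServicePointManager]::SecurityProtocol` in a fresh PowerShell session should report SystemDefault, meaning .NET defers to the operating system's TLS 1.2 configuration.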