Configure Microsoft Entra Cloud Sync

Once an organization satisfies the Microsoft Entra Cloud Sync prerequisites, it must complete the following tasks to install this directory synchronization tool:

  1. Install the Microsoft Entra Connect provisioning agent.
  2. Verify the agent is installed.
  3. Verify the agent is running.
  4. Configure Microsoft Entra Connect Cloud Sync provisioning.

The following sections outline each of these tasks.

Task 1 - Install the Microsoft Entra Connect provisioning agent

This task examines the installation process for the Microsoft Entra Connect provisioning agent and how to initially configure it in the Microsoft Entra admin center. The provisioning agent is only supported on Windows Server operating systems.

Note

This unit deals with installing the provisioning agent by using the Microsoft Entra Connect provisioning agent wizard. For information on installing the Microsoft Entra Connect provisioning agent by using a command-line interface (CLI), see Install the Microsoft Entra Connect provisioning agent by using a CLI and PowerShell.

You should complete the following steps to install the Microsoft Entra Connect provisioning agent on a server running the Windows Server OS:

  1. Sign in to the Microsoft 365 admin center using an account with Global admin permissions.
  2. In the left-hand navigation pane, select Show all, and then under the Admin centers group, select Identity.
  3. In the Microsoft Entra admin center, select Show more in the navigation pane.
  4. Select Hybrid management and then select Microsoft Entra Connect.
  5. On the Microsoft Entra Connect | Get started page, in the middle navigation pane, select Cloud Sync.
  6. On the Cloud sync | Configurations page, in the middle navigation pane, under the Monitor section, select Agents.
  7. On the Cloud sync | Agents page, select the Download on-premises agent option that appears in the menu bar at the top of the page.
  8. On the Microsoft Entra Provisioning Agent pane that appears, select the Accept terms & download button.
  9. Once the agent finishes downloading, select Open file in the Downloads notification window. This option starts the installation wizard.
  10. On the Microsoft Entra Provisioning Agent Package wizard, accept the licensing terms and then select Install.
  11. On the Welcome to the Microsoft Entra provisioning agent configuration wizard page, note the different integration scenarios the wizard supports and then select Next.
  12. On the Select Extension page, select the extension applicable to your organization and then select Next.
  13. On the Sign in dialog box that appears, sign in with a Global administrator account.
  14. If you selected the HR-driven provisioning option on the Select Extension page, then you must configure a group managed service account and connect to Active Directory through the following steps (otherwise, if you selected On-premises application provisioning, then proceed to the next step):
    1. On the Configure Service Account page, select either Create gMSA or Use custom gMSA.
    2. If you allow the agent to create the account, enter the domain administrator credentials to create the group managed service account. This account runs the agent service. The account that was created is named provAgentgMSA$. Select Next.
    3. If you specify Use custom gMSA, the installation wizard prompts you for this account.
    4. On the Connect Active Directory page, select Next. Your current domain is automatically displayed. If you wish to add more domains, enter them and select Add Directory. Then sign in with an administrator account from that domain.
    5. You can optionally manage the preference of domain controllers the agent uses. To do so, select Add Directory and then select the Select domain controller priority checkbox. A list of domain controllers appears. Order the list of domain controllers and then select OK.
  15. On the Agent configuration page, confirm the settings and then select Confirm.
  16. After this operation finishes, a message should appear that indicates the agent installation is complete. Select Exit.
  17. If you still see the initial Microsoft Entra Provisioning Agent Package screen, select Close.

Task 2 - Verify the agent is installed

Agent verification occurs in the Microsoft Entra admin center and on the local server that's running the agent. You should complete this task to verify that Microsoft Entra ID sees the agent:

  1. After finishing the prior task of installing the Microsoft Entra provisioning agent, you should still be on the Cloud sync | Agents page in the Microsoft Entra admin center.
  2. Refresh this page by selecting the Refresh icon in your browser.
  3. On the Cloud sync | Agents page, verify the agent you installed appears and that its Status is active.

Task 3 - Verify the agent is running

On the local server on which you installed the agent, you should then complete this task to verify the agent is running:

  1. Sign in to the server with an administrator account.
  2. Select the Search (magnifying glass) icon on the taskbar, enter Services in the search field, and then select the Services desktop app.
  3. Maximize the Services window that appears.
  4. Verify that Microsoft Azure AD Connect Agent Updater and Microsoft Azure AD Connect Provisioning Agent are present, and that their status is Running.
  5. Close the Services window.
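
The same verification can be scripted. The following is an added example, not part of the original unit: it checks that both services listed in step 4 are running and, for the provisioning agent, that the service logs on as the group managed service account from Task 1 rather than a broader account. The function name Test-CloudSyncAgent and its parameters are hypothetical; use -SkipAccountCheck if you did not configure a gMSA.

```powershell
# Added example: scripted version of Task 3, run in an elevated PowerShell session
# on the server that hosts the agent. Test-CloudSyncAgent is a hypothetical name.
function Test-CloudSyncAgent {
    [CmdletBinding()]
    param(
        # Default is the account the wizard creates; change it for "Use custom gMSA".
        [string]$ExpectedAccount = 'provAgentgMSA$',
        # Set when no gMSA was configured (On-premises application provisioning).
        [switch]$SkipAccountCheck
    )

    # Display names exactly as they appear in the Services console (step 4).
    $expected = @(
        @{ DisplayName = 'Microsoft Azure AD Connect Provisioning Agent'; CheckAccount = $true }
        @{ DisplayName = 'Microsoft Azure AD Connect Agent Updater'; CheckAccount = $false }
    )

    foreach ($item in $expected) {
        $filter = "DisplayName='{0}'" -f $item.DisplayName
        $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter

        $findings = @()
        if (-not $svc) {
            $findings += 'service not installed'
        } else {
            if ($svc.State -ne 'Running') { $findings += "state is $($svc.State)" }
            if ($item.CheckAccount -and -not $SkipAccountCheck) {
                # StartName is usually DOMAIN\account; compare only the account part.
                $account = ($svc.StartName -split '\\')[-1]
                if ($account -ne $ExpectedAccount) {
                    $findings += "runs as $($svc.StartName), expected $ExpectedAccount"
                }
            }
        }

        # One result object per service so the output can be filtered or exported.
        [pscustomobject]@{
            Service  = $item.DisplayName
            State    = if ($svc) { $svc.State } else { $null }
            LogOnAs  = if ($svc) { $svc.StartName } else { $null }
            Healthy  = ($findings.Count -eq 0)
            Findings = $findings -join '; '
        }
    }
}

Test-CloudSyncAgent | Format-Table -AutoSize -Wrap
```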

Task 4 - Configure Microsoft Entra Cloud Sync provisioning

Once you install the agent, you must configure Microsoft Entra Cloud Sync and enable it before it synchronizes users. Complete this task to configure the agent:

  1. After finishing the prior task of verifying the Microsoft Entra Connect provisioning agent services are running, you should still be on the Cloud sync | Agents page in the Microsoft Entra admin center.
  2. On the Cloud sync | Agents page, at the top of the middle navigation pane, select Configurations.
  3. On the Cloud sync | Configurations page, select + New configuration on the menu bar at the top of the page.
  4. In the drop-down menu that appears, select AD to Microsoft Entra ID sync.
  5. On the New cloud sync configuration page, select the domain you want to sync and whether to enable password hash sync. Select Create.
  6. The Edit cloud sync configuration screen appears. Update the following sections of this screen to configure the agent:
    1. Scope. Configure whether all users are in scope, or configure scoping filters to provision specific users and groups.
    2. Manage attributes. You can map attributes between your on-premises user/group objects and the objects in Microsoft Entra ID. You can customize the default attribute-mappings according to your business needs. In doing so, you can change or delete existing attribute-mappings, or create new attribute-mappings.
    3. Validate (recommended). Select the Provision a user button. This option verifies that synchronization is working as expected before enabling the configuration. It does so by testing with individual users that you enter after selecting the Provision a user button.
    4. Settings. Enter a Notification email address. The system notifies this email address when provisioning isn't healthy. Microsoft recommends that you keep the Prevent accidental deletion checkbox selected. You should also set the Accidental deletion threshold to the number of deletions at which you want to be notified.
    5. Deploy. Select Enable to sync the users and groups that are in scope as defined in the Scope section.
  7. Move the selector to Enable and then select Save.