Choose your directory synchronization tool


Organizations with an on-premises Active Directory Domain Services (AD DS) domain or forest can synchronize their AD DS user accounts, groups, and contacts with the Microsoft Entra tenant of their Microsoft 365 subscription. This design is known as hybrid identity for Microsoft 365.

When an organization with an on-premises Active Directory plans to implement Microsoft 365, it must bring its on-premises accounts into Microsoft Entra ID. Doing so enables its users to use Microsoft 365's cloud services, such as Exchange Online, SharePoint Online, Teams, and so on. To support Microsoft 365, most organizations want to avoid creating new user accounts in Microsoft Entra ID, and instead use their existing on-premises accounts. While providing greater efficiency, this design also saves them from having to manage different passwords for each account.

Integrating on-premises directories with Microsoft Entra ID makes users more productive by providing a common identity for accessing both cloud and on-premises resources. Users and organizations can take advantage of the following features:

  • Users can use a single identity to access on-premises applications and cloud services such as Microsoft 365.
  • Organizations can use a single tool to provide an easy deployment experience for synchronization and sign in.

User account synchronization between on-premises AD and Microsoft Entra ID is part of a set of features known collectively as identity governance. The purpose of identity governance is to ensure the right people have the right access to the right resources at the right time. This design improves security and increases productivity in your organization. Governance starts with ensuring that your users are accurately represented throughout your ecosystem. This design enables you to authenticate them, authorize their access requests, and audit their activities, which are all key to secure productivity.

Microsoft relies on Microsoft Entra ID to improve the timeliness and accuracy of managing identity related objects throughout an organization's ecosystem. Microsoft Entra ID provides a single platform that can enable identities for use between a company's HR system, its identity directories, and its applications.

Two options are available for implementing user account synchronization between on-premises AD and Microsoft Entra ID: Microsoft Entra Connect Sync and Microsoft Entra Connect cloud sync. The following sections outline the benefits, limitations, and features of each solution.

Microsoft Entra Connect Sync

Microsoft Entra Connect Sync is an on-premises Microsoft application that's designed to meet and accomplish your hybrid identity goals. It's typically installed on an on-premises domain-joined server, although it can be installed on a domain controller. Its only requirement is an outbound HTTPS connection to Microsoft 365 servers.

Microsoft Entra Connect Sync (formerly known as DirSync and Azure AD Sync) was the first solution built for provisioning from on-premises AD to Microsoft Entra ID. It currently supports the widest range of Microsoft Entra hybrid scenarios, and it can support organizations with large directories. While Microsoft Entra Connect Sync is robust in its capabilities, it can also:

  • Require a heavy investment in infrastructure resources.
  • Be complicated to configure.
  • Result in higher maintenance costs.

Microsoft Entra Connect comes with several features that you can optionally turn on or that are enabled by default. Some features may require more configuration in certain scenarios and topologies.

  • Filtering. Used when an organization wants to limit which objects are synchronized to Microsoft Entra ID. By default, all users, contacts, groups, and Windows 10 computers are synchronized. The filtering can be changed based on domains, OUs, or attributes.
  • Password hash synchronization. Synchronizes the password hash in Active Directory to Microsoft Entra ID. The end user can use the same password on-premises and in the cloud but only manage it in one location. Since password hash synchronization uses an organization's on-premises Active Directory as the authority, the organization can use its own password policy.
  • Password writeback. Enables users to change and reset their passwords in the cloud and have their organization's on-premises password policy applied.
  • Device writeback. Enables a device registered in Microsoft Entra ID to be written back to on-premises Active Directory so that it can be used for Conditional Access.
  • Preventing accidental deletes. Enables an organization to protect its cloud directory from numerous deletes at the same time. By default, it allows 500 deletes per run. An organization can change this setting depending on its size. This feature is turned on by default.
  • Automatic upgrade. Ensures an organization's version of Microsoft Entra Connect is always up to date with the latest release. This option is enabled by default for express settings installations.
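As an added example (not part of the original module), the following PowerShell snippet, run on the Microsoft Entra Connect Sync server, reads back the state of several of the optional features listed above so that an administrator can verify them rather than assume the defaults. The cmdlets are the ADSync module's own; the "expected" values used in the warnings are assumptions for a default express installation.

```powershell
# Added example: audit the optional-feature state of a Microsoft Entra Connect Sync server.
# Run in an elevated PowerShell session on the sync server; the ADSync module ships with Entra Connect.
Import-Module ADSync

# Scheduler: shows whether the scheduled cycle is running, the effective cycle interval
# (30 minutes by default, as the module describes), and whether the server is in staging mode.
$scheduler = Get-ADSyncScheduler
[PSCustomObject]@{
    SyncCycleEnabled   = $scheduler.SyncCycleEnabled
    EffectiveInterval  = $scheduler.CurrentlyEffectiveSyncCycleInterval
    StagingModeEnabled = $scheduler.StagingModeEnabled
} | Format-List

# Preventing accidental deletes: the export deletion threshold (500 deletes per run by default).
Write-Host "Export deletion threshold:"
Get-ADSyncExportDeletionThreshold | Format-List

# Automatic upgrade: returns Enabled, Disabled or Suspended.
$autoUpgrade = Get-ADSyncAutoUpgrade
Write-Host "AutoUpgrade state: $autoUpgrade"

# Tenant-level feature flags as seen by this server (password hash sync, device writeback, and so on).
Write-Host "Tenant feature flags:"
Get-ADSyncAADCompanyFeature | Format-List

# Flag deviations from the defaults described above. The expected values are assumptions:
# a production server normally runs the scheduled cycle and keeps automatic upgrade enabled.
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "Scheduled sync cycle is disabled; on-premises changes will not flow to Microsoft Entra ID."
}
if ($autoUpgrade -ne 'Enabled') {
    Write-Warning "Automatic upgrade is '$autoUpgrade'; this server may fall behind the latest release."
}
if ($scheduler.StagingModeEnabled) {
    Write-Warning "Server is in staging mode; it imports and synchronizes but does not export to Microsoft Entra ID."
}
```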

The following diagram shows how Microsoft Entra Connect synchronizes the fields from an on-premises AD to Microsoft Entra ID.

diagram depicts how Microsoft Entra Connect synchronizes the fields from on-premises AD to Microsoft Entra ID

When users access their on-premises resources, they do so with their on-premises identities. Conversely, when users access Microsoft 365 services such as Exchange Online and SharePoint Online, they use their connected Microsoft Entra user accounts. Organizations can configure custom settings in Microsoft Entra Connect Sync when they want more options for the installation. For example, they should use these settings if they have multiple forests, or if they want to configure optional features. Custom settings should be used in all cases where the express installation doesn't satisfy an organization's deployment or topology needs.

Additional reading. For more information, see Customize an installation of Microsoft Entra Connect.

Microsoft Entra Connect Sync is made up of two primary components:

  • Synchronization services. This component is responsible for synchronizing users, groups, and other objects. It's also responsible for making sure the identity information for your on-premises users and groups matches the cloud.
  • Microsoft Entra Connect Health. This component provides robust health monitoring and a central location in the Azure portal to view this activity. For more information, see Microsoft Entra Connect Health.

image of Microsoft Entra Connect Sync Services - Directory synchronization, Azure AD Sync, and FIM plus Microsoft Entra Connector

Microsoft Entra Connect cloud sync

Microsoft Entra Connect cloud sync is also designed to meet and accomplish an organization's hybrid identity goals for synchronization of on-premises users, groups, and contacts to Microsoft Entra ID. Since Microsoft Entra Connect cloud sync and Microsoft Entra Connect Sync both synchronize identities, what makes them different? While the next section outlines the feature differences between these two directory synchronization tools, suffice it to say that Microsoft Entra Connect Sync, which is based on older synchronization technology, requires a greater investment to deploy and support. By comparison, Microsoft Entra Connect cloud sync uses a lightweight agent design that requires a minimal on-premises footprint. It also enables organizations to manage all their provisioning configuration in the cloud.

With Microsoft Entra Connect cloud sync, provisioning from on-premises Active Directory to Microsoft Entra ID is orchestrated in Microsoft Online Services. An organization only needs to deploy, in its on-premises or IaaS-hosted environment, a lightweight agent that acts as a bridge between on-premises Active Directory and Microsoft Entra ID. The provisioning configuration is stored in Microsoft Entra ID and managed as part of the service.

Microsoft Entra Connect cloud sync supports most of the common Microsoft Entra hybrid scenarios, with one major exception - Exchange hybrid deployments.

Warning

An Exchange hybrid deployment allows for the co-existence of Exchange mailboxes both on-premises and in Microsoft 365. In an Exchange hybrid deployment, Microsoft Entra Connect synchronizes a specific set of attributes from Microsoft Entra back into the organization's on-premises directory. However, the cloud provisioning agent for Microsoft Entra Connect cloud sync doesn't currently synchronize these attributes back into the on-premises directory. Therefore, organizations that plan to implement an Exchange hybrid deployment must use Microsoft Entra Connect Sync.

For organizations that don't have, or don't plan to have, an Exchange hybrid deployment, Microsoft Entra Cloud Sync offers several advantages over Microsoft Entra Connect Sync. One of the major reasons to consider choosing Microsoft Entra Cloud Sync is cost savings. Because Microsoft Entra Cloud Sync uses a lightweight agent, organizations don't have to deploy a robust server in their data centers to run the service. And while Microsoft Entra Connect Sync requires SQL Server for larger deployments, that's not the case with Microsoft Entra Cloud Sync. This design can potentially save an organization money on licensing costs. Along with the infrastructure savings, organizations will also spend less on support and maintenance throughout the life of the service due to its simplified architecture.

Due to its smaller on-premises footprint and multi-agent support, Microsoft Entra Connect cloud sync is easier to set up. It also provides resiliency that isn't available in Microsoft Entra Connect Sync. This design enables organizations to get Microsoft Entra Connect cloud sync up and running in their deployments in a fraction of the time spent deploying Microsoft Entra Connect Sync. The simple setup is intuitive and streamlined, which enables end users to start collaborating quickly and seamlessly with minimal effort.

An organization can also deploy multiple agents to provide high availability and automatic failover. This design prevents service outages due to a server or network failure. As a result, end user frustration is eliminated. Support calls are also reduced for things like unprovisioned users and outdated group memberships.

Note

The cloud provisioning agent does not load balance if you have multiple agents installed. Only one agent is ever active.

Microsoft Entra Cloud Sync is also the ideal solution if you find yourself needing to provision users from multiple Active Directory forests that have no network connectivity between them. This scenario is common in complex business arrangements such as mergers and acquisitions. Microsoft Entra Cloud Sync enables an organization to deploy an agent into each isolated network; each agent communicates independently between its own forest and Microsoft Entra ID. And if you already have Microsoft Entra Connect Sync deployed in your environment, that doesn't exclude you from deploying Microsoft Entra Cloud Sync to that environment as well. Microsoft Entra Cloud Sync can be used side by side with Microsoft Entra Connect Sync.

And lastly, Microsoft Entra Cloud Sync can keep Microsoft Entra ID up to date with greater frequency than Microsoft Entra Connect Sync. As such, organizations no longer have to wait 30 minutes for on-premises changes to be seen in Microsoft Entra ID, as is the case when using Microsoft Entra Connect Sync.

Comparison between Microsoft Entra Connect and Microsoft Entra Connect cloud sync

One of the primary differences between the two tools is where the provisioning configuration is stored and where provisioning occurs:

  • Microsoft Entra Connect Sync. The provisioning configuration is stored on the on-premises sync server. Provisioning also runs on the on-premises sync server.
  • Microsoft Entra Connect cloud sync. The provisioning configuration is stored in the cloud. Provisioning also runs in the cloud as part of the Microsoft Entra provisioning service.

The following table provides a comparison of the features in Microsoft Entra Connect and Microsoft Entra Connect cloud sync.

| Feature | Microsoft Entra Connect | Microsoft Entra Connect cloud sync |
|---|---|---|
| Connect to single on-premises AD forest | X | X |
| Connect to multiple on-premises AD forests | X | X |
| Connect to multiple disconnected on-premises AD forests | | X |
| Lightweight agent installation model | | X |
| Multiple active agents for high availability | | X |
| Connect to LDAP directories | X | |
| Support for user objects | X | X |
| Support for group objects | X | X |
| Support for contact objects | X | X |
| Support for device objects | X | |
| Allow basic customization for attribute flows | X | X |
| Synchronize Exchange Online attributes | X | X |
| Synchronize extension attributes 1-15 | X | X |
| Synchronize customer-defined AD attributes (directory extensions) | X | |
| Support for Password Hash Sync | X | X |
| Support for Pass-Through Authentication | X | |
| Support for federation | X | X |
| Seamless Single Sign-on | X | X |
| Supports installation on a Domain Controller | X | X |
| Support for Windows Server 2016 | X | X |
| Filter on Domains/OUs/groups | X | X |
| Filter on objects' attribute values | X | |
| Allow minimal set of attributes to be synchronized (MinSync) | X | X |
| Allow removing attributes from flowing from AD to Microsoft Entra ID | X | X |
| Allow advanced customization for attribute flows | X | |
| Support for password writeback | X | X |
| Support for device writeback | X | |
| Support for group writeback | X | |
| Support for merging user attributes from multiple domains | X | |
| Microsoft Entra Domain Services support | X | |
| Exchange hybrid writeback | X | |
| Unlimited number of objects per AD domain | X | |
| Support for up to 150,000 objects per AD domain | X | X |
| Groups with up to 50,000 members | X | X |
| Large groups with up to 250,000 members | X | |
| Cross domain references | X | X |
| On-demand provisioning | X | X |
| Support for US Government | X | X |