Plan for directory synchronization using Microsoft Entra Connect cloud sync


The following list describes the various on-premises and Microsoft Entra topologies that support Microsoft Entra Connect cloud sync:

  • Single forest, single Microsoft Entra tenant. The simplest topology is a single on-premises forest, with one or multiple domains, and a single Microsoft Entra tenant. For an example of this scenario, see Tutorial: A single forest with a single Microsoft Entra tenant.
  • Multi-forest, single Microsoft Entra tenant. A common topology includes multiple AD forests, with one or multiple domains, and a single Microsoft Entra tenant.
  • Existing forest with Microsoft Entra Connect, new forest with cloud provisioning. This scenario is similar to the multi-forest scenario; however, this one involves an existing Microsoft Entra Connect environment and then bringing on a new forest using Microsoft Entra Connect cloud sync. For an example of this scenario, see Tutorial: An existing forest with a single Microsoft Entra tenant.
  • Piloting Microsoft Entra Connect cloud sync in an existing hybrid AD forest. The piloting scenario involves the existence of both Microsoft Entra Connect and Microsoft Entra Connect cloud sync in the same forest. In this scenario, an object should be in scope in only one of the tools. For an example of this scenario, see Tutorial: Pilot Microsoft Entra Connect cloud sync in an existing synced AD forest.

Organizations should keep the following information in mind when considering these topologies:

  • Users and groups must be uniquely identified across all forests.
  • Matching across forests doesn't occur with Microsoft Entra Connect cloud sync.
  • A user or group must be represented only once across all forests.
  • The source anchor for objects is chosen automatically. It uses ms-DS-ConsistencyGuid if present; otherwise, ObjectGUID is used.
  • You can't change the attribute that's used for the source anchor.

Caution

Microsoft doesn't support modifying or operating Microsoft Entra Connect cloud sync outside the configurations or actions that are formally documented. Any of these unapproved configurations or actions may result in an inconsistent or unsupported state of Microsoft Entra Connect cloud sync. As a result, Microsoft can't provide technical support for such deployments.

Prerequisites for Microsoft Entra Connect cloud sync

Organizations need the following to use Microsoft Entra Connect cloud sync:

  • A group Managed Service Account (gMSA). Microsoft Entra Connect cloud sync supports and uses a gMSA for running the lightweight Cloud Sync agent. A gMSA is a managed domain account that:
    • provides automatic password management.
    • provides simplified service principal name (SPN) management.
    • delegates the management to other administrators.
    • extends this functionality over multiple servers.
  • Domain Administrator or Enterprise Administrator credentials to create the Microsoft Entra Connect cloud sync gMSA (group Managed Service Account) to run the agent service.
  • A hybrid identity administrator account for your Microsoft Entra tenant that's not a guest user.
  • An on-premises server for the Cloud Sync agent with Windows 2016 or later. This server should be a tier 0 server based on the Active Directory administrative tier model. Installing the Cloud Sync agent on a domain controller is supported.
  • High availability refers to the ability of Microsoft Entra Connect cloud sync to operate continuously without failure over an extended period. With multiple active Cloud Sync agents installed and running, Microsoft Entra Connect cloud sync can continue to function even if one agent fails. It's recommended that organizations have three active agents installed for high availability.
  • On-premises firewall configurations.
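As an added illustration (not Microsoft's code and not the agent installer's own checks), the following PowerShell script tests a candidate agent server against the prerequisites listed above. It assumes it runs elevated on a domain-joined server with the RSAT Active Directory module installed, and that $ServiceEndpoint is replaced with the documented outbound endpoint your firewall must allow; the placeholder below is not a real endpoint.

```powershell
# Added example: prerequisite check for a prospective Cloud Sync agent server.
# Not Microsoft's code. Assumes: elevated session, domain-joined host, RSAT AD module.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory -ErrorAction Stop

# PLACEHOLDER: replace with the documented Cloud Sync service endpoint.
$ServiceEndpoint = 'cloud-sync-endpoint.placeholder.invalid'

$results = [ordered]@{}

# 1. Operating system: Windows Server 2016 or later (build 14393+), not a workstation.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Windows Server 2016 or later'] =
    ([int]$os.BuildNumber -ge 14393) -and ($os.ProductType -ne 1)

# 2. gMSA support: a KDS root key must exist in the forest before any gMSA can be created.
#    Get-KdsRootKey returns nothing if no key has been provisioned.
$results['KDS root key present (gMSA possible)'] =
    [bool](Get-KdsRootKey -ErrorAction SilentlyContinue)

# 3. The account that creates the gMSA needs Domain Admin (RID 512) or
#    Enterprise Admin (RID 519) rights. Checking RIDs avoids name resolution.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$results['Running as Domain/Enterprise Admin'] =
    [bool]($me.Groups | Where-Object { $_.Value -match '-(512|519)$' })

# 4. Outbound HTTPS (TCP 443) from the agent host to the service endpoint.
$tnc = Test-NetConnection -ComputerName $ServiceEndpoint -Port 443 -WarningAction SilentlyContinue
$results["TCP 443 reachable to $ServiceEndpoint"] = [bool]$tnc.TcpTestSucceeded

# 5. Tier-0 reminder: the agent host holds credentials with broad read access to AD.
#    A domain controller (ProductType 2) is supported; anything else must still be
#    protected to the same standard as a domain controller.
$results['Host is a domain controller'] = ($os.ProductType -eq 2)

# Report: OK means the prerequisite is met; CHECK means review before installing.
$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

The last line of the report is informational rather than a hard requirement: a non-DC host can run the agent, but it must then be secured as a tier 0 asset.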