Plan for directory synchronization using Microsoft Entra Cloud Sync


The following list describes the various on-premises and Microsoft Entra topologies that support Microsoft Entra Cloud Sync:

  • Single forest, single Microsoft Entra tenant. The simplest topology is a single on-premises forest, with one or multiple domains, and a single Microsoft Entra tenant. For an example of this scenario, see Tutorial: A single forest with a single Microsoft Entra tenant.
  • Multi-forest, single Microsoft Entra tenant. A common topology includes multiple AD forests, with one or multiple domains, and a single Microsoft Entra tenant.
  • Existing forest with Microsoft Entra Connect Sync, new forest with cloud provisioning. This scenario is similar to the multi-forest scenario; however, this one starts from an existing Microsoft Entra Connect Sync environment and brings on a new forest using Microsoft Entra Cloud Sync. For an example of this scenario, see Tutorial: An existing forest with a single Microsoft Entra tenant.
  • Piloting Microsoft Entra Cloud Sync in an existing hybrid AD forest. The piloting scenario involves the existence of both Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync in the same forest. In this scenario, an object should be in scope in only one of the tools. For an example of this scenario, see Tutorial: Pilot Microsoft Entra Cloud Sync in an existing synced AD forest.

Organizations should keep the following information in mind when considering these topologies:

  • They should uniquely identify users and groups across all forests.
  • Matching across forests doesn't occur with Microsoft Entra Cloud Sync: the same person or group present in two forests is treated as two unrelated objects.
  • They should therefore represent a user or group only once across all forests.
  • The system automatically chooses the source anchor for objects. It uses ms-DS-ConsistencyGuid if that attribute is populated; otherwise, it uses ObjectGUID.
  • You can't change the attribute used for the source anchor.
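The two checks above (one representation per identity, and which attribute becomes the anchor) can be scripted before you scope anything. The following PowerShell is an added example, not code from the Microsoft Entra Cloud Sync documentation: it reports the source anchor Cloud Sync will select for every enabled user in each forest and flags identities that appear more than once by UPN, mail, or anchor value. It assumes the ActiveDirectory module and a reachable domain controller per forest; the forest names are placeholders.

```powershell
# Added example (not code from the Microsoft Entra Cloud Sync documentation).
# Reports the source anchor Cloud Sync will choose for every enabled user in each
# forest and flags identities represented more than once, which Cloud Sync will
# not match across forests. Assumes the ActiveDirectory PowerShell module and a
# reachable domain controller in each forest; the forest names are placeholders.
Import-Module ActiveDirectory

$forests = @('corp.contoso.com', 'fabrikam.local')   # placeholders, replace with your forests

$users = foreach ($forest in $forests) {
    Get-ADUser -Server $forest -Filter 'Enabled -eq $true' `
        -Properties 'mS-DS-ConsistencyGuid', userPrincipalName, mail |
    ForEach-Object {
        # mS-DS-ConsistencyGuid is a byte array; Cloud Sync prefers it when it is set,
        # otherwise objectGUID becomes the anchor. Neither choice can be overridden.
        $consistencyGuid = $_.'mS-DS-ConsistencyGuid'
        if ($consistencyGuid) {
            $anchorSource = 'mS-DS-ConsistencyGuid'
            $anchor       = [Convert]::ToBase64String([byte[]]$consistencyGuid)
        } else {
            $anchorSource = 'objectGUID'
            $anchor       = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
        }
        [pscustomobject]@{
            Forest            = $forest
            SamAccountName    = $_.SamAccountName
            UserPrincipalName = $_.UserPrincipalName
            Mail              = $_.mail
            AnchorSource      = $anchorSource
            SourceAnchor      = $anchor
        }
    }
}

# Identities that exist more than once. Because Cloud Sync does not match across
# forests, each copy would become a separate Microsoft Entra object or collide
# on UPN / mail during export. A duplicated anchor value (for example after a
# migration copied mS-DS-ConsistencyGuid) is the most dangerous case.
$collisions = @(
    $users | Where-Object UserPrincipalName | Group-Object UserPrincipalName
    $users | Where-Object Mail              | Group-Object Mail
    $users | Group-Object SourceAnchor
) | Where-Object { $_.Count -gt 1 }

foreach ($c in $collisions) {
    Write-Warning ("'{0}' is represented more than once: {1}" -f $c.Name,
        (($c.Group | ForEach-Object { "$($_.Forest)\$($_.SamAccountName)" }) -join ', '))
}

# Summary per forest: how many objects will anchor on each attribute.
$users | Group-Object Forest, AnchorSource | Select-Object Name, Count
```

Run it from a workstation that can reach a domain controller in every forest; every warning it prints is an object you must consolidate before either forest is brought into scope, because the anchor cannot be changed afterwards.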

Caution

Microsoft doesn't support modifying or operating Microsoft Entra Cloud Sync outside the formally documented configurations or actions. Any of these unapproved configurations or actions may result in an inconsistent or unsupported state of Microsoft Entra Cloud Sync. As a result, Microsoft can't provide technical support for such deployments.

Prerequisites for Microsoft Entra Cloud Sync

Organizations must satisfy the following prerequisites to use Microsoft Entra Cloud Sync:

  • A group Managed Service Account (gMSA). Microsoft Entra Cloud Sync supports and uses a gMSA for running the lightweight Cloud Sync agent. A gMSA is a managed domain account that:
    • Provides automatic password management.
    • Provides simplified service principal name (SPN) management.
    • Delegates the management to other administrators.
    • Extends this functionality over multiple servers.
  • Domain Administrator or Enterprise Administrator credentials to create the gMSA that runs the agent service.
  • A hybrid identity administrator account for your Microsoft Entra tenant that's not a guest user.
  • An on-premises server for the Cloud Sync agent running Windows Server 2016 or later. Treat this server as a tier 0 asset under the Active Directory administrative tier model, since the agent reads and (for some features) writes directory data under a domain account. Installing the Cloud Sync agent on a domain controller is supported.
  • Enough agents for high availability. High availability refers to Microsoft Entra Cloud Sync's ability to operate continuously without failure over a long period. With multiple active Cloud Sync agents installed and running, Microsoft Entra Cloud Sync keeps functioning even if one agent fails. Microsoft recommends that organizations have three active agents installed for high availability.
  • On-premises firewall configurations that permit the agent's outbound HTTPS connections to the Microsoft Entra service; the agent requires no inbound ports.
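Most of these prerequisites can be verified on the candidate agent server before you run the installer. The following PowerShell is an added example, not code from the Microsoft Entra Cloud Sync documentation. It assumes the default gMSA name and agent service name shown in the variables (both are assumptions, not taken from this page), and uses a single placeholder endpoint that you should extend with the full list from the documented Cloud Sync URL and port requirements.

```powershell
# Added example (not code from the Microsoft Entra Cloud Sync documentation).
# Pre-flight checks for a server that will host the Cloud Sync agent; run it in
# an elevated PowerShell session on that server. Assumptions: the gMSA name and
# the agent service name below are assumed defaults, and the endpoint list is a
# placeholder to be completed from the documented Cloud Sync URL/port requirements.
Import-Module ActiveDirectory

$gmsaName     = 'provAgentgMSA'                 # assumption: default gMSA created by the agent wizard
$agentService = 'AADConnectProvisioningAgent'   # assumption: service name installed by the agent
$endpoints    = @('login.microsoftonline.com')  # placeholder; add the remaining documented endpoints

$checks = [ordered]@{}

# Windows Server 2016 (build 14393) or later, and a server SKU rather than a client.
$os = Get-CimInstance Win32_OperatingSystem
$checks['Windows Server 2016 or later'] =
    ([version]$os.Version -ge [version]'10.0.14393') -and ($os.ProductType -ne 1)

# The agent runs as a gMSA, so the host must be domain joined.
$checks['Domain joined'] = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# gMSA creation fails until the forest has a KDS root key.
$checks['KDS root key present'] = [bool](Get-KdsRootKey -ErrorAction SilentlyContinue)

# Creating the gMSA needs Domain Admin or Enterprise Admin rights.
$groupNames = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
$checks['Domain or Enterprise Admin'] = [bool]($groupNames -match 'Domain Admins|Enterprise Admins')

# If the gMSA already exists (a second or third agent), this host must be able
# to retrieve its managed password; otherwise the agent service will not start.
$gmsa = Get-ADServiceAccount -Filter "Name -eq '$gmsaName'" -ErrorAction SilentlyContinue
$checks["gMSA $gmsaName usable on this host"] =
    if ($gmsa) { Test-ADServiceAccount -Identity $gmsaName } else { 'not created yet' }

# The agent only needs outbound HTTPS; no inbound firewall rules are required.
foreach ($e in $endpoints) {
    $checks["TCP 443 to $e"] =
        (Test-NetConnection -ComputerName $e -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
}

# Useful when counting agents toward the three recommended for high availability.
$checks['Agent service already installed'] =
    [bool](Get-Service -Name $agentService -ErrorAction SilentlyContinue)

$checks.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```

A `False` on the KDS root key or admin-group rows means the installer's gMSA creation step will fail; a `False` on `Test-ADServiceAccount` for an existing gMSA means the server has not been added to the gMSA's PrincipalsAllowedToRetrieveManagedPassword, which is the usual cause of the agent service failing to start on an additional high-availability node.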