How to setup Microsoft Entra Connect Cloud Sync (manual)

When Microsoft launched Azure AD (now Entra ID), we could synchronize with the Azure AD connector. For a few years now there has been a newer solution for synchronizing on-premises resources with Entra ID. In this manual we show you how to set up Entra Cloud Sync.

What are the differences between Cloud Sync and the Connector sync?

| | Cloud Sync (recommended) | Connect Sync |
|---|---|---|
| Description | Solution for a multinational org that wants to consolidate its identities, or for an org building a cloud strategy to reduce its on-premises footprint. | On-premises solution that handles all operations related to synchronizing identity data between your on-premises environment and Microsoft Entra ID. |
| Sync cycle | 10 minutes | 30 minutes |
| Connect to single and multiple on-premises AD forests | Yes | Yes |
| Connect to multiple on-premises AD forests | Yes | Yes |
| Connect to multiple disconnected on-premises AD forests | Yes | No |
| Lightweight agent installation model | Yes | No |
| Multiple active agents for high availability | Yes | No |
| Connect to LDAP directories | No | Yes |
| Synchronize Exchange Online attributes | Yes | Yes |
| Support for Password Hash Sync | Yes | Yes |
| Support for writeback (passwords, devices, groups) | Yes | Yes |
| On-demand provisioning | Yes | Yes |

Scenarios supported by Cloud Sync

  • Single forest, single Microsoft Entra tenant
  • Multi-forest, single Microsoft Entra tenant
  • Existing forest with Microsoft Entra Connect, new forest with cloud provisioning
  • Piloting Microsoft Entra Connect cloud sync in an existing hybrid AD forest

Manual:

STEP 1: Download the provisioning agent.

From the Azure portal, download the provisioning agent: https://portal.azure.com/#view/Microsoft_AAD_Connect_Provisioning/AADConnectMenuBlade/~/GetStarted

STEP 2: Install the agent on the desired server. This may be a domain controller or another server.

Now run the installation wizard on that server.

STEP 3: Configure the Agent

Now we are going to configure the provisioning agent. Before we begin, make sure that the logged-in user is an admin account with enough permissions (Domain/Enterprise Admin). Make sure to select the checkbox to connect to your on-premises domain:

Now sign in with an Entra Global Administrator account to set up the link with your tenant:

After successfully signing in to your tenant, we need to create a group managed service account (gMSA) with the wizard.

Now make sure that your domain is visible and click Next.

In the last step, confirm the configuration. After confirming, it can take up to 10 minutes to finalize the process, so please be patient.
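
Before moving on, it is worth verifying on the agent server that steps 2 and 3 actually left a working agent behind. The following PowerShell script is an added example (not part of this guide or of Microsoft's tooling); it checks that the agent service is running, that the gMSA the wizard created exists and is usable from this host, and that TLS 1.2 is enabled as the agent requires. The service name `AADConnectProvisioningAgent`, the default gMSA name `provAgentgMSA` and the registry locations are assumptions taken from Microsoft's prerequisites; adjust the parameters if your names differ.

```powershell
# Post-install checks for the Entra Connect Cloud Sync provisioning agent.
# Run in an elevated PowerShell on the server where the agent was installed.
# Assumed names (not from the guide): service AADConnectProvisioningAgent,
# default gMSA provAgentgMSA, TLS 1.2 registry keys per Microsoft's prerequisites.
param(
    [string]$ServiceName = 'AADConnectProvisioningAgent',
    [string]$GmsaName    = 'provAgentgMSA'
)

$results = [System.Collections.Generic.List[pscustomobject]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. Agent service present and running
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
Add-Check 'Agent service running' ($null -ne $svc -and $svc.Status -eq 'Running') `
    ($(if ($svc) { "Status: $($svc.Status)" } else { 'service not found' }))

# 2. gMSA created by the wizard exists, and this host may retrieve its password
Import-Module ActiveDirectory -ErrorAction Stop
$gmsa = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'" -ErrorAction SilentlyContinue
Add-Check 'gMSA exists in AD' ($null -ne $gmsa) `
    ($(if ($gmsa) { $gmsa.DistinguishedName } else { 'not found' }))
if ($gmsa) {
    # Test-ADServiceAccount returns $true only if this computer can use the gMSA
    Add-Check 'gMSA usable on this host' (Test-ADServiceAccount -Identity $GmsaName) 'Test-ADServiceAccount'
}

# 3. TLS 1.2 enabled for Schannel and .NET; the agent requires TLS 1.2 to reach Entra ID
$tlsChecks = @{
  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' = @{ Enabled = 1; DisabledByDefault = 0 }
  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' = @{ Enabled = 1; DisabledByDefault = 0 }
  'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'             = @{ SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 }
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' = @{ SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 }
}
foreach ($path in $tlsChecks.Keys) {
    foreach ($value in $tlsChecks[$path].GetEnumerator()) {
        $actual = (Get-ItemProperty -Path $path -Name $value.Key -ErrorAction SilentlyContinue).($value.Key)
        Add-Check "TLS 1.2: $($value.Key)" ($actual -eq $value.Value) "$path (found: $actual)"
    }
}

# Print the report and return a non-zero exit code if anything failed
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }
```

A failed gMSA check usually means the wizard ran under an account without rights to create the account, or the server was not added to the gMSA's allowed principals; rerun the wizard as a Domain Admin rather than fixing it by hand.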

STEP 4: Configure Cloud Sync

Now we need to configure Cloud Sync itself. Go to the Azure portal again: https://portal.azure.com/#view/Microsoft_AAD_Connect_Provisioning/CloudSyncMenuBlade/~/CloudSyncConfigurations

Now select the domain that matches the on-premises environment and click Create at the bottom of the page.

After completing the steps above, the sync isn't enabled yet. We now need to configure the filters and enable the sync. From the overview page, click Add scoping filters if you don't want to synchronize all objects.

You can choose to scope the sync to all users, or to selected security groups or organizational units.

Before enabling synchronization, it is recommended to test the setup first. From the overview page you can run the test:

Now fill in a test user, using the user principal name (UPN).

When the test completes without warnings or errors, continue with enabling the connector: