Microsoft Entra Connect (formerly Azure AD Connect) is the hybrid identity synchronization tool that syncs on-premises Active Directory Domain Services (AD DS) with Microsoft Entra ID in the cloud. It is effectively a mandatory component for Microsoft 365 and Azure adoption in any enterprise, and deep understanding is required across design, implementation, and operations. This article walks through choosing between Entra Connect Sync and the newer Cloud Sync, picking a sign-in method (PHS / PTA / Federated), Seamless SSO, Password Writeback, and troubleshooting.
Entra Connect replicates users, groups, contacts, and device information from on-prem AD DS to Entra ID (one-way or, in limited cases, two-way).
| Item | Entra Connect Sync | Cloud Sync |
|---|---|---|
| Category | Server-based sync tool | Lightweight agent (Microsoft-managed) |
| Install target | Dedicated Windows Server (4 vCPU, 8 GB RAM, 100 GB) | On-prem AD DC or nearby server |
| SQL Server | LocalDB or SQL Server | Not required |
| Sync interval | 30 min (Delta) | ~2 min |
| Object scale | 500K+ (large scale) | Up to 150K |
| HA / redundancy | Staging Mode (Active-Passive) | Multiple agents, auto-redundant |
| Custom attribute mapping | Yes (advanced) | Limited |
| Pass-through Authentication | Supported | Not supported (PHS only) |
| Group Writeback | Supported | Not supported |
| 2026 recommendation | Enterprises with complex requirements | New deployments and simple requirements |
Cloud Sync is recommended for new projects, while Entra Connect Sync remains valid for enterprises with complex sync requirements (PTA, Group Writeback, custom attribute mapping).
| Method | How it works | Pros | Cons |
|---|---|---|---|
| Password Hash Sync (PHS) | Syncs password hashes to Entra ID; auth completes in the cloud | Simple, highly available (cloud auth keeps working if on-prem AD is down) | Password hashes are stored in the cloud |
| Pass-through Authentication (PTA) | Forwards auth requests to on-prem AD for validation | No password hashes stored in the cloud | Requires redundant agents; auth stops if on-prem AD is down |
| Federated (AD FS) | Auth completes at on-prem AD FS; Entra ID just receives the token | Supports custom MFA and smart cards | Most complex, highest ops burden, discouraged for new builds |
As of 2026, Microsoft recommends PHS, and unless you have special requirements (custom MFA, smart card auth) it is effectively the only practical choice. Migration away from AD FS is progressing in phases, and new Federated configurations are discouraged.
Seamless SSO (Single Sign-on) automatically signs users in without a password prompt when they access services from a domain-joined device inside the corporate network.
Password Writeback replicates password changes made on the Entra ID side (SSPR, Identity Protection risk remediation, or Conditional Access force-password-change) back to on-prem AD. It requires Entra ID Premium P1 or higher, the Password Writeback option enabled in Entra Connect, and the necessary permissions granted to the on-prem AD service account.
Entra Connect Sync runs two types of sync cycles.
The Delta Sync interval can be adjusted via PowerShell, but it cannot go below 30 minutes (a Microsoft constraint). For immediate sync, run Start-ADSyncSyncCycle -PolicyType Delta manually.
Cloud Sync syncs automatically about every 2 minutes, greatly improving freshness. Even bulk-change scenarios complete much faster.
You don't need to sync every AD object — filtering lets you narrow the scope.
Get-ADSyncToolsRunHistory and Get-ADSyncObjectsErrors to retrieve detailed errorsRunning Microsoft's IdFix tool to validate AD objects ahead of time is the best preventive practice.
What is Entra Connect?
Microsoft Entra Connect (formerly Azure AD Connect) is a hybrid identity synchronization tool that syncs on-premises Active Directory Domain Services (AD DS) with Microsoft Entra ID in the cloud. It replicates users, groups, contacts, and device information from on-prem AD to Entra ID, providing a unified identity across hybrid environments. There are three sign-in methods: Password Hash Sync (PHS, most common), Pass-through Authentication (PTA), and Federated (AD FS). As of 2026, Microsoft increasingly recommends Cloud Sync (the lightweight, agent-based successor to Entra Connect Sync) for new deployments.
What is the difference between Entra Connect Sync and Cloud Sync?
Entra Connect Sync is the traditional server-based sync tool running on a dedicated Windows Server (recommended 4 vCPU, 8 GB RAM, 100 GB SSD) backed by SQL Server LocalDB or SQL Server. It supports advanced filtering, custom attribute mapping, and large-scale sync (500K+ objects). Cloud Sync is the successor: a lightweight agent (tens of MB) installed on an on-prem DC or nearby server, with sync handled by Microsoft's managed sync engine. It is simple, highly available (multiple agents auto-redundant), and supports up to 150K objects. Cloud Sync is recommended for new projects, while Entra Connect Sync remains valid for enterprises with complex requirements (Pass-through Authentication, Group Writeback, advanced password sync options).
How do I choose between PHS, PTA, and Federated authentication?
Password Hash Sync (PHS): syncs on-prem AD password hashes to Entra ID and authenticates entirely in the cloud. Simplest, highly available (cloud auth keeps working if on-prem AD is down), and the recommended choice. Pass-through Authentication (PTA): forwards auth requests to on-prem AD for validation, useful when you cannot store password hashes in the cloud. Requires redundant agents (3+ SSO agents recommended). Federated (AD FS): authentication completes at the on-prem AD FS, with Entra ID only receiving the resulting token. Most complex, highest operational burden. As of 2026 Microsoft recommends PHS, and unless you have special requirements (custom MFA, smart card auth) PHS is the only practical choice. Migration away from AD FS is progressing, and new Federated configurations are discouraged.
What is Seamless SSO (Single Sign-on)?
Seamless SSO automatically signs users in without a password prompt when they access services from a domain-joined device inside the corporate network. Enable it in Entra Connect by turning on 'Enable single sign-on', which creates an AZUREADSSOACC computer account in Active Directory. When a user accesses Microsoft 365, the browser sends a Kerberos ticket to Entra ID, which completes authentication using that ticket. It works on Domain Joined Windows machines inside the corporate network (office or VPN). On Hybrid Microsoft Entra Joined or Microsoft Entra Joined devices, the Primary Refresh Token (PRT) serves as a replacement and Seamless SSO is not required.
What is Password Writeback?
Password Writeback replicates password changes made on the Entra ID side (via SSPR, Identity Protection risk remediation, or Conditional Access force-password-change) back to on-prem AD. This keeps on-prem and Entra ID passwords in sync, providing consistent authentication across the hybrid environment. It requires Entra ID Premium P1 or higher, the Password Writeback option enabled in Entra Connect, and the necessary permissions (Replicate Directory Changes and others) granted to the on-prem AD service account. Group Writeback (writes Microsoft 365 Groups back to on-prem AD) and Device Writeback (used with Hybrid Entra Joined) are similar writeback capabilities.
How do the sync cycles (Delta / Initial / Custom) work?
Entra Connect Sync runs two types of sync cycles: Delta Sync (incremental, 30-minute default interval, sends only changes) and Initial Sync (full sync, run during initial setup or after schema changes). The Delta Sync interval can be adjusted with PowerShell (Set-ADSyncScheduler -CustomizedSyncCycleInterval) but cannot go below 30 minutes (a Microsoft constraint). For immediate sync, run Start-ADSyncSyncCycle -PolicyType Delta manually. Cloud Sync syncs automatically about every 2 minutes, dramatically improving freshness. Even Delta Sync can take tens of minutes when there are many changes, so organizational changes should be planned with sync timing in mind.
How do I troubleshoot sync errors?
Typical investigation steps: 1) Use the Synchronization Service Manager (the Entra Connect Sync GUI) to review the Sync Operations history of each connector and pinpoint problem objects. 2) Run Get-ADSyncToolsRunHistory and Get-ADSyncObjectsErrors in PowerShell to retrieve detailed errors. 3) Check Entra Connect Health (Azure Portal) for reports and Microsoft's recommended actions. 4) In the Entra ID admin center, open 'Microsoft Entra Connect' > 'Connect status' to inspect sync errors. 5) Common errors include duplicate attributes (proxyAddresses clashing with another object), invalid characters (whitespace in UPN), missing schema extensions, and insufficient service account permissions. The best preventive measure is running Microsoft's IdFix tool to validate AD objects ahead of time.
Which certifications cover this topic?
SC-300 (Identity and Access Administrator Associate) covers Entra Connect and Cloud Sync configuration and operations in depth. MS-102 (Microsoft 365 Administrator Expert) addresses it in Domain 2 (Identity and Access), AZ-800 (Windows Server Hybrid Administrator) and AZ-801 cover hybrid identity broadly, and SC-100 (Cybersecurity Architect Expert) treats it as the identity pillar of zero-trust strategy. For any engineer working with Microsoft 365 or Azure hybrid environments, Entra Connect is essential knowledge. See the Modern Workplace engineer career roadmap for more detail.
Related Articles & Deep Dives
MS-102 完全ガイド|Microsoft 365 Administrator Expert 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Microsoft 365 Administrator Expert (MS-102) の完全ガイド。4 ドメインの出題範囲、テナント / Entra ID / Defender XDR / Purview を横断的にカバー、SC-300 / SC-200 との重複と差異、Microsoft 365 Developer Program 活用法、3-4 ヶ月の合格ロードマップ、SC-100 / MD-102 への展開ルートを日本語で網羅。
Azure Files 完全ガイド|SMB/NFS・Standard/Premium・Entra Kerberos・Azure File Sync【2026 年版】
Azure Files の完全ガイド。Standard vs Premium ティア選定、SMB vs NFS プロトコル、Active Directory 認証 (オンプレ AD・Entra DS・Entra Kerberos)、Azure File Sync によるハイブリッド、AKS Persistent Volume 利用、セキュリティベストプラクティス、関連認定試験 (AZ-104 / AZ-800) を日本語で網羅。
SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。
Microsoft Entra ID パスワードレス認証完全ガイド|Authenticator・FIDO2・Windows Hello・TAP・CBA【2026 年版】
Microsoft Entra ID のパスワードレス認証 5 方式 (Microsoft Authenticator・FIDO2・Windows Hello for Business・Temporary Access Pass・Certificate-based) を完全解説。Number Matching・段階的導入ロードマップ・特権ロール向け FIDO2・関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。
Technical content in this article is based on the Microsoft Entra Hybrid Identity Documentation. This article is not an official Microsoft Corporation product and is not affiliated with or sponsored by Microsoft. Microsoft, Azure, and Microsoft Entra are trademarks of the Microsoft group of companies. Information is based on official public materials as of May 24, 2026. Always verify the latest information on the official pages.
Practice with certification-focused question sets
View Azure exam prepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...