How To Migrate To Microsoft Entra Cloud Sync

  • Post category: Windows Server
  • Post last modified: January 4, 2024

Microsoft Entra Connect Cloud Sync replaces the existing Microsoft Entra Connect software with a lightweight agent that is fully configured and controlled from the Microsoft Entra Admin Center. 

In this tutorial, I will show you how to migrate to Microsoft Entra cloud sync and remove the existing software.

How does Microsoft Entra Cloud Sync work?

Microsoft Entra Cloud Sync is a quick-to-deploy and lightweight replacement for the traditional Microsoft Entra Connect software application that synchronises your on-premises identities to Microsoft Entra ID.

You simply deploy the lightweight agent in your local Active Directory environment; all the settings and configuration are then stored in the cloud and managed through the Microsoft Entra admin center.

Limitations

There are still some limitations to using the Microsoft Entra Cloud Sync tool over the existing software application. These limitations include:

  • Unable to connect to other LDAP directories 
  • Does not support device objects
  • Unable to filter by attribute values
  • Does not support group writeback
  • Does not support device writeback (Cloud Kerberos trust is recommended instead)
  • Limited to 150,000 objects 
  • Limited to groups with 50,000 members
  • Does not support merging user attributes from multiple domains

Benefits of Microsoft Entra Cloud Sync

As Microsoft plans to move its identity sync tooling entirely to the cloud, its development effort is focused on the new Cloud Sync tool, so you can expect the limitations above to be addressed in future updates as the solution matures.

Some of the primary benefits of Microsoft Entra Cloud Sync include:

  • Quick and easy to deploy
  • Ability to connect to multiple disconnected Active Directory forests
  • Lightweight installation model with no requirement for a SQL backend on larger deployments
  • Multiple agents can be deployed on-premises for high availability with minimal to no additional configuration
  • Lower costs due to the reduced deployment requirements
  • Supports more complex scenarios such as for acquisitions and mergers
  • Can co-exist with Microsoft Entra Connect

Scenario: The existing Microsoft Entra Connect server

In our scenario, I have a reasonably traditional Microsoft Entra Connect configuration. A single domain controller with Microsoft Entra Connect installed synchronises a single OU to my Microsoft 365 tenant. 

Within the target OU, I have 3 user accounts configured with the UPN suffix ourcloudnetwork.co.uk. The source anchor attribute is mS-DS-ConsistencyGuid, and both Password Hash Sync and Password Writeback are enabled.

Below you can see the configuration of my selected OUs.

[Screenshot: OU Configuration]

Here you can see my current Microsoft Entra Connect synchronization settings:

[Screenshot: Azure AD Connect sync settings]

Step 1: Configuring Staging mode for Microsoft Entra Connect

I will start by setting my existing Microsoft Entra Connect server to staging mode. In staging mode the server does not export changes to Microsoft Entra ID or Active Directory, so we know it is not interfering with the changes made when deploying Microsoft Entra Cloud Sync.

1. Start by opening Microsoft Entra Connect on the server it is installed on.

2. Select Configure.

[Screenshot: Select Configure]

3. Select Configure staging mode and click Next.

[Screenshot: Configure staging mode]

4. Log in with your Microsoft Entra Global Administrator user and click Next.

[Screenshot: Login and click Next]

5. Check Enable staging mode and click Next.

[Screenshot: Enable staging mode]

6. Lastly, ensure the Start the synchronisation process check box is ticked and click Configure, then Exit.

[Screenshot: Click Configure]

To verify your configuration change was successful, open PowerShell and run Get-ADSyncScheduler. You will see the StagingModeEnabled attribute is set to True.

[Screenshot: Staging Mode Enabled]

Step 2: Download and install Microsoft Entra Cloud Sync

Now we have our existing server in staging mode, let’s look at downloading and configuring the lightweight Microsoft Entra Cloud Sync agent and installing it on the same server we used the existing software on.

1. Start by logging into the Microsoft Entra admin center: https://entra.microsoft.com.

2. Under Identity, select Hybrid Management > Microsoft Entra Connect.

[Screenshot: Select Microsoft Entra Connect]

3. Select Cloud Sync; this will take you to the Cloud Sync configuration page.

[Screenshot: Select Cloud Sync]

4. To download the installation media for Microsoft Entra Cloud Sync, click Agents > Download on-premises agent.

[Screenshot: Download Microsoft Entra Cloud Sync Agent]

5. On your existing server, copy over the downloaded file and run the installer. When prompted, agree to the terms and conditions and click Install.

[Screenshot: Install Microsoft Entra Cloud Sync]

6. When the deployment wizard launches, click Next.

[Screenshot: Click Next to start the configuration wizard]

7. Select HR-driven provisioning (Workday and SuccessFactors) / Microsoft Entra Cloud Sync, then click Next.

[Screenshot: Click HR-driven provisioning]

8. On the Connect Microsoft Entra ID page, click Authenticate and sign in with your Global Administrator account.

[Screenshot: Authenticate]

If you run into any problems at this point, ensure you add https://aadcdn.msftauth.net/ to your trusted sites list.

9. On the Configure Service Account page, select the Create gMSA option, then enter your domain administrator credentials for your Active Directory domain and click Next.

[Screenshot: Create gMSA]

10. You should see your Active Directory domain already connected; if you do not, click Add Directory. Then click Next.

[Screenshot: Connect Active Directory and click Next]

11. On the final page, click Confirm. On the screen, you will see the name of the group-managed service account that will be created.

[Screenshot: Click Confirm]

The configuration will take around 2 minutes to complete and all subsequent settings are configured in the Microsoft Entra admin center.

Step 3: Configure Microsoft Entra Cloud Sync

Once the sync agent is deployed on your server, the rest of the configuration is done through the Microsoft Entra admin center.

Start by heading back to the Microsoft Entra Cloud Sync configuration page. This is accessed by logging into https://entra.microsoft.com, expanding Identity, then selecting Hybrid management > Microsoft Entra Connect > Cloud Sync.

1. On the Configurations tab, you will see that the New configuration option is no longer greyed out. Select New configuration, then AD to Microsoft Entra ID sync.

[Screenshot: AD to Microsoft Entra ID sync]

2. Choose the Active Directory domain you want to sync (there will likely be only 1), enable password hash sync if you had this enabled prior and click Create.

[Screenshot: Choose your Active Directory Domain]

3. The cloud sync configuration will take about 30-60 seconds to create and you will be automatically redirected to the Overview (Get started) page.

4. Work your way down the Get Started page, starting with clicking Add scoping filters.

[Screenshot: Add scoping filters]

5. A new window will appear on the right. Here you have the option to filter by all users, security groups or organizational units. I am going to filter by organizational units, so I will need to obtain the distinguished name of the OU object from my Active Directory.

[Screenshot: User scope filter settings]

6. To get the distinguished name of the target OU, open Active Directory Users and Computers.

7. Click View, then Advanced Features.

[Screenshot: Click View, then Advanced Features]

8. Right-click on your target OU and select Properties. Select the Attribute Editor tab and double-click on distinguishedName.

[Screenshot: View the distinguished name]

9. Copy the distinguished name, paste it into your user scope configuration and click Add. Repeat the process for any additional OUs you wish to sync. It is important to get this option right: if you leave out any of your OUs or security groups, the users in them fall out of scope and you may end up needing to restore deleted user accounts. Click Save when ready.
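As an added example (not part of the original post), the following PowerShell script does the distinguished-name lookup from steps 6 to 9 without Active Directory Users and Computers, and also lists the users that each OU-based scoping filter will bring into scope, which is the same distinguished-name lookup that step 12 needs for a test user. It runs on a domain-joined machine with the ActiveDirectory RSAT module; the OU name and UPN suffix passed in at the bottom are placeholders for the values in your own environment.

```powershell
# Added example, not the original post's code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-CloudSyncScopeReport {
    param(
        # OU names as shown in Active Directory, e.g. 'Cloud Users' (placeholder)
        [Parameter(Mandatory)] [string[]] $OuName,
        # UPN suffix every synced user is expected to carry (placeholder value)
        [string] $ExpectedUpnSuffix = 'example.com'
    )

    foreach ($name in $OuName) {
        # Resolve the OU name to its distinguishedName: this is the value the scoping filter needs.
        $ous = Get-ADOrganizationalUnit -Filter "Name -eq '$name'"
        if (-not $ous) { Write-Warning "OU '$name' not found"; continue }

        foreach ($ou in $ous) {
            # Cloud Sync scopes the whole OU subtree, so enumerate recursively.
            $users = Get-ADUser -SearchBase $ou.DistinguishedName -SearchScope Subtree `
                     -Filter * -Properties 'mS-DS-ConsistencyGuid', userPrincipalName

            foreach ($u in $users) {
                [pscustomobject]@{
                    OuDN               = $ou.DistinguishedName
                    User               = $u.SamAccountName
                    UserDN             = $u.DistinguishedName   # paste this into Provision on demand
                    UPN                = $u.UserPrincipalName
                    UpnSuffixOk        = $u.UserPrincipalName -like "*@$ExpectedUpnSuffix"
                    # Source anchor used by the existing Entra Connect setup; users lacking it
                    # have not been synced before and are worth reviewing before enabling.
                    HasConsistencyGuid = $null -ne $u.'mS-DS-ConsistencyGuid'
                }
            }
        }
    }
}

# Placeholder arguments; replace with your own OU name and UPN suffix.
$scope = @(Get-CloudSyncScopeReport -OuName 'Cloud Users' -ExpectedUpnSuffix 'ourcloudnetwork.co.uk')

"Scoping filter DN(s):"
$scope.OuDN | Sort-Object -Unique

$scope | Format-Table User, UPN, UpnSuffixOk, HasConsistencyGuid -AutoSize

$missingGuid = @($scope | Where-Object { -not $_.HasConsistencyGuid }).Count
$badSuffix   = @($scope | Where-Object { -not $_.UpnSuffixOk }).Count
"$($scope.Count) user(s) in scope; $missingGuid without mS-DS-ConsistencyGuid; $badSuffix with an unexpected UPN suffix"
```

The total count printed at the end is also a sensible reference point when you later lower the accidental delete threshold: a threshold a little above the number of in-scope users means a scoping mistake that drops a whole OU is blocked rather than exported.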

[Screenshot: Add the distinguished name to your user scope]

10. You can leave the Manage attributes options at the defaults unless you have previously customised any attributes. If you need to make modifications here, under Manage select Attribute mapping and make your changes.

[Screenshot: Attribute mapping]

11. At this point, you should test provisioning a user to ensure your settings are working as expected. Select Provision on demand.

[Screenshot: Select Provision on demand]

12. Follow the same steps for finding the distinguished name, but this time do so for a user account within your target OU. Copy and paste the distinguished name on the Provision on demand page, then click Provision.

[Screenshot: Provisioning test]

13. After around 10-15 seconds the provisioning should complete. Click the View details button for each stage to ensure the settings display as expected. When you are happy, click Finish.

[Screenshot: Successful test provisioning]

14. Configure an email address to receive error notifications. I also highly recommend you lower the accidental delete threshold from the default (500) to something more reasonable. To do this, on the Overview page, select Properties, then click the Edit symbol.

[Screenshot: Notification emails]

15. If you are ready, click Review and Enable from the Overview page. Then click Enable configuration on the popup window.

[Screenshot: Review and enable]

16. After a few moments, the configuration will show as Healthy on the Configurations page.

[Screenshot: Healthy configuration]

Cloud Sync automatically runs every 2 minutes, so once the configuration is enabled, synchronisation will happen very quickly.

17. Verify that the agent is successfully provisioning users by selecting Provisioning Logs under Monitor.

[Screenshot: Provisioning logs]

Step 4: Removing the old Microsoft Entra Connect agent

Once the Microsoft Entra Cloud Sync agent is installed and running successfully, you will be ready to uninstall the old Microsoft Entra Connect software from your server.

1. On your server, open the Control Panel and select Uninstall a program.

[Screenshot: Uninstall a program]

2. Select Microsoft Azure AD Connect and click Uninstall.

[Screenshot: Select Uninstall]

3. Leave all the options as the defaults and click Remove.

[Screenshot: Click Remove]

4. Once removed, the only similar programs you should see left in Programs and Features are the new Microsoft Azure AD Connect Provisioning Agent and the Agent Updater.

[Screenshot: Remaining products]
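As an added example (not from the original post), this PowerShell function checks the same thing as step 4 from the command line: it reads the installed-programs list from the registry to confirm that Microsoft Azure AD Connect is gone and the provisioning agent remains, and it reports the state of the related Windows services. The old sync engine's service name, ADSync, is a known value; the provisioning agent service name pattern AADConnectProvisioningAgent* is an assumption based on the product name shown in Programs and Features.

```powershell
# Added example, not the original post's code. Run in an elevated PowerShell on the sync server.
function Get-SyncSoftwareState {
    # Both 64-bit and 32-bit uninstall hives, which is what Programs and Features reads.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Azure AD Connect|Entra Connect' } |
        Select-Object DisplayName, DisplayVersion

    # 'Microsoft Azure AD Connect' is the old product exactly; the agent entries carry
    # 'Provisioning Agent' / 'Agent Updater' in their names.
    $oldConnect = @($programs | Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' })
    $agent      = @($programs | Where-Object { $_.DisplayName -match 'Provisioning Agent' })
    $updater    = @($programs | Where-Object { $_.DisplayName -match 'Agent Updater' })

    # ADSync is the old sync engine service; the agent service name pattern is an assumption.
    $services = Get-Service -Name 'ADSync', 'AADConnectProvisioningAgent*' -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType

    [pscustomobject]@{
        OldConnectRemoved        = ($oldConnect.Count -eq 0)
        ProvisioningAgentPresent = ($agent.Count -gt 0)
        AgentUpdaterPresent      = ($updater.Count -gt 0)
        AgentServiceRunning      = [bool]($services | Where-Object {
                                       $_.Name -like 'AADConnectProvisioningAgent*' -and $_.Status -eq 'Running' })
        Programs                 = $programs
        Services                 = $services
    }
}

$state = Get-SyncSoftwareState
$state | Select-Object OldConnectRemoved, ProvisioningAgentPresent, AgentUpdaterPresent, AgentServiceRunning | Format-List
$state.Programs | Format-Table -AutoSize
$state.Services | Format-Table -AutoSize
```

If OldConnectRemoved is true but an ADSync service still appears in the service list, the uninstall did not complete cleanly and is worth investigating before treating the migration as finished.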

Reviewing the cloud sync status

To review the status of Microsoft Entra Cloud Sync, you now have to do so through the Microsoft Entra admin center. Follow the previous steps to get to the Microsoft Entra Cloud Sync page (Cloud sync – Microsoft Entra admin center).

On the Cloud Sync page, click on the status of your configuration.

[Screenshot: Click on the status]

Once the sync has completed, you should see your results in the pop-out window on the right.

[Screenshot: Sync results]

Useful information

  • Cloud Sync runs every 2 minutes.
  • Agents are automatically upgraded by Microsoft.
  • Microsoft Entra Cloud Sync can be installed on the same server as Microsoft Entra Connect. 
  • Microsoft Entra Cloud Sync can run side-by-side with Microsoft Entra Connect.
  • Staging servers are not supported with Microsoft Entra Cloud Sync.
  • Nested groups are not supported for synchronisation. 
  • Cloud provisioning agents cannot be load-balanced.

This Post Has One Comment

  1. Christophe

    Thanks for this article, very useful!
