Microsoft Entra Cloud Sync
Microsoft Entra Cloud Sync (formerly Azure AD Connect Cloud Sync) is a lightweight, agent-based synchronization solution designed to bridge on-premises Active Directory (AD) environments with Microsoft Entra ID (formerly Azure AD). It enables organizations to synchronize user identities, groups, and contacts from on-premises AD to the cloud, facilitating hybrid identity management.

Unlike its predecessor, Azure AD Connect, Microsoft Entra Cloud Sync uses a lightweight provisioning agent installed on-premises rather than a full synchronization engine. This agent communicates with the Microsoft Entra cloud provisioning service, which handles the synchronization logic entirely in the cloud. This architecture simplifies deployment, reduces on-premises infrastructure requirements, and supports high availability through multiple agent installations.

Key features include:
1. **Lightweight Agent**: The provisioning agent has a small footprint and requires minimal configuration on-premises. Multiple agents can be deployed for redundancy and failover.
2. **Cloud-Managed Configuration**: All synchronization rules and configurations are managed from the Microsoft Entra admin center, eliminating the need for complex on-premises rule management.
3. **Multi-Forest Support**: Cloud Sync supports synchronizing identities from multiple disconnected Active Directory forests, which is particularly useful for mergers, acquisitions, or complex organizational structures.
4. **Password Hash Synchronization**: It supports password hash sync, enabling users to sign in to cloud services using their on-premises credentials.
5. **Attribute Mapping and Scoping Filters**: Administrators can customize attribute mappings and define scoping filters to control which users and groups are synchronized.
6. **Auto-Upgrade**: The agent automatically updates, reducing administrative overhead.

For Identity and Access Administrators, Cloud Sync is essential for establishing hybrid identity scenarios where seamless Single Sign-On (SSO), Conditional Access policies, and unified identity governance are required. It is ideal for organizations seeking a simplified, scalable synchronization solution without the overhead of maintaining a dedicated synchronization server. However, some advanced scenarios like device writeback or custom synchronization rules may still require Azure AD Connect.
Microsoft Entra Cloud Sync: Complete Guide for SC-300
Microsoft Entra Cloud Sync is a critical topic for the SC-300 (Microsoft Identity and Access Administrator) exam. Understanding how it works, when to use it, and how it differs from Microsoft Entra Connect (formerly Azure AD Connect) is essential for passing the exam.
Why Is Microsoft Entra Cloud Sync Important?
Organizations often maintain on-premises Active Directory environments while also leveraging cloud services through Microsoft Entra ID (formerly Azure AD). Synchronizing identities between these environments is fundamental to enabling a seamless hybrid identity experience. Microsoft Entra Cloud Sync provides a lightweight, simplified approach to achieving this synchronization, making it especially valuable for:
- Organizations with multiple disconnected Active Directory forests
- Scenarios requiring high availability with minimal infrastructure overhead
- Companies undergoing mergers and acquisitions where forest isolation exists
- Environments where a lighter footprint is preferred over the full Microsoft Entra Connect server
What Is Microsoft Entra Cloud Sync?
Microsoft Entra Cloud Sync is a synchronization service that uses lightweight provisioning agents installed on-premises to synchronize users, groups, and contacts from Active Directory Domain Services (AD DS) to Microsoft Entra ID. Unlike Microsoft Entra Connect, which processes synchronization rules on a dedicated on-premises server, Cloud Sync moves the synchronization logic to the cloud. The on-premises agent acts simply as a bridge between AD DS and the cloud service.
Key characteristics include:
- Lightweight provisioning agent: A small agent installed on a domain-joined Windows server (or multiple servers for high availability). It does not require a dedicated server like Entra Connect.
- Cloud-managed configuration: All synchronization rules and configurations are managed from the Microsoft Entra admin center (cloud-based portal), not on-premises.
- Support for multiple disconnected forests: Cloud Sync natively supports synchronizing from multiple AD forests that have no network connectivity between them, a scenario that is more complex with Entra Connect.
- Auto-upgrade: The provisioning agent updates automatically, reducing maintenance burden.
How Does Microsoft Entra Cloud Sync Work?
The architecture of Microsoft Entra Cloud Sync involves three main components:
1. Microsoft Entra Cloud Provisioning Agent
This lightweight agent is installed on one or more on-premises Windows servers that are domain-joined. The agent connects outbound to the Microsoft Entra provisioning service over HTTPS (port 443). No inbound firewall rules are required. Multiple agents can be installed for high availability.
2. Microsoft Entra Provisioning Service (Cloud)
This is the cloud-based engine that performs the actual synchronization logic. It uses SCIM (System for Cross-domain Identity Management) based provisioning to process identity data. The synchronization rules, attribute mappings, and scoping filters are all configured and stored in the cloud.
3. On-Premises Active Directory Domain Services
The source directory from which user, group, and contact objects are read.
Synchronization Flow:
1. The provisioning agent connects to on-premises AD DS and reads identity objects.
2. The agent sends the identity data to the Microsoft Entra provisioning service in the cloud.
3. The cloud service applies transformation rules, attribute mappings, and scoping filters.
4. The cloud service provisions or updates objects in Microsoft Entra ID.
5. The process runs on a fixed interval (approximately every 2 minutes) for incremental syncs.
Key Features:
- Password hash synchronization (PHS): Cloud Sync supports PHS, enabling users to sign in with the same password they use on-premises.
- Attribute mapping: You can customize which attributes are synchronized and how they are transformed using expression-based mappings in the portal.
- Scoping filters: You can filter which users and groups are synchronized based on OU, group membership, or attribute values.
- Accidental delete prevention: A threshold can be set to prevent mass deletions.
- On-demand provisioning: You can test synchronization for a single user before applying it broadly, which is very useful for troubleshooting.
Microsoft Entra Cloud Sync vs. Microsoft Entra Connect: Key Differences
This comparison is heavily tested on the SC-300 exam:
Synchronization Engine Location:
- Cloud Sync: In the cloud
- Entra Connect: On-premises server
Agent/Server Requirements:
- Cloud Sync: Lightweight agent (can install multiple for HA)
- Entra Connect: Dedicated server required; only one active instance, with a second server in staging mode for HA
Multiple Disconnected Forests:
- Cloud Sync: Natively supported
- Entra Connect: Requires complex configuration or is not supported in some scenarios
Group Writeback:
- Cloud Sync: Supported (group writeback to AD with Microsoft 365 groups)
- Entra Connect: Supported
Device Writeback:
- Cloud Sync: Not supported
- Entra Connect: Supported
Exchange Hybrid Writeback:
- Cloud Sync: Not supported
- Entra Connect: Supported
Pass-through Authentication (PTA):
- Cloud Sync: Not supported
- Entra Connect: Supported
Federation (AD FS) Integration:
- Cloud Sync: Not supported
- Entra Connect: Supported
Large groups (50,000+ members):
- Cloud Sync: Supported
- Entra Connect: Supported
Configuration Management:
- Cloud Sync: Azure portal (cloud-managed)
- Entra Connect: On-premises wizard and Synchronization Rules Editor
When to Use Cloud Sync (Exam Scenarios):
- You need to sync from multiple disconnected AD forests
- You want high availability without complex staging server setups
- You want a lightweight, easy-to-deploy solution
- You do NOT need device writeback, PTA, or federation
- You are in a merger/acquisition scenario with isolated forests
When to Use Entra Connect Instead:
- You need pass-through authentication (PTA)
- You need device writeback (for Hybrid Azure AD Join managed by Entra Connect)
- You need Exchange hybrid writeback
- You need AD FS federation management
- You have complex custom synchronization rules that require the Synchronization Rules Editor
Installation and Configuration Steps:
1. Verify prerequisites: Domain-joined Windows Server (2016 or later recommended), .NET Framework 4.7.2+, outbound HTTPS connectivity to Microsoft Entra endpoints.
2. Download the provisioning agent from the Microsoft Entra admin center under Hybrid management > Microsoft Entra Connect > Cloud sync.
3. Install the agent on one or more servers. During installation, authenticate with a Hybrid Identity Administrator or Global Administrator account.
4. Configure cloud sync in the Microsoft Entra admin center: create a new configuration, set scoping filters, configure attribute mappings, and enable password hash synchronization.
5. Test with on-demand provisioning to verify a single user syncs correctly.
6. Enable the configuration to start continuous synchronization.
Troubleshooting Cloud Sync:
- Use on-demand provisioning to test individual users
- Check provisioning logs in the Microsoft Entra admin center
- Verify agent health in the Agent health dashboard
- Ensure outbound connectivity on port 443 to Microsoft endpoints
- Review quarantine status if sync is paused due to errors
Coexistence with Entra Connect:
Cloud Sync and Entra Connect can coexist in the same tenant, but they cannot sync the same objects. For example, you might use Entra Connect for your primary forest (where you need device writeback) and Cloud Sync for a newly acquired company's disconnected forest.
Exam Tips: Answering Questions on Microsoft Entra Cloud Sync
Tip 1: Know the Differences Table
The SC-300 exam frequently presents scenarios asking you to choose between Cloud Sync and Entra Connect. Memorize the key capabilities that are exclusive to Entra Connect: device writeback, pass-through authentication, Exchange hybrid writeback, and AD FS federation management. If the question mentions any of these, the answer is Entra Connect, not Cloud Sync.
Tip 2: Disconnected Forests = Cloud Sync
If a question describes multiple AD forests with no trust relationships or network connectivity between them, Cloud Sync is almost always the correct answer. This is one of its primary advantages.
Tip 3: Lightweight and High Availability
If the question emphasizes minimal infrastructure, easy deployment, or high availability without staging servers, think Cloud Sync. Multiple agents can be deployed for HA, unlike Entra Connect which requires a staging server approach.
Tip 4: Configuration Location
Cloud Sync is configured entirely in the cloud portal. Entra Connect is configured on-premises using a wizard. If a question asks about where to manage sync rules, this distinction matters.
Tip 5: Password Hash Sync Is Supported
Cloud Sync does support password hash synchronization. Do not confuse this with pass-through authentication, which is not supported by Cloud Sync.
Tip 6: On-Demand Provisioning
If the question asks about testing synchronization for a single user before enabling full sync, the answer involves the on-demand provisioning feature of Cloud Sync.
Tip 7: Role Requirements
Installing and configuring Cloud Sync requires at minimum the Hybrid Identity Administrator role. For the provisioning agent installation, Global Administrator or Hybrid Identity Administrator credentials are needed. Know which role is least privileged for the task.
Tip 8: Coexistence Rules
Remember that Cloud Sync and Entra Connect can coexist but must not sync the same objects. If a question asks about a hybrid setup using both, ensure the scoping is non-overlapping (e.g., different OUs or different forests).
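The OU-based scoping filters described under Key Features and the coexistence rule above (no object synced by both Cloud Sync and Entra Connect) can be checked before enabling a configuration. This is an added example, not Microsoft's code: scopes are modelled as lists of OU distinguished names and objects as constructed DNs; the real scope evaluation happens in the cloud (Cloud Sync) or on the sync server (Entra Connect), and escaped commas in DNs are not handled.

```python
# Added example (not Microsoft's code): verifies that a Cloud Sync scope and an
# Entra Connect scope, each modelled as a list of OU distinguished names, do not
# cover the same objects. Escaped commas in DNs (\,) are not handled here.
from typing import Iterable

# Constructed sample data: one forest per service, plus one deliberate overlap
# (a nested OU in contoso.com scoped by both services).
CLOUD_SYNC_OUS = ["OU=Users,DC=fabrikam,DC=com",
                  "OU=Contractors,OU=Staff,DC=contoso,DC=com"]
ENTRA_CONNECT_OUS = ["OU=Staff,DC=contoso,DC=com"]
SAMPLE_OBJECTS = [
    "CN=Alice,OU=Users,DC=fabrikam,DC=com",
    "CN=Bob,OU=Staff,DC=contoso,DC=com",
    "CN=Carol,OU=Contractors,OU=Staff,DC=contoso,DC=com",
]


def dn_components(dn: str) -> list[str]:
    """Split a DN into case-folded RDNs ordered root-first, e.g.
    'CN=Bob,OU=Staff,DC=contoso,DC=com' -> ['dc=com', 'dc=contoso', 'ou=staff', 'cn=bob']."""
    return [rdn.strip().lower() for rdn in dn.split(",")][::-1]


def is_under(object_dn: str, container_dn: str) -> bool:
    """True when object_dn is container_dn itself or lies anywhere beneath it."""
    obj, container = dn_components(object_dn), dn_components(container_dn)
    return obj[: len(container)] == container


def in_scope(object_dn: str, scope_ous: Iterable[str]) -> bool:
    """OU-based scoping filter: the object syncs if any scoped OU contains it."""
    return any(is_under(object_dn, ou) for ou in scope_ous)


def overlapping_ous(cloud_sync_ous: list[str],
                    entra_connect_ous: list[str]) -> list[tuple[str, str]]:
    """Pairs of scoped OUs where one contains the other (same forest, nested or equal).
    OUs from different forests never overlap because their DC= components differ."""
    return [(a, b) for a in cloud_sync_ous for b in entra_connect_ous
            if is_under(a, b) or is_under(b, a)]


def double_synced(objects: Iterable[str], cloud_sync_ous: Iterable[str],
                  entra_connect_ous: Iterable[str]) -> list[str]:
    """Objects both services would try to sync: the condition the coexistence rule forbids."""
    return [dn for dn in objects
            if in_scope(dn, cloud_sync_ous) and in_scope(dn, entra_connect_ous)]


if __name__ == "__main__":
    for pair in overlapping_ous(CLOUD_SYNC_OUS, ENTRA_CONNECT_OUS):
        print("scope overlap:", pair)
    for dn in double_synced(SAMPLE_OBJECTS, CLOUD_SYNC_OUS, ENTRA_CONNECT_OUS):
        print("object in both scopes:", dn)
```

Run against the constructed data, the nested Contractors OU is reported as an overlap and Carol as an object both services would sync; the fabrikam.com scope raises nothing because it is a different forest.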
Tip 9: Merger and Acquisition Scenarios
These are common exam scenarios. When a company acquires another and needs to quickly integrate identities from an isolated forest, Cloud Sync is the preferred solution due to its ease of deployment and disconnected forest support.
Tip 10: Automatic Agent Updates
Cloud Sync agents update automatically. If a question asks about maintaining or updating synchronization infrastructure, Cloud Sync requires less maintenance than Entra Connect, which requires manual upgrades or explicit auto-upgrade configuration.