This chapter covers Entra Connect Cloud Sync, a modern synchronization service that bridges on-premises Active Directory with Entra ID (formerly Azure AD) using lightweight, cloud-managed agents. For the MS-102 exam, this topic falls under Objective 2.2: Implement and manage identity synchronization. Expect roughly 10-15% of exam questions to touch on sync technologies, with Cloud Sync being a significant focus due to its increasing adoption and distinct differences from Azure AD Connect. This chapter provides the deep technical understanding needed to configure, troubleshoot, and differentiate Cloud Sync in the exam and real-world deployments.
Imagine a large corporation with hundreds of branch offices, each with its own local directory of employees. Headquarters wants a unified global directory, but the network links to some branches are slow, unreliable, or intermittently disconnected. Instead of sending a single, heavily loaded truck that must traverse every branch in a fixed route (like Azure AD Connect), headquarters deploys a fleet of small, autonomous courier drones. Each drone is assigned to one or a few branches, carries only the changes from those branches, and can operate independently. Each drone constantly checks its assigned branch for new or changed employee records, picks up the changes, and flies directly to headquarters to deliver them. If a drone malfunctions or loses connection, only its branches are affected—other drones continue. The drones communicate with headquarters via a lightweight protocol, and headquarters can add or remove drones without disrupting the fleet. This is exactly how Entra Connect Cloud Sync works: multiple lightweight sync agents (drones) run on-premises or in VMs, each synchronizing a subset of OUs or domains to Entra ID (headquarters), providing resilience, scalability, and simplified management compared to a single monolithic sync engine.
What is Entra Connect Cloud Sync?
Entra Connect Cloud Sync (formerly Azure AD Connect Cloud Sync) is a Microsoft identity synchronization service that syncs users, groups, and contacts from on-premises Active Directory (AD) to Entra ID. Unlike Azure AD Connect, which runs as a single Windows service on a dedicated server and requires a persistent SQL database, Cloud Sync uses a lightweight agent model. The service is managed from the Entra admin center, and the sync engine runs in Microsoft's cloud infrastructure. The on-premises component is the Microsoft Entra Connect Provisioning Agent, a small installer that can run on domain-joined or non-domain-joined machines, even on Windows Server Core or in containers.
Why Cloud Sync Exists
Cloud Sync addresses several limitations of Azure AD Connect:
- Scalability: Azure AD Connect has a practical limit of about 150,000 objects per sync engine instance. Cloud Sync can handle up to 150,000 objects per agent, but you can deploy multiple agents to scale horizontally, supporting millions of objects.
- Resilience: If the single Azure AD Connect server fails, sync stops entirely. Cloud Sync supports multiple agents for redundancy; if one agent fails, others continue syncing their scoped objects.
- Flexible scoping: Azure AD Connect requires filtering by OUs or domains at the connector level, which is static. Cloud Sync allows dynamic scoping using group-based filtering or OU filters per agent.
- Simplified management: No need for SQL Server; configuration is done via the Entra admin center or Graph API. Updates are automatic via the agent's auto-update feature.
- Support for disconnected scenarios: Agents can sync over the internet without requiring a VPN or ExpressRoute, as they use outbound HTTPS to the Entra cloud service.
How Cloud Sync Works Internally
The sync process involves three main components:
1. Provisioning Agent: A Windows service (Microsoft Entra Connect Provisioning Agent) that reads from on-prem AD via LDAP. It can be installed on any Windows Server 2016 or later, or Windows 10/11 (for testing). It communicates only outbound over HTTPS (TCP 443) to the Entra cloud service.
2. Cloud Sync Service: A Microsoft-managed service in Azure that orchestrates sync, stores configuration, and manages agents. It receives changes from agents, processes them through the sync engine (same engine as Azure AD Connect but in the cloud), and writes to Entra ID.
3. Entra ID: The target directory.
The sync flow:
The agent performs an initial full sync of scoped objects. It reads attributes from AD using LDAP queries.
After initial sync, the agent uses the DirSync (Delta Sync) mechanism. It queries the USNChanged attribute in AD to detect changes (modifications, additions, deletions). The default polling interval is 30 seconds.
Changes are serialized into JSON and sent via HTTPS to the Cloud Sync service. The service uses a queue to process changes in order.
The cloud sync engine applies transformation rules (attribute mapping, filtering) and writes to Entra ID.
Deletion handling: By default, deletions from on-prem AD are not synced; they are logged and require manual approval via the Entra admin center. You can enable automatic deletion sync, but with a threshold (default 500 deletions).
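To make the delta mechanism concrete, here is an added example (not the agent's own code) that polls a scoped OU by USN watermark, packages the changes as JSON and applies the deletion-threshold guard described above. It assumes the RSAT ActiveDirectory module and LDAP access to a domain controller; $ScopeOu, $StateFile and the function names are hypothetical.

```powershell
# Added example, not Microsoft's agent code: a minimal delta cycle in the shape
# the page describes (USN watermark -> changed objects -> JSON batch -> deletion
# guard). Assumes the RSAT ActiveDirectory module and LDAP access to a DC.
Import-Module ActiveDirectory

$ScopeOu           = 'OU=Sync,DC=contoso,DC=com'                         # constructed sample scope
$StateFile         = Join-Path $env:ProgramData 'DeltaDemo\lastUsn.txt'  # hypothetical path
$DeletionThreshold = 500                                                  # page default
$PollSeconds       = 30                                                   # page default

# uSNChanged is a per-DC counter, so a watermark is only valid against the DC
# it came from. Pin one DC for the lifetime of the poller.
$Dc = [string]((Get-ADDomainController -Discover).HostName)

function Get-LastUsn {
    if (Test-Path $StateFile) { [int64](Get-Content $StateFile) } else { [int64]0 }
}

function Get-DeltaBatch {
    param([int64]$SinceUsn)
    $next = $SinceUsn + 1
    # Live users and groups in scope whose USN moved past the watermark.
    $changed = @(Get-ADObject -Server $Dc -SearchBase $ScopeOu `
        -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(uSNChanged>=$next))" `
        -Properties uSNChanged, userPrincipalName, displayName)
    # Deletions surface as tombstones; lastKnownParent says whether the object
    # used to live inside the scoped OU.
    $deleted = @(Get-ADObject -Server $Dc -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(uSNChanged>=$next))" `
        -Properties uSNChanged, lastKnownParent |
        Where-Object { $_.lastKnownParent -like "*$ScopeOu" })

    $all = $changed + $deleted
    if ($all.Count -eq 0) { return $null }

    [pscustomobject]@{
        watermark = [int64]($all | Measure-Object -Property uSNChanged -Maximum).Maximum
        upserts   = @($changed | ForEach-Object {
            [ordered]@{ id = $_.ObjectGUID; upn = $_.userPrincipalName; displayName = $_.displayName }
        })
        deletes   = @($deleted | ForEach-Object { $_.ObjectGUID })
    }
}

function Invoke-DeltaCycle {
    $batch = Get-DeltaBatch -SinceUsn (Get-LastUsn)
    if (-not $batch) { return }
    if ($batch.deletes.Count -gt $DeletionThreshold) {
        # A deleted OU or a scripting accident shows up as a burst of tombstones.
        # Hold the batch (and the watermark) instead of propagating it.
        Write-Warning "$($batch.deletes.Count) deletions exceed threshold $DeletionThreshold; batch held for manual approval"
        return
    }
    # The real agent POSTs this JSON over HTTPS; here it is written to the
    # pipeline, and the watermark advances only after the batch is handed off.
    $batch | ConvertTo-Json -Depth 4
    New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
    Set-Content -Path $StateFile -Value $batch.watermark
}

while ($true) {
    Invoke-DeltaCycle
    Start-Sleep -Seconds $PollSeconds
}
```

Because the first run starts from watermark 0, the first cycle behaves like the initial full sync of the scoped OU; every later cycle only returns objects whose uSNChanged moved.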
Key Components, Values, and Defaults
Provisioning Agent version: As of 2024, the current agent version is 1.1.1370.0 (check for updates).
Agent heartbeat: Agents send a heartbeat every 5 minutes to the cloud service. If an agent fails to send a heartbeat for 30 minutes, it is marked as unhealthy.
Delta sync interval: 30 seconds by default. This is not configurable.
Full sync trigger: You can trigger a full sync from the Entra admin center or via PowerShell. A full sync also occurs if the agent is restarted.
Deletion threshold: 500 objects by default. You can adjust this from 10 to 100,000.
Supported AD attributes: All standard AD attributes are synced. Custom attributes can be added via attribute mapping.
Maximum objects per agent: 150,000. You can deploy up to 20 agents per tenant.
Protocol: HTTPS (TLS 1.2+). The agent connects to *.msappproxy.net and *.servicebus.windows.net.
Configuration and Verification Commands
Cloud Sync is configured primarily through the Entra admin center under "Identity > External Identities > Cloud Sync". However, you can use PowerShell for advanced scenarios.
Install the provisioning agent:
# Download the agent from Microsoft Download Center
# Run the installer silently:
AADConnectProvisioningAgentSetup.exe /quiet
Register the agent with your tenant:
# After installation, use the wizard or run:
Register-AADConnectProvisioningAgent -AccountType ServiceAccount -ServiceAccountCredential (Get-Credential)
Create a sync configuration:
# Use the Entra admin center or Graph API. Example Graph call:
POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/synchronization/jobs
Verify sync status:
# Using Microsoft Graph PowerShell (the AzureAD module is deprecated). Look up the
# service principal first; the synchronization cmdlet takes its ID, not a piped object:
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Cloud Sync'"
Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId $sp.Id
Check agent health:
# On the agent machine, check the service by its display name
# (Get-Service -Name expects the short service name, not the display name):
Get-Service -DisplayName "Microsoft Entra Connect Provisioning Agent"
# Or view logs in Event Viewer under Applications and Services Logs/Microsoft/Entra Connect Provisioning Agent
Interaction with Related Technologies
Azure AD Connect: Cloud Sync can coexist with Azure AD Connect, but they must not sync the same objects. You can use Cloud Sync for specific OUs or groups while Azure AD Connect handles the rest. This is useful for mergers or pilot deployments.
Entra ID Governance: Cloud Sync supports syncing attributes used by Entra ID Governance features like access reviews and entitlement management.
Microsoft Identity Manager (MIM): Cloud Sync does not replace MIM; MIM is for complex hybrid identity scenarios with on-premises applications. Cloud Sync is for simple AD-to-Entra ID sync.
Azure AD Domain Services: Cloud Sync is often used to synchronize users to AAD DS for legacy application authentication.
Limitations
No support for writeback (device, password, group writeback) — those require Azure AD Connect.
No support for Exchange hybrid deployment (Exchange writeback requires Azure AD Connect).
No support for sync of on-premises Exchange attributes (like proxyAddresses) unless you use Azure AD Connect.
No support for FIM/MIM integration.
Limited to 150,000 objects per agent (though you can add more agents).
Install the Provisioning Agent
Download the Microsoft Entra Connect Provisioning Agent installer from the Microsoft Download Center or the Entra admin center. Run the installer on a Windows Server 2016 or later (or Windows 10/11 for testing). The installer prompts you to sign in with a Global Administrator or Hybrid Identity Administrator account. It then registers the agent with your tenant by creating a service principal in Entra ID. The agent runs as a Windows service named 'Microsoft Entra Connect Provisioning Agent'. By default, it uses the Network Service account, but you can configure a gMSA for enhanced security. The agent communicates outbound over HTTPS to the cloud service; no inbound ports are required. After installation, the agent appears in the Entra admin center under 'Cloud Sync > Agents'.
Configure Sync Scope and Mappings
In the Entra admin center, navigate to 'Identity > External Identities > Cloud Sync' and create a new sync configuration. You specify the domain(s) to sync (forest trust is supported). Then define the scope: you can select specific OUs or use group-based filtering (only members of a security group are synced). Next, configure attribute mappings. By default, a set of standard mappings is provided (e.g., userPrincipalName to userPrincipalName, displayName to displayName). You can add custom mappings for extension attributes. You can also enable or disable sync of specific attributes. The configuration is stored in the cloud and assigned to one or more agents. Each agent can handle multiple configurations, but typically one agent per configuration is recommended for simplicity.
Initial Full Sync
Once the configuration is saved and assigned to an agent, the agent initiates a full sync. It performs an LDAP search against the on-premises AD for all objects within the scoped OUs or groups. The agent reads all attributes defined in the mapping. Each object is serialized into a JSON payload and sent to the cloud sync service via HTTPS. The cloud service processes the objects through the sync engine, which applies transformation rules (e.g., sourceAnchor, attribute flow) and creates or updates the corresponding objects in Entra ID. For a large directory (e.g., 50,000 users), the initial sync may take several hours. You can monitor progress in the Entra admin center under 'Cloud Sync > Configuration > Provisioning logs'.
Delta Sync Cycle
After the initial sync, the agent enters delta sync mode. Every 30 seconds, the agent queries AD for changes using the DirSync control (USNChanged attribute). It retrieves only objects that have changed since the last sync. The agent sends these changes to the cloud service. The cloud service processes the deltas and updates Entra ID. This near-real-time sync ensures that changes in on-prem AD (e.g., new user, password change, group membership update) are reflected in Entra ID within seconds to minutes. If the agent cannot connect to the cloud (e.g., network outage), changes are queued locally. The agent stores up to 10 MB of changes; if the queue exceeds that, a full sync is triggered when connectivity resumes.
Monitor and Troubleshoot
Use the Entra admin center to monitor sync health. The 'Provisioning logs' show each sync cycle, including successes, skips, and errors. Common errors include attribute format mismatches (e.g., invalid proxyAddresses), duplicate UPNs, or permission issues. The agent logs are stored in Event Viewer under 'Applications and Services Logs/Microsoft/Entra Connect Provisioning Agent/Operational'. You can also use PowerShell cmdlets like `Get-AADConnectProvisioningAgent` and `Get-AADConnectProvisioningSyncConfiguration` to retrieve agent status. If an agent goes offline, a warning appears in the admin center. To force a full sync, you can restart the agent service or trigger a full sync from the admin center.
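The checks in this section (service state, outbound HTTPS, the operational log, the heartbeat window) can be rolled into one script run on the agent host. This is an added example, not Microsoft's tooling; the function name is hypothetical, and because the page names the cloud endpoints only as wildcards, any hosts to probe actively are passed in by the operator.

```powershell
# Added example, not Microsoft's tooling: a health check for the agent host
# covering the page's checkpoints (service state, outbound 443, recent errors in
# the agent's operational log, heartbeat window). Run it on the agent machine.
function Test-ProvisioningAgentHealth {
    param(
        [string]   $DisplayName      = 'Microsoft Entra Connect Provisioning Agent',
        [int]      $UnhealthyMinutes = 30,   # page: unhealthy after 30 min without heartbeat
        [string[]] $ProbeHosts       = @()   # concrete hosts under msappproxy.net / servicebus.windows.net
    )
    $r = [ordered]@{ Checked = (Get-Date).ToUniversalTime() }

    # 1. Service, looked up by the display name the admin center shows.
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
    $r.ServiceState = if ($svc) { $svc.State } else { 'NotInstalled' }

    # 2. Passive connectivity evidence: the agent is outbound-only on TCP 443,
    #    so an established 443 connection owned by its process is a good sign.
    $conns = @()
    if ($svc -and $svc.ProcessId) {
        $conns = @(Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Established -ErrorAction SilentlyContinue |
                  Where-Object RemotePort -eq 443)
    }
    $r.EstablishedHttps = $conns.Count
    $r.RemoteEndpoints  = @($conns | ForEach-Object {
        $ptr = Resolve-DnsName -Name $_.RemoteAddress -ErrorAction SilentlyContinue | Where-Object NameHost
        if ($ptr) { "$($ptr[0].NameHost) ($($_.RemoteAddress))" } else { $_.RemoteAddress }
    } | Sort-Object -Unique)

    # 3. Optional active probes (TCP reachability only).
    $r.Probes = @(foreach ($h in $ProbeHosts) {
        $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        "$h`: $(if ($t.TcpTestSucceeded) { 'ok' } else { 'FAIL' })"
    })

    # 4. TLS 1.2 client must not be disabled in SCHANNEL (page: TLS 1.2+).
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
    $r.Tls12Client = if ($null -eq $tls) { 'OS default' } elseif ($tls.Enabled -eq 0) { 'DISABLED' } else { 'enabled' }

    # 5. Operational log: locate it by name pattern rather than hard-coding it,
    #    then pull anything Warning or worse inside the heartbeat window.
    $log = Get-WinEvent -ListLog '*Provisioning*Agent*' -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($log) {
        $since  = (Get-Date).AddMinutes(-$UnhealthyMinutes)
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $since } -ErrorAction SilentlyContinue)
        $r.Log            = $log.LogName
        $r.LastEvent      = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        $r.RecentProblems = @($events | Where-Object { $_.Level -in 1, 2, 3 } | ForEach-Object {
            "[$($_.TimeCreated)] $($_.LevelDisplayName): $(($_.Message -split "`n")[0])"
        })
    } else {
        $r.Log = 'not found'
    }

    # Roll-up: running, talking to the cloud, and still writing events inside the
    # window after which the cloud service would mark the agent unhealthy.
    $r.Healthy = ($r.ServiceState -eq 'Running') -and
                 ($r.EstablishedHttps -gt 0 -or ($r.Probes -and -not ($r.Probes -like '*FAIL'))) -and
                 ($r.LastEvent -and $r.LastEvent -gt (Get-Date).AddMinutes(-$UnhealthyMinutes))
    [pscustomobject]$r
}

Test-ProvisioningAgentHealth | Format-List
```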
Enterprise Scenario 1: Mergers and Acquisitions
A large enterprise acquires a smaller company with its own on-premises AD forest. The acquired company's IT team wants to sync their users to the parent company's Entra ID tenant without disrupting the existing Azure AD Connect deployment. The solution: deploy a Cloud Sync agent in the acquired company's domain, configure it to sync only the OUs containing the acquired users, and set up attribute mappings to match the parent's schema. The agent runs on a low-cost VM in the acquired company's environment, connecting to the parent's tenant over the internet. This avoids the need for network integration or changes to the existing Azure AD Connect server. The parent company can gradually migrate users to the main forest while maintaining sync continuity. In production, the agent handles 20,000 users with no performance issues. The key consideration is that Cloud Sync does not support Exchange hybrid writeback, so if the acquired company uses on-premises Exchange, it must be migrated to Exchange Online or use a separate solution.
Enterprise Scenario 2: Remote Branch Offices with Limited Connectivity
A multinational corporation has hundreds of branch offices, each with a local AD domain controller. The WAN links to some branches are slow or unreliable. Deploying a single Azure AD Connect server at headquarters would sync all branches over the WAN, causing delays and potential sync failures. Instead, the company deploys a Cloud Sync agent at each branch. Each agent syncs only its local domain's users to Entra ID. Because the agent uses lightweight outbound HTTPS, it works over any internet connection. If a branch loses connectivity, the agent queues changes and syncs when the link is restored. The cloud service aggregates all changes. This architecture provides resilience: if one branch's agent fails, only that branch's sync is affected. The company manages all agents from a single pane in the Entra admin center. They monitor agent health via heartbeat alerts. A common misconfiguration is forgetting to set the deletion threshold; without it, accidental deletions in AD could propagate to Entra ID. They set the threshold to 500 and require manual approval for deletions.
Scenario 3: Pilot Migration from Azure AD Connect
An organization wants to test Cloud Sync before fully migrating from Azure AD Connect. They deploy a Cloud Sync agent in a test OU containing 1,000 pilot users. They configure Cloud Sync to sync only that OU, while Azure AD Connect continues to sync the rest of the organization. Both sync engines run concurrently, but they must ensure no overlapping scopes. During the pilot, they verify attribute mapping accuracy and sync latency. They discover that Cloud Sync does not support custom attribute mappings for extension attributes that are not in the default set; they need to add them via the mapping editor. After successful testing, they plan to gradually move OUs from Azure AD Connect to Cloud Sync. The migration involves disabling Azure AD Connect for those OUs, enabling Cloud Sync, and running a full sync to ensure consistency. The exam tests this coexistence scenario heavily: candidates must know that Cloud Sync and Azure AD Connect cannot sync the same object, but they can coexist if scopes are disjoint.
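The disjoint-scope rule from this scenario is easy to break with a nested OU or a filtering group whose members live under an Azure AD Connect OU. The following added example (not Microsoft's tooling) enumerates both scopes in AD and reports any object that would be synced by both engines; it assumes the RSAT ActiveDirectory module, treats a filtering group as a further restriction on the Cloud Sync OU scope when both are given, and uses constructed OU and group DNs.

```powershell
# Added example, not Microsoft's tooling: checks that the Cloud Sync scope
# (OUs plus optional filtering group) and the Azure AD Connect OU scope share no
# user or group objects. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ScopedObjectGuids {
    param([string[]]$OUs = @(), [string]$FilterGroupDn)
    $fromOus = @(foreach ($ou in $OUs) {
        Get-ADObject -SearchBase $ou -SearchScope Subtree `
            -LDAPFilter '(|(objectClass=user)(objectClass=group))' |
            Select-Object -ExpandProperty ObjectGUID
    })
    if (-not $FilterGroupDn) { return $fromOus }
    # Group-based filtering counts direct members only (page: nested groups are
    # not supported), so no -Recursive here on purpose.
    $members = @(Get-ADGroupMember -Identity $FilterGroupDn | Select-Object -ExpandProperty ObjectGUID)
    if ($OUs.Count -eq 0) { return $members }
    $set = [System.Collections.Generic.HashSet[guid]]::new([guid[]]$members)
    return @($fromOus | Where-Object { $set.Contains($_) })
}

function Find-ScopeOverlap {
    param(
        [string[]]$CloudSyncOUs,
        [string]  $CloudSyncFilterGroupDn,
        [string[]]$AadConnectOUs
    )
    $cloud = @(Get-ScopedObjectGuids -OUs $CloudSyncOUs -FilterGroupDn $CloudSyncFilterGroupDn)
    $aadc  = [System.Collections.Generic.HashSet[guid]]::new(
        [guid[]]@(Get-ScopedObjectGuids -OUs $AadConnectOUs))
    # Any object present in both sets would be written to Entra ID by two engines.
    foreach ($g in $cloud) {
        if ($aadc.Contains($g)) {
            Get-ADObject -Identity $g -Properties userPrincipalName |
                Select-Object Name, ObjectClass, userPrincipalName, DistinguishedName
        }
    }
}

# Constructed sample: a pilot OU moves to Cloud Sync while Azure AD Connect keeps
# the rest. A pilot group member who still lives under OU=Corp is reported.
$overlap = @(Find-ScopeOverlap `
    -CloudSyncOUs           'OU=Pilot,DC=contoso,DC=com' `
    -CloudSyncFilterGroupDn 'CN=CloudSync-Pilot,OU=Groups,DC=contoso,DC=com' `
    -AadConnectOUs          'OU=Corp,DC=contoso,DC=com', 'OU=Groups,DC=contoso,DC=com')

if ($overlap.Count -eq 0) {
    'Scopes are disjoint; safe to assign the Cloud Sync configuration.'
} else {
    Write-Warning "$($overlap.Count) object(s) fall into both scopes; fix filtering before enabling Cloud Sync:"
    $overlap | Format-Table -AutoSize
}
```

Run it before assigning a new configuration and again after each OU is moved from Azure AD Connect to Cloud Sync.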
MS-102 Exam Focus: Objective 2.2 – Implement and Manage Identity Synchronization
The MS-102 exam tests Cloud Sync in the context of hybrid identity. You must understand its capabilities, limitations, and how it differs from Azure AD Connect. Key exam areas:
- Scenarios: When to use Cloud Sync vs. Azure AD Connect. The exam presents scenario-based questions where you must choose the appropriate sync tool based on requirements like scale, resilience, writeback needs, or network constraints.
- Agent deployment: You need to know the supported OS versions (Windows Server 2016+), required ports (outbound HTTPS 443), and authentication methods (service account or gMSA).
- Configuration: How to scope sync using OUs or groups, configure attribute mappings, and set deletion thresholds.
- Coexistence: The exam loves questions about running Cloud Sync alongside Azure AD Connect. The correct answer is that they can coexist as long as their scopes don't overlap. A common wrong answer is that they cannot coexist or that they require a staging server.
- Limitations: Know that Cloud Sync does not support device writeback, password writeback, group writeback, or Exchange hybrid. Candidates often confuse this with Azure AD Connect, which does support those features.
- Monitoring: The exam may ask about the agent heartbeat interval (5 minutes) and the deletion threshold default (500).
Common Wrong Answers and Traps
'Cloud Sync requires SQL Server' – FALSE. Cloud Sync uses no local database; configuration is stored in the cloud. Azure AD Connect requires SQL Server (Express or full).
'Cloud Sync can sync passwords for password writeback' – FALSE. Cloud Sync supports password hash sync (PHS) for cloud authentication, but it does not support pass-through authentication (PTA) or password writeback. The exam may test exactly this distinction: PHS yes, PTA and writeback no.
'Cloud Sync requires a domain-joined server' – FALSE. The agent can run on non-domain-joined machines, but it needs to communicate with AD via LDAP, which typically requires network access to a domain controller. It can use a service account with appropriate permissions.
'Cloud Sync supports device synchronization' – FALSE. Device sync is only available in Azure AD Connect.
'Cloud Sync cannot sync more than 150,000 objects' – PARTIALLY TRUE. Each agent has a 150,000 object limit, but you can deploy multiple agents to scale beyond that. The exam may present a scenario with 200,000 objects and ask if Cloud Sync is suitable; the answer is yes, with multiple agents.
Specific Numbers and Terms
Agent heartbeat: 5 minutes
Delta sync interval: 30 seconds
Deletion threshold default: 500
Maximum objects per agent: 150,000
Maximum agents per tenant: 20
Supported OS: Windows Server 2016, 2019, 2022 (also Windows 10/11 for testing)
Required port: HTTPS 443 outbound
Protocols: LDAP to AD, HTTPS to Entra
Edge Cases and Exceptions
Soft Match vs. Hard Match: Cloud Sync uses the sourceAnchor attribute (by default ms-DS-ConsistencyGuid, or objectGUID if not present) to match objects. If an object in Entra ID exists with the same userPrincipalName but different sourceAnchor, it's a soft match and may fail. The exam may ask about conflict resolution.
Group scope: Cloud Sync can sync group memberships, but only if the group is in scope. Nested groups are not supported.
Deletion handling: If you enable automatic deletion sync, the threshold applies. If the number of deletions in a single sync cycle exceeds the threshold, the sync stops and requires manual approval. The exam tests that you can adjust the threshold.
How to Eliminate Wrong Answers
When you see a question about Cloud Sync, first identify the key requirement. Does it need writeback? If yes, eliminate Cloud Sync. Does it need Exchange hybrid? Eliminate Cloud Sync. Does it need to sync devices? Eliminate Cloud Sync. Does it need high availability for sync? Cloud Sync with multiple agents is correct. Does it need to sync a subset of users? Cloud Sync with group filtering is correct. By understanding the mechanisms, you can quickly rule out options that violate the technology's limitations.
Cloud Sync uses lightweight agents that sync on-prem AD to Entra ID via outbound HTTPS only.
Default delta sync interval is 30 seconds; agent heartbeat is every 5 minutes.
Each agent supports up to 150,000 objects; deploy multiple agents for larger directories.
Cloud Sync does NOT support writeback (password, device, group, Exchange).
Cloud Sync can coexist with Azure AD Connect if scopes are disjoint.
Deletion threshold defaults to 500; automatic deletion sync requires manual approval if exceeded.
Supported on Windows Server 2016 or later; client OS only for testing.
Configuration is stored in the cloud; no on-premises database required.
These come up on the exam all the time. Here's how to tell them apart.
Entra Connect Cloud Sync
Lightweight agent-based architecture; no SQL Server required
Scales horizontally with multiple agents (up to 20 per tenant)
Supports up to 150,000 objects per agent
No writeback features (password, device, group, Exchange)
Managed from Entra admin center; no on-premises server management
Azure AD Connect
Requires a dedicated server with SQL Server (Express or full)
Single server, scale-up only (supports up to 150,000 objects per instance, but can use staging mode)
Supports up to 150,000 objects per sync engine instance
Supports password writeback, device writeback, group writeback, and Exchange hybrid
Managed via Synchronization Service Manager, PowerShell, or Azure AD Connect wizard
Mistake
Cloud Sync requires a dedicated server like Azure AD Connect.
Correct
Cloud Sync uses lightweight agents that can run on any Windows Server 2016 or later, even on a domain controller or a non-domain-joined machine. No dedicated server is required; multiple agents can be deployed for redundancy.
Mistake
Cloud Sync supports password writeback and device writeback.
Correct
Cloud Sync does not support any writeback scenarios (password, device, group, or Exchange). Those features require Azure AD Connect. Cloud Sync only supports password hash sync (PHS) for cloud authentication.
Mistake
Cloud Sync can sync all objects in a forest without limitation.
Correct
Each agent has a 150,000 object limit. For larger directories, you must deploy multiple agents and distribute the scope (e.g., by OUs) across them. The total tenant limit is not explicitly defined but scales with agents.
Mistake
Cloud Sync uses the same sync engine as Azure AD Connect and is always bidirectional.
Correct
Cloud Sync uses the same sync engine but runs in the cloud. It is unidirectional from on-premises AD to Entra ID only. No attributes are written back to on-prem AD.
Mistake
Cloud Sync can be installed on any Windows version, including client OS like Windows 10.
Correct
While Windows 10/11 are supported for testing, production deployments require Windows Server 2016 or later. Client OS versions are not recommended for production due to lack of support and stability.
Yes, Cloud Sync supports password hash synchronization (PHS). When you enable PHS, the agent reads the password hash from on-prem AD and syncs it to Entra ID. This allows users to sign in with their on-premises password. However, Cloud Sync does not support pass-through authentication (PTA) or password writeback.
Each Cloud Sync agent can handle up to 150,000 objects. You can deploy up to 20 agents per tenant, allowing you to scale beyond 150,000 objects by distributing the scope across agents. For example, you can sync 300,000 users by using two agents, each syncing different OUs.
No, the provisioning agent does not need to be domain-joined. However, it must be able to communicate with a domain controller via LDAP to read directory data. You can configure the agent to use a service account that has read permissions on the AD. The agent communicates with Entra ID over HTTPS, so it only needs outbound internet access.
Yes, Cloud Sync supports multi-forest scenarios. You can deploy agents in each forest and configure them to sync to the same Entra ID tenant. Ensure that there are no duplicate object IDs across forests. Cloud Sync uses the sourceAnchor attribute to uniquely identify objects.
You can trigger a full sync from the Entra admin center by selecting the configuration and clicking 'Restart sync' or 'Full sync'. Alternatively, you can restart the provisioning agent service on the on-premises machine. A full sync will also occur if the agent detects a significant mismatch between its local state and the cloud state.
The agent queues changes locally (up to 10 MB). When connectivity is restored, the agent sends the queued changes. If the queue exceeds 10 MB, the agent triggers a full sync to ensure consistency. During the outage, no changes are synced, and the agent's heartbeat stops, causing a health alert in the Entra admin center.
Yes, Cloud Sync can sync group memberships, but only if the group itself is in the sync scope. Nested group memberships are not supported; only direct members are synced. If a group is not in scope, its memberships will not be synced.