This chapter covers Hybrid Identity with Entra Connect, a core component of the MS-102 exam that accounts for approximately 15-20% of the Identity Access domain. You will learn how Entra Connect synchronizes on-premises Active Directory with Microsoft Entra ID, enabling single sign-on and unified identity management. This topic is critical because most enterprises operate hybrid environments, and the exam heavily tests configuration options, synchronization mechanics, and troubleshooting.
Imagine a company with two countries: on-premises (Country A) and cloud (Country B). Employees need to travel freely between both countries. The Entra Connect server is like a permanent, two-way immigration bridge with automated passport control. Each employee has a "passport" (user object) with attributes like name (displayName), employee ID (employeeID), and department (department). The bridge has a set of rules: it scans passports from Country A every 30 minutes (sync cycle), checks for changes (delta import), and then stamps each passport with a unique global ID (immutableID) that links the on-premises passport to the cloud passport. If a passport is updated in Country A (e.g., new department), the bridge automatically updates the cloud copy. If someone is fired in Country A, the bridge can either delete their cloud passport or disable it (soft delete). The bridge also handles password changes: when a user changes their password in Country A, the bridge encrypts and sends it to Country B (password hash sync). However, if Country B wants to issue its own passports (cloud-only users), the bridge ignores them. The bridge has a control room (Azure AD Connect wizard) where administrators configure which attributes to sync, which OUs to include, and whether to enable features like password writeback (allowing Country B to change Country A passwords). The bridge also has a fail-safe: if the bridge goes down, existing passports remain valid, but no updates flow until the bridge is restored.
What is Hybrid Identity and Why Does It Exist?
Hybrid identity is the practice of maintaining a single user identity across both on-premises Active Directory (AD) and cloud-based Microsoft Entra ID (formerly Azure AD). Before cloud services, organizations managed all users in on-premises AD. With the adoption of Microsoft 365, users need cloud identities to access Exchange Online, SharePoint, Teams, etc. Manually creating and maintaining separate identities for each user in both environments is error-prone and inefficient. Hybrid identity solves this by synchronizing on-premises AD objects to Entra ID, ensuring that changes made in one place are reflected in the other.
How Entra Connect Works Internally
Entra Connect is the tool that performs synchronization. It runs on a domain-joined Windows Server and uses a set of synchronization rules to copy objects from on-premises AD to Entra ID. The process involves three main stages:
Import: The sync engine reads objects from each connected directory (on-premises AD and Entra ID) into that directory's connector space, picking up changes since the last sync cycle.
Synchronization: The sync engine compares the imported data with the metaverse and applies synchronization rules to determine which attributes to flow and in which direction. The default rules create a one-way sync from on-premises to cloud, but attributes can be configured to flow back (e.g., password writeback).
Export: The sync engine writes changes to the target directory (on-premises AD or Entra ID).
Key Components, Values, Defaults, and Timers
Sync Cycle Interval: By default, Entra Connect syncs every 30 minutes. You can trigger a manual sync using Start-ADSyncSyncCycle -PolicyType Delta.
Delta vs Full Sync: A delta sync only imports and exports changes since the last sync. A full sync re-evaluates all objects and is typically done after a configuration change.
ImmutableID: This is the anchor attribute that links an on-premises user to a cloud user. By default, it is the on-premises objectGUID, base64-encoded.
SourceAnchor: The attribute used to create the immutableID. By default it is objectGUID, but you can choose another attribute during installation (e.g., ms-DS-ConsistencyGuid).
Password Hash Sync (PHS): Synchronizes the hash of the on-premises password to Entra ID. It runs every 2 minutes, picking up passwords that have changed since the last run.
Pass-Through Authentication (PTA): Validates passwords directly against on-premises AD without storing hashes in the cloud. Requires agents on-premises.
Seamless SSO: Integrates with PHS or PTA to automatically sign users in on domain-joined devices.
Synchronization Scope: You can filter by OU, domain, or attribute (e.g., only sync users with department=Sales).
Soft Delete: When an object is deleted from on-premises AD, Entra Connect soft-deletes it in Entra ID (marks as deleted). The object can be restored within 30 days.
Hard Delete (export deletion threshold): If the number of deletions in a single export exceeds a threshold (default 500), the sync stops to prevent accidental mass deletion. This threshold is configurable.
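The ImmutableID and SourceAnchor entries above are easiest to understand by computing one. The following is an added example, not code from the page: it derives the base64 ImmutableID from a constructed objectGUID, decodes it back, and (optionally) compares the on-premises anchor of a user with the value Entra ID holds. The GUID and the UPN are placeholders; the optional check assumes the ActiveDirectory and Microsoft.Graph.Users modules and an existing Connect-MgGraph session.

```powershell
# Added example (not from the page): derive the ImmutableID that Entra Connect
# writes for a user from its SourceAnchor value, and decode it back again.
# The GUID below is a constructed sample, not a real account.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$SourceAnchor)
    # Entra Connect base64-encodes the 16 raw bytes of the GUID, in the .NET byte
    # order that objectGUID / ms-DS-ConsistencyGuid store in AD.
    [Convert]::ToBase64String($SourceAnchor.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse: base64 text -> 16 bytes -> GUID. A value that does not decode to
    # 16 bytes was hand-typed or mangled and will never join to an AD object.
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableId does not decode to a 16-byte GUID" }
    [guid]::new($bytes)
}

# Constructed sample objectGUID
$sample      = [guid]'3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$immutableId = ConvertTo-ImmutableId -SourceAnchor $sample
"objectGUID  : $sample"
"ImmutableID : $immutableId"
"Round trip  : $(ConvertFrom-ImmutableId -ImmutableId $immutableId)"

# Optional: compare the on-premises anchor with what Entra ID holds for the same user.
# Requires the ActiveDirectory and Microsoft.Graph.Users modules and an existing
# Connect-MgGraph session. The UPN is a placeholder.
function Test-AnchorMatch {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" `
                         -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    # Use ms-DS-ConsistencyGuid when it is populated (the anchor if that option was
    # chosen at install time), otherwise fall back to objectGUID.
    $anchorBytes = if ($adUser.'mS-DS-ConsistencyGuid') { $adUser.'mS-DS-ConsistencyGuid' }
                   else { $adUser.ObjectGUID.ToByteArray() }
    $expected  = [Convert]::ToBase64String($anchorBytes)
    $cloudUser = Get-MgUser -UserId $UserPrincipalName -Property OnPremisesImmutableId
    [pscustomobject]@{
        User         = $UserPrincipalName
        OnPremAnchor = $expected
        CloudAnchor  = $cloudUser.OnPremisesImmutableId
        Match        = ($expected -eq $cloudUser.OnPremisesImmutableId)
    }
}
# Test-AnchorMatch -UserPrincipalName 'alice@contoso.com'
```

A mismatch in Test-AnchorMatch is exactly the situation the SourceAnchor warnings later in the chapter describe: the cloud object exists but no longer joins to its on-premises counterpart, so the next sync creates a duplicate rather than updating it.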
Configuration and Verification Commands
To install Entra Connect, you download the AzureADConnect.msi from the Microsoft 365 admin center. During installation, you choose the synchronization method (PHS, PTA, or federation with AD FS). After installation, you can manage settings via:
Azure AD Connect wizard (GUI)
PowerShell module: ADSync
Key PowerShell commands:
# Trigger a delta sync
Start-ADSyncSyncCycle -PolicyType Delta
# Trigger a full sync
Start-ADSyncSyncCycle -PolicyType Initial
# Check sync status
Get-ADSyncScheduler | fl
# View synchronization errors
Get-ADSyncExportError
# Force a full import on a specific connector (Start-ADSyncSyncCycle has no per-connector parameter;
# Invoke-ADSyncRunProfile takes the connector and the run profile name instead)
Invoke-ADSyncRunProfile -ConnectorName "contoso.com - AAD" -RunProfileName "Full Import"
How It Interacts with Related Technologies
Microsoft Entra ID: The target for synchronized objects. Entra ID uses the immutableID to match on-premises objects to cloud objects.
Active Directory Federation Services (AD FS): An alternative to PHS/PTA for hybrid identity. AD FS provides federated authentication but is more complex to manage. Entra Connect can manage AD FS farm configuration.
Microsoft Identity Manager (MIM): An advanced identity management solution that can synchronize with Entra Connect for more complex scenarios (e.g., multi-forest with custom rules).
Azure AD PowerShell: Used to manage cloud-only attributes and troubleshoot sync issues.
Microsoft Graph: Programmatic access to Entra ID objects; sync writes to Entra ID, which can then be read via Graph.
Synchronization Rules and Attribute Flow
Entra Connect uses declarative provisioning rules. The default rules are built-in, but you can create custom rules for advanced attribute mapping. Rules have a precedence order (lower number = higher priority). For example:
Rule 100: In from AD – User
Rule 120: In from AAD – User
Rule 150: Out to AAD – User
You can view rules in the Synchronization Rules Editor (part of the Azure AD Connect tool). Common attributes that sync:
userPrincipalName
sAMAccountName
displayName
givenName
sn
mail
proxyAddresses
department
manager
Filtering and Scope
You can limit which objects sync:
Domain-based filtering: Only certain domains in a multi-domain forest.
OU-based filtering: Only objects in specific OUs.
Attribute-based filtering: Using group membership or custom attributes (requires custom rules).
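Attribute-based filtering is the one option of the three that needs a custom rule rather than a wizard checkbox. The script below is an added example, not the project's own code: it creates an inbound rule that sets cloudFiltered for users whose employeeType is "Contractor", which is the same technique the healthcare scenario later in the chapter uses to keep contractors out of Entra ID. The rule name, precedence, connector name and the employeeType value are placeholders; it assumes the ADSync module on the Entra Connect server.

```powershell
# Added example (not from the page): attribute-based filtering via a custom inbound
# sync rule that flags contractors as cloudFiltered so they never export to Entra ID.
# Rule name, precedence, connector name and the employeeType value are placeholders.
Import-Module ADSync

# The on-premises AD connector; its name is the forest name chosen at install (placeholder here).
$connector = Get-ADSyncConnector | Where-Object { $_.Name -eq 'contoso.com' }

# Pause the scheduler so no sync cycle runs while the rule is half-built.
Set-ADSyncScheduler -SyncCycleEnabled $false

# Precedence 50 is a lower number than the built-in rules (100 and up), so this
# rule takes priority for the cloudFiltered attribute.
New-ADSyncRule -Name 'In from AD - User Filter Contractors' `
    -Identifier ([guid]::NewGuid()) `
    -Description 'Constructed example: exclude contractors from sync' `
    -Direction 'Inbound' -Precedence 50 `
    -SourceObjectType 'user' -TargetObjectType 'person' `
    -Connector $connector.Identifier -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 -OutVariable syncRule | Out-Null

# Scope: the rule only applies to objects whose employeeType equals "Contractor".
$condition = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'employeeType', 'Contractor', 'EQUAL'
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition) -OutVariable syncRule | Out-Null

# Flow: set cloudFiltered = True on the metaverse object; the out-to-AAD rule then skips it.
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Destination 'cloudFiltered' -FlowType 'Expression' -ValueMergeType 'Update' `
    -Expression 'IIF(IsPresent([employeeType]) && [employeeType] = "Contractor", True, NULL)' `
    -OutVariable syncRule | Out-Null

Add-ADSyncRule -SynchronizationRule $syncRule[0]

# A rule change needs a full sync (PolicyType Initial) before the scheduler resumes.
Start-ADSyncSyncCycle -PolicyType Initial
Set-ADSyncScheduler -SyncCycleEnabled $true
```

Run it on a staging-mode server first: a scoping mistake here behaves like the OU filtering mistake described later, in that every user the filter newly excludes is soft-deleted from Entra ID on the next export.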
Troubleshooting Common Issues
Object not syncing: Check whether the object is in scope (OU, domain, attribute filter). Use Get-ADSyncCSObject to inspect the connector space object.
Sync errors: Export errors are often due to attribute conflicts (e.g., duplicate UPN in cloud). Use the Synchronization Service Manager UI.
Password sync not working: Ensure PHS is enabled and the user has a valid password hash. Check event logs on the sync server.
Soft delete threshold exceeded: The sync will stop. You can increase the threshold or re-enable sync after verifying deletions are intentional.
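The four troubleshooting items above map onto a handful of read-only ADSync cmdlets. The script below is an added example, not from the page: it reports scheduler and threshold state, classifies why a given object is not reaching Entra ID, pulls the PHS events from the Application log, and shows (as comments) the commands for the deletion-threshold case. The connector name and the distinguished name are placeholders; it assumes Windows PowerShell on the sync server with the ADSync module loaded.

```powershell
# Added example (not from the page): read-only health check for an Entra Connect
# server that walks the troubleshooting list above. Connector name and DN are placeholders.
Import-Module ADSync

function Get-SyncHealth {
    $sched     = Get-ADSyncScheduler
    $threshold = Get-ADSyncExportDeletionThreshold
    $features  = Get-ADSyncAADCompanyFeature
    [pscustomobject]@{
        SchedulerEnabled    = $sched.SyncCycleEnabled                    # $false: no scheduled delta syncs run
        StagingMode         = $sched.StagingModeEnabled                  # staging servers import but never export
        EffectiveInterval   = $sched.CurrentlyEffectiveSyncCycleInterval # 00:30:00 by default
        NextCycleUtc        = $sched.NextSyncCycleStartTimeInUTC
        CycleInProgress     = $sched.SyncCycleInProgress
        PasswordHashSync    = $features.PasswordHashSync                 # tenant-side PHS flag
        DeletionThresholdOn = $threshold.DeletionThresholdEnabled
        DeletionThreshold   = $threshold.DeletionThresholdValue          # 500 unless changed
    }
}

function Test-ObjectSyncState {
    param(
        [Parameter(Mandatory)][string]$ConnectorName,       # on-premises AD connector, e.g. 'contoso.com'
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    $cs = Get-ADSyncCSObject -ConnectorName $ConnectorName -DistinguishedName $DistinguishedName `
                             -ErrorAction SilentlyContinue
    if (-not $cs) {
        return 'Not in connector space: outside the domain/OU filter, or not imported yet (run a delta sync)'
    }
    if (-not $cs.IsConnector) {
        return 'Imported but not joined to the metaverse: check attribute-based filtering and join rules'
    }
    if ($cs.HasExportError) {
        # Duplicate UPN or proxyAddresses in the tenant is the usual cause.
        return "Joined but export failed: $($cs.ExportError | Out-String)"
    }
    if ($cs.HasSyncError) {
        return "Joined but rule evaluation failed: $($cs.SynchronizationError | Out-String)"
    }
    'Object is in scope, joined, and exported without error'
}

function Get-PasswordSyncEvents {
    param([int]$Last = 20)
    # PHS logs to the Application log under the 'Directory Synchronization' provider.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization' } `
                 -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Password' } |
        Select-Object -First $Last TimeCreated, Id, LevelDisplayName, Message
}

# Deletion threshold exceeded: confirm the deletions are intended, then either raise the
# limit for the next export or disable it once and re-enable it afterwards:
#   Enable-ADSyncExportDeletionThreshold -DeletionThreshold 1000
#   Disable-ADSyncExportDeletionThreshold
#   Start-ADSyncSyncCycle -PolicyType Delta
#   Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

Get-SyncHealth
# Test-ObjectSyncState -ConnectorName 'contoso.com' -DistinguishedName 'CN=Alice,OU=Sales,DC=contoso,DC=com'
# Get-PasswordSyncEvents -Last 10
```

Get-SyncHealth is worth scheduling as a monitoring probe: SchedulerEnabled turning false, StagingMode unexpectedly true, or NextCycleUtc far in the past are the silent failure modes in which users keep signing in with stale data while no errors appear.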
Security Considerations
The sync server should be hardened and not exposed to the internet.
Use a dedicated service account with minimal privileges for synchronization.
Enable PHS only if required; PTA is more secure for password validation.
Monitor sync logs for unauthorized changes.
Install Entra Connect
Download the AzureADConnect.msi from the Microsoft 365 admin center. Run the installer on a domain-joined Windows Server 2016 or later. During installation, you choose the synchronization method: Password Hash Sync (PHS), Pass-Through Authentication (PTA), or Federation with AD FS. You also configure the sync service account, which must have permissions to read on-premises AD and write to Entra ID. The installer creates the synchronization engine and configures the initial sync schedule.
Configure Sync Scope
After installation, use the Azure AD Connect wizard to define which objects to sync. You can filter by domain, OU, or attribute. For example, select only the 'Sales' OU to sync sales users. You can also enable optional features like password writeback, device writeback, and group writeback. This step determines which objects appear in Entra ID.
Initial Full Sync
Upon completion of configuration, Entra Connect performs an initial full sync. It imports all in-scope objects from on-premises AD, evaluates synchronization rules, and exports matching objects to Entra ID. This creates the user objects in the cloud with the immutableID linking them to on-premises. The initial sync can take hours for large directories (e.g., 100,000+ users).
Delta Sync Cycle
After the initial sync, Entra Connect runs delta syncs every 30 minutes by default. During a delta sync, it imports changes (new users, modified attributes, deleted objects) from on-premises AD, compares them with the metaverse, and exports changes to Entra ID. The sync engine uses a watermark to track what has changed since the last import.
Password Hash Sync
If PHS is enabled, the sync engine extracts password hashes from on-premises AD every 2 minutes for users whose passwords have changed. The hash is encrypted and sent to Entra ID, where it is stored for authentication. PHS allows users to sign in with the same password to cloud services. It also enables hybrid identity features like Azure AD Domain Services.
Enterprise Scenario 1: Large Multinational Corporation
A global company with 150,000 users in a multi-domain forest needs to synchronize to Microsoft 365. They choose Password Hash Sync for simplicity and enable Seamless SSO for domain-joined devices. The Entra Connect server is installed on a dedicated VM with 8 vCPUs and 16 GB RAM. They configure OU-based filtering to exclude legacy domains that are being decommissioned. The initial sync takes 6 hours. After deployment, delta syncs complete in under 5 minutes. A common issue is that when a user is disabled on-premises, the account in Entra ID is not immediately blocked because the sync cycle runs every 30 minutes. They mitigate this by enabling password writeback so that admins can disable cloud accounts immediately if needed.
Enterprise Scenario 2: Healthcare Provider with Compliance Needs
A hospital system with strict compliance requirements chooses Pass-Through Authentication to avoid storing password hashes in the cloud. They deploy two PTA agents on separate servers for high availability. They also enable password writeback to allow users to reset their passwords from the cloud. The sync server is configured with custom sync rules to ensure that sensitive attributes (e.g., SSN) are not synced. They use attribute-based filtering to only sync employees, not contractors. A performance consideration is that PTA requires all authentication requests to be proxied to on-premises, so they ensure low-latency connectivity between Entra ID and the agents.
Common Misconfigurations and Their Consequences
Incorrect SourceAnchor selection: If you change the SourceAnchor attribute after initial sync, you may need to re-sync all objects, causing duplicates. Always choose a persistent attribute like objectGUID or ms-DS-ConsistencyGuid.
OU filtering mistakes: Accidentally excluding an OU that contains critical users (e.g., admins) results in those users being deleted from Entra ID if they were previously synced. The soft delete threshold prevents immediate hard deletion, but recovery can be complex.
Password sync failure: If PHS stops working (e.g., due to permission changes), users cannot sign in with their on-premises password. Monitoring alerts for sync errors is crucial.
What MS-102 Tests on This Topic
The exam objective 2.2 covers implementing and managing hybrid identity with Entra Connect. Key areas:
Synchronization methods: Differences between PHS, PTA, and federation. Know that PHS is the simplest and most common, PTA is for organizations that cannot store password hashes in the cloud, and federation is for complex SSO scenarios with third-party IdPs.
Sync configuration: How to filter objects (OU, domain, attribute), configure optional features (password writeback, device writeback, group writeback), and set sync schedule.
Troubleshooting: Common errors like duplicate UPN, soft delete threshold, and export errors.
Authentication: How Seamless SSO works with PHS/PTA, and the difference between PHS and PTA in terms of password validation.
Common Wrong Answers and Why
'Password Hash Sync stores passwords in plain text in the cloud': Wrong. PHS stores a salted hash of the password, not the password itself.
'Pass-Through Authentication requires password hashes to be synced': Wrong. PTA does not sync password hashes; it validates passwords against on-premises AD directly.
'You can change the SourceAnchor after initial sync without impact': Wrong. Changing SourceAnchor after sync requires re-syncing all objects, which can cause duplicates or orphaned objects.
'Entra Connect syncs all attributes by default': Wrong. Only a subset of attributes is synced by default; you can extend the schema with custom rules.
Specific Numbers and Terms to Memorize
Default sync interval: 30 minutes
PHS sync interval for password changes: 2 minutes
Soft delete threshold: 500 objects (configurable)
Soft delete retention: 30 days
ImmutableID: base64-encoded objectGUID
SourceAnchor default: objectGUID
PTA agent: must be installed on at least two servers for high availability
Seamless SSO: works with PHS and PTA, not with federation
Edge Cases the Exam Loves
What happens if a user is deleted from on-premises AD? The user is soft-deleted in Entra ID (if within threshold). You can restore the user within 30 days.
What if the sync server fails? Sync stops, but users can still authenticate using cached credentials or cloud-only sign-in if PHS is enabled.
Can you sync from multiple forests? Yes, Entra Connect supports multi-forest synchronization with a single sync server.
How to Eliminate Wrong Answers
Always check the authentication method: if the question mentions password validation against on-premises AD, it's PTA. If it mentions storing hashes in the cloud, it's PHS. If it mentions third-party identity provider, it's federation. For sync issues, look for answers that involve checking the sync schedule or export errors.
Entra Connect syncs on-premises AD objects to Entra ID using a sync engine that runs every 30 minutes by default.
The immutableID (base64-encoded objectGUID) links on-premises users to their cloud accounts.
Password Hash Sync stores password hashes in the cloud; Pass-Through Authentication validates passwords on-premises.
Soft delete threshold is 500 objects; if exceeded, sync stops to prevent accidental mass deletion.
You can filter sync by domain, OU, or attribute to limit which objects are synced.
Seamless SSO works with both PHS and PTA, providing automatic sign-in on domain-joined devices.
Changing SourceAnchor after initial sync requires careful planning and may cause duplicates.
These come up on the exam all the time. Here's how to tell them apart.
Password Hash Sync (PHS)
Password hashes are synced to Entra ID every 2 minutes for changed passwords.
Authentication happens in the cloud against the stored hash.
No need for on-premises agents after initial sync.
Supports Seamless SSO on domain-joined devices.
Simplest to deploy and maintain.
Pass-Through Authentication (PTA)
No password hashes are stored in the cloud.
Authentication is validated against on-premises AD in real-time.
Requires at least one PTA agent (recommended two for HA) on-premises.
Supports Seamless SSO as well.
Ideal for organizations with compliance requirements that forbid cloud password storage.
Mistake
Password Hash Sync stores your actual password in Azure AD.
Correct
PHS stores a cryptographic hash of the password (salted and iterated), not the plaintext password. The hash cannot be reversed to obtain the original password.
Mistake
Pass-Through Authentication requires you to sync password hashes as a fallback.
Correct
PTA does not sync password hashes at all. All password validation happens on-premises. However, you can enable PHS alongside PTA as a backup for cloud-only scenarios (e.g., Azure AD Domain Services).
Mistake
You can change the SourceAnchor attribute after initial sync without issues.
Correct
Changing SourceAnchor after initial sync requires a full re-sync and can cause duplicate objects or orphaned cloud accounts. It should be planned carefully before deployment.
Mistake
Entra Connect syncs all attributes from on-premises AD to Entra ID.
Correct
Only a default set of attributes is synced. You can extend sync with custom synchronization rules to include additional attributes.
Mistake
If you delete a user from on-premises AD, they are immediately and permanently deleted from Entra ID.
Correct
The user is soft-deleted in Entra ID (if within the soft delete threshold). They can be restored within 30 days. After 30 days, they are hard-deleted.
The default sync interval is 30 minutes. You can change it using the PowerShell command `Set-ADSyncScheduler -CustomizedSyncCycleInterval`. A delta sync runs every 30 minutes; password hash sync runs every 2 minutes for changed passwords.
Yes, Entra Connect supports multi-forest synchronization. You can add multiple on-premises AD forests during installation or later via the wizard. The sync engine merges objects from different forests using the SourceAnchor attribute, which must be unique across forests.
If the sync server is offline, no synchronization occurs. Users can still authenticate using cached credentials or, if PHS is enabled, using the stored hash in the cloud. Once the server is restored, the next sync cycle will catch up on changes.
To force a full sync, run `Start-ADSyncSyncCycle -PolicyType Initial` in PowerShell. This re-evaluates all objects and is typically done after a configuration change like adding a new attribute or changing filters.
Soft delete marks an object as deleted in Entra ID but retains it for 30 days, allowing restoration. Hard delete permanently removes the object. Soft delete occurs when an on-premises object is deleted; if the number of soft deletes exceeds the threshold (default 500), the sync stops to prevent accidental mass deletion.
Yes, you can configure OU-based filtering in the Azure AD Connect wizard. During installation or later, you can choose which OUs to include or exclude. Objects outside the selected OUs will not be synced.
Yes, PTA agents need outbound HTTPS connectivity to specific Azure endpoints (e.g., *.ptahub.aadhi.azure.com). Inbound connections to the agents are not required. You should also ensure that the agents can reach on-premises domain controllers.