SC-900 | Chapter 58 of 103 | Objective 2.1

Hybrid Identity with Entra Connect

This chapter covers hybrid identity with Microsoft Entra Connect, a critical topic for the SC-900 exam. You will learn how to synchronize on-premises Active Directory with Microsoft Entra ID, enabling users to use a single identity for both on-premises and cloud resources. This topic typically appears in 10-15% of SC-900 exam questions, focusing on authentication options, synchronization mechanics, and the specific components of Entra Connect.

25 min read
Intermediate
Updated May 31, 2026

Hybrid Identity as a Corporate Merger

Imagine a company, Contoso, has two separate offices: Office A (on-premises Active Directory) and Office B (Microsoft Entra ID). Each office has its own employee database with different ID numbers, job titles, and department codes. The CEO wants a single unified employee directory so that anyone can access resources from either office seamlessly. To achieve this, they hire a synchronization manager (Microsoft Entra Connect) whose job is to copy employee records from Office A to Office B, ensuring that each person is recognized as the same individual in both systems. The manager uses a special mapping rule: for each employee, they compare the email address (the anchor attribute) to decide if a person in Office B matches one in Office A. If a match is found, the manager updates the Office B record with any new information from Office A, such as a new phone number or department. If no match exists, the manager creates a new record in Office B. However, the manager never deletes records in Office B unless explicitly told to do so, because that would be like firing an employee without the CEO's approval. The manager also handles password synchronization: when an employee in Office A changes their password, the manager immediately copies that new password hash to Office B, so the employee can use the same password to log into Office B resources. This synchronization happens every 30 minutes by default, but critical password changes are synced within minutes. The manager also supports a feature called 'federation' where Office B trusts Office A's authentication decisions, so when an employee tries to access a resource, Office B sends them to Office A to verify their identity before granting access.

How It Actually Works

What is Hybrid Identity and Why It Exists

Hybrid identity is the practice of maintaining a single user identity that spans both on-premises Active Directory (AD) and Microsoft Entra ID (formerly Azure AD). Many organizations already have on-premises AD and want to extend their identity infrastructure to the cloud without forcing users to remember separate passwords or maintain duplicate accounts. Microsoft Entra Connect is the tool that bridges these two directories by synchronizing identity objects (users, groups, contacts) and optionally enabling single sign-on (SSO).

How Entra Connect Works Internally

Entra Connect uses a synchronization engine that runs on a Windows server. It connects to both the on-premises AD and Microsoft Entra ID, reading changes from AD and writing them to Entra ID. The core process is:

- Import: The sync engine reads objects from the on-premises AD (the source) and from Entra ID (the target). It stores these in a staging area called the Metaverse.
- Synchronization: The engine compares the objects in the Metaverse using a matching rule based on the sourceAnchor attribute (usually objectGUID from on-premises AD). If a match is found, it updates the Entra ID object; if not, it creates a new object in Entra ID.
- Export: The engine writes changes from the Metaverse to Entra ID.

By default, synchronization runs every 30 minutes. You can force a full sync using PowerShell:

Start-ADSyncSyncCycle -PolicyType Initial

Key Components and Defaults

Synchronization Service Manager: A GUI tool to monitor sync operations, view errors, and force sync cycles.

Azure AD Connect Health: A monitoring tool that provides alerts, performance metrics, and usage analytics.

Password Hash Synchronization (PHS): Syncs password hashes from on-premises AD to Entra ID. The hash is a one-way SHA256 hash of the password, salted with a per-user salt. Default sync interval for password changes is 2 minutes.

Pass-Through Authentication (PTA): Instead of syncing password hashes, PTA validates passwords directly against on-premises AD by using an agent on the sync server. This avoids storing password hashes in the cloud.

Federation (AD FS): Uses Active Directory Federation Services to authenticate users on-premises and issue tokens to Entra ID. This is the most complex option but offers the most control.

Seamless SSO: Automatically signs in users when they are on domain-joined devices inside the corporate network. It works by presenting a Kerberos ticket to Entra ID via a special service account.

Configuration and Verification

To install Entra Connect, you run the AzureADConnect.msi installer. During setup, you choose the authentication method (PHS, PTA, or federation). You also specify which attributes to sync (by default, all standard attributes are synced, but you can customize).

To verify sync status, use:

Get-ADSyncScheduler

This shows the current sync cycle status, next scheduled sync time, and whether sync is enabled.

To see synchronization errors, open the Synchronization Service Manager and check the Export tab for objects that failed to sync.
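The two verification commands above (Get-ADSyncScheduler for scheduler state and the Synchronization Service Manager for export errors) can be wrapped into one health check. The script below is an added example, not code from the page or from Microsoft; it assumes it runs on the Entra Connect server with the ADSync module that the installer ships, and that the account is a member of the local ADSyncAdmins group. Get-ADSyncRunProfileResult is the module cmdlet that returns recent run history; the Result strings it reports are treated as healthy only when they are exactly "success".

```powershell
# Added example (not from the original page): health check for an Entra Connect server.
# Assumes the ADSync module is present (installed with Entra Connect) and the caller
# is in the ADSyncAdmins group.
Import-Module ADSync

function Get-SyncHealthReport {
    param([int]$RunsToInspect = 20)   # how many recent run results to examine

    $scheduler = Get-ADSyncScheduler
    $warnings  = @()

    # The page's default interval is 30 minutes; a longer effective interval means
    # CustomizedSyncCycleInterval was raised and AD changes will lag behind.
    if ($scheduler.CurrentlyEffectiveSyncCycleInterval -gt [TimeSpan]::FromMinutes(30)) {
        $warnings += "Effective sync interval is $($scheduler.CurrentlyEffectiveSyncCycleInterval) (default is 00:30:00)"
    }
    if (-not $scheduler.SyncCycleEnabled) {
        $warnings += 'Scheduled sync is disabled; nothing flows until Set-ADSyncScheduler -SyncCycleEnabled $true'
    }
    if ($scheduler.StagingModeEnabled) {
        # Staging mode imports and syncs but never exports, so the cloud is not updated.
        $warnings += 'Server is in staging mode: exports to Entra ID are suppressed'
    }

    # Recent run results: anything other than "success" (e.g. completed-export-errors)
    # means objects failed to sync; inspect them in the Export tab of the
    # Synchronization Service Manager.
    $failedRuns = Get-ADSyncRunProfileResult -NumberRequested $RunsToInspect |
        Where-Object { $_.Result -ne 'success' } |
        Select-Object ConnectorName, RunProfileName, Result, StartDate

    foreach ($run in $failedRuns) {
        $warnings += "$($run.ConnectorName) / $($run.RunProfileName) ended with '$($run.Result)' at $($run.StartDate)"
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SyncCycleEnabled   = $scheduler.SyncCycleEnabled
        StagingModeEnabled = $scheduler.StagingModeEnabled
        EffectiveInterval  = $scheduler.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc       = $scheduler.NextSyncCycleStartTimeInUTC
        NextCyclePolicy    = $scheduler.NextSyncCyclePolicyType
        CycleInProgress    = $scheduler.SyncCycleInProgress
        Healthy            = ($warnings.Count -eq 0)
        Warnings           = $warnings
    }
}

function Start-SafeSyncCycle {
    # Delta is the normal, cheap cycle; Initial (the command quoted on the page)
    # re-reads every object and should be reserved for rule or scope changes.
    param([ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta')

    $scheduler = Get-ADSyncScheduler
    if ($scheduler.SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already running; not starting another one.'
        return
    }
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

# Usage: print the report, then kick off a delta cycle only if the server looks healthy.
$report = Get-SyncHealthReport
$report | Format-List
if ($report.Healthy) { Start-SafeSyncCycle -PolicyType Delta }
else { $report.Warnings | ForEach-Object { Write-Warning $_ } }
```

Run it from a scheduled task and forward the Warnings array to your monitoring system; the Healthy flag is the single value worth alerting on.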

Interaction with Related Technologies

Entra Connect works closely with:

- Microsoft Entra Domain Services: Provides managed domain services (like group policy) in the cloud, but requires synchronization of users and groups from on-premises AD via Entra Connect.
- Microsoft Intune: Uses synchronized user objects to manage devices and apply policies.
- Microsoft 365: Exchange Online, SharePoint Online, and Teams rely on synchronized identities for mailboxes, site permissions, and team membership.

Important Numbers and Timers

Default sync interval: 30 minutes.

Password hash sync interval: 2 minutes (for changes only).

Minimum supported server OS for Entra Connect: Windows Server 2016 (as of latest version).

Maximum supported object count: 500,000 objects in a single Entra Connect instance (for larger directories, use staging mode or multiple sync servers).

The sourceAnchor attribute is immutable after the first sync. It is typically objectGUID but can be set to ms-DS-ConsistencyGuid if you need to change it later.
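Because the sourceAnchor cannot be changed after the first sync, the value should be checked before that sync runs. The script below is an added example (not from the page or from Microsoft) that audits in-scope users for a populated ms-DS-ConsistencyGuid, flags any that differ from objectGUID, and computes the Base64 ImmutableId that Entra ID will store for each user. It assumes the ActiveDirectory RSAT module is available and uses a placeholder OU for the search base; the cloud-side comparison function takes the ImmutableId string as a parameter rather than querying Entra ID, so the script runs offline.

```powershell
# Added example (not from the original page): pre-sync audit of the sourceAnchor.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined machine.
Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    # Entra ID stores the sourceAnchor as the Base64 encoding of the GUID's 16 bytes,
    # which is why ImmutableId values look like "9d1Jb0DqL0+4QGKC+XqzFQ==".
    param([Parameter(Mandatory)][guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function Test-SourceAnchorConsistency {
    param([string]$SearchBase = 'OU=Users,DC=contoso,DC=com')   # placeholder OU

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties objectGUID, 'mS-DS-ConsistencyGuid' |
    ForEach-Object {
        $objectGuid = [guid]$_.objectGUID
        $raw        = $_.'mS-DS-ConsistencyGuid'        # byte[] or $null
        $consistencyGuid = if ($raw) { [guid]::new([byte[]]$raw) } else { $null }

        # NotSet  : Entra Connect will populate it from objectGUID on first sync.
        # Mismatch: only legitimate when deliberately carried over from another forest;
        #           otherwise it will create a different cloud anchor than expected.
        $state = if (-not $consistencyGuid) { 'NotSet' }
                 elseif ($consistencyGuid -ne $objectGuid) { 'Mismatch' }
                 else { 'OK' }

        [pscustomobject]@{
            UserPrincipalName   = $_.UserPrincipalName
            ObjectGuid          = $objectGuid
            ConsistencyGuid     = $consistencyGuid
            State               = $state
            # The anchor Entra Connect will export (ConsistencyGuid wins when set).
            ExpectedImmutableId = ConvertTo-ImmutableId ($(if ($consistencyGuid) { $consistencyGuid } else { $objectGuid }))
        }
    }
}

function Test-ImmutableIdMatch {
    # Compare an on-premises GUID with the ImmutableId reported for the cloud object;
    # a mismatch after the first sync is exactly the duplicate/orphan case the page warns about.
    param(
        [Parameter(Mandatory)][guid]$OnPremGuid,
        [Parameter(Mandatory)][string]$CloudImmutableId
    )
    (ConvertTo-ImmutableId $OnPremGuid) -eq $CloudImmutableId
}

# Usage: list everything that is not 'OK' so it can be resolved before the first sync.
Test-SourceAnchorConsistency | Where-Object State -ne 'OK' | Format-Table -AutoSize
```

The ExpectedImmutableId column is what you later compare against the onPremisesImmutableId of the synchronized cloud user; if they differ, the anchor changed and the object will not match.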

Trap Patterns on the Exam

Common wrong answers include:

- Choosing federation when the question describes password hash sync: If the question mentions 'no need for on-premises infrastructure' or 'simplest deployment', the correct answer is usually Password Hash Synchronization, not federation.
- Selecting Azure AD Connect Health as the sync tool: Health is a monitoring tool, not the sync engine.
- Thinking that Entra Connect is used for syncing between two on-premises directories: It only syncs between on-premises AD and Entra ID.
- Assuming that Seamless SSO works without any prerequisites: It requires the user's device to be domain-joined and the corporate network to be reachable.

Walk-Through

1. Install Entra Connect Server

Install the AzureADConnect.msi on a Windows Server that can communicate with both on-premises AD and the internet (for Entra ID). The server should be domain-joined and have a stable connection to the domain controllers. During installation, you choose the authentication method: Password Hash Synchronization (recommended for simplicity), Pass-Through Authentication, or Federation with AD FS. You also specify the on-premises AD forest and the global administrator account for Entra ID.

2. Configure Synchronization Scope

After installation, you configure which objects to sync. You can filter by organizational unit (OU), domain, or attribute-based filtering. For example, you might exclude disabled user accounts or specific OUs containing service accounts. The default sync scope includes all users, groups, and contacts in the entire forest. Filtering reduces sync time and cloud storage costs.

3. Initial Full Synchronization

The first sync is a full import and export of all objects from on-premises AD to Entra ID. This can take hours for large directories (500,000+ objects). During this step, the sync engine reads every object, applies transformation rules (like mapping `displayName` to `DisplayName`), and writes to Entra ID. You can monitor progress in the Synchronization Service Manager.

4. Enable Password Hash Sync

If you chose Password Hash Synchronization, the sync engine will start copying password hashes from on-premises AD to Entra ID. Password changes are synced within 2 minutes. The hash is a one-way SHA256 hash of the password, so the original password cannot be retrieved. This allows users to use the same password for cloud services.

5. Enable Seamless SSO (Optional)

Seamless SSO allows users to automatically sign in to cloud services when they are on domain-joined devices inside the corporate network. You enable this during Entra Connect installation or later via PowerShell. It creates a computer account in on-premises AD named `AZUREADSSOACC` that represents the cloud authentication service. When a user accesses a cloud app, Entra ID requests a Kerberos ticket from the on-premises domain controller, which the user's device provides automatically.

6. Monitor Sync Health

After deployment, you should monitor sync health using Azure AD Connect Health. This tool provides alerts for sync failures, performance metrics, and usage analytics. You can also view the last sync time and number of objects synced. Regular monitoring helps catch issues like attribute mismatches or connectivity problems.

What This Looks Like on the Job

Enterprise Scenario 1: Contoso Corporation

Contoso has 50,000 users across 200 locations worldwide. They use on-premises AD for authentication and want to migrate to Microsoft 365. They deploy Entra Connect with Password Hash Synchronization and Seamless SSO. The sync server is installed on a Windows Server 2019 VM in a central data center. They configure OU-based filtering to exclude service accounts and disabled users. The initial sync takes 4 hours. After deployment, password changes are synced within 2 minutes, and users can access Exchange Online and SharePoint without re-entering passwords. They use Azure AD Connect Health to monitor sync errors – a common issue is when an attribute (like proxyAddresses) exceeds the character limit, causing the object to fail sync. They resolve this by cleaning up invalid attributes.

Enterprise Scenario 2: Fabrikam Bank

Fabrikam has strict security requirements and cannot store password hashes in the cloud. They choose Pass-Through Authentication (PTA) with an on-premises agent. The PTA agent runs on the same server as Entra Connect and forwards authentication requests to on-premises AD. They deploy two agents for high availability. When a user tries to sign in to Azure Portal, Entra ID sends the password to the agent, which validates it against the on-premises domain controller. The response is sent back, and the user is granted access. This avoids any password hash in the cloud but requires the on-premises server to be always available. A common pitfall is when the PTA agent goes offline – users cannot authenticate until the agent is restored. They set up monitoring to alert if the agent stops responding.
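The Fabrikam scenario ends with monitoring that alerts when the PTA agent stops responding. The script below is an added example, not Fabrikam's or Microsoft's code, of such a check: it verifies on each agent server that the agent's Windows service is running and that the server can open an outbound TLS connection to Entra ID. It assumes the service name registered by the agent installer is AzureADConnectAuthenticationAgent, that login.microsoftonline.com on port 443 is a representative endpoint for the agent's outbound traffic, and that the list of agent servers is a placeholder.

```powershell
# Added example (not from the original page): PTA agent availability check.
# Assumes WinRM access to each agent server and the service name below.
function Test-PtaAgentHealth {
    param(
        [string]$ServiceName = 'AzureADConnectAuthenticationAgent',   # agent's Windows service
        [string[]]$Endpoints = @('login.microsoftonline.com')         # outbound 443 to Entra ID
    )
    $problems = @()

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $problems += "Service $ServiceName is not installed on $env:COMPUTERNAME"
    }
    elseif ($svc.Status -ne 'Running') {
        $problems += "Service $ServiceName is $($svc.Status) on $env:COMPUTERNAME"
    }

    # An agent that is running but cannot reach Entra ID is just as dead for sign-ins.
    foreach ($ep in $Endpoints) {
        $reachable = Test-NetConnection -ComputerName $ep -Port 443 `
                         -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $reachable) {
            $problems += "Cannot reach ${ep}:443 from $env:COMPUTERNAME"
        }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Healthy   = ($problems.Count -eq 0)
        Problems  = $problems
        CheckedAt = (Get-Date).ToUniversalTime()
    }
}

function Get-PtaFleetStatus {
    # Run the check on every agent server and flag the case the page warns about:
    # fewer than two healthy agents means no high availability left.
    param([string[]]$AgentServers = @('pta-agent-01', 'pta-agent-02'))   # placeholder names

    $results = Invoke-Command -ComputerName $AgentServers -ScriptBlock ${function:Test-PtaAgentHealth}
    $healthy = @($results | Where-Object Healthy).Count

    foreach ($r in $results | Where-Object { -not $_.Healthy }) {
        $r.Problems | ForEach-Object { Write-Warning $_ }
    }
    if ($healthy -eq 0) {
        Write-Warning 'No healthy PTA agent: cloud sign-ins for PTA users will fail until one is restored'
    }
    elseif ($healthy -lt 2) {
        Write-Warning "Only $healthy healthy PTA agent; high availability is lost"
    }
    $results
}

# Usage: schedule this on a monitoring host and alert on any Write-Warning output.
Get-PtaFleetStatus | Format-Table Computer, Healthy, CheckedAt -AutoSize
```

Invoke-Command passes the function body to each remote host, so the check itself needs nothing installed on the agent servers beyond WinRM.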

Common Misconfigurations

Mismatched `sourceAnchor`: If you change the sourceAnchor attribute after initial sync, objects may be duplicated or orphaned. Always plan this before deployment.

Incorrect filter rules: Excluding the wrong OUs can leave users without cloud accounts, causing access issues.

Staging mode not used for testing: Always deploy Entra Connect in staging mode first to verify sync behavior before enabling writeback or user sign-in.

How SC-900 Actually Tests This

What SC-900 Tests on Hybrid Identity

The SC-900 exam objective 2.1 specifically asks you to 'describe the identity authentication options for Microsoft Entra ID'. This includes:

- Password Hash Synchronization: Understand that it syncs password hashes, not plain text passwords, and that it enables automatic password change sync.
- Pass-Through Authentication: Know that it uses an on-premises agent to validate passwords without storing hashes in the cloud.
- Federation: Know that it uses AD FS or other identity providers to delegate authentication.
- Seamless SSO: Understand that it works on domain-joined devices inside the corporate network.

Common Wrong Answers

1. Seamless SSO requires Azure AD Premium: Wrong. Seamless SSO is available with any Azure AD license (Free, Basic, or Premium). The trap is that many think SSO features require premium licenses.

2. Password Hash Sync stores passwords in plain text: Wrong. It stores a one-way SHA256 hash, not the original password.

3. Pass-Through Authentication requires a federation server: Wrong. PTA uses a simple agent, not a full AD FS farm.

4. Entra Connect can sync between two on-premises AD forests: Wrong. It only syncs from on-premises AD to Entra ID.

Specific Values and Terms

Default sync interval: 30 minutes

Password hash sync interval: 2 minutes

sourceAnchor attribute: Typically objectGUID or ms-DS-ConsistencyGuid

Seamless SSO computer account name: AZUREADSSOACC

PTA agent version: Currently v2.x

Edge Cases the Exam Loves

What happens if the PTA agent is offline?: Users cannot authenticate using cloud apps that rely on PTA. They can still use cached credentials for some apps, but new sign-ins fail.

Can you change authentication method after deployment?: Yes, you can switch between PHS, PTA, and federation by running the Entra Connect wizard again. However, switching from federation to PHS requires disabling federation first.

What is the maximum number of objects supported?: 500,000 objects per Entra Connect instance. For larger directories, use multiple sync servers or staging mode.

How to Eliminate Wrong Answers

If the question mentions 'simplest deployment' or 'no additional on-premises infrastructure', eliminate federation and PTA – the correct answer is Password Hash Synchronization.

If the question says 'passwords are never stored in the cloud', eliminate PHS – the correct answer is PTA or federation.

If the question mentions 'single sign-on on corporate devices', look for Seamless SSO as an additional feature, not the primary authentication method.

Key Takeaways

Microsoft Entra Connect is an on-premises tool that syncs objects from on-premises AD to Entra ID.

Default sync interval is 30 minutes; password hash changes sync every 2 minutes.

Authentication options: Password Hash Sync (simplest), Pass-Through Auth (no cloud password hash), Federation (full control).

Seamless SSO works on domain-joined devices inside the corporate network and does not require premium licenses.

sourceAnchor attribute is immutable after first sync – plan before deployment.

Azure AD Connect Health monitors sync health and provides alerts.

Maximum supported objects per Entra Connect instance is 500,000.

Staging mode allows testing sync without affecting production users.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Password Hash Synchronization (PHS)

Password hashes are synced to Entra ID every 2 minutes for changes.

Simplest to deploy – no on-premises agents beyond the sync server.

Users can authenticate even if on-premises AD is unreachable (using cached cloud credentials).

Stores password hashes in the cloud (one-way hash, not plain text).

Supports Seamless SSO and identity protection features like leaked credential detection.

Pass-Through Authentication (PTA)

Passwords are validated on-premises – no password hash is stored in the cloud.

Requires a PTA agent on the sync server, plus optional high-availability agents.

If the on-premises agent is offline, users cannot authenticate to cloud apps.

Ideal for organizations with strict compliance requirements against cloud password storage.

Supports Seamless SSO and identity protection, but leaked credential detection is limited.

Watch Out for These

Mistake

Microsoft Entra Connect is a cloud service that runs in Azure.

Correct

Entra Connect is an on-premises tool installed on a Windows Server. It must be able to reach both on-premises AD and the internet. It is not a SaaS service.

Mistake

Password Hash Synchronization stores user passwords in plain text in the cloud.

Correct

PHS stores a one-way SHA256 hash of the password, salted with a per-user salt. The original password cannot be recovered from this hash.

Mistake

Seamless SSO requires Azure AD Premium P1 or P2.

Correct

Seamless SSO is available with any Azure AD license, including Free. It is a feature of the Azure AD free tier.

Mistake

Pass-Through Authentication requires a federation server like AD FS.

Correct

PTA uses a lightweight agent installed on the Entra Connect server. It does not require AD FS or any federation infrastructure.

Mistake

You can change the sourceAnchor attribute after initial synchronization without re-creating objects.

Correct

The sourceAnchor is immutable after the first sync. Changing it will cause objects to be orphaned or duplicated. You must plan this before deployment.


Frequently Asked Questions

What is the difference between Password Hash Sync and Pass-Through Authentication?

Password Hash Synchronization (PHS) copies a one-way hash of the user's password from on-premises AD to Entra ID. This allows users to sign in with the same password, and if the on-premises AD is unavailable, users can still authenticate using the cloud-stored hash. Pass-Through Authentication (PTA) does not store any password hash in the cloud; instead, it uses an on-premises agent to validate passwords directly against the on-premises domain controller. PTA is more secure for organizations that cannot store password hashes in the cloud, but it requires the agent to be always available.

Can I use Entra Connect to sync between two on-premises AD forests?

No, Entra Connect is designed to sync from on-premises Active Directory to Microsoft Entra ID only. It does not support syncing between two on-premises forests. For on-premises forest-to-forest sync, you would use Active Directory replication or Microsoft Identity Manager (MIM).

What is Seamless SSO and how does it work?

Seamless SSO automatically signs users in when they are on domain-joined devices inside the corporate network. It works by having the user's device present a Kerberos ticket to Entra ID. When a user accesses a cloud app, Entra ID requests a Kerberos ticket from the on-premises domain controller via a special service account (AZUREADSSOACC). If the user is already authenticated to the domain, the ticket is provided silently, and the user is signed in without entering credentials.

What happens if the Pass-Through Authentication agent goes offline?

If the PTA agent is offline, users cannot authenticate to cloud applications that rely on Entra ID (like Office 365, Azure Portal). However, users who are already signed in may still have access through cached tokens or session cookies until they expire. It is recommended to deploy at least two PTA agents for high availability.

How do I force a full synchronization with Entra Connect?

You can force a full sync using PowerShell. Run the command `Start-ADSyncSyncCycle -PolicyType Initial` on the Entra Connect server. This will perform a full import and export of all objects. Alternatively, you can use the Synchronization Service Manager GUI to trigger a full sync.

Is Azure AD Connect Health required for sync?

No, Azure AD Connect Health is an optional monitoring tool. It provides alerts, performance metrics, and usage analytics, but it is not required for synchronization to work. The core sync engine runs independently.

Can I change the authentication method after deploying Entra Connect?

Yes, you can switch between Password Hash Sync, Pass-Through Authentication, and Federation by running the Entra Connect wizard again. However, switching from federation to another method requires disabling federation first, which can cause downtime.

