Time to migrate to Entra Cloud Sync!
Microsoft Entra Cloud Sync is a new synchronization tool that uses the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. It offers a simpler and more efficient way to sync your on-premises Active Directory objects to Microsoft Entra ID. Until now, Microsoft Entra Cloud sync has been missing some features that many organizations need. One of them was Group writeback, the other Device sync.
Using Group Writeback? Then you must migrate!
Now, Group Writeback is added to Microsoft Cloud Sync. The fact is that Group Writeback in Microsoft Entra Connect Sync has been in preview for many years. And now, it will be depreciated June 30, 2024:
Feature compare
Entra Connect Sync and Entra Cloud Sync are both synchronization tools that sync your on-premises Active Directory objects to Microsoft Entra ID. However, they have some differences in terms of features, installation, configuration, and High availability.
Features: Entra Connect Sync supports synchronizing a single or multiple on-premises AD forests, while Entra Cloud Sync also support disconnected AD forests. Entra Cloud Sync also supports group writeback feature, which allows you to write group changes from Microsoft Entra ID back to your on-premises AD.
Installation: Entra Connect Sync requires you to install the Microsoft Entra Connect application on your on-premises server and configure the sync settings in the on-premises Entra connect settings console. Entra Cloud Sync requires you to install the Microsoft Entra Cloud Provisioning Agent on one or more servers and then configure the sync settings in the Microsoft Entra admin center in cloud.
Configuration: With Entra Connect Sync, you can create filters and custom sync rules that filters in or out the objects that you want to sync. With Entra Cloud Sync, you can use OU or group filters to specify sync. You can also add attribute mapping rules, or create your own custom rules. All done in Entra Portal in cloud.
High Availability: With Entra Connect Sync, You can only have one primary active server. It allows for standby passive servers to be manually activated in case of disaster. With Entra Cloud Sync, you can have multiple agents active on multiple servers.
This is a compare list from Microsoft Learn:
| Feature | Connect sync | Cloud sync |
| Connect to single on-premises AD forest | ✔️ | ✔️ |
| Connect to multiple on-premises AD forests | ✔️ | ✔️ |
| Connect to multiple disconnected on-premises AD forests | ❌ | ✔️ |
| Lightweight agent installation model | ❌ | ✔️ |
| Multiple active agents for high availability | ❌ | ✔️ |
| Connect to LDAP directories | ✔️ | ❌ |
| Support for user objects | ✔️ | ✔️ |
| Support for group objects | ✔️ | ✔️ |
| Support for contact objects | ✔️ | ✔️ |
| Support for device objects | ✔️ | ❌ |
| Allow basic customization for attribute flows | ✔️ | ✔️ |
| Synchronize Exchange online attributes | ✔️ | ✔️ |
| Synchronize extension attributes 1-15 | ✔️ | ✔️ |
| Synchronize customer defined AD attributes (directory extensions) | ✔️ | ✔️ |
| Support for Password Hash Sync | ✔️ | ✔️ |
| Support for Pass-Through Authentication | ✔️ | ❌ |
| Support for federation | ✔️ | ✔️ |
| Seamless Single Sign-on | ✔️ | ✔️ |
| Supports installation on a Domain Controller | ✔️ | ✔️ |
| Support for Windows Server 2016 | ✔️ | ✔️ |
| Filter on Domains/OUs/groups | ✔️ | ✔️ |
| Filter on objects’ attribute values | ✔️ | ❌ |
| Allow minimal set of attributes to be synchronized | ✔️ | ✔️ |
| Allow removing attributes from flowing from AD to Microsoft Entra ID | ✔️ | ✔️ |
| Allow advanced customization for attribute flows | ✔️ | ❌ |
| Support for password writeback | ✔️ | ✔️ |
| Support for device writeback | ✔️ | ❌ |
| Support for group writeback | ❌(depreciated) | ✔️ |
| Support for merging user attributes from multiple domains | ✔️ | ❌ |
| Microsoft Entra Domain Services support | ✔️ | ❌ |
| Exchange hybrid writeback | ✔️ | ✔️ |
| Unlimited number of objects per AD domain | ✔️ | ❌ |
| Support for up to 150,000 objects per AD domain | ✔️ | ✔️ |
| Groups with up to 50,000 members | ✔️ | ✔️ |
| Large groups with up to 250,000 members | ✔️ | ❌ |
| Cross domain references | ✔️ | ✔️ |
| On-demand provisioning | ❌ | ✔️ |
| Support for US Government | ✔️ | ✔️ |
Device Sync and Device Writeback, don´t we need that?
Entra ID Connect Sync support both Device Sync and Device Writeback, this could be one of the features that will help you decide to use one or the other. When migrating t Entra Cloud Sync, this feature is lost and Hybrid Entra Join will not work anymore. But in a modern world, we should not need that anymore. We should go for Cloud only Entra joined clients. And to get on-premise access, we use Kerberos cloud trust.
Migrate
To migrate from Microsoft Entra Connect Sync to Microsoft Entra Cloud Sync, you need to follow these steps:
- Update your Microsoft Entra Connect Sync to the latest version.
- Back up your Microsoft Entra Connect Sync configuration.
- Stop the Microsoft Entra Connect Sync scheduler.
- Create a custom sync rule that filters out the objects that you want to migrate to cloud sync.
- Install the Microsoft Entra Cloud Sync agent on a server running Windows Server 2016 or later.
- Configure the Microsoft Entra Cloud Sync settings in the Microsoft Entra admin center.
- Start the sync and verify the results.
Conclusion
It is time to migrate! Entra Connect Sync starts to deprecate features and Entra Cloud Sync is getting feature complete. Would be grate if it also get Device support, but we should not need that. But many organizations are not there yet. So if you still need hybrid join, stay on Entra Connect Sync and start planning for cloud only devices.
About The Author
