Close Menu
    Install and Configure Microsoft Entra Cloud Sync
    Exchange

    Install and Configure Microsoft Entra Cloud Sync

    You want to sync your on-premises Active Directory with Microsoft Entra. But don’t want to keep the software up to date on-premises and want the cloud to do the work. An excellent tool to accomplish this is to use the Microsoft Entra Cloud Sync. In this article, you will learn how to install and configure Microsoft Entra Cloud Sync.

    Table of contents

    What is Microsoft Entra Cloud Sync

    Microsoft Entra Cloud Sync is a lightweight and modern identity synchronization tool designed to enable hybrid identity scenarios. It allows you to sync on-premises Active Directory (AD) users, groups, and contacts to Microsoft Entra ID without the overhead of Microsoft Entra Connect.

    This solution is ideal when:

    • You have multiple Active Directory forests.
    • You want to simplify high availability deployments.
    • You need to avoid complex on-prem infrastructure.
    • You want faster and more reliable sync with Microsoft Entra ID.

    Microsoft Entra Cloud Sync uses a cloud provisioning agent that runs on a Windows Server machine in your on-premises environment. Unlike Microsoft Entra Connect, it offloads most of the sync logic to the cloud, which simplifies management and scaling.

    Prerequisites for Microsoft Entra Cloud Sync

    Before proceeding, make sure you have:

    1. A Microsoft Entra ID tenant.
    2. An Entra ID Global Administrator account for initial setup.
    3. At least one Windows Server 2016 or later machine (domain-joined) to host the provisioning agent.
    4. Necessary firewall ports open: HTTPS (443) and HTTP (80) to Microsoft cloud endpoints.
    5. Proper DNS resolution from the server to your domain controllers and to external internet.

    Step 1. Download the Cloud Sync Agent

    1. Sign in to the Microsoft Entra admin center.
    2. Navigate to Identity > Show more
    Microsoft Entra admin center show more in IdentityMicrosoft Entra admin center show more in Identity
    1. Select Hybrid management > Microsoft Entra Connect
    2. Click on Cloud Sync
    Microsoft 365 admin center Microsoft Entra cloud syncMicrosoft 365 admin center Microsoft Entra cloud sync
    1. Select Agents
    2. Click on Download on-premises agent
    Download on-premises agentDownload on-premises agent
    1. Click on Accept terms & download
    2. Save the executable file to your Windows Server machine
    Accept terms and downloadAccept terms and download

    Step 2. Install Provisioning Agent on Windows Server

    1. Start File Explorer
    2. Go to the downloaded Provisioning Agent setup executable file
    3. Run the downloaded Microsoft Entra Connect Provisioning Agent installer as Administrator
    Install and Configure Microsoft Entra Cloud Sync agent setup fileInstall and Configure Microsoft Entra Cloud Sync agent setup file
    1. Accept the license terms and conditions
    2. Click Install
    Microsoft Entra Provisioning Agent package installation guideMicrosoft Entra Provisioning Agent package installation guide
    1. The setup starts installing the Microsoft Entra Provisioning Agent
    Provisioning Agent package setup progressProvisioning Agent package setup progress
    1. Click Next in the Welcome to the Microsoft Entra provisioning agent configuration wizard screen
    Microsoft Entra provisioning agent configuration wizardMicrosoft Entra provisioning agent configuration wizard
    1. Select HR-driven provisioning (Workday and SuccessFactors) / Microsoft Entra Cloud Sync
    2. Click Next
    Install and Configure Microsoft Entra Cloud Sync select extensionInstall and Configure Microsoft Entra Cloud Sync select extension
    1. Click Authenticate
    2. Sign in with your Microsoft Entra ID administrator credentials
    Connect to Microsoft Entra IDConnect to Microsoft Entra ID
    1. Select Create gSMA
    2. Enter your On-Premises domain admin credentials
    3. Click Next
    Install and Configure Microsoft Entra Cloud Sync configure service accountInstall and Configure Microsoft Entra Cloud Sync configure service account
    1. Click Next
    Connect to Active DirectoryConnect to Active Directory
    1. Click Confirm
    Install and Configure Microsoft Entra Cloud Sync confirm agent configurationInstall and Configure Microsoft Entra Cloud Sync confirm agent configuration
    1. Click Exit
    Install and Configure Microsoft Entra Cloud Sync exit agent configurationInstall and Configure Microsoft Entra Cloud Sync exit agent configuration

    Step 3. Verify Provisioning Agent status

    1. Sign in to the Microsoft Entra admin center
    2. Click Agents and verify that the machine name appears and the status is Active
    Microsoft Entra admin center cloud sync agents statusMicrosoft Entra admin center cloud sync agents status
    1. Start Windows Services
    2. Verify that the Microsoft Azure AD Connect Provisioning Agent service is running
    Install and Configure Microsoft Entra Cloud Sync services.mscInstall and Configure Microsoft Entra Cloud Sync services.msc
    1. Start Active Directory Users and Computers
    2. Navigate to Domain (exoip.local) > Managed Service Accounts
    3. Verify that the provAgentgMSA service account appears
    provAgentgMSA service accountprovAgentgMSA service account

    Step 4. Set up Microsoft Entra Cloud configuration

    1. Sign in to Microsoft Entra admin center
    2. Click on Configurations
    3. Select + New configuration > AD to Microsoft Entra ID sync
    Install and Configure Microsoft Entra Cloud Sync configurationsInstall and Configure Microsoft Entra Cloud Sync configurations
    1. Select the Active Directory domain
    2. Check the checkbox for Enable password hash sync
    3. Click Create
    New cloud sync configurationNew cloud sync configuration
    1. Click Overview
    2. Select Properties
    3. Click on the pencil icon to edit the Basics
    Configuration propertiesConfiguration properties
    1. Configure the basics:
    • Enable password hash sync
    • Enable Exchange hybrid writeback
    • Add email address for notifications
    • Enable prevent accidental deletion
    • Set accidental deletion treshold to 500
    1. Select Apply
    Microsoft Entra admin center new cloud sync configuration edit basicsMicrosoft Entra admin center new cloud sync configuration edit basics
    1. Click Scoping filters
    2. Select Selected organizational units
    3. Fill in the distinguished name of the on-premises OU that you want to sync with Microsoft Entra ID
    4. Click Add
    5. Click Save
    Cloud sync scoping filters add selected organizational unitCloud sync scoping filters add selected organizational unit
    1. Click Overview
    2. Click Review and enable
    Cloud sync review and enableCloud sync review and enable
    1. Click Enable configuration

    Note: Cloud provisioning is scheduled to run every 2 mins. Every 2 mins, any user, group, and password hash changes are provisioned to Microsoft Entra ID.

    Cloud sync enable configurationCloud sync enable configuration
    1. Verify that the configuration sync from AD to Microsoft Entra ID shows the status Healthy
    Cloud sync AD to Microsoft Entra ID healthy statusCloud sync AD to Microsoft Entra ID healthy status

    Step 5. Enable Password Writeback

    Allow password changes in Microsoft Entra ID to sync back to On-Premises AD by following the steps below:

    1. Sign in to the Microsoft Entra admin center
    2. Go to Protection > Password reset > On-premises integration
    3. Turn on:
    • Enable password write back for synced users
    • Write back passwords with Microsoft Entra Connect cloud sync
    • Allow users to unlock accounts with resetting their password
    1. Click Save
    Enable password writebackEnable password writeback

    Step 6. Check Microsoft Entra Cloud Sync logs

    1. Sign in to the Microsoft Entra admin center
    2. Select Provisioning logs
    Microsoft Entra cloud sync provisioning logsMicrosoft Entra cloud sync provisioning logs
    1. Sign in to your Windows Server
    2. Check the logs stored locally on the server where the agent is installed:
    C:\ProgramData\Microsoft Entra Connect Provisioning Agent\Logs

    That’s it!

    Read more: How to check Microsoft Entra Connect version »

    Conclusion

    You learned how to install and configure Microsoft Entra Cloud Sync. It’s an excellent choice for organizations that want hybrid identity management with minimal overhead. It offers a complete yet lightweight solution for syncing on-premises objects to the cloud.

    Did you enjoy this article? You may also like Conditional Access MFA breaks Azure AD Connect synchronization. Don’t forget to follow us and share this article.

    Share.

    Related Posts

    Add A Comment

    Comments are closed.