Install and Configure Directory Synchronization with Microsoft Entra Connect
Microsoft Entra Connect requires a domain-joined computer to host the synchronization service. Most organizations deploy a dedicated server for synchronization.
Requirements
Once you have configured Azure with an Active Directory tenant, you must perform the main tasks to deploy directory synchronization by following the steps below:
- Add your AD DS domain in Azure, verify the domain, then set this domain as the primary domain.
- Download and install Microsoft Entra Connect.
- Run the Microsoft Entra Connect configuration wizard. (Optionally, you can configure Microsoft Entra Connect to synchronize specific organizational units (OUs) in the on-premises AD DS environment).
- Enable optional features such as password hash synchronization, password writeback, and hybrid Exchange deployment.
- Run Microsoft Entra Connect and allow it to configure the environment for directory synchronization.
- Validate the synchronization results.
After configuring Microsoft Entra Connect and performing the initial synchronization, you can reconfigure synchronization options if necessary. Installing the Microsoft Entra Connect software includes several applications related to directory synchronization. During setup, you can choose:
- Express installation, which configures synchronization with the most commonly used settings.
- Custom installation, which allows you to customize configuration options.
Custom Installation Options
At the start of custom installation, you can:
- Use a custom SQL server instead of a local database.
- Use an existing service account instead of one created automatically.
- Specify custom synchronization groups.
By default, Microsoft Entra Connect creates the following groups:
Administrators, Operators, Browse, and Password Reset, but you can use your own custom groups.
Synchronization Modes
By default, Microsoft Entra Connect configures password hash synchronization. In custom installation, you can also choose:
- Federation with AD FS
- Pass-through authentication
- Or manually configure synchronization if you use a non-Microsoft federation server or another existing solution.
User Identification Methods
Custom installation also allows you to choose the user identification method. By default, the wizard assumes that users are represented only once across all directories. If identities exist in multiple directories, you must choose the matching attribute:
| Option | Description |
|---|---|
| mail attribute | Matches users and contacts if the mail attribute has the same value across different forests. |
| ObjectSID and msExchangeMasterAccountSID | Matches an enabled user in an account forest with a disabled user in an Exchange resource forest. Also called linked mailbox. |
| sAMAccountName and mailNickname | Matches additional attributes where the user’s login ID is expected. |
| My own attribute | Allows you to select a custom attribute. |
Source Anchor: An immutable attribute during the lifetime of the user object. It serves as the primary key to link the on-premises user object to the one in Microsoft Entra ID. The default choice is objectGUID, as it only changes if the account is moved between forests or domains.
You can also configure the UserPrincipalName attribute, used by users to sign in to Microsoft Entra ID. UPN suffixes must be verified in Microsoft Entra ID before synchronizing user objects.
Partial User Synchronization
In some cases, you may want to synchronize only a subset of users from your on-premises AD DS. Microsoft Entra Connect allows you to select a specific group of users to synchronize to Microsoft Entra ID. This group must be created before running Microsoft Entra Connect. After configuration, you can add or remove users from this group to manage synchronized objects.
You can also use local OUs as the replication scope.
In the final step, Microsoft Entra Connect allows you to configure certain optional features available in Microsoft Entra ID P1 or P2.
