Plan Integration with Microsoft Entra
When Contoso’s IT staff implements a cloud service or an application in their IT environment, they generally want to use a single identity directory for both on-premises and cloud-based applications. By using directory synchronization, they can connect their on-premises AD DS to Microsoft Entra ID.
What is directory synchronization?
Directory synchronization enables synchronization between on-premises AD DS and Microsoft Entra ID for users, groups, and contacts. In its simplest form, you install a directory synchronization component on a server in your on-premises domain. You then provide an account with Domain Admin and Enterprise Admin permissions for on-premises AD DS, as well as another account with admin permissions for Microsoft Entra ID, and then let the process run.
The user accounts, groups, and contacts you select in AD DS are then replicated to Microsoft Entra ID. Users can then use these accounts to sign in and access Azure services that rely on Microsoft Entra ID for authentication.
Unless you enable password synchronization, users sign in to Azure resources with a password that is separate from their on-premises one. Even with password synchronization enabled, users are still prompted to enter their credentials when they access an Azure resource from a domain-joined computer. The advantage of password synchronization is that users can use the same username and password as for their on-premises sign-in. Do not confuse this with SSO: the behavior that password synchronization provides is called same sign-in.
With Azure, the synchronization flow is one-way: from on-premises AD DS to Azure. However, with Microsoft Entra ID P1 or P2 features, some attributes can be replicated in the other direction. For example, you can configure Azure to write back passwords to on-premises AD DS, as well as groups and devices from Microsoft Entra ID. If you do not want to synchronize your entire on-premises AD DS, directory synchronization for Microsoft Entra ID supports limited filtering and customization of attribute flow based on the following values:
- Organizational Unit (OU)
- Domain
- User attributes
- Applications
Microsoft Entra Connect
You can use Microsoft Entra Connect to perform synchronization between on-premises AD DS and Microsoft Entra ID. Microsoft Entra Connect is a wizard-based tool designed to enable connectivity between an on-premises identity infrastructure and Azure. Through the wizard, you choose your topology and requirements, and the wizard deploys and configures all required components for you. Depending on the options you select, this may include:
- Azure Active Directory Sync (Azure AD Sync)
- Hybrid Exchange deployment
- Password writeback
- AD FS servers and AD FS proxies or Web Application Proxy
- Microsoft Graph PowerShell module
Note
Most organizations deploy a dedicated synchronization server to host Microsoft Entra Connect.
When you run Microsoft Entra Connect, the following actions occur:
- New user, group, and contact objects in on-premises AD DS are added to Microsoft Entra ID. However, licenses for cloud services like Microsoft 365 are not automatically assigned to these objects.
- Modified attributes of existing objects in on-premises AD DS are updated in Microsoft Entra ID. However, not all AD DS attributes are synchronized. You can configure which attributes to synchronize via the Synchronization Manager component of Microsoft Entra Connect.
- Deleted objects in on-premises AD DS are also deleted in Microsoft Entra ID.
- Locally disabled objects are disabled in Azure. However, licenses are not automatically removed.
Microsoft Entra ID requires a single source of authority for each object. Therefore, it is important to understand that in a Microsoft Entra Connect scenario, when you run Active Directory synchronization, you manage objects from on-premises AD DS using tools like Active Directory Users and Computers or Windows PowerShell. After the first synchronization cycle is complete, the source of authority is transferred from the cloud to on-premises AD DS. All subsequent changes to cloud objects (except for licenses) are managed from on-premises AD DS. The corresponding cloud objects become read-only, and Microsoft Entra administrators cannot modify them unless you implement technologies that allow writeback.
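The synchronization behaviors listed above (new objects appear without licenses, disabled objects are disabled in the cloud, and synced objects become read-only in Microsoft Entra ID) can be checked for a single account after a delta cycle. The following PowerShell is an added example, not code from the page or from Microsoft; it assumes it runs on the Microsoft Entra Connect server with the ADSync, ActiveDirectory and Microsoft.Graph.Users modules installed, and that the default sourceAnchor (objectGUID / ms-DS-ConsistencyGuid) is in use, so the cloud OnPremisesImmutableId is the Base64 form of the AD DS objectGUID. The account name in the usage line is a placeholder.

```powershell
# Added example: verify the cloud copy of one on-premises user after a delta sync cycle.
# Assumes the Microsoft Entra Connect server, the modules below, and the default objectGUID sourceAnchor.
Import-Module ADSync
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

function Wait-ADSyncIdle {
    param([int] $TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    # Get-ADSyncConnectorRunStatus returns nothing while no connector run is in progress
    while (Get-ADSyncConnectorRunStatus) {
        if ((Get-Date) -gt $deadline) { throw "Sync cycle did not finish within $TimeoutSeconds seconds" }
        Start-Sleep -Seconds 15
    }
}

function Test-EntraSyncState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # on-premises account to check
        [switch] $RunDeltaSync                             # trigger a delta cycle before checking
    )

    if ($RunDeltaSync) {
        if (-not (Get-ADSyncScheduler).SyncCycleEnabled) {
            Write-Warning 'The sync scheduler is disabled; changes will not flow until it is re-enabled.'
        }
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        Wait-ADSyncIdle
    }

    $adUser = Get-ADUser -Identity $SamAccountName -Properties Enabled, UserPrincipalName
    # Default sourceAnchor: Base64 of the objectGUID bytes (assumption, see lead-in)
    $expectedImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

    # Read-only Graph scope is enough for this check
    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
    $props = 'Id', 'UserPrincipalName', 'AccountEnabled', 'OnPremisesSyncEnabled',
             'OnPremisesImmutableId', 'OnPremisesLastSyncDateTime', 'AssignedLicenses'
    $cloudUser = Get-MgUser -UserId $adUser.UserPrincipalName -Property $props -ErrorAction SilentlyContinue

    if (-not $cloudUser) {
        return [pscustomobject]@{
            User = $SamAccountName; Synced = $false
            Finding = 'Not present in Microsoft Entra ID (not yet exported, or excluded by OU/domain/attribute filtering)'
        }
    }

    $findings = @()
    # Source of authority: a synced object is mastered on-premises and read-only in the cloud
    if (-not $cloudUser.OnPremisesSyncEnabled) { $findings += 'Cloud object is not flagged as directory-synced; possible cloud-only duplicate' }
    if ($cloudUser.OnPremisesImmutableId -ne $expectedImmutableId) { $findings += 'ImmutableId does not match the AD DS objectGUID' }
    # Disabled on-premises objects are disabled in the cloud ...
    if ($cloudUser.AccountEnabled -ne $adUser.Enabled) { $findings += 'Enabled state differs from AD DS; wait for the next cycle or investigate' }
    # ... but licenses are neither assigned nor removed automatically
    if (-not $adUser.Enabled -and $cloudUser.AssignedLicenses.Count -gt 0) { $findings += 'Disabled account still holds licenses; remove them manually or via group-based licensing' }

    [pscustomobject]@{
        User         = $SamAccountName
        Synced       = $true
        LastSync     = $cloudUser.OnPremisesLastSyncDateTime
        CloudEnabled = $cloudUser.AccountEnabled
        LicenseCount = $cloudUser.AssignedLicenses.Count
        Finding      = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Usage (placeholder account name):
# Test-EntraSyncState -SamAccountName 'jdoe' -RunDeltaSync
```

A newly created user that reports `Synced = $true` with `LicenseCount = 0` is the expected outcome: the object arrived, but licensing remains a separate step, which is why a disabled user that still holds licenses is reported as a finding rather than silently fixed.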
Permissions and accounts required to run Microsoft Entra Connect
To implement Microsoft Entra Connect, you must have accounts with the required permissions both in on-premises AD DS and in Microsoft Entra ID. Installing and configuring Microsoft Entra Connect requires the following accounts:
- An Azure account with Global Administrator permission in the Azure tenant (such as an organizational account), which is not the account used to set up the tenant.
- A local account with Enterprise Admin permissions in on-premises AD DS. In the Microsoft Entra Connect wizard, you can choose to use an existing account or let the wizard create one for you.
Microsoft Entra Connect uses the Azure Global Administrator account to provision and update objects while the configuration wizard runs. It is recommended to create a dedicated service account in Azure for directory synchronization rather than using the Azure tenant administrator account, because the account used to set up the tenant may not have a domain name suffix that matches the domain. The dedicated account must be a member of the Global Administrators role group.
In the on-premises environment, the account used to install and configure Microsoft Entra Connect must have the following permissions:
- Enterprise Admin in AD DS (required to create the synchronization user account in Active Directory)
- Local Administrator on the machine (required to install the Microsoft Entra Connect software)
The account used to configure Microsoft Entra Connect and run the configuration wizard must belong to the local ADSyncAdmins group. By default, the account used for installation is automatically added to this group.
Note
The account used to install Microsoft Entra Connect is automatically added to the ADSyncAdmins group during product installation. You must log off and log back on before using the Synchronization Service Manager interface, because the group's security identifier (SID) is added to the account's access token only at the next logon.

The Enterprise Admin account is required only while Microsoft Entra Connect is installed and configured, and the configuration wizard neither stores nor records its credentials. It is therefore recommended to create a dedicated administrator account for installing and configuring Microsoft Entra Connect, add it to the Enterprise Admins group for the duration of setup, and remove it from the Enterprise Admins group as soon as the configuration is complete.
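The permission model described in this section (Enterprise Admin only during setup, local ADSyncAdmins membership afterwards) is easy to leave half-finished. The following PowerShell is an added example, not code from the page or from Microsoft; it assumes the ActiveDirectory module (RSAT) is available, that it runs on the sync server so the local ADSyncAdmins group can be inspected, and that the account name passed in is the temporary installation account this section recommends (the name in the usage line is a placeholder).

```powershell
# Added example: confirm the temporary install account was removed from Enterprise Admins
# and that it still belongs to the local ADSyncAdmins group needed for Synchronization Service Manager.
Import-Module ActiveDirectory

function Invoke-EntraConnectPostInstallCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $InstallAccount   # sAMAccountName of the temporary install account
    )

    # Enterprise Admins exists only in the forest root domain, so target a root-domain DC explicitly
    $rootDomain  = (Get-ADForest).RootDomain
    $ea          = Get-ADGroup -Identity 'Enterprise Admins' -Server $rootDomain
    $installUser = Get-ADUser  -Identity $InstallAccount -Server $rootDomain
    $stillMember = Get-ADGroupMember -Identity $ea -Server $rootDomain |
        Where-Object { $_.SID -eq $installUser.SID }

    if ($stillMember) {
        # Honour -WhatIf / -Confirm so the removal can be previewed first
        if ($PSCmdlet.ShouldProcess($InstallAccount, 'Remove from Enterprise Admins')) {
            Remove-ADGroupMember -Identity $ea -Members $installUser -Server $rootDomain -Confirm:$false
            $eaState = 'Removed (was still an Enterprise Admin after setup)'
        } else {
            $eaState = 'Still an Enterprise Admin (removal skipped)'
        }
    } else {
        $eaState = 'OK (not an Enterprise Admin)'
    }

    # Membership in the local ADSyncAdmins group must remain for the Synchronization Service Manager UI
    $inAdSyncAdmins = [bool] (Get-LocalGroupMember -Group 'ADSyncAdmins' -ErrorAction Stop |
        Where-Object { $_.SID -eq $installUser.SID })

    # The sync engine runs as its own service account; the service itself should be up
    $service = Get-Service -Name 'ADSync' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        InstallAccount            = $InstallAccount
        EnterpriseAdmins          = $eaState
        InADSyncAdmins            = $inAdSyncAdmins
        ADSyncServiceStatus       = if ($service) { $service.Status } else { 'not installed' }
        RemainingEnterpriseAdmins = (Get-ADGroupMember -Identity $ea -Server $rootDomain).SamAccountName -join ', '
    }
}

# Usage: preview with -WhatIf first, then run for real (placeholder account name)
# Invoke-EntraConnectPostInstallCheck -InstallAccount 'svc-entraconnect-install' -WhatIf
# Invoke-EntraConnectPostInstallCheck -InstallAccount 'svc-entraconnect-install'
```

The `RemainingEnterpriseAdmins` field is included deliberately: a short, known list is the outcome to expect once setup is finished, and any extra member is worth a question.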
The following table details the accounts created during the configuration of Microsoft Entra Connect:
| Account | Description |
|---|---|
| MSOL_ | This account is created during the installation of Microsoft Entra Connect and is configured to synchronize with the Azure tenant. It has directory replication permissions in the on-premises Active Directory (AD DS) and write rights on certain attributes to enable hybrid deployment. |
| AAD_ | This is the synchronization engine service account. It is created with a randomly generated complex password, automatically configured to never expire. When the directory synchronization service runs, it uses this service account’s credentials to read the on-premises Active Directory and then write the contents of the synchronization database to Azure. This is done using the tenant administrator credentials you enter in the Microsoft Entra Connect configuration wizard. |
⚠️ Warning
Do not modify the Microsoft Entra Connect service account after installation, as it always attempts to run using the account created during configuration. If you change this account, Microsoft Entra Connect will stop functioning and scheduled synchronizations will no longer occur.
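The MSOL_ and AAD_ accounts from the table above are the two identities most worth inventorying on a sync server: MSOL_ holds directory replication permissions in AD DS, and the ADSync service must keep running as the AAD_ account it was installed with. The following PowerShell is an added example, not code from the page or from Microsoft; it assumes the ActiveDirectory module is available, that it runs on the sync server (for the local-account and service checks), that the AAD_ account is a local account, and that the baseline list of principals expected to hold replication rights is an assumption for a single-domain forest that you adjust to your environment.

```powershell
# Added example: report the accounts Microsoft Entra Connect created and the identity the
# ADSync service actually runs as. Baseline of expected replication-right holders is an assumption.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs that directory replication requires
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

function Get-EntraConnectServiceAccountReport {
    [CmdletBinding()]
    param(
        # Principals that legitimately hold replication rights on the domain partition (assumed baseline)
        [string[]] $ExpectedReplicationPrincipals
    )

    $domain = Get-ADDomain
    if (-not $ExpectedReplicationPrincipals) {
        $nb = $domain.NetBIOSName
        $ExpectedReplicationPrincipals = @(
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers"
        )
    }

    # 1. MSOL_ domain account: never-expiring password, should only ever be used from this server
    $msol = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' `
        -Properties Description, PasswordNeverExpires, PasswordLastSet, LastLogonDate, WhenCreated |
        Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate, WhenCreated, Description

    # 2. Who holds replication rights on the domain partition? MSOL_ needs them; anything else unexpected is a finding
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $replHolders = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in @($ReplGetChanges, $ReplGetChangesAll) } |
        Select-Object -ExpandProperty IdentityReference -Unique |
        ForEach-Object { $_.Value }
    $unexpected = $replHolders | Where-Object {
        $_ -notin $ExpectedReplicationPrincipals -and $_ -notmatch '\\MSOL_'
    }

    # 3. AAD_ local service account and the account the ADSync service is configured to run as
    $aad = Get-LocalUser | Where-Object Name -like 'AAD_*' |
        Select-Object Name, Enabled, PasswordExpires, PasswordLastSet, LastLogon
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADSync'"
    # Local service accounts appear as ".\AAD_xxxx" in StartName
    $runsAsAad = [bool] ($svc -and (($aad.Name | ForEach-Object { $svc.StartName -like "*\$_" }) -contains $true))

    [pscustomobject]@{
        MsolAccounts                = $msol
        ReplicationRightHolders     = $replHolders
        UnexpectedReplicationRights = $unexpected
        AadLocalAccounts            = $aad
        ADSyncServiceRunsAs         = if ($svc) { $svc.StartName } else { 'service not found' }
        ServiceAccountUnchanged     = $runsAsAad
    }
}

# Usage:
# $report = Get-EntraConnectServiceAccountReport
# $report.UnexpectedReplicationRights   # expected: empty
# $report.ServiceAccountUnchanged       # expected: True (see the warning above)
```

`ServiceAccountUnchanged = $false` is the symptom the warning describes: the service has been repointed away from the AAD_ account and scheduled cycles will stop. A non-empty `UnexpectedReplicationRights` list means a principal other than the domain controllers, built-in administrators and the MSOL_ account can read directory replication data, which deserves the same scrutiny as an extra Enterprise Admin.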
📘 Further Reading
For more information, see the following document:
Topologies for Microsoft Entra Connect