• What is Entra Connect
  • How it works
  • Sign-in methods
  • Security risks
  • Monitoring with ADAudit Plus
  • FAQ

Most organizations still run Active Directory on-premises while their users work in Microsoft 365 every day. Microsoft Entra Connect is what closes that gap. It keeps the two directories in sync, so the identity that IT manages in AD is the same identity users authenticate with in the cloud.

What is Microsoft Entra Connect?

Microsoft Entra Connect is a Microsoft tool installed on a Windows server inside your on-premises environment. It reads user accounts, groups, and attributes from Active Directory and synchronizes them to Microsoft Entra ID, the cloud identity platform that underlies Microsoft 365, Azure, and thousands of connected SaaS applications.

Without it, your on-premises AD and your cloud tenant are two separate identity stores. Users would need separate accounts and passwords for on-premises systems and cloud services. With Entra Connect running, a change made in AD, whether a new hire, a job title update, a password reset, or a group membership change, propagates to the cloud automatically.

It also handles authentication. Depending on the sign-in method you configure, Entra Connect determines whether users' passwords are validated against a cloud copy, validated by an on-premises agent, or handed off entirely to a federation service like AD FS. This choice affects what happens when on-premises infrastructure is unavailable, how quickly account policy changes take effect in the cloud, and what compliance requirements you can satisfy.

The old name: Azure AD Connect

Microsoft Entra Connect was previously named Azure AD Connect. When Microsoft rebranded its identity portfolio in July 2023, it renamed Azure Active Directory to Microsoft Entra ID, and the sync tool was renamed from Azure AD Connect to Microsoft Entra Connect as part of the same rebrand.

The product itself did not change. The underlying sync engine, configuration wizard, sign-in method options, and supported scenarios are the same. Only the name changed. Some organizations and documentation still refer to the tool as Azure AD Connect, particularly those who set it up before July 2023 and have not updated their internal documentation.

The search term 'Entra ID Connect' is also widely used by admins who combine the platform name (Microsoft Entra ID) with the tool's function. The correct product name is Microsoft Entra Connect. There is no separate product called Entra ID Connect.

How Microsoft Entra Connect works

Entra Connect installs on a dedicated Windows Server in your on-premises environment. During setup, you connect it to one or more Active Directory forests and authenticate it to your Microsoft Entra tenant. From that point, the sync engine runs continuously in the background.

The sync process works in two directions by default, though most organizations configure it as primarily one-directional, from AD to Entra ID. The sync engine reads objects and attributes from the on-premises directory, transforms them according to rules you configure, and writes them to Entra ID. By default, a delta sync runs every 30 minutes. Password hash synchronization runs on a separate two-minute cycle when enabled.

Entra Connect uses a local SQL database (SQL Server Express is sufficient for most deployments) to maintain a connector space, a local staging area for each connected directory. Objects flow from AD into the connector space, through a metaverse where transformation rules apply, and then out to the Entra ID connector space for export to the cloud.

Staging mode

You can install a second Entra Connect server in staging mode. It processes sync operations but does not export changes to Entra ID. This serves as a warm standby for high availability. If the active server fails, you can promote the staging server by disabling staging mode and allowing it to export.

What Microsoft Entra Connect synchronizes

Entra Connect syncs directory objects and their attributes. You control which OUs and domains are in scope using OU-level and domain-level filtering during setup or post-configuration.

| Object type | What syncs |
|---|---|
| Users | Display name, UPN, email addresses, job title, department, manager, phone numbers, group memberships, account enabled/disabled status, and password hashes (if Password Hash Sync is enabled). |
| Groups | Group name, description, membership lists. Both security groups and distribution groups sync. The 50,000-member limit applies unless specifically increased. |
| Contacts | Mail-enabled contacts from AD. Appear as contacts in Exchange Online. |
| Devices | Hybrid Entra ID join registers on-premises domain-joined devices in Entra ID so they can participate in Conditional Access and SSO scenarios. |
| Attributes | You can extend sync to include custom attributes from AD schema extensions using attribute-based filtering and custom sync rules. |

The three sign-in methods

When you install Entra Connect, you choose how users authenticate to cloud services. This is one of the most important decisions in a hybrid identity deployment and affects infrastructure requirements, security posture, and resilience.

| Method | How authentication works | Best for |
|---|---|---|
| Password Hash Sync (PHS) | A hash of each user's AD password is synced to Entra ID. Entra ID validates sign-ins directly using the cloud copy of the hash. | Most organizations. Simplest to deploy, no additional servers required, and provides a resilient fallback if on-premises infrastructure fails. Microsoft recommends this as the default. |
| Pass-Through Authentication (PTA) | Sign-in requests are forwarded to lightweight authentication agents running on-premises. The agents validate the user's password directly against AD in real time. | Organizations that need on-premises AD account policies (expired passwords, locked accounts, logon hours) to take effect immediately in the cloud without syncing password hashes. |
| Federation with AD FS | Authentication is handed off to a separate federation service (AD FS or a third-party provider). Entra ID trusts the federation service to validate credentials. | Organizations with complex authentication requirements: smart card sign-in, third-party MFA, certificate-based authentication, or existing AD FS infrastructure they want to reuse. |

Password Hash Sync as backup

If you deploy Pass-Through Authentication or Federation, Microsoft recommends enabling Password Hash Sync as a backup authentication method. If your on-premises authentication infrastructure fails, you can manually switch to Password Hash Sync to restore cloud authentication without waiting for on-premises recovery.

Microsoft Entra Connect vs Microsoft Entra Cloud Sync

Microsoft offers two tools for syncing on-premises AD to Microsoft Entra ID. Entra Connect is the full-featured, server-based sync engine. Entra Cloud Sync is a newer, lighter alternative that uses provisioning agents and moves most configuration into the cloud portal.

Microsoft positions Entra Cloud Sync as the preferred option for new deployments where it meets your requirements. Entra Connect remains fully supported and is still the right choice for complex hybrid scenarios that Cloud Sync does not yet cover.

| Feature | Microsoft Entra Connect | Microsoft Entra Cloud Sync |
|---|---|---|
| Architecture | Full sync engine installed on a Windows server on-premises | Lightweight provisioning agents; sync logic managed in the cloud portal |
| Infrastructure footprint | Requires a dedicated server; local SQL database; optional staging server | Agents install on domain controllers or member servers; no dedicated sync server needed |
| Configuration | Wizard-based setup on the server; custom sync rules via Synchronization Rules Editor | Configured through the Entra admin center; simpler rule set; less granular control |
| Multi-forest support | Full support for complex multi-forest topologies | Supports multi-forest, but with more constraints on topology |
| Writeback support | Group writeback, device writeback, password writeback to AD | Password writeback supported; group writeback available; device writeback not available |
| Pass-Through Authentication | Supported | Not supported: PHS or federation only |
| AD FS federation | Supported | Not supported |
| Preferred for new deployments? | Supported but heavier: use for complex scenarios | Yes, where feature requirements are met |

Which to choose

Start with Entra Cloud Sync for new deployments if you do not need Pass-Through Authentication, AD FS federation, or advanced writeback. If your environment has multiple AD forests with complex trust relationships, existing custom sync rules, or a requirement for PTA, Entra Connect is still the right tool.

The September 2026 upgrade deadline

Action required by September 30, 2026

All Microsoft Entra Connect Sync installations must be running version 2.5.79.0 or later by September 30, 2026. Installations running an older version will stop syncing on that date due to a Microsoft backend security hardening change. This is not a complete retirement of directory synchronization. It is a mandatory minimum version requirement.

Microsoft is introducing a dedicated first-party service principal for Entra Connect Sync as a security hardening measure. The new service principal ID is 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016. Older versions of Entra Connect do not use this service principal, and after September 30, 2026, they will no longer be permitted to connect.

This affects all organizations running Microsoft Entra Connect Sync version 2.x, regardless of how recently they installed or upgraded it. It does not affect organizations that have already migrated to Entra Cloud Sync.

What to do now

  1. Check your current version: open the Microsoft Entra Connect wizard on the sync server and note the version number, or check the Entra admin center under Entra ID > Microsoft Entra Connect.
  2. If you are on version 2.5.79.0 or later, no immediate action is needed. Continue monitoring for newer releases, as each 2.x version retires 12 months after the next version is released.
  3. If you are on an older 2.x version, upgrade to the latest release before the deadline. In-place upgrade is supported; download the latest version from the Microsoft Download Center.
  4. If you are on any 1.x version: those versions stopped working on October 1, 2023. If synchronization is still running, you are on a 2.x version. If sync stopped in late 2023, upgrade immediately.
  5. Consider evaluating Entra Cloud Sync now for future migration, particularly for simpler environments or new forest additions.
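The version check in step 1 can be scripted so it runs on every sync server from a management host. The following PowerShell is an added example written for this article, not a Microsoft or ADAudit Plus script. It reads the installed version from the Windows uninstall registry entries and compares it with the 2.5.79.0 minimum stated above. The DisplayName pattern is an assumption: it expects the entry to be named either "Microsoft Entra Connect Sync" or the pre-rename "Microsoft Azure AD Connect"; verify the exact name on your server before relying on the match.

```powershell
# Added example (not from the article): compare the installed Entra Connect
# version with the September 30, 2026 minimum of 2.5.79.0.
# Run on the sync server, or remotely via Invoke-Command against it.

$MinimumVersion = [version]'2.5.79.0'
$Deadline       = Get-Date -Year 2026 -Month 9 -Day 30

function Get-EntraConnectVersion {
    # Both 64-bit and WOW6432Node uninstall hives are searched.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

    # Assumption: the product entry is named exactly one of these two strings.
    # The anchors keep related entries (Health agents, ADSync components) out.
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Microsoft (Entra Connect Sync|Azure AD Connect)$' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-EntraConnectVersion {
    param([string]$Installed)

    if (-not $Installed) {
        return 'UNKNOWN: no matching uninstall entry found; check the Entra Connect wizard manually'
    }

    $daysLeft = [int]($Deadline - (Get-Date)).TotalDays
    if ([version]$Installed -ge $MinimumVersion) {
        return "OK: $Installed meets the minimum $MinimumVersion"
    }
    return "UPGRADE REQUIRED: $Installed is below $MinimumVersion ($daysLeft days until the deadline)"
}

# Usage: prints one status line per server this runs on.
"$env:COMPUTERNAME - $(Test-EntraConnectVersion -Installed (Get-EntraConnectVersion))"
```

Treat an UNKNOWN result as a finding rather than a pass: it usually means the DisplayName assumption does not hold on that server, and the version should be read from the wizard or admin center as step 1 describes.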

Security risks from changes to Entra Connect configuration

Entra Connect sits at the intersection of your on-premises identity infrastructure and the cloud. Unauthorized changes to its configuration can compromise both environments.

Sync scope changes

An attacker or misconfigured admin who modifies the OU or domain filtering scope can cause objects to appear or disappear from Entra ID. Removing an OU from sync scope deletes the corresponding cloud objects, causing users to lose access to cloud resources. Adding an OU inadvertently can expose previously unsynced accounts, including service accounts or legacy accounts, to cloud authentication.

Authentication method changes

Switching from Pass-Through Authentication to Password Hash Sync, or disabling federation, is a major change that affects how every user in the tenant authenticates. These changes can be made through the Entra Connect wizard by anyone with the Hybrid Identity Administrator role. If a malicious actor makes this switch, it can bypass on-premises account policy controls. For example, locked accounts in AD may still be able to authenticate to the cloud if password hashes have synced.

Entra Connect service account compromise

The AD DS Connector account that Entra Connect uses to read from Active Directory has Replicate Directory Changes and Replicate Directory Changes All permissions, the same permissions required to perform a DCSync attack. An attacker who compromises this account can extract all password hashes from Active Directory without ever touching a domain controller directly.

Staging server promoted without authorization

If a staging mode server is promoted to active without authorization (by disabling staging mode), it begins exporting changes to Entra ID based on whatever sync state it holds. If the staging server was not kept up to date with the active server, this can overwrite or delete objects in Entra ID. Unauthorized promotion of a staging server is difficult to detect without real-time audit monitoring.

Sync rule modifications

Custom synchronization rules control which attributes flow between AD and Entra ID and how they are transformed. A modified sync rule can suppress attributes, change attribute values before they reach the cloud, or introduce incorrect mappings. These changes are not visible in the Entra admin center and require direct access to the sync server to review.
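Because sync rule changes and staging-mode promotions are not visible in the Entra admin center, a practical defender control is to baseline the sync server's own configuration and compare it on a schedule. The PowerShell below is an added example for this article, not code from Microsoft or ADAudit Plus. It assumes the ADSync module's Get-ADSyncScheduler exposes StagingModeEnabled and SyncCycleEnabled, and that Get-ADSyncRule exposes Name, Identifier, Direction, Precedence, Disabled and Version; these are the property names as I know them, so confirm them on your version. The baseline path is a hypothetical location.

```powershell
# Added example (not from the article): detect drift in staging mode and sync
# rules on an Entra Connect server by comparing against a stored baseline.
# First run writes the baseline; later runs report what changed.
Import-Module ADSync

$BaselinePath = 'C:\ProgramData\SyncBaseline\adsync-baseline.json'   # hypothetical path

function Get-SyncConfigSnapshot {
    $sched = Get-ADSyncScheduler                       # assumption: exposes the two flags below
    $rules = Get-ADSyncRule | ForEach-Object {         # assumption: property names as listed
        [pscustomobject]@{
            Identifier = [string]$_.Identifier
            Name       = $_.Name
            Direction  = [string]$_.Direction
            Precedence = $_.Precedence
            Disabled   = [bool]$_.Disabled
            Version    = $_.Version
        }
    } | Sort-Object Identifier
    [pscustomobject]@{
        Taken              = (Get-Date).ToString('o')
        StagingModeEnabled = [bool]$sched.StagingModeEnabled
        SyncCycleEnabled   = [bool]$sched.SyncCycleEnabled
        Rules              = @($rules)
    }
}

function Compare-SyncConfig {
    param($Baseline, $Current)
    $findings = @()
    foreach ($flag in 'StagingModeEnabled', 'SyncCycleEnabled') {
        if ($Baseline.$flag -ne $Current.$flag) {
            $findings += "$flag changed: $($Baseline.$flag) -> $($Current.$flag)"
        }
    }
    # Index rules by identifier so renames and precedence changes are caught.
    $old = @{}; foreach ($r in @($Baseline.Rules)) { $old[$r.Identifier] = $r }
    $new = @{}; foreach ($r in @($Current.Rules))  { $new[$r.Identifier] = $r }
    foreach ($id in $new.Keys) {
        if (-not $old.ContainsKey($id)) { $findings += "Rule added: $($new[$id].Name)"; continue }
        foreach ($p in 'Name', 'Direction', 'Precedence', 'Disabled', 'Version') {
            if ("$($old[$id].$p)" -ne "$($new[$id].$p)") {
                $findings += "Rule '$($new[$id].Name)' $p changed: $($old[$id].$p) -> $($new[$id].$p)"
            }
        }
    }
    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) { $findings += "Rule removed: $($old[$id].Name)" }
    }
    $findings
}

$current = Get-SyncConfigSnapshot
if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 5 | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $drift = Compare-SyncConfig -Baseline $baseline -Current $current
    if ($drift) { $drift | ForEach-Object { "DRIFT: $_" } } else { 'No configuration drift detected' }
}
```

Keep the baseline copy somewhere the sync server's local administrators cannot rewrite (a read-only share or a SIEM), since anyone able to change sync rules on the box can also edit a baseline stored beside them. A StagingModeEnabled flip from true to false is the staging-server promotion described in the previous section and deserves an alert of its own.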

All configuration changes made through the Entra Connect wizard and Synchronization Service Manager are captured in the Entra ID audit log under the Hybrid Identity category. ManageEngine ADAudit Plus monitors these events in real time and alerts your security team immediately when sync configuration is changed, with before-and-after values for modified settings.

Monitoring Microsoft Entra Connect with ADAudit Plus

When Entra Connect configuration changes, the effect propagates to both your on-premises AD and your cloud tenant. Detecting these changes requires monitoring at the sync server, in the AD audit log, and in the Entra ID audit log simultaneously.

What ADAudit Plus monitors for hybrid identity

  • Entra Connect configuration changes: sign-in method changes, OU filter changes, domain scope changes
  • Entra Connect service account activity: use of the AD DS Connector account, including replication operations that could indicate a DCSync attempt
  • Microsoft Entra ID hybrid identity audit events: sync cycle completions, export errors, object deletions triggered by scope changes
  • Staging mode changes: when a staging server is promoted to active or a new server is configured
  • On-premises AD changes that affect sync, including account enable/disable, group membership changes, and password resets, with correlation to their cloud impact

ADAudit Plus vs native monitoring for Entra Connect

| Capability | Native options | ADAudit Plus |
|---|---|---|
| Entra Connect config change alerts | No real-time alerts; check Entra admin center manually | Immediate email and SMS alerts on configuration changes |
| On-premises + cloud correlation | Separate logs in AD event log and Entra audit log (no unified view) | Unified report correlating on-premises AD changes with cloud sync outcomes |
| Connector account monitoring | AD security event log (Event ID 4662, 4624): requires manual filtering | Pre-built reports for replication-permission account activity |
| Log retention | Entra ID audit log: 30 days (free), up to 2 years (P1/P2) | Configurable long-term archive beyond Microsoft's retention limits |
| Compliance reports | No pre-built reports for SOX, HIPAA, PCI DSS | Out-of-the-box reports for SOX, HIPAA, PCI DSS, GDPR, FISMA, GLBA |
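The "manual filtering" of Event ID 4662 mentioned in the table is what a detection needs to do to spot replication rights being exercised by an account other than the domain controllers and the AD DS Connector account. The PowerShell below is an added example for this article, not ADAudit Plus or Microsoft code. It reads 4662 events from a domain controller's Security log, keeps only those whose Properties field references the two replication control-access rights the article names, and flags any subject not on an expected-accounts list. The GUIDs are the well-known schema values for those rights; the account names passed in at the bottom are placeholders. The event only exists if the "Audit Directory Service Access" subcategory is enabled on the DC.

```powershell
# Added example (not from the article): list accounts that exercised directory
# replication rights, from Security event 4662 on a domain controller, and
# flag those not expected to replicate (DCs and the AD DS Connector account).

# Well-known control-access-right GUIDs for directory replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Find-ReplicationAccess {
    param(
        # Accounts allowed to replicate: DC computer accounts (name ends in '$')
        # and the Entra Connect AD DS Connector account. Placeholders; adjust.
        [string[]]$ExpectedAccounts = @(),
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )

    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData name/value pairs out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Properties lists the access GUIDs; keep only replication rights.
        $rights = @($ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ })
        if ($rights.Count -eq 0) { continue }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Rights   = ($rights | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            Object   = $data['ObjectName']
            Expected = ($ExpectedAccounts -contains $data['SubjectUserName'])
        }
    }
}

# Usage: show unexpected replication activity in the last 24 hours.
# 'MSOL_PLACEHOLDER' and 'DC01$' are placeholders for your connector account and DC names.
Find-ReplicationAccess -ExpectedAccounts 'MSOL_PLACEHOLDER', 'DC01$' |
    Where-Object { -not $_.Expected } |
    Sort-Object Time -Descending |
    Format-Table Time, Account, Rights, Object -AutoSize
```

Two caveats a practitioner will hit: 4662 is a high-volume event, so run this with a bounded StartTime or forward the events to a SIEM and apply the same Properties filter there; and an expected account appearing from an unexpected source host is still worth reviewing, which is why the article's table pairs 4662 with logon event 4624.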


Frequently asked questions

Microsoft Entra ID is the cloud identity platform. It is the directory that manages users, groups, and authentication for Microsoft 365, Azure, and connected applications. Microsoft Entra Connect is a tool you install on-premises that synchronizes identities from Active Directory into Entra ID.

Entra ID is the destination. Entra Connect is the bridge that keeps your on-premises AD and Entra ID in sync. If your organization runs entirely in the cloud with no on-premises Active Directory, you do not need Entra Connect. If you have on-premises AD and want users to access cloud services with the same credentials, Entra Connect is what makes that possible.

Microsoft Entra Connect was previously called Azure AD Connect. Microsoft renamed the product in July 2023 as part of the broader rebranding of its identity portfolio: Azure Active Directory became Microsoft Entra ID, and Azure AD Connect became Microsoft Entra Connect. The product's functionality, architecture, and configuration did not change. Only the name changed.

Yes, Microsoft Entra Connect is Azure AD Connect. It is the same product with a new name following the July 2023 rebrand. If you are running Azure AD Connect today, your installation is already what is now called Microsoft Entra Connect. No reinstallation or migration is required as a result of the rename.

Microsoft Entra Connect synchronizes user accounts, groups, contacts, and attributes from on-premises Active Directory to Microsoft Entra ID. It also handles authentication for hybrid environments. You choose whether users' passwords are validated against a cloud copy (Password Hash Sync), validated by an on-premises agent (Pass-Through Authentication), or handled by a separate federation service (AD FS). It runs as a background service on a Windows server and performs incremental sync cycles every 30 minutes, with password changes syncing every two minutes when Password Hash Sync is enabled.

Both tools sync identities from on-premises Active Directory to Microsoft Entra ID, but they have different architectures. Entra Connect is a full sync engine installed on a dedicated Windows server. It supports Pass-Through Authentication, AD FS federation, complex multi-forest topologies, and advanced custom sync rules. Entra Cloud Sync uses lightweight provisioning agents and manages configuration through the Entra admin center. It is simpler to deploy and maintain but does not support Pass-Through Authentication or AD FS federation. Microsoft recommends Entra Cloud Sync for new deployments where its feature set meets your requirements.

No, Microsoft Entra Connect is not end of life. It is actively maintained and receives regular updates. However, individual versions do retire 12 months after the next version is released, so staying current is important. There is also a mandatory upgrade deadline: all installations must run version 2.5.79.0 or later by September 30, 2026, or synchronization will stop. Microsoft has stated that Entra Connect will eventually be retired once Entra Cloud Sync reaches full feature parity, but no retirement date has been announced.

The default delta sync cycle runs every 30 minutes. Delta syncs process only the changes since the last cycle: new objects, modified attributes, and deletions. A full sync processes all objects in scope and runs automatically on first configuration and after certain configuration changes. You can trigger an immediate delta sync manually using PowerShell: Start-ADSyncSyncCycle -PolicyType Delta. Password Hash Sync runs on its own two-minute cycle, independent of the regular object sync.
