Entra Connect vs Entra Cloud Sync
The two ways to sync on-prem Active Directory to Entra ID — what each does, and which to use today.
If you run on-premises Active Directory and Microsoft 365, you need to sync user and group objects from AD to Entra ID so the same identities work in both places. Microsoft offers two products: the older Entra Connect (formerly Azure AD Connect) and the newer Entra Cloud Sync (formerly Azure AD Connect Cloud Sync). They overlap, and choosing well matters.
Entra Connect
The traditional Entra Connect Sync is software you install on an on-prem Windows server. It synchronises objects from one or more AD forests to Entra ID with a local sync engine that runs a delta cycle every 30 minutes by default.
Strengths:
- Mature, widely deployed.
- Supports password hash sync, pass-through authentication, and federation (AD FS or a third-party IdP).
- Supports password writeback from Entra ID to AD.
- Rich filtering and attribute transformation rules.
- Still required for scenarios Cloud Sync doesn't cover: Exchange hybrid writeback, syncing device objects, and merging user attributes from multiple domains. (Group writeback, by contrast, has moved to Cloud Sync; the Entra Connect version is deprecated.)
Weaknesses:
- Runs on a Windows server you maintain. A second server in staging mode gives you a warm standby, but failover is a manual switch; there is no active-active mode.
- Heavyweight install and configuration.
- The server is a Tier 0 asset. Its AD connector account holds directory-replication (DCSync) rights, and its Entra connector account sits in the privileged Directory Synchronization Accounts role, so whoever controls the box controls both directories. Harden, isolate and monitor it like a domain controller.
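Whichever tool you pick, the principals holding replication rights on the domain head are the ones that can DCSync it, and the sync account is on that list by design. The script below is an added example (not Microsoft's code and not part of the original page) that enumerates those principals and flags any that are neither a default holder nor a sync account. It assumes the ActiveDirectory RSAT module is installed; the `MSOL_` and `provAgentgMSA$` name patterns are the products' default account names, and the expected-holders list is an assumption to adjust for your forest.

```powershell
# Added example: list principals holding DCSync-equivalent rights on the domain naming context.
# Assumes the ActiveDirectory RSAT module; reading the domain head's ACL needs no special rights.
Import-Module ActiveDirectory

# Extended-right GUIDs of the three replication control access rights, as defined in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Default sync account names (assumption): Entra Connect express install creates MSOL_<hex>,
# Cloud Sync's default gMSA is provAgentgMSA$. Adjust if you used custom accounts.
$SyncAccountPattern = '\\(MSOL_[0-9a-f]+|provAgentgMSA\$)$'

# Principals that hold replication rights out of the box (assumption: adjust for your forest).
# Anything else that is not a sync account deserves an explanation.
$ExpectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    '*\Domain Controllers',
    '*\Enterprise Read-only Domain Controllers',
    '*\Read-only Domain Controllers'
)

$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Which replication rights one ACE effectively grants. GenericAll, or ExtendedRight with an empty
# ObjectType ("all extended rights"), covers all three without naming them.
function Get-AceReplicationRights($ace) {
    if ($ace.ActiveDirectoryRights.HasFlag($GenericAll) -or
        ($ace.ActiveDirectoryRights.HasFlag($ExtendedRight) -and $ace.ObjectType -eq [guid]::Empty)) {
        return @($ReplicationRights.Values)
    }
    if ($ace.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
        $ReplicationRights.ContainsKey($ace.ObjectType.ToString())) {
        return @($ReplicationRights[$ace.ObjectType.ToString()])
    }
    return @()
}

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"

    # Keep only Allow ACEs that grant at least one replication right.
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Get-AceReplicationRights $_).Count -gt 0
    }

    $aces | Group-Object -Property { $_.IdentityReference.Value } | ForEach-Object {
        $principal = $_.Name
        $isExpected = @($ExpectedHolders | Where-Object { $principal -like $_ }).Count -gt 0
        $isSync     = $principal -match $SyncAccountPattern
        $rights     = $_.Group | ForEach-Object { Get-AceReplicationRights $_ } | Sort-Object -Unique
        [pscustomobject]@{
            Principal     = $principal
            Rights        = $rights -join ', '
            IsSyncAccount = $isSync
            Unexpected    = -not ($isExpected -or $isSync)   # flag for review
        }
    }
}

Get-ReplicationRightHolders |
    Sort-Object -Property @{ Expression = 'Unexpected'; Descending = $true }, Principal |
    Format-Table -AutoSize
```

Run it as any domain user. The output should be the domain controllers, Administrators, SYSTEM and exactly the sync account(s) you expect; a row with `Unexpected = True`, or a second `MSOL_` account nobody remembers creating, is worth an incident ticket. The script does not look at principals holding WriteDacl or WriteOwner on the domain head, who could grant themselves these rights; check those separately.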
Entra Cloud Sync
Entra Cloud Sync runs as a lightweight provisioning agent on one or more Windows servers, while the sync configuration and engine live in the cloud; the agents push changes on a cloud-driven cycle that runs every 2 minutes. It handles up to roughly 150,000 objects per agent group, with active-active agents for HA.
Strengths:
- Configured entirely in the cloud, not in a thick Windows app.
- Lightweight agents — install in minutes.
- Active-active multi-agent for high availability.
- Password hash sync and password writeback both supported.
- Microsoft's stated direction is that new hybrid features ship to Cloud Sync first.
Weaknesses:
- Doesn't support pass-through authentication or federation; enabling PTA still requires Entra Connect.
- Exchange hybrid writeback and device object sync still need full Entra Connect.
- Attribute flows are more constrained than the classic engine: basic expression mappings only, and no filtering on attribute values (though the gap is closing).
- Lightweight is not low-privilege. For password hash sync the agent's gMSA still holds replication rights on the domain, so every agent host is Tier 0 too; adding agents for HA adds hosts you must protect.
Which to use today
- New deployment: start with Entra Cloud Sync unless you need something on the Entra Connect-only list. It's where Microsoft is investing.
- Existing Entra Connect deployment, Exchange hybrid in use: stay on Entra Connect for now; plan migration when you decommission Exchange on-prem.
- Multiple disconnected forests that should each sync independently: Cloud Sync is the cleaner answer.
- You need PTA, federation, or specific hybrid writebacks: Entra Connect.
Coexistence
You can run Cloud Sync alongside Entra Connect during a migration — one tool per organisational unit, gradually migrating OUs from one to the other. Microsoft provides a guided migration assessment in the Entra admin center to support that.
Long-term, Microsoft has signalled Cloud Sync as the strategic product. New tenants should default to it; existing ones should plan a path off Entra Connect over the next couple of years.