Entra Connect Sync vs Entra Cloud Sync

Introduction

Microsoft Entra provides two primary synchronization tools for hybrid identity:

• Entra Connect Sync (formerly Azure AD Connect), and
• Entra Cloud Sync (formerly Azure AD Connect Cloud Sync).

Both bridge your on-premises Active Directory (AD) with Microsoft Entra ID (cloud). But their architectures, capabilities, and intended use cases differ significantly.

This guide breaks down their key differences, shared capabilities, migration considerations, and Microsoft’s future direction so you can decide which sync engine best fits your environment.

What Each Sync Tool Does

Entra Connect Sync

• Full on-premises installation (Windows Server)
• Contains SQL LocalDB, sync scheduler, and complete configuration locally (external SQL DB option available)
• Best suited for complex enterprise topologies, hybrid Exchange, and advanced customization
• Formerly known as Azure AD Connect

Entra Cloud Sync

• Lightweight agent-based solution
• Configuration and sync logic run in the cloud (Entra portal)
• Ideal for multiple AD forests or cloud-first environments seeking minimal infrastructure
• No full sync server – just install one or more agents

Comparison between Connect and Cloud Sync

Below is a comparison table between the two versions of Entra Sync. Review to ensure that you select the right client for the needs of your organization:

Feature	Connect sync	Cloud sync
Connect to single on-premises AD forest	●	●
Connect to multiple on-premises AD forests	●	●
Connect to multiple disconnected on-premises AD forests		●
Lightweight agent installation model		●
Multiple active agents for high availability		●
Support for user objects	●	●
Support for group objects	●	●
Support for contact objects	●	●
Support for device objects	●
Allow basic customization for attribute flows	●	●
Synchronize Exchange online attributes	●	●
Synchronize extension attributes 1-15	●	●
Synchronize customer defined AD attributes (directory extensions)	●	●
Support for Password Hash Sync	●	●
Support for Pass-Through Authentication	●
Support for federation	●	●
Seamless Single Sign-on	●	●
Supports installation on a Domain Controller	●	●
Support for Windows Server 2022, Windows Server 2019, and Windows Server 2016	●	●
Filter on Domains/OUs/groups	●	●
Filter on objects’ attribute values	●
Allow minimal set of attributes to be synchronized (MinSync)	●	●
Allow removing attributes from flowing from AD to Microsoft Entra ID	●	●
Allow advanced customization for attribute flows	●
Support for password writeback	●	●
Support for device writeback	●	Customers should use Cloud Kerberos trust for this moving forward
Support for group writeback		●
Support for merging user attributes from multiple domains	●
Microsoft Entra Domain Services support	●
Exchange hybrid writeback	●	●
Unlimited number of objects per AD domain	●
Support for up to 150,000 objects per AD domain	●	●
Groups with up to 50,000 members	●	●
Large groups with up to 250,000 members	●
Cross domain references	●	●
Cross forest references	●
On-demand provisioning		●
Support for US Government	●	●

Common Features

Capability	Description
Identity sync	Users, groups, and contacts from on-prem AD to Entra ID
Password Hash Sync (PHS)	Synchronizes password hashes to Entra ID for cloud authentication
Basic filtering	Limit which domains/OUs/groups are synchronized
High availability	Supported in both (via staging server or multiple agents)
Security-anchored sync	TLS 1.2+, encrypted channels, secure credential handling
Server requirements	Windows Server 2022 is preferred (Server 2025 is NOT supported)

Key Differences

Feature	Entra Connect Sync	Entra Cloud Sync
Deployment	On-premises server with SQL LocalDB	Lightweight on-prem agent(s)
Management	Local GUI and PowerShell; full rule editing	Managed in Entra portal; simplified UI
Attribute mappings	Full transformation engine	Basic one-to-one mappings
Filtering options	Domain, OU, group, and attribute-based	Domain, OU, or group only
Supported scenarios	Multi-forest, hybrid Exchange, device write-back, PTA, federation	Multiple disconnected forests, PHS only
Authentication modes	PHS, Pass-Through Authentication (PTA), or Federation	PHS only
Write-back features	Password, device, and group write-back supported	Limited (password write-back only)
Hybrid join / device sync	Fully supported	Not supported (as of 2025)
High availability	Requires staging server	Native multi-agent support
Scaling limits	Millions of objects	Approx. 150,000 objects per domain (soft limit)
Management model	Local sync rules editor	Portal-based configuration
Sync cycle	30 Minutes (can be customized)	10 Minutes

Architectural Model

Aspect	Entra Connect Sync	Entra Cloud Sync
Architecture	Stateful – maintains a local SQL database, configuration state, and sync history. Requires OS patching, backups, and lifecycle management.	Stateless – no local database or state. The lightweight agent only brokers communication to the cloud service, which holds sync logic and configuration.
Maintenance	Requires patching, version upgrades, and monitoring of the sync engine and Windows Server.	Minimal maintenance. The agent auto-updates and depends on Microsoft’s cloud-managed sync service.
Resilience	Recovery depends on server restore or rebuild using backups.	Resilience achieved by deploying multiple agents; no database recovery required.

When to Use Each

Choose Connect Sync if you:

• Have a complex AD topology with multiple forests or domains
• Rely on Hybrid Exchange, Pass-Through Authentication, or Federation
• Require device write-back or hybrid join
• Need custom attribute transformations or advanced filtering logic
• Manage large object counts or hybrid workloads

Choose Cloud Sync if you:

• Want a cloud-first, low-maintenance hybrid setup
• Have simple or disconnected forests (for example, mergers and acquisitions)
• Do not need advanced write-back or device sync features
• Prefer high availability without staging servers
• Need fast onboarding for multiple AD environments

Migration and Coexistence

Microsoft supports running both sync engines side-by-side as long as they synchronize different objects.
For example, you can:

• Keep Entra Connect Sync for your core domain
• Use Entra Cloud Sync for newly acquired or isolated forests

Migration Steps (High-Level)

1. Assess dependencies such as Hybrid Exchange, PTA, and device write-back
2. Review feature parity to ensure Cloud Sync supports your requirements
3. Deploy Cloud Sync agents and pilot a limited OU or group
4. Run both sync engines in coexistence and validate synchronization results
5. Switch the synchronization scope and decommission legacy Connect Sync servers

For Microsoft’s official coexistence guidance, refer to: Microsoft Learn — What is Entra Connect Sync

Microsoft’s Direction

“Microsoft Entra Connect Cloud Sync is the long-term solution for directory synchronization.” – Microsoft Learn (2025)

While Entra Connect Sync remains fully supported, Microsoft is clearly moving toward Cloud Sync as the preferred model.

Future feature parity will include:

• Group write-back
• Device synchronization
• Advanced attribute mappings

Once these reach general availability, Connect Sync will begin its phased retirement.

Summary

Scenario	Recommended Sync Engine
Complex hybrid environment	Entra Connect Sync
Multi-forest (lightweight)	Entra Cloud Sync
Hybrid Exchange or Device Join	Entra Connect Sync
Cloud-first / minimal servers	Entra Cloud Sync
Advanced attribute mapping	Entra Connect Sync
Multiple ADs in M&A setup	Entra Cloud Sync

Final Thoughts

If you are deploying hybrid identity in 2025:

• Start with Cloud Sync for new or simple environments.
• Retain Connect Sync where advanced hybrid or legacy features are still required.
• Begin migration planning early; Cloud Sync’s cloud-native model will eventually simplify long-term management and reduce infrastructure overhead.