Entra Connect Sync Best Practices

Overview

Microsoft Entra Connect Sync (formerly Azure AD Connect) continues to be the backbone of many hybrid identity environments. Even with Cloud Sync gaining popularity, Connect Sync is still the right choice for complex setups, hybrid Exchange scenarios, device writeback, and environments that need deeper customization. The tool is powerful, but it needs to be designed and maintained with care. The tips in this guide focus on practical, real-world best practices that keep Connect Sync stable, predictable, and easier to support over the long term.

1. Architecture and Design

Use a Dedicated Server

Connect Sync runs best when it is on its own server. Avoid installing it on a domain controller or a shared server. A dedicated VM keeps performance consistent and simplifies troubleshooting.

Always Deploy a Staging Server

A staging server gives you a fast and safe recovery option. If the primary server fails or needs maintenance, you can switch the staging server to active within minutes. Keep the configurations aligned using export and import so failover is smooth. Staging server is a must. Simply non-negotiable. I recently ran into an issue at an organization which didn’t have one and had a sync outage for the entire day. If you haven’t built one, do it today and follow the Microsoft setup article (source).

External SQL Works Best for Larger Environments

If you have more than a small environment or you want cleaner backup routines, use an external SQL Server instance. Each Connect Sync server needs its own database. Production, staging, and test servers should never share the same database.

Follow Least Privilege

Use a Group Managed Service Account (gMSA) for the sync engine whenever possible. Give it only what it needs: db_owner on its own ADSync database along with the required Active Directory permissions. As of version 1.1.613.0 Entra Connect Sync supports pre-configuring the database by a DBA and handing it over to an Entra admin with db_owner rights. No elevation to SA needed (source).

2. Synchronization Configuration

Filter Carefully

OU-based filtering is the simplest and most reliable method. Group-based filtering works too, but attribute-based filtering can become complicated and harder to support.

Do Not Sync AD Admin Accounts

Microsoft strongly recommends against synchronizing on-premises accounts with preexisting administrative accounts in Microsoft Entra ID. This introduces a security risk because you would be exposing privileged accounts to the cloud (source).

Keep Custom Rules Minimal

Custom attribute flows and transformations should be used only when needed. Too many rules make troubleshooting harder. Document everything you add and keep exported configurations with version history. Avoid extra custom rule filtering, as it can slow down the sync process significantly, especially if you have a large enterprise environment with tens of thousands of objects.

Choose the Right Authentication Method

Password Hash Sync (PHS) is usually the best choice because it is simple, fast, and low maintenance. If your environment needs Pass Through Authentication (PTA), deploy at least two PTA agents for redundancy. Also, only PHS is fully supported by Entra Cloud Sync, so you’re future proofing your environment by selecting PHS. See my other article on Entra Cloud Sync vs Entra Connect Sync (source).

3. Security and Accounts

Service Accounts

Use a group managed service account (gMSA) for the synchronization service. This reduces password management risks and helps maintain security. Make sure the gMSA account is only set to support AES128 and AES256 or you might run into issues if your server is hardened. I literelly just ran into this issue with a legacy gMSA account and had to drop RC4 support from it (source).

SQL Permissions

The synchronization service account only needs db_owner rights on the database it will use. If a DBA pre-creates the database, the service account does not need SQL server-level roles like SA (see Follow Least Privilege section above).

Active Directory Permissions

Grant the sync account the standard permissions required for proper directory synchronization: Replicating Directory Changes and Replicating Directory Changes All. These are the only permissions needed in typical environments. DO NOT give the sync account Domain Admin or other elevated privileges. It’s not required and the wizard will actually detect and prevent you from proceeding.

4. Monitoring and Operations

Use Entra Connect Health

If you have Entra ID P1 or P2, enable Connect Health. It provides visibility into sync errors, performance issues, and alerts that are easy to miss if you only watch local logs.

Back Up What Matters

If you are using LocalDB, you need full server backups. If you use an external SQL Server, back up the ADSync database the same way you back up other production databases. Export the Connect configuration regularly as part of your backup plan.

Review Logs

Check the Synchronization Service logs and Windows Event Viewer on a regular basis. Many sync issues provide early warnings before they grow into bigger problems.

5. Updates and Version Management

Keep Connect Sync updated and within a supported version range. Updates often include important fixes and compatibility improvements. When updating, switch the staging server to active, update the old primary, and switch back if desired. This avoids downtime and provides a rollback path.

6. High Availability and Disaster Recovery

Primary and Staging Servers

Treat the staging server as part of your production design. Test a failover on a regular basis to confirm it works as expected.

SQL Resilience

If you use external SQL, consider using Always On or regular full backups. The ADSync database is small but very important.

Configuration Backups

Export the Connect Sync configuration after every change. Store the exports safely so you can rebuild quickly if needed.

7. Security Hardening

Enforce TLS 1.2 and turn off outdated protocols. Restrict RDP access to the Connect Sync server. Allow gMSA keys to rotate on schedule. Use PIM or a break glass process for the Entra admin account used during setup. These small steps help reduce long-term risk.

8. Planning Ahead

Microsoft is encouraging organizations to adopt Entra Cloud Sync for simpler and cloud-first environments. Connect Sync is still required for certain scenarios such as hybrid Exchange or device writeback, but Cloud Sync is clearly the direction Microsoft is taking. A practical approach is to use Connect Sync where it fits, use Cloud Sync where it makes sense, and document a long-term strategy.

Summary

Connect Sync can run quietly for years when it is designed and maintained correctly. A dedicated server, a staging server, proper SQL planning, clean filtering, and steady monitoring form the foundation of a stable and secure hybrid identity environment.