Hybrid identity sync sounds simple until you pick the tool that runs it.
Microsoft Entra Connect Sync gives you a full sync engine on a Windows Server, with deep control over flows, sign-in options, and hybrid features. Microsoft Entra Cloud Sync shifts most configuration into Entra, then uses lightweight agents to bridge on-prem AD to the cloud.
This guide on Microsoft Entra Connect vs Microsoft Entra Cloud Sync compares architecture, feature gaps, scaling, and real-world scenarios so you can choose with confidence.
What is Microsoft Entra Connect?
Microsoft Entra Connect is Microsoft’s on-premises tool for hybrid identity. You install it on a Windows Server to connect Active Directory (AD DS) with Microsoft Entra ID, then you sync identities and related data into the cloud.

It also supports common sign-in options like Password Hash Sync and Pass-through Authentication, so you can keep one identity across on-prem and cloud apps while you control the configuration from your environment.
What is Microsoft Entra Cloud Sync?
Microsoft Entra Cloud Sync is Microsoft’s cloud-managed sync option for hybrid identity. You sync users, groups, and contacts from on-prem AD to Microsoft Entra ID, but instead of running the full Entra Connect application, you use the Microsoft Entra cloud provisioning agent.
You manage the sync configuration in Entra, and the agent handles the connection to your directory for provisioning and deprovisioning. Microsoft also allows Cloud Sync to run alongside Entra Connect Sync in some setups.
Let’s continue our Microsoft Entra Connect vs Microsoft Entra Cloud Sync comparison.
Microsoft Entra Connect vs Microsoft Entra Cloud Sync: Quick Decision Snapshot
Pick Microsoft Entra Cloud Sync when you want a lighter on-prem footprint, multiple active agents for high availability, on-demand provisioning, and support for some “messy reality” cases like disconnected forests after mergers.
Pick Microsoft Entra Connect Sync when you need the classic sync engine features, advanced sync-rule control, Pass-Through Authentication, device object sync and device writeback, or topologies where Microsoft explicitly supports Connect Sync and you already rely on its operational patterns (like staging mode).
Installation and Prerequisites
Cloud Sync Agent Requirements
Cloud Sync relies on the provisioning agent, and Microsoft ties that agent to specific Windows Server versions. Install the agent on a domain-joined server that runs Windows Server 2016, 2019, or 2022. Microsoft calls out Windows Server 2025 as not supported and documents a known issue involving it.
A few details matter in real deployments:
- Give the server at least 4 GB RAM and .NET 4.7.1+.
- Don’t use Windows Server Core for the agent box.
- Make sure the agent server can reach domain controllers on TCP 389 (LDAP) and TCP 3268 (Global Catalog).
If you plan group writeback through Cloud Sync, Microsoft also expects Active Directory schema support for msDS-ExternalDirectoryObjectId (Windows Server 2016 schema and later).
Entra Connect Sync Prerequisites
Connect Sync also runs on Windows Server and requires typical “hybrid identity” prerequisites (domain join, supported Windows Server versions, TLS 1.2, .NET requirements, and a compatible AD forest functional level).
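The prerequisites above are easy to verify before an install, and checking them up front avoids a half-configured agent host. The script below is an added example written for this article, not Microsoft's own tooling or a script from the page: it runs on a candidate agent server and reports each prerequisite as pass or fail. The thresholds (Windows Server 2016/2019/2022, no Server Core, 4 GB RAM, .NET 4.7.1+, TCP 389 and 3268 to domain controllers, the msDS-ExternalDirectoryObjectId schema attribute, and the TLS 1.2 requirement shared with Connect Sync) come from the article; the registry locations, the .NET Release value for 4.7.1 (461308), the `Add-Check` helper and the output column names are this example's assumptions.

```powershell
# Added example (not from the article): pre-flight check for a prospective
# Microsoft Entra Cloud Sync provisioning agent host, plus the TLS 1.2 check
# that Connect Sync also expects. Run in an elevated PowerShell session on
# the candidate server. Registry paths, the .NET Release threshold and the
# helper/column names are assumptions of this example.

$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Domain membership: the agent must run on a domain-joined server.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain joined' $cs.PartOfDomain $cs.Domain

# 2. Supported OS: 2016/2019/2022 are listed; 2025 is called out as unsupported.
$os = Get-CimInstance Win32_OperatingSystem
$osOk = $os.Caption -match 'Windows Server (2016|2019|2022)'
Add-Check 'Supported Windows Server version' $osOk $os.Caption

# 3. Not Server Core: InstallationType reads 'Server Core' on Core installs.
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Add-Check 'Desktop Experience (not Server Core)' ($installType -ne 'Server Core') $installType

# 4. At least 4 GB of RAM.
$ramGb = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Check 'RAM >= 4 GB' ($ramGb -ge 4) "$ramGb GB"

# 5. .NET Framework 4.7.1 or later (Release 461308 is the lowest 4.7.1 value).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = if ($ndp) { [int]$ndp.Release } else { 0 }
Add-Check '.NET Framework >= 4.7.1' ($release -ge 461308) "Release=$release"

# 6. TLS 1.2 for .NET (the Connect Sync prerequisite): SchUseStrongCrypto=1 and
#    SystemDefaultTlsVersions=1 under both the 64-bit and Wow6432Node keys.
$tlsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$tlsOk = $true
foreach ($key in $tlsKeys) {
    $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $p -or $p.SchUseStrongCrypto -ne 1 -or $p.SystemDefaultTlsVersions -ne 1) { $tlsOk = $false }
}
Add-Check 'TLS 1.2 enforced for .NET' $tlsOk ($tlsKeys -join '; ')

# 7. Reachability of each DC on TCP 389 (LDAP); TCP 3268 (Global Catalog) is
#    only tested against DCs that actually hold the GC role, since a non-GC DC
#    does not listen on 3268 and would otherwise produce a false failure.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    $ports = @(389)
    if ($dc.IsGlobalCatalog()) { $ports += 3268 }
    foreach ($port in $ports) {
        $tnc = Test-NetConnection -ComputerName $dc.Name -Port $port -WarningAction SilentlyContinue
        Add-Check "TCP $port to $($dc.Name)" $tnc.TcpTestSucceeded $tnc.RemoteAddress
    }
}

# 8. Schema support for msDS-ExternalDirectoryObjectId (needed for group writeback).
#    FindProperty throws when the attribute is absent from the schema.
try {
    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
    $null = $schema.FindProperty('msDS-ExternalDirectoryObjectId')
    Add-Check 'Schema has msDS-ExternalDirectoryObjectId' $true 'attribute present'
} catch {
    Add-Check 'Schema has msDS-ExternalDirectoryObjectId' $false $_.Exception.Message
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more prerequisites failed; fix them before installing the agent.'
}
```

The port checks use the DC list from the machine's own domain, so run the script from the domain the agent will serve. A failing TLS row does not block a Cloud Sync install by itself, but keeping both sync tools on the same TLS baseline avoids surprises if you later run them side by side.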
In other words, both tools need a real Windows Server footprint. Cloud Sync usually needs less of it, but it still needs something solid and well-managed.
What You Can Sync: Objects and References
1. Users, Groups, Contacts: Both Tools Cover the Basics
Both Connect Sync and Cloud Sync support user objects, group objects, and contact objects. That “baseline parity” covers the core hybrid identity goal for a lot of organizations.
2. Device Objects: Connect Sync Carries the Weight
Connect Sync supports device objects. Microsoft’s comparison table does not list device object support for Cloud Sync. If your environment relies on device objects flowing through sync for specific hybrid scenarios, treat that as a serious decision point.
3. Cross-forest References
Microsoft’s comparison table calls out cross-domain references support for both tools, and cross-forest references support for Cloud Sync. That matters in enterprises where groups and users reference each other across boundaries.
4. Password Hash Sync
Both tools support Password Hash Sync. So if you want cloud authentication with synced password hashes (a common setup), either tool can fit.
5. Pass-Through Authentication: Connect Sync Only
Microsoft lists Pass-Through Authentication support under Connect Sync, not Cloud Sync. If you rely on PTA, keep Connect Sync in your plan or plan a sign-in redesign.
To Sum Up
If you want the classic sync engine, Pass-through Authentication, and certain hybrid features like device scenarios, Microsoft Entra Connect Sync often fits best.
If you want cloud-managed configuration, multiple active agents for high availability, and stronger support for some complex forest setups, Microsoft Entra Cloud Sync usually makes more sense.
Use your requirements as the filter, then pilot in a small scope before you standardize across the directory.
Frequently Asked Questions
What does Microsoft Entra Connect Sync do?
Microsoft Entra Connect Sync runs as the sync engine inside Microsoft Entra Connect. It syncs identity data between your on-premises Active Directory environment and Microsoft Entra ID, and it handles the core sync operations end to end. Microsoft also positions it as the successor to DirSync and Azure AD Sync.
What does Microsoft Entra Cloud Sync do?
Microsoft Entra Cloud Sync syncs users, groups, and contacts from on-premises Active Directory to Microsoft Entra ID, but it does it through the Microsoft Entra cloud provisioning agent instead of the full Entra Connect app.
How do the architectures differ?
Entra Connect Sync places the sync engine on your own server, and that server does the sync work. Cloud Sync shifts orchestration into Microsoft Online Services, so you only run lightweight agents on-prem while you manage configuration in Microsoft Entra ID.
Which one should you start with for new hybrid sync projects?
Microsoft encourages you to review Cloud Sync’s features before you deploy Entra Connect Sync, and Microsoft recommends Cloud Sync when it fits your requirements. Microsoft also provides an evaluation wizard to help you decide.
Can Cloud Sync handle disconnected forests after mergers or acquisitions?
Yes, Cloud Sync supports syncing to a single tenant from multiple disconnected Active Directory forests, and Microsoft calls out merger and acquisition scenarios as common drivers. Entra Connect Sync supports multiple forests too, but Cloud Sync specifically targets the “disconnected forests” reality.
