Overview
In this blog I will describe basic functionality of Azure AD Cloud Sync. I might update and extend this blog when I am evaluating more features of Cloud Sync.
The biggest limitation of Cloud Sync today is
- We are not able to hybrid join for domain joined Windows devices.
- Does not support Exchange Hybrid Configuration.
The great benefits of Cloud Sync is if we run disconnected AD Forest that we can sync them much more easily. If we also move client management and identity management to Intune and Azure AD we can benefit from using cloud sync.
You can read more of the feature comparison between AD Connect and Cloud Sync on this link.
Here you can find a good FAQ with common questions about cloud sync.
Configuration of Azure Cloud Sync
You can also read Microsoft configuration guide in this link.
To configure cloud sync visit https://entra.microsoft.com and select:
Show more->Hybrid management->Azure AD Connect->Manage Azure AD cloud sync
Select download agent:
This agent can be installed on a domain joined Server connected to the domain that will be synchronized. Download and start the installation of the Agent. The installation and configuration guide on the server will just create an endpoint. The Actual configuration will be done from Azure. It can be done in Entra portal.
You need a Global Administrator and a Domain Admin when you configure the Agent. You might also need to disable IE enhanced security on the server during the configuration of provisioning agent.
The configuration will create a gMSA account when you do initial configuration it will also create a service account in Azure AD. When you update the provisioning agent you should use existing account and use the account that is already created. You can read more about the accounts under “Services and Service Accounts”.
Services and Service Accounts
The configuration creates two service accounts.
- Cloud Azure AD Account: ADToAADSyncServiceAccount
- Local Active Directory Account: provAgentgMSA
In the picture you can see the Service running and Local Active Directory Account stored in ADDS.
If you accidentally delete the cloud service account you can follow this article to repair it.
Sync scope – OU-filter
In Cloud Sync it’s not supported to filter on attributes.
During the configuration of Cloud Sync we can setup OU filter. My trick to get the correct syntax when adding OUs to the config is to use Active Directory Administrative Center to copy the path:
OU folder structure is inherited downwards, so it’s important to consider the level at which you add OUs in Cloud Sync.
Microsoft 365 Tech blog 