Connecting On-Premises Active Directory to Microsoft Entra ID: A Complete Implementation Guide
A practitioner’s walkthrough of deploying Microsoft Entra Cloud Sync for a mid-size organisation — from infrastructure preparation through to validated synchronisation — including every error you will encounter and exactly how to resolve it.
Organisations running Windows Server Active Directory on-premises routinely need to extend those identities to Microsoft 365, Intune, and Azure — without replacing the directory that line-of-business applications depend on. Microsoft Entra Cloud Sync is the modern answer to this challenge. This guide documents a complete deployment, including the four categories of failure I consistently encounter across client engagements and the precise resolution for each.
Infrastructure engineers and IT administrators managing Windows Server AD who are deploying hybrid identity for the first time, or investigating why an existing Entra Connect deployment is not synchronising as expected.
Understanding the two sync options
Microsoft offers two products under the Entra Connect umbrella. Choosing the wrong one for your environment adds unnecessary complexity. The decision comes down to topology and management preference.
| Criterion | Cloud Sync | Connect Sync |
|---|---|---|
| Agent model | Lightweight agent, cloud-orchestrated | Full on-premises application server |
| Best suited for | Single forest, cloud-first strategy, disconnected forests | Complex topologies, custom attribute flows, legacy integrations |
| High availability | Built-in — deploy multiple agents | Manual staging server required |
| Maintenance overhead | Low — agent auto-updates | Medium to high |
| Provisioning scope | Users, groups, contacts | All object types, full writeback |
| Recommendation (2026) | Preferred for new deployments | Legacy or complex environments only |
For a single-forest deployment with standard user and group objects, Cloud Sync is the right choice. The operational simplicity and built-in resilience make it preferable to the full Connect Sync application for the majority of organisations I work with.
Architecture and network requirements
Before deployment begins, the network team needs to understand what the provisioning agent actually does — and more importantly, what it does not require. This is where many firewall change requests get over-engineered.
The provisioning agent communicates outbound over HTTPS port 443 only. No inbound rules, no VPN tunnel, no DMZ placement required. This is the most common point of confusion in firewall change requests — the agent initiates all connections to Azure.
Pre-deployment checklist
In my experience, skipping this checklist accounts for roughly 80% of failed initial deployments. Each item is a dependency, not a preference. Verify every one before running the installer.
- Domain functional level is Windows Server 2012 R2 or higher
- Dedicated sync server is provisioned — never install on the domain controller itself
- Sync server is domain-joined to the target AD forest
- DNS on the sync server resolves the AD domain to the domain controller’s private IP — not a public address
- LDAP port 389 and Kerberos port 88 are reachable from the sync server to the domain controller
- All user UPN suffixes use the public domain (e.g. @contoso.com) — not .local or an internal suffix
- The domain is verified in Entra ID under Custom domain names
- The admin account used for agent setup is a cloud-only account — not synchronised from AD
- MFA is fully configured on the admin account before beginning setup
- Microsoft Edge is installed on the sync server
- Outbound HTTPS to *.msappproxy.net and *.microsoftonline.com is permitted
Preparing the on-premises directory
The most common pre-deployment misconfiguration I find is a mismatch between the UPN suffix used in Active Directory and the domain verified in Azure. Legacy environments frequently use a .local or internal suffix that has no public DNS presence and cannot be verified in Azure. This must be corrected before installation.
# Step 1 — Check what UPN suffixes currently exist in the forest
Get-ADForest | Select-Object UPNSuffixes
# Step 2 — Add your verified public domain as an accepted suffix
Set-ADForest -UPNSuffixes @{Add="contoso.com"}
# Step 3 — Update existing user accounts to use the correct UPN
# Scope to a specific OU in production to avoid updating service accounts
Get-ADUser -Filter * -SearchBase "OU=Corporate Users,DC=contoso,DC=com" |
ForEach-Object {
Set-ADUser $_ -UserPrincipalName "$($_.SamAccountName)@contoso.com"
}
# Step 4 — Verify the change before proceeding
Get-ADUser -Filter * -SearchBase "OU=Corporate Users,DC=contoso,DC=com" |
Select-Object Name, UserPrincipalName | Format-Table -AutoSize
Scope the UPN update to user OUs only. Changing the UPN on service accounts used by applications, scheduled tasks, or IIS application pools can break those services immediately. Identify and exclude them before running a bulk update.
Installing the provisioning agent
Download from the Entra admin center
Navigate to Microsoft Entra ID → Microsoft Entra Connect → Cloud Sync → Get started and select Download Provisioning Agent. Run the installer as a local Administrator on the dedicated sync server — not the domain controller.
Authenticate with a cloud-only Global Administrator account
The account used during setup must be a cloud-only account (source: Azure Active Directory, not Windows Server AD) and must have MFA configured and registered before this step. If MFA registration has not been completed, do it from a separate device at https://aka.ms/mysecurityinfo before launching the wizard.
Enter domain credentials in UPN format
When the wizard prompts for Active Directory credentials, always use UPN format: Administrator@contoso.com. The NetBIOS format (CONTOSO\Administrator) causes the domain validation step to fail with a misleading “domain does not exist” error — even when the domain is perfectly reachable.
Allow gMSA creation to complete
The installer creates a Group Managed Service Account to run the agent service. This requires the KDS Root Key to exist in the domain. The installer handles KDS creation automatically on Windows Server 2012 R2 and later. The sync server’s computer account must be in the gMSA’s allowed principals list — covered under troubleshooting below.
Confirm and exit
The final confirmation screen shows the Active Directory domain, the gMSA service account, and the Entra ID tenant the agent has registered with. If all three are present and correct, click Exit. The agent service starts automatically and registers with the Entra backend within 2–3 minutes.
The four errors you will encounter — and their resolutions
These are not edge cases. In over a dozen Entra Cloud Sync deployments I have led or reviewed, these four failure patterns appear consistently. Knowing them in advance turns a frustrating half-day into a 20-minute resolution.
What happens: The agent wizard opens an embedded browser to authenticate against Entra ID. This embedded component is a legacy WebView implementation. When the tenant has Conditional Access or Security Defaults requiring MFA registration, the modern authentication flow cannot render inside the legacy WebView, and the user sees an “unsupported browser” prompt.
Why it happens: The agent does not use the system browser. Installing or updating Microsoft Edge has no effect on the embedded WebView used by the wizard.
Register MFA on the admin account from a separate device — a mobile phone or a different workstation — before launching the agent wizard. Open https://aka.ms/mysecurityinfo, sign in, and add the Microsoft Authenticator app. Once MFA is registered, return to the wizard and authenticate. The embedded browser can complete the auth code exchange without needing to render the MFA registration flow.
What happens: Domain credential validation fails, and the agent cannot proceed past the Connect Active Directory step. This error also appears when attempting to join the sync server to the domain.
Root cause in most deployments: The sync server’s DNS server is set to the default gateway or router, which forwards all queries to the internet. The AD domain resolves to a public IP address rather than the domain controller’s private IP. The domain controller is unreachable at the resolved address.
Run Resolve-DnsName contoso.com on the sync server. If the result is a public IP address, DNS is misconfigured. Run nltest /dsgetdc:contoso.com to confirm whether a domain controller can be located.
# Point DNS directly at the domain controller's private IP
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "10.0.0.10"
# Flush the resolver cache
ipconfig /flushdns
# Verify — result must be a private RFC 1918 address, not a public IP
Resolve-DnsName contoso.com
# Confirm a domain controller is now locatable
nltest /dsgetdc:contoso.com
# Test the LDAP port directly
Test-NetConnection -ComputerName "10.0.0.10" -Port 389
What happens: Azure AD authentication succeeds, Global Administrator role is confirmed in the logs, local AD credentials validate correctly, and the gMSA is created — but the final connector registration step fails with: “The registration request was denied. Your username and password must exist in the Azure AD directory you are attempting to access.”
Why this is confusing: The error message implies a credential problem, but credentials are not the issue. The registration endpoint requires a specific role assignment beyond Global Administrator.
Assign the Hybrid Identity Administrator role to the setup account in Entra ID, in addition to Global Administrator. Navigate to Entra ID → Roles and administrators → Hybrid Identity Administrator → Add assignment. After saving, return to the agent wizard’s confirmation screen and click Confirm again — no reinstallation is required.
Additionally, verify the setup account is a cloud-only account. Accounts synchronised from on-premises AD cannot register the connector, even with all required roles assigned.
What happens: The agent shows as Active in the Entra portal’s Agents tab, but when creating a new Cloud Sync configuration the domain dropdown is empty. The portal shows no available domains to configure.
Root cause: The sync server’s computer account is not listed in the Group Managed Service Account’s PrincipalsAllowedToRetrieveManagedPassword attribute. The agent service cannot authenticate to Active Directory to enumerate the domain, so it reports nothing to the Entra backend.
Run Test-ADServiceAccount -Identity "<gMSA-name>$" on the sync server. A result of False with a Kerberos warning confirms this is the issue.
# Retrieve the sync server's computer account from AD
$SyncServer = Get-ADComputer -Identity "SYNC-SERVER-01"
# Grant it permission to retrieve the gMSA password
Set-ADServiceAccount -Identity "provAgentgMSA$" `
-PrincipalsAllowedToRetrieveManagedPassword $SyncServer
# Verify the assignment was applied
Get-ADServiceAccount -Identity "provAgentgMSA$" `
-Properties PrincipalsAllowedToRetrieveManagedPassword |
Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword
# Purge cached Kerberos tickets so the new permission takes effect
klist purge
# Restart the provisioning agent service
Restart-Service "AADConnectProvisioningAgent" -Force
# Confirm the gMSA test now passes
Import-Module ActiveDirectory
Test-ADServiceAccount -Identity "provAgentgMSA$"
# Expected: True
# Refresh the Entra portal — the domain should now appear in the dropdown
“Every failure pattern in an Entra Cloud Sync deployment shares a common theme: the sync server is not trusted by the domain in some dimension — DNS resolution, Kerberos delegation, or gMSA permissions. Resolve the trust chain methodically and the deployment completes without issue.”
Creating the sync configuration
Installation of the agent does not start synchronisation. A configuration object must be explicitly created in the Entra admin center to define scope, attribute mappings, and which features — such as password hash sync — are active.
- Navigate to Entra ID → Microsoft Entra Connect → Cloud Sync → New configuration
- Select the AD domain from the dropdown — now populated after resolving the gMSA permission
- Confirm Enable password hash sync is checked unless your security policy prohibits cloud-stored password hashes
- Click Create to generate the configuration object
- On the configuration overview page, set Provisioning Status to On and click Save
A newly created configuration defaults to Disabled. It will not sync until you explicitly set Provisioning Status to On and save. This is the most common reason clients report that “nothing is syncing” after a successful installation.
Validating the deployment
Do not treat the Active status indicator in the portal as confirmation that synchronisation is working correctly. Validate the full chain: agent health, sync cycle execution, and user object integrity in Entra ID.
# Confirm the agent service is running
Get-Service -Name "AADConnectProvisioningAgent" | Select-Object Status, DisplayName
# Create a test user in AD to verify end-to-end sync
New-ADUser `
-Name "Sync Test User" `
-SamAccountName "synctestuser" `
-UserPrincipalName "synctestuser@contoso.com" `
-AccountPassword (ConvertTo-SecureString "TempPass@2026!" -AsPlainText -Force) `
-Enabled $true `
-Path "OU=Corporate Users,DC=contoso,DC=com"
# Wait approximately 5 minutes, then verify in Entra ID
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All"
# List all users with on-premises sync enabled
Get-MgUser -Filter "onPremisesSyncEnabled eq true" |
Select-Object DisplayName, UserPrincipalName, AccountEnabled |
Format-Table -AutoSize
# Verify a specific user synced correctly
Get-MgUser -UserId "synctestuser@contoso.com" |
Select-Object DisplayName, OnPremisesDistinguishedName, OnPremisesSyncEnabled, AccountEnabled
Confirm the following in the Entra portal under Users → All Users:
- Synced users show source as Windows Server AD
- On-premises sync enabled is set to Yes
- A synced user can authenticate successfully at
https://myapps.microsoft.comusing their on-premises password
What to build on top of this foundation
A working identity sync is the prerequisite, not the destination. With users flowing from AD into Entra ID, the following workstreams become available and should be scoped into a phase-two engagement.
- Conditional Access policies — enforce MFA, compliant device requirements, and location-based controls across Microsoft 365 and third-party SaaS applications
- Hybrid Entra ID Join — register existing domain-joined Windows 10/11 devices with Entra ID for SSO to cloud resources without re-enrolment
- Microsoft Intune co-management — bring existing SCCM-managed devices under Intune policy management progressively, workload by workload
- Self-Service Password Reset with writeback — allow users to reset passwords from the cloud, with changes synchronised back to on-premises AD immediately
- Entra ID Protection — apply risk-based sign-in and user risk policies against the synchronised identity pool, with automatic remediation workflows
- Privileged Identity Management (PIM) — time-bound, approval-gated elevation for administrative roles, replacing standing privilege assignments
Cloud Sync itself is included in all Microsoft Entra ID tiers, including the free tier. However, Conditional Access, Identity Protection, PIM, and SSPR writeback require Entra ID P1 or P2 licensing. Scope the licensing conversation early — these capabilities are where the business value of hybrid identity is realised.