Identity is the new perimeter. In a multi-cloud world, how you synchronise that identity determines the speed of your transformation and the strength of your security posture.
The Evolution of Hybrid Identity
For years, Microsoft Entra Connect (formerly Azure AD Connect) was the gold standard for bridging on-premises Active Directory with the cloud. However, as enterprise environments grew more complex — involving mergers, acquisitions, and multi-tenant architectures — the need for a more lightweight, cloud-governed solution became apparent.
Enter Microsoft Entra Cloud Sync. Unlike its predecessor, which relies on a heavy on-premises engine, Cloud Sync moves the heavy lifting to the cloud and uses a lightweight provisioning agent to bridge the gap.
Cloud Sync vs. Connect Sync
Understanding the distinction is critical for architects planning a migration or a new greenfield deployment:
- Lightweight Footprint: Provisioning agents are lightweight and only require outbound connections. No complex local database or heavy compute requirements.
- Cloud-Managed: Configuration and management happen entirely in the Entra admin center. Updates are pushed automatically from the cloud.
- Multi-Forest Support: Easily sync from multiple disconnected AD forests to a single Microsoft Entra tenant without needing complex network trust relationships.
Multi-Cloud Identity Strategies
In a multi-cloud environment (Azure, AWS, GCP), Microsoft Entra ID often serves as the root Identity Provider (IdP). Cloud Sync enables two powerful scenarios:
1. Disconnected Forest Integration
During mergers and acquisitions, you often inherit AD forests that cannot immediately be bridged via VPN or ExpressRoute. Cloud Sync agents can be deployed in these isolated environments to sync identities to your central Entra tenant over HTTPS, enabling Day 1 collaboration (Teams/SharePoint) across the whole organisation.
2. Cross-Cloud Synchronization
Microsoft has recently introduced Cross-Cloud synchronization (in public preview), which leverages the same underlying provisioning service to sync users across different Microsoft cloud environments (e.g., Azure Commercial to Azure Government). This is a game-changer for organisations operating in highly regulated sectors or across geographic boundaries.
Architecture and High Availability
Resiliency is paramount. For production environments, I always recommend:
- Multiple Agents: Deploy at least two provisioning agents per domain for automatic failover.
- gMSA Support: Use Group Managed Service Accounts for the agents to eliminate manual password management.
- Outbound-Only: The agent needs only outbound HTTPS (TCP 443) and no inbound ports, so your firewalls should allow nothing more than that outbound traffic.
Beyond these recommendations, Cloud Sync itself provides:
- Automatic agent updates
- Integrated monitoring via Entra ID Provisioning Logs
- Password Hash Synchronization (PHS) support
- Password Writeback support (via Entra Connect)
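As an added example (my own script, not Microsoft's code and not part of the original article), the following PowerShell health check verifies the agent recommendations above on a single provisioning agent host: service running, service identity is a gMSA, and outbound TCP 443 reachable. The service name and the endpoint list are assumptions; adjust them to your environment and to Microsoft's current agent prerequisites.

```powershell
# Added example: local health check for an Entra Cloud Sync provisioning agent host.
# Assumptions (not taken from the article): the agent's Windows service is named
# 'AADConnectProvisioningAgent', and the hosts below are the endpoints the agent must
# reach outbound on TCP 443. Verify both against your installed agent and Microsoft's docs.

$ServiceName = 'AADConnectProvisioningAgent'
$Endpoints   = @('login.microsoftonline.com')   # extend with the hosts listed in your agent's prerequisites

function Test-CloudSyncAgentHost {
    $result = [ordered]@{}

    # 1. Is the agent service present and running?
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    $result.ServiceRunning = ($null -ne $svc -and $svc.State -eq 'Running')

    # 2. Does it run as a gMSA? gMSA logon names end with '$' (e.g. CONTOSO\provAgentGMSA$).
    #    A plain user account here means a password somebody has to rotate by hand.
    $result.UsesGmsa = ($null -ne $svc -and $svc.StartName -match '\$$')

    # 3. Outbound-only: confirm TCP 443 reaches each required endpoint. Nothing inbound is
    #    tested because nothing inbound should be open for this agent.
    $result.OutboundOk = $true
    foreach ($endpoint in $Endpoints) {
        $ok = Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $ok) {
            $result.OutboundOk = $false
            Write-Warning "No outbound TCP 443 path to $endpoint"
        }
    }

    # 4. Redundancy is a tenant-level property (at least two agents per domain), so record
    #    this host's name for the cross-check against the agent list in the Entra admin center.
    $result.HostName = $env:COMPUTERNAME

    [pscustomobject]$result
}

Test-CloudSyncAgentHost | Format-List
```

Run it on every agent host and compare the HostName values with the agents registered in the Entra admin center; a domain that shows up only once has no failover.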
Conclusion
Microsoft Entra Cloud Sync isn't just a replacement for Entra Connect; it's a fundamental shift towards cloud-managed identity. By reducing on-premises overhead and simplifying multi-forest scenarios, it provides the agility needed for modern multi-cloud architectures.
Are you looking to streamline your hybrid identity or planning a complex multi-forest synchronization? Let's discuss how we can optimize your identity plane.