Azure AD Connect and recommended methods for data synchronization

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

What exactly is Azure AD Connect and do you need it for your business? Let’s take a step back and examine the big picture to find the answer to that. The Microsoft cloud is now heavily utilized by many businesses. Solutions like Microsoft 365, Microsoft Teams, SharePoint Online, and OneDrive for Business are in particular now necessary for efficient teamwork among geographically distributed workforces.


However, many businesses also maintain an on-premises Microsoft infrastructure for a variety of valid reasons. To solve unique security or regulatory compliance issues, businesses may, for instance, have outdated programs that are too challenging to move to the cloud or extremely sensitive data that must be retained locally.

But maintaining two distinct identities is simply not feasible for the majority of organizations. It’s not a good experience for corporate users, to start. They don’t want to be repeatedly reminded to enter their credentials for the “other” environment, nor do they care where a piece of content or an application they require is hosted. Additionally, it would double the provisioning labor and eventually result in errors that put security and productivity at risk. IT teams detest managing two entirely different sets of user IDs.

Microsoft thankfully offers two helpful tools: Azure AD Connect sync and Azure AD Connect Cloud sync. The application following information regarding these priceless items

Azure AD Connect: What is it?

Microsoft has created a service called Azure AD Connect to assist businesses with hybrid IT infrastructures. As part of your Azure membership, it is free. Numerous functions are available, such as federation integration and health monitoring. Today, though, we’ll concentrate on its most well-known feature: synchronisation.

Simply put, businesses utilise Azure AD Connect to automatically sync identity information between their on-premises Active Directory infrastructure and Azure AD. Users can then access cloud services like Microsoft 365 as well as on-premises apps using the same login information.

How does it operate?

On a domain-joined server in your on-site data centre, you install the application. Express Settings, which is used for the most typical scenario—synchronizing data across a single on-premises forest with one or more domains and a single Azure AD tenant—is the default installation option. Examine the alternative topologies that Microsoft supports if you have numerous forests or Azure AD tenants.

Syncing only occurs in one direction by default, from on-premises AD to Azure AD. The writeback method can be set up to sync changes from Azure AD back to your on-premises AD, though. The password will be updated in the on-premises AD, for example, if a user changes their password using the Azure AD self-service password management feature.

What types of data can the tool sync?

User accounts, groups, and credential hashes in your on-premises AD can be synchronized with Azure AD Connect. The majority of user account attributes, including the security identifier (SID) and user principal name (UPN), are synced.

The following items and characteristics, however, ARE NOT synchronized:

  • Any objects and attributes you specifically exclude from the sync
  • SidHistory attributes for users and groups
  • Group Policy objects (GPOs)
  • The contents of the Sysvol folder
  • Computer objects for computers joined to the on-premises AD environment
  • Organization unit (OU) structures

How frequently is data synchronized?

A scheduler manages the synchronization. A sync job automatically executes every 30 minutes.


PowerShell enables you to:


Examine the scheduler’s configuration and make a few changes.

sync by force.

Stop a sync task that is already executing, or even briefly turn off the scheduler (for example, so that you can modify the configuration of Azure AD Connect).

Microsoft’s suggestions for your synchronization schedule.

A sync occurs by default every 30 minutes. Microsoft states that a sync must happen at least once every seven days, but you can change the sync cycle, as follows:

A delta sync must take place within seven days after the last delta sync.

Within seven days of the completion of the last full sync, a delta sync (which comes after one) must take place.

Failure to adhere to these suggestions may lead to problems that can only be fixed by a full sync, which can take a lot of time.

New synchronization options

Azure AD Connect cloud sync, a new synchronization tool from Microsoft, is now available. You can use this option to deploy a lightweight agent that you can administer in Azure AD in both your on-premises and IaaS-hosted settings.

The functionality provided by the two sync programs is similar but not identical. For example, Azure AD Connect cloud sync enables employing multiple provisioning agents and synchronizing from a multi-forest detached Active Directory system (valuable in merger and acquisition scenarios in particular) (which can simplify high availability environments). The writeback or synchronization of customer-defined AD attributes is not supported, in contrast to Azure AD Connect.


Professional Labs is the Best Cloud Managed Services Provider, for more details contact
Contact Us | Professional labs (