How to Enable Cloud Sync | Entra ID Configuration Steps

You enable Microsoft Entra Cloud Sync by creating a new configuration in the admin center, defining your scope, testing the connection, and turning the sync schedule on.

Enabling Cloud Sync in Microsoft Entra ID connects on-premises Active Directory users, groups, and contacts to Azure without the full server installation Entra Connect requires. The process runs entirely from the browser. The steps are straightforward, but the setup depends on a few limits—knowing your object count and group sizes matters before you start. This walkthrough covers the exact admin center path, the scoping rules, and the common pitfalls that trip up first-time configurations.

What Are The Prerequisites To Enable Cloud Sync?

You need the right admin role and a supported directory environment before Cloud Sync will work. Sign in as a Hybrid Identity Administrator to the Microsoft Entra admin center—without this role the configuration options stay grayed out. Your on-premises Active Directory must be reachable by the provisioning agent, which you install separately as a lightweight service on a domain-joined Windows Server. The agent handles the actual data transfer, and you’ll install it during the initial setup flow.

Cloud Sync is designed for specific directory sizes. Microsoft recommends it for domains with fewer than 150,000 objects and groups with fewer than 50,000 members. If your environment runs Pass-Through Authentication (PTA), needs password writeback, or relies on Hybrid Azure AD Join, Entra Connect is the correct tool instead. Cloud Sync does not support those features.

How To Enable Cloud Sync: Step-by-Step

The setup splits into five sections in the admin center: creating the configuration, choosing your domain, setting scope, reviewing attribute mappings, and enabling the schedule. Follow this order exactly.

  1. Open the Microsoft Entra admin center and go to Entra ID > Entra Connect > Cloud sync.
  2. Select New configuration.
  3. Choose AD to Microsoft Entra ID sync as the sync direction.
  4. Pick the domain you want to synchronize and decide whether to enable Password Hash Sync. Password Hash Sync is optional but recommended for hybrid environments using cloud authentication.
  5. Click Create. The configuration is now created but not yet enabled.
  6. In Add scoping filters, decide how much of your directory to sync. Choose All users, Selected security groups, or Selected organizational units. For groups or OUs, enter the full distinguished name (e.g., OU=Sales,DC=contoso,DC=com).
  7. Click Save after setting scope—forgetting to save is one of the most common mistakes that prevents the next step from working.
  8. Review the attribute mappings and default properties. The defaults cover standard user and group attributes. You can customize them here if needed.
  9. Click Test to verify the agent can reach the domain and apply the scoping rules. A successful test shows green checkmarks per scoping filter.
  10. Finally, select Enable. The sync schedule starts and runs automatically every 10 minutes.

The success cue is a green Enabled status on the configuration detail page. Objects begin appearing in Microsoft Entra ID within the first few sync cycles.

Scope Configuration Options

Scoping filters define exactly which objects synchronize. Using the wrong scope can either miss users or sync too many objects, so match the option to your environment.

Scope Type | What It Syncs | When To Use It
---------- | ------------- | --------------
All users | Every user, group, and contact in the domain | Simple environments with fewer than 150k objects and no need to exclude departments
Selected security groups | Members of the specific group(s), users and nested groups included | Pilot migrations or syncing only a subset of users (e.g., IT team, specific office)
Selected OUs | All objects within the specified organizational unit(s) | Department-based sync where users, computers, and groups are organized by OU
Attribute-based scoping | Users or groups that match a custom attribute filter (e.g., department=Sales) | More granular filtering beyond group or OU membership
Conjunctive scoping | Combines multiple filters with AND logic | Complex environments where a user must meet several conditions to sync
Exclusion scoping | Excludes objects that match a filter while syncing the rest | Exclude specific OUs or groups from a broader sync scope
Nested groups | Members of nested groups are synced if the parent group is in scope | Organizations that use nested group membership for delegation

The scope you choose directly affects how many objects sync and how long the initial cycle takes. For any security group or OU scope, you must provide the distinguished name in the correct format—one wrong character and the filter silently syncs nothing.
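Before typing distinguished names into the scoping step, it is worth confirming that each one resolves and that the domain and groups sit under the limits given in the prerequisites. The script below is an added example written for this walkthrough, not code from the article or from Microsoft; it uses only the RSAT ActiveDirectory module, and the DNs and limits it contains are placeholders taken from the numbers quoted above, so replace them with your own.

```powershell
# Added example (not from the article): pre-flight check for Cloud Sync scoping.
# Run on a domain-joined machine with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$MaxDomainObjects = 150000   # object limit quoted in the prerequisites
$MaxGroupMembers  = 50000    # group-size limit quoted in the prerequisites

# The scoping filters you intend to enter in the admin center (placeholder DNs)
$ScopeDNs = @(
    'OU=Sales,DC=contoso,DC=com',
    'CN=CloudSync-Pilot,OU=Groups,DC=contoso,DC=com'
)

$domain = Get-ADDomain

# 1. Does the whole domain fit under the object limit?
$objectCount = @(Get-ADObject -Filter * -SearchBase $domain.DistinguishedName).Count
if ($objectCount -gt $MaxDomainObjects) {
    Write-Warning "$($domain.DNSRoot) has $objectCount objects (> $MaxDomainObjects); scope to OUs or groups instead of 'All users'."
} else {
    Write-Host "$($domain.DNSRoot): $objectCount objects (within limit)"
}

# 2. Does each DN resolve, and how many objects would it pull into scope?
foreach ($dn in $ScopeDNs) {
    try {
        # A mistyped DN throws here, instead of silently matching nothing in the portal
        $obj = Get-ADObject -Identity $dn -ErrorAction Stop
    } catch {
        Write-Warning "DN not found, check spelling and domain components: $dn"
        continue
    }

    switch ($obj.ObjectClass) {
        'organizationalUnit' {
            # Everything beneath the OU is what an OU filter would sync (subtract the OU itself)
            $n = @(Get-ADObject -Filter * -SearchBase $dn -SearchScope Subtree).Count - 1
            Write-Host "OU    $dn -> $n objects beneath it"
        }
        'group' {
            # Count the member attribute directly; Get-ADGroupMember refuses large groups
            # (ADWS default limit is 5000 entries). This counts direct members only.
            $n = @((Get-ADGroup -Identity $dn -Properties member).member).Count
            if ($n -gt $MaxGroupMembers) {
                Write-Warning "Group $dn has $n direct members (> $MaxGroupMembers); split it before syncing."
            } else {
                Write-Host "Group $dn -> $n direct members"
            }
        }
        default {
            Write-Warning "$dn is a $($obj.ObjectClass), not an OU or group, so it is not a valid scoping filter."
        }
    }
}
```

Run it once before step 6 and again after any change to the scope; a DN that prints a warning here is exactly the one that would have produced a green test and an empty tenant.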

Understanding How Synchronization Behaves

Once enabled, Cloud Sync runs on a recurring schedule every 10 minutes. That interval is fixed—you cannot change it. Changes to on-premises users or groups propagate to Microsoft Entra ID within that window. The first sync after enablement performs a full import of all scoped objects. Subsequent runs are incremental, syncing only new, changed, or deleted objects.

The provisioning agent handles all data transfer. It runs as a background service on the Windows Server you installed it on. If the agent stops or loses connectivity to the domain, sync pauses but does not lose its place—it resumes from the last successful cycle once connectivity returns. You can monitor sync status from the Cloud sync configuration page under Provisioning logs.

Common Mistakes And How to Fix Them

Most first-time Cloud Sync configurations hit one of a few predictable issues. Knowing them ahead of time saves the troubleshooting headache.

Mistake | What Happens | The Fix
------- | ------------ | -------
Not saving scoping filters | Enable button stays grayed out | Go back to the scoping step and click Save before proceeding
Wrong distinguished name | Scope filter returns zero objects; sync appears to work but nothing appears | Verify the OU or group DN in ADUC or PowerShell; use the exact string including the domain components
Object count over 150k | Sync starts but fails or performs poorly | Scope down to fewer OUs or groups; Cloud Sync does not support full-domain sync above 150k objects
Group membership over 50k | Group sync skips or errors | Break large groups into smaller sub-groups under the limit
Expecting password writeback or PTA support | Cloud Sync works but missing features cause confusion | Use Entra Connect if your environment needs writeback or PTA; Cloud Sync does not support them
Agent not installed or disconnected | Test step fails with connectivity error | Reinstall the provisioning agent on a domain-joined server and verify the service is running
No Hybrid Identity Admin role | Cannot create or modify configuration | Assign the role to your account in Entra ID before starting

If a test shows red marks, the most likely cause is an agent connectivity issue or an incorrect distinguished name. Start there.
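When the test step fails, the agent server is the place to look first. The check below is an added example for this walkthrough, not code from the article or from Microsoft. It assumes the agent's Windows service can be found by a display name containing "Provisioning Agent" and uses login.microsoftonline.com as one representative HTTPS endpoint the agent must reach; both are assumptions, so adjust them to what you see on your server and in your firewall rules.

```powershell
# Added example (not from the article): health check to run on the server that
# hosts the provisioning agent when the Cloud Sync test shows red marks.

# 1. Is the provisioning agent service present and running? (display-name pattern assumed)
$svc = Get-Service -DisplayName '*Provisioning Agent*' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'No provisioning agent service found on this server; install the agent here.'
} else {
    foreach ($s in $svc) {
        if ($s.Status -ne 'Running') {
            Write-Warning "$($s.DisplayName) is $($s.Status); attempting to start it"
            Start-Service -Name $s.Name
        } else {
            Write-Host "$($s.DisplayName): Running"
        }
    }
}

# 2. Can this server still talk to its own domain? The agent reads AD from here.
if (Test-ComputerSecureChannel) {
    Write-Host 'Domain secure channel: OK'
} else {
    Write-Warning 'Domain secure channel is broken; the agent cannot read Active Directory from this server.'
}

# 3. Can the agent get out to the cloud over HTTPS? (representative endpoint, assumed)
$cloud = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443
if ($cloud.TcpTestSucceeded) {
    Write-Host 'Outbound HTTPS to login.microsoftonline.com: OK'
} else {
    Write-Warning 'Outbound HTTPS is blocked; check proxy and firewall rules for the agent server.'
}
```

If all three checks pass and the test still fails, the remaining suspect is the distinguished name in the scoping filter, which the table above covers.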

Finish With The Right Configuration

After enabling Cloud Sync, the configuration runs every 10 minutes with the scope and mappings you defined. The final step is confirming that objects appear in Microsoft Entra ID. Check the Provisioning logs in the Cloud sync page to see each sync cycle and any skipped objects. If everything looks clean, you are set. For any configuration change—updating scope, adding a new domain, or adjusting attribute mappings—you can go back to the same configuration page, edit the relevant section, save, and the next sync cycle picks up the changes automatically.
