Microsoft Entra Connect (formerly known as Azure AD Connect) is a Microsoft application that integrates on-premises Active Directory and Microsoft Entra ID seamlessly, in particular giving users the experience of single sign-on, or at least same sign-on.
It includes several technologies:
- Microsoft Entra Connect Sync
- Microsoft Entra Connect Health
- ADFS (Active Directory Federation Services)
- The PHS/PTA/SSSO Provisioning Connector
The primary component (and what people often mean when they say “Microsoft Entra Connect”) is Microsoft Entra Connect Sync. This is a synchronization service intended to run between AD (Active Directory) and Microsoft Entra ID (though it can do much more). The interface looks the same as the FIM or MIM synchronization service manager (and that’s because it is based on FIM 2010) but with far fewer types of Management Agents (“connectors”) available.
A significant difference is that synchronization rules bear little correspondence to those in FIM or MIM, and are configured in a special interface, entirely through a UI (no coding).
Microsoft Entra Connect is a sync engine, based on the tried and tested Microsoft Identity Manager (MIM) – and yet very different from it in many ways. It is easy to set up for several scenarios, but if you get under the covers it can do a lot more. Here is a summary:
- Microsoft Entra Connect has some clever tricks, but it can’t do everything.
- Its primary use is to connect on-premises Active Directory (AD) to in-cloud Microsoft Entra ID, synchronizing users – including their passwords – and (optionally) groups.
- You can use it in addition to MIM, but you do not have to have MIM.
- There are some simple scenarios where you can extend it to do a “MIM-like” job – a good example is the inclusion of an HR feed as an authoritative source for users to be provisioned into Active Directory and Microsoft Entra ID.
- Where it replaces MIM, there may be license savings, but don’t assume that overall implementation costs are significantly impacted (the solution still needs to be designed, implemented, and tested).
- MIM is the serious workhorse that is still needed for any fancy password management beyond Active Directory to Microsoft Entra ID, for any “GALSync-like” scenario (e.g. where you are merging global address lists across Active Directory forests), and for anything involving the MIM portal (like SSPR or group management, white pages/enterprise directory, policy/set/workflow engine). However, some things done by the portal can be done in Microsoft Entra ID instead (SSPR and group management).
- Put another way, MIM is good for complex scenarios, where seasoned MIM consultants/developers would find the Microsoft Entra Connect UI very limiting.
- Microsoft Entra Cloud Sync will eventually replace Microsoft Entra Connect.
Microsoft Entra Connect is set up using a wizard. While there is nothing to stop you from manually editing all manner of configuration options, you should do any further configuration with care, as not all usage is supported. What is and is not supported is not something we can explore on this page – nor why! If you want to know about this, you need our 3-day Masterclass.
Microsoft Entra Connect Health, as the name implies, is an on-cloud service that gives you insights into the synchronizations performed by Microsoft Entra Connect Sync and lets you know (for example) about any synchronization failures.
The Provisioning Connector is a multi-purpose component that enables password hash synchronization, pass-through authentication, and seamless single sign-on, and can provision WorkDay users into Active Directory (WorkDay is a cloud HR system). Between this and the remaining components, Microsoft Entra Connect can support several authentication methods, ranging from Same Sign-On (username and password are synchronized) to pass-through authentication, to federated single sign-on. See here for further details.
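Because the Entra Connect Sync server is the one place where both the scheduler state and the password hash synchronization setting can be verified locally (without waiting for Entra Connect Health to raise an alert), a read-only check on that server is a useful complement to the components described above. The script below is an added example and is not code from this page or from Microsoft; it uses the ADSync PowerShell module that is installed with Microsoft Entra Connect and assumes it is run in an elevated session on the Entra Connect server itself. The value `'AD'` for the on-premises connector type, and the `Enabled` property on the password sync configuration object, are assumptions about the module's output shape; the forest name in the comment is a placeholder. Nothing in the script changes configuration.

```powershell
# Added example (not from the page or from Microsoft): read-only health check for a
# Microsoft Entra Connect Sync server using the ADSync module it ships with.
# Assumes an elevated PowerShell session on the Entra Connect server itself.

Import-Module ADSync -ErrorAction Stop

# 1. Scheduler: is the built-in sync cycle on, is the server in staging mode
#    (staging servers import and sync but never export), and when is the next
#    cycle due? A disabled or suspended scheduler means nothing is syncing.
$scheduler = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled    = $scheduler.SyncCycleEnabled
    StagingModeEnabled  = $scheduler.StagingModeEnabled
    SchedulerSuspended  = $scheduler.SchedulerSuspended
    EffectiveInterval   = $scheduler.CurrentlyEffectiveSyncCycleInterval
    NextCycleUtc        = $scheduler.NextSyncCycleStartTimeInUTC
    NextCyclePolicyType = $scheduler.NextSyncCyclePolicyType
} | Format-List

# 2. Connectors (the "management agents" from the FIM/MIM heritage): normally one
#    per on-premises AD forest plus the Microsoft Entra ID connector.
$connectors = Get-ADSyncConnector
$connectors | Select-Object Name, ConnectorTypeName | Format-Table -AutoSize

# 3. Password hash synchronization state for each on-premises AD connector.
#    ASSUMPTION: the AD connector reports ConnectorTypeName 'AD' and the
#    configuration object exposes an 'Enabled' property. Connector names are the
#    forest names, e.g. "contoso.com" (placeholder).
$adConnectors = $connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' }
foreach ($c in $adConnectors) {
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name
    "{0}: password hash sync enabled = {1}" -f $c.Name, $phs.Enabled
}

# 4. Is a run in progress right now? The cmdlet returns nothing when idle.
$running = Get-ADSyncConnectorRunStatus
if ($running) {
    $running | Select-Object ConnectorName, RunState | Format-Table -AutoSize
} else {
    "No sync run in progress."
}

# 5. Flag the states that most often explain "users are not appearing in Entra ID".
if (-not $scheduler.SyncCycleEnabled) { Write-Warning "Sync cycle is disabled." }
if ($scheduler.SchedulerSuspended)    { Write-Warning "Scheduler is suspended." }
if ($scheduler.StagingModeEnabled)    { Write-Warning "Server is in staging mode: no exports will occur." }
```

Run it from an elevated PowerShell prompt on the sync server; the output is informational only. If you need to trigger a cycle after reviewing it, `Start-ADSyncSyncCycle -PolicyType Delta` is the supported way to do so, rather than editing the scheduler settings by hand.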
Want to learn more about Microsoft Entra Connect?
Our five-star rated live, instructor-led 3-day Microsoft Entra Connect Masterclass is for architects and administrators responsible for connecting their on-premises Active Directory with a Microsoft Entra ID tenant. You will:
- Understand what Microsoft Entra Connect can do beyond its ‘out-of-the-box’ form and investigate its many additional capabilities
- Learn how to configure and maintain it, and which configurations are supported
It’s the only comprehensive, structured training course for this complex and powerful technology.
Don’t have the time to attend a course?
Whatever you need to know about Microsoft Entra Connect, we’ve got it covered.
Our series of highly practical on-demand video training courses enable you to learn exactly what you need to know about Microsoft Entra Connect when you need to know it.
Learn how to build an HR-driven provisioning solution for your Active Directory and Microsoft Entra ID with our practical video training.