Unit 2: Plan, Design, and Implement Microsoft Entra Connect

1. Overview of Microsoft Entra Connect

Microsoft Entra Connect (formerly Azure AD Connect) is the core synchronization tool that enables hybrid identity. It acts as a bridge between on-premises Active Directory (AD DS) and Microsoft Entra ID, keeping identity information consistent between the two environments.

In short:

It ensures that users, groups, and credentials in AD are synchronized to the cloud.
It enables users to have a single identity across both environments — one username, one password, and one security policy.

Think of Entra Connect as the “translator” that ensures your local Active Directory and your Microsoft cloud directory speak the same language.

2. Capabilities of Microsoft Entra Connect

Microsoft Entra Connect provides several major capabilities critical for hybrid identity:

Capability	Description
Synchronization	Synchronizes users, groups, contacts, and passwords from on-premises AD DS to Microsoft Entra ID.
Password Hash Synchronization (PHS)	Syncs a hash of the hash of user passwords from AD DS to Microsoft Entra ID, allowing users to use the same password in both environments.
Pass-Through Authentication (PTA)	Validates passwords directly against on-premises AD without storing them in the cloud.
Federation Integration	Supports advanced sign-in scenarios using Active Directory Federation Services (AD FS) or third-party federation providers like PingFederate.
Health Monitoring	Includes Microsoft Entra Connect Health, which monitors synchronization, authentication, and AD FS performance.

Together, these features provide a complete hybrid identity foundation.

3. Why Organizations Use Microsoft Entra Connect

Hybrid identity offers flexibility, but Entra Connect makes it manageable. Here’s why most organizations deploy it:

Single Sign-On (SSO) Experience: Users can log in with the same credentials for both cloud and on-premises resources.
Simplified Administration: Centralized identity management reduces duplication and human error.
Secure Access: Passwords aren’t stored in plain text, and conditional access policies can be applied across environments.
Automatic Updates: Changes in AD (new hires, terminations, group changes) are automatically reflected in the cloud.
Easy Deployment: Entra Connect’s setup wizard simplifies configuration, even for complex environments.

4. Choosing an Authentication Method

Selecting the right authentication method is the most crucial design decision in any hybrid identity deployment. It determines how users sign in, where passwords are validated, and what infrastructure is needed.

There are three main authentication models:

Cloud Authentication
Password validation happens in the Microsoft Entra ID cloud service.
Includes:
Password Hash Synchronization (PHS)
Pass-Through Authentication (PTA)
Federated Authentication
Password validation happens on-premises, via Active Directory Federation Services (AD FS) or another federated provider (like PingFederate).

4.1 Cloud Authentication Options

a. Password Hash Synchronization (PHS)

Concept: When users change their passwords on-premises, a hash of that hash (never the actual password) is synced to Entra ID. Microsoft Entra ID then uses this value to authenticate users directly in the cloud.

Key points:

Simple setup: Enabled by default in Entra Connect Express settings.
No extra infrastructure required.
Sync happens every 2 minutes.
Ideal for organizations without complex security or compliance restrictions.

Example scenario: Contoso Ltd uses Microsoft 365 for email and Teams. Their IT admin installs Entra Connect with express settings and uses PHS. Users log in with their AD passwords — the same credentials work for both their PCs and cloud apps.

Advantages:

Lowest complexity and cost.
Highly available — managed by Microsoft globally.
Can act as a backup for other methods like PTA or Federation.

Limitations:

Account disablement or password change in AD might not immediately apply until the next sync cycle.
Not suitable if regulatory policy forbids any form of password hash storage in the cloud.

b. Pass-Through Authentication (PTA)

Concept: Passwords are validated directly against on-premises AD through lightweight agents installed on servers.

How it works:

The Entra ID sign-in request is securely forwarded to an on-prem agent.
The agent validates credentials against AD DS and returns a “yes/no” response.
Passwords never leave the network.

Infrastructure requirement:

At least 3 authentication agents are recommended for high availability.
These agents must have outbound internet access to communicate securely with Entra ID.

Example scenario: Fabrikam Inc. has strict security policies. They don’t want password hashes stored in the cloud. They deploy PTA with three authentication agents. Users still enjoy SSO, but authentication always occurs on-prem.

Advantages:

Enforces AD policies in real-time (e.g., account lockout, password expiry).
No password hashes in the cloud.
Seamless SSO compatible.

Limitations:

Requires on-premises infrastructure.
If all agents or network connections fail, users can’t sign in unless PHS is configured as a backup.

4.2 Federated Authentication

Federated Authentication uses a trusted on-premises identity provider (such as AD FS) to handle user authentication.

How it works:

When a user signs into a Microsoft service (like Outlook Online), Entra ID redirects them to AD FS.
AD FS validates the credentials and issues a security token back to Entra ID.
The user is then authenticated to the cloud app.

Use cases:

Required for advanced or legacy authentication scenarios, such as:
Smart card authentication.
Certificate-based or third-party MFA.
Non-UPN formats like DOMAIN\username.

Example scenario: A financial firm already has an AD FS environment for partner access. To extend this to Microsoft 365, they configure Entra Connect for federation.

Advantages:

Centralized authentication and granular control.
Supports advanced or regulated sign-in policies.

Limitations:

Complex setup and ongoing maintenance.
Requires multiple servers (AD FS + Web Application Proxy).
If on-premises federation goes down, users lose access until it’s restored.

5. Architecture and Topology

Depending on your environment, you can design Entra Connect in different topologies:

Topology	Description
Single forest, single tenant	The most common setup. One AD forest synchronized to one Microsoft Entra tenant. Supported in Express mode.
Multiple forests, single tenant	Used after mergers or in enterprises with separate forests. Requires custom installation.
Account-resource forest	A common model where one forest holds user accounts and another holds Exchange or shared resources.
Staging server	A secondary Entra Connect server configured in staging mode for disaster recovery.
Multiple tenants	Each Microsoft Entra tenant requires a separate Entra Connect instance (1:1 relationship).

6. Design Considerations

When planning Entra Connect deployment, evaluate the following:

Factor	Design Decision
Source Anchor (Immutable ID)	Choose an attribute that uniquely identifies a user (e.g., objectGUID). It must remain constant throughout the user’s lifetime.
UserPrincipalName (UPN)	Ensure it uses a routable domain (e.g., contoso.com) verified in Entra ID.
Synchronization Frequency	Default is every 30 minutes for directory attributes, every 2 minutes for passwords.
Filtering	Use OU-based or attribute-based filtering to limit which objects sync.
High Availability	Use a staging server or Cloud Sync agents for redundancy.

7. Microsoft Entra Cloud Sync

Microsoft Entra Cloud Sync is a newer, lightweight alternative to Entra Connect. It uses cloud-managed configuration and on-prem provisioning agents instead of the full Entra Connect software.

Benefits:

Easier setup and maintenance.
Ideal for multi-forest or disconnected environments (e.g., post-acquisition).
Supports large groups (up to 50,000 members).
Configuration managed directly from the cloud portal.

Real-world example: After acquiring another company, Contoso Group wants to sync users from the acquired company’s isolated AD forest. Instead of deploying a full Entra Connect server, they install the Cloud Sync agent — lightweight, faster, and managed in the portal.

8. Recommendations and Best Practices

Always enable Password Hash Synchronization even if using PTA or Federation — it serves as a failover method during outages.
Plan your source anchor carefully. Changing it later can cause mismatched or duplicate accounts.
Verify all custom UPN domains in Entra ID before starting synchronization.
Deploy multiple sync or authentication agents for redundancy.
Monitor health continuously using Microsoft Entra Connect Health.
Document your configuration — including filtering rules, authentication methods, and server details — for disaster recovery.

9. Exam Tip

Microsoft loves to test:

Which authentication method is simplest → Password Hash Sync.
Which enforces real-time AD policies → Pass-Through Authentication.
Which supports smartcards or third-party MFA → Federation (AD FS).
What tool provides monitoring → Microsoft Entra Connect Health.

10. Summary

Microsoft Entra Connect is the backbone of hybrid identity. It synchronizes your on-premises AD with the cloud, provides multiple authentication methods, and allows organizations to choose the right balance between security, simplicity, and control.

Use PHS for simplicity.
Use PTA for real-time validation.
Use Federation for complex enterprise needs.
Always enable Connect Health for monitoring and troubleshooting.

SC‑300 Study Portal Dark

Unit 2: Plan, Design, and Implement Microsoft Entra Connect