MS-102 Study Guide

Domain 1: Deploy and Manage a Microsoft 365 Tenant

  • Establish and Configure Your M365 Tenant
  • Monitor Tenant Health and Network Readiness
  • Adoption Tracking and Microsoft 365 Backup
  • Manage Users, Contacts and External Identities
  • Groups, Shared Mailboxes and Licensing at Scale
  • Automate with PowerShell: Bulk User Operations
  • Roles, Role Groups and Workload Permissions
  • Delegate with Administrative Units and PIM

Domain 2: Implement and Manage Microsoft Entra Identity and Access

  • Prepare for Identity Synchronization
  • Implement Connect Sync and Cloud Sync
  • Monitor and Troubleshoot Identity Sync
  • Authentication Methods and Self-Service Password Reset
  • Password Protection and Authentication Troubleshooting
  • Entra Identity Protection and Risk Policies
  • Conditional Access and MFA Enforcement

Domain 3: Manage Security and Threats by Using Microsoft Defender XDR

  • Defender XDR: Security Posture and Threat Intelligence
  • Investigate Incidents with Advanced Hunting
  • Defender for Office 365: Threat Policies
  • Email Threats, Attack Simulation and Restricted Entities
  • Defender for Endpoint: Onboard and Protect
  • Vulnerability Management
  • Defender for Cloud Apps: Connect and Govern
  • Cloud App Discovery and Activity Monitoring

Domain 4: Manage Compliance by Using Microsoft Purview

  • Sensitive Information Types and Data Classification
  • Retention Labels and Data Lifecycle
  • Sensitivity Labels and Monitoring
  • DLP Policies Across M365 Workloads
  • Endpoint DLP and Alert Response

Domain 2: Implement and Manage Microsoft Entra Identity and Access

Implement Connect Sync and Cloud Sync

Choose between Microsoft Entra Connect Sync and Cloud Sync, understand their architectures, and implement the right synchronization engine for your environment.

Two sync engines, one goal

☕ Simple explanation

Microsoft gives you two ways to sync your on-premises Active Directory to the cloud — like choosing between a full-service moving company and a shipping container service.

Connect Sync is the full-service option: powerful, flexible, handles complex scenarios, but you need to manage the truck (a dedicated server). Cloud Sync is the lightweight option: simpler, managed by Microsoft, perfect for straightforward environments, but can’t handle every edge case.

The exam expects you to know which tool fits which scenario — and increasingly, Cloud Sync is the recommended default.

Microsoft offers two directory synchronization tools:

  • Microsoft Entra Connect Sync — a full-featured sync engine installed on a dedicated Windows Server on-premises. Supports complex topologies (multi-forest, custom sync rules, device writeback, group writeback, Exchange hybrid).
  • Microsoft Entra Cloud Sync — a lightweight agent installed on-premises that offloads sync processing to the cloud. Simpler to deploy, auto-updated by Microsoft, supports multi-forest scenarios natively, but lacks some advanced features.

Both tools synchronise users, groups, and contacts from AD DS to Microsoft Entra ID. The choice depends on your topology, feature requirements, and operational preferences.

Architecture comparison

Connect Sync vs Cloud Sync Architecture

| Feature | Connect Sync | Cloud Sync |
|---|---|---|
| Sync engine location | On-premises server | Microsoft cloud (agent on-prem) |
| Server requirements | Dedicated Windows Server (SQL optional) | Lightweight agent on any domain-joined server |
| Updates | Manual — you manage upgrades | Automatic — Microsoft manages agent updates |
| High availability | Staging server (manual failover) | Multiple agents (automatic failover) |
| Multi-forest | Supported (complex config for multi-domain forests) | Native multi-forest support with one config |
| Sync cycle | Every 30 minutes (configurable) | Every 2 minutes (scheduler); user/group provisioning ~10-20 minutes |
| Custom sync rules | Yes — full sync rule editor | Limited — attribute mapping only |
| Password hash sync | Supported | Supported |
| Pass-through auth | Supported | Not configured through Cloud Sync (managed separately) |
| Federation (AD FS) | Supported | Not supported |
| Device writeback | Supported | Not supported |
| Exchange hybrid | Full support | Full support |
| Group writeback | Supported | Supported |
| Group provisioning to AD | | |
| Object limit per domain | Unlimited | 150,000 |
| Large group members | 250,000 | 50,000 |

When to use which

| Scenario | Recommended Tool | Why |
|---|---|---|
| Single forest, straightforward sync | Cloud Sync | Simpler deployment, auto-updates, faster sync cycles |
| Multi-forest merger or acquisition | Cloud Sync | Native multi-forest support without complex configuration |
| Large enterprise with custom sync rules | Connect Sync | Full sync rule editor for complex attribute transformations |
| Exchange hybrid deployment | Connect Sync | Full Exchange hybrid support — though Cloud Sync now has parity, Connect Sync remains battle-tested |
| Pass-through authentication required | Connect Sync | PTA agents are managed separately from Cloud Sync |
| AD FS federation | Connect Sync | Cloud Sync doesn’t support federation |
| Device writeback needed | Connect Sync | Cloud Sync doesn’t support device writeback |
| New deployment, no special requirements | Cloud Sync | Microsoft’s recommended default for new deployments |

Marcus’s decision for Oakwood Financial

Oakwood Financial has:

  • Single AD forest, single domain
  • 800 users, no Exchange hybrid (migrating fully to Exchange Online)
  • No custom sync rules needed
  • Wants minimal on-prem infrastructure

Decision: Cloud Sync — it’s simpler, auto-updates, and Oakwood doesn’t need Connect Sync’s advanced features.

Priya’s decision for GlobalReach

GlobalReach has:

  • Multi-forest environment (acquisitions)
  • Exchange hybrid (keeping some mailboxes on-prem for 12 more months)
  • Custom sync rules for attribute mapping between forests
  • Device writeback for Conditional Access

Decision: Connect Sync — the custom sync rules and device writeback requirements mandate it. While Cloud Sync now supports Exchange hybrid, GlobalReach’s multi-forest attribute mapping needs the full sync rule editor.

💡 Exam tip: The migration path

Microsoft is investing more in Cloud Sync and recommends it for new deployments. The exam may ask about migrating from Connect Sync to Cloud Sync. Key points:

  • You can run both tools simultaneously during migration (side-by-side)
  • Critical: During side-by-side operation, Connect Sync and Cloud Sync must manage non-overlapping sets of objects (different OUs). If both tools manage the same user, conflicts and data corruption can occur
  • Cloud Sync can handle a subset of OUs while Connect Sync handles the rest
  • Full migration requires that Cloud Sync supports all your current features
  • There’s no automatic migration tool — it’s a planned transition

If the exam asks “What’s the recommended sync tool for a NEW deployment with no special requirements?” → Cloud Sync.
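The "non-overlapping sets of objects" rule above is the one that bites in practice, because an OU included in Connect Sync's filter also covers every OU nested beneath it. The checker below is an added illustration for this guide, not Microsoft tooling: it models each engine's scope as included OUs (plus any explicitly excluded OUs) and reports every pair whose subtrees overlap. The Oakwood DNs, the scope dictionaries and the field names `include`/`exclude` are constructed for the example; the real filters are set in the Connect Sync wizard and the Cloud Sync configuration, not in a file like this.

```python
"""Detect overlapping OU scopes between Connect Sync and Cloud Sync (illustrative).

Model: an engine manages an OU's whole subtree unless a more specific OU is
excluded. Two engines conflict when their included subtrees intersect and the
intersection is not fully carved out by an exclusion on either side.
"""
from typing import Dict, List, Tuple


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, lower-cased and trimmed, so that
    'OU=Sales, DC=Corp' and 'ou=sales,dc=corp' compare equal."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def is_within(child: str, parent: str) -> bool:
    """True when `child` is `parent` itself or lies anywhere beneath it.
    In LDAP a DN sits under another when its RDN list ends with the parent's."""
    c, p = normalize_dn(child), normalize_dn(parent)
    return len(c) >= len(p) and c[-len(p):] == p


def find_scope_conflicts(connect_scope: Dict[str, List[str]],
                         cloud_scope: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (Connect Sync OU, Cloud Sync OU, shared subtree) for every overlap.

    If one included OU is nested in the other, the overlap is exactly the deeper
    OU's subtree; that overlap is harmless only if either engine excludes an OU
    at or above it. A partial exclusion further down still leaves a conflict."""
    excludes = connect_scope.get("exclude", []) + cloud_scope.get("exclude", [])
    conflicts = []
    for a in connect_scope["include"]:
        for b in cloud_scope["include"]:
            if is_within(a, b):
                shared = a
            elif is_within(b, a):
                shared = b
            else:
                continue  # disjoint subtrees: safe
            if any(is_within(shared, ex) for ex in excludes):
                continue  # whole shared subtree is excluded by one engine
            conflicts.append((a, b, shared))
    return conflicts


# Constructed sample scopes for the Oakwood side-by-side migration.
CLOUD_SCOPE = {
    "include": ["OU=Pilot,OU=Corp,DC=oakwood,DC=local",
                "OU=Contractors,DC=oakwood,DC=local"],
}
# Correct: Connect Sync keeps OU=Corp but carves out the Pilot OU handed to Cloud Sync.
GOOD_CONNECT_SCOPE = {
    "include": ["OU=Corp,DC=oakwood,DC=local"],
    "exclude": ["OU=Pilot,OU=Corp,DC=oakwood,DC=local"],
}
# Wrong: Connect Sync still owns all of OU=Corp, so Pilot users are managed twice.
BAD_CONNECT_SCOPE = {
    "include": ["OU=Corp,DC=oakwood,DC=local"],
}


def report(connect_scope, cloud_scope) -> str:
    """Human-readable verdict used by the demo below."""
    conflicts = find_scope_conflicts(connect_scope, cloud_scope)
    if not conflicts:
        return "OK: scopes are disjoint"
    lines = ["CONFLICT: the same objects would be managed by both engines"]
    for a, b, shared in conflicts:
        lines.append(f"  Connect Sync {a}  <->  Cloud Sync {b}  (shared subtree {shared})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(GOOD_CONNECT_SCOPE, CLOUD_SCOPE))
    print(report(BAD_CONNECT_SCOPE, CLOUD_SCOPE))
```

Run it before cutting over a pilot OU: the second report is the configuration the exam tip warns about, where a user in OU=Pilot is written by both engines.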

Authentication methods with sync

Directory sync handles identity, but you also need to choose how passwords are validated:

| Method | How It Works | Best For |
|---|---|---|
| Password hash sync (PHS) | Password hashes are synced to Entra. Cloud authenticates directly. | Default and recommended. Works with both sync tools. |
| Pass-through authentication (PTA) | Authentication request forwarded to on-prem AD in real time | Orgs that require on-prem password validation (security policy) |
| Federation (AD FS) | Authentication redirected to on-prem AD FS servers | Complex SSO requirements, smart card auth, third-party MFA |

ℹ️ Deep dive: Password hash sync is NOT storing your password in the cloud

A common misconception (and exam topic): PHS does NOT sync actual passwords. It syncs a hash of a hash — the on-prem AD password hash is further hashed using SHA-256 before being sent to Entra via an encrypted channel.

Microsoft cannot reverse-engineer the password from the stored hash. PHS also enables:

  • Leaked credentials detection — Microsoft checks synced hashes against known breach databases
  • Cloud authentication resilience — if on-prem AD is offline, users can still sign in to cloud services
  • Seamless SSO — combined with PHS, domain-joined devices get automatic cloud sign-in

The exam may ask: “Which authentication method allows users to sign in to M365 even if on-prem AD is offline?” → Password hash sync.

Key concepts to remember

Question

Name three features that Connect Sync supports but Cloud Sync does not.

Answer

1. Pass-through authentication configuration (PTA agents managed separately from Cloud Sync). 2. Device writeback. 3. Custom sync rules (full sync rule editor). Also: AD FS federation integration. Note that Cloud Sync now supports Exchange hybrid and group writeback — these are no longer Connect Sync exclusives.

Question

What is the sync cycle frequency for Connect Sync vs Cloud Sync?

Answer

Connect Sync: every 30 minutes (configurable). Cloud Sync: scheduler runs every 2 minutes, but user/group provisioning takes approximately 10-20 minutes end-to-end. Cloud Sync also has a 150,000-object-per-domain limit, while Connect Sync has no object limit.

Question

What does password hash sync actually sync to the cloud?

Answer

A hash of a hash — NOT the actual password. The on-premises AD password hash (NTLM hash) is further hashed with SHA-256 before being transmitted via an encrypted channel. Microsoft cannot reverse this to obtain the password.

Question

Which sync tool does Microsoft recommend for NEW deployments with no special requirements?

Answer

Microsoft Entra Cloud Sync — it's simpler to deploy, auto-updates, supports multi-forest natively, has faster sync cycles, and requires minimal on-premises infrastructure.

Knowledge check

Knowledge Check

Dev is evaluating sync options for a client with a single AD forest, 500 users, no Exchange on-premises, and a requirement for minimal infrastructure management. Which sync tool should Dev recommend?

Knowledge Check

Priya's GlobalReach environment uses Connect Sync with Exchange hybrid writeback. The company is completing its Exchange Online migration next quarter. What should Priya plan for after migration?

Next up: Monitor and Troubleshoot Identity Sync — because sync will break, and you need to know how to fix it.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.