Monitor and Troubleshoot Identity Sync
Use Microsoft Entra Connect Health to monitor synchronization, diagnose sync errors, and troubleshoot common issues with both Connect Sync and Cloud Sync.
When sync breaks at 2 AM
Directory sync runs silently in the background — until it doesn’t. Then the helpdesk phones start ringing.
Monitoring sync is like monitoring a water pipe. When it’s working, you don’t think about it. But you need sensors to detect blockages (sync errors), leaks (attribute conflicts), and pressure drops (performance issues) before they become emergencies. Microsoft Entra Connect Health is your sensor dashboard.
Monitoring with Microsoft Entra Connect Health
What Connect Health monitors
| Metric | What It Shows | Alert Threshold |
|---|---|---|
| Sync status | Last successful sync, current cycle status | Alert if no sync for 2+ hours |
| Export errors | Objects that failed to sync to Entra | Any export error |
| Sync latency | Time between AD change and Entra update | Typically under 30 minutes |
| Server health | CPU, memory, disk, network on sync server | Resource exhaustion |
| Password sync status | Password hash sync success/failure | Any PHS failure |
| AD connectivity | Connection to on-prem AD controllers | Connection loss |
Setting up Connect Health
- Install the health agent on the Connect Sync server
- Register with your Entra tenant — requires Global Admin or Hybrid Identity Admin
- Configure email alerts — Entra > Connect Health > Alert settings
- Dashboard available at Entra admin center > Connect Health
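Added here as an example (not code from the study guide or from Microsoft): a local check run on the Connect Sync server with the ADSync module that applies the same "no sync for 2+ hours" threshold as the table above, useful when the Connect Health agent itself is the thing that is down. The run-history property names (RunProfileName, Result, EndDate) and the Get-ADSyncConnectorRunStatus output shape are assumptions based on the module's usual output.

```powershell
# Added example: local staleness check for Connect Sync (assumes the ADSync module on the server).
Import-Module ADSync

$staleAfter = [TimeSpan]::FromHours(2)   # same threshold Connect Health alerts on

# Scheduler state explains most "it just stopped syncing" cases before any error appears.
$scheduler = Get-ADSyncScheduler
if (-not $scheduler.SyncCycleEnabled) { Write-Warning 'Scheduler disabled: no automatic cycles will run.' }
if ($scheduler.SchedulerSuspended)    { Write-Warning 'Scheduler suspended: usually a crashed or stuck cycle.' }
if ($scheduler.StagingModeEnabled)    { Write-Warning 'Staging mode: this server imports but never exports.' }

# Most recent successful export from run history (property names assumed: RunProfileName, Result, EndDate).
$lastExport = Get-ADSyncRunProfileResult -NumberRequested 50 |
    Where-Object { $_.RunProfileName -like 'Export*' -and $_.Result -eq 'success' } |
    Sort-Object EndDate -Descending | Select-Object -First 1

if (-not $lastExport) {
    Write-Warning 'No successful export in the last 50 run-history entries.'
} else {
    $age = [DateTime]::UtcNow - $lastExport.EndDate.ToUniversalTime()
    if ($age -gt $staleAfter) {
        Write-Warning ('Last successful export was {0:N0} minutes ago (threshold {1:N0}).' -f
            $age.TotalMinutes, $staleAfter.TotalMinutes)
    } else {
        Write-Output ('OK: last successful export {0:N0} minutes ago on connector {1}.' -f
            $age.TotalMinutes, $lastExport.ConnectorName)
    }
}

# Connectors with a run still in progress (assumption: cmdlet returns one entry per busy connector).
$busy = Get-ADSyncConnectorRunStatus
if ($busy) {
    $busy | ForEach-Object { Write-Warning ('Connector {0} is busy: {1}' -f $_.ConnectorName, $_.RunProfileName) }
}
```

A run that stays busy across two checks is the "pressure drop" case from the analogy above and usually means a hung step rather than a slow one.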
Deep dive: Connect Health for AD FS and AD DS
Connect Health isn’t just for sync servers. It also monitors:
- AD FS servers — sign-in failures, token request latency, server availability, extranet lockouts
- AD Domain Services — replication health, LDAP queries, DNS errors, domain controller availability
For MS-102, the focus is on sync monitoring, but know that Connect Health is a broader platform. The health agent must be installed on EACH server being monitored (each DC, each AD FS server, etc.).
Monitoring Cloud Sync
Cloud Sync monitoring is simpler — it’s built into the Entra admin center:
| Where | What You See |
|---|---|
| Entra > Cloud Sync > Agent status | Agent health, version, last activity |
| Entra > Cloud Sync > Configuration > Logs | Provisioning logs — every object change |
| Entra > Cloud Sync > Configuration > Status | Overall sync status, errors, warnings |
| Entra > Audit logs | Sync-related events |
Cloud Sync agents auto-update and report status to Entra continuously. If an agent goes offline, other agents (if deployed) automatically take over.
Common sync errors and fixes
| Error | Cause | Fix |
|---|---|---|
| Duplicate attribute (proxyAddresses) | Two AD objects share the same email address | Identify the duplicate in AD, remove or change one. Use IdFix to find duplicates. |
| Invalid characters | Special characters in attributes that Entra doesn't accept | Fix the attribute value in AD. Common culprits: trailing spaces, control characters. |
| UPN conflict | Synced UPN matches an existing cloud-only user | Delete or rename the cloud-only user, or change the on-prem UPN. |
| Sync server offline | Connect Sync server is down or unreachable | Check server health, restart sync service, verify network connectivity. |
| Password hash sync failure | PHS agent can't reach Entra endpoints | Check firewall rules, verify outbound HTTPS access, restart PHS. |
| Orphaned objects | AD object deleted but Entra object remains | Check deletion threshold settings. Objects go to Entra recycle bin for 30 days. |
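Added here as an example (not code from the study guide, and not IdFix itself): an IdFix-style pre-sync check using the ActiveDirectory module that surfaces the first two rows of the table above before they become export errors, duplicate SMTP addresses across objects and invalid characters in key attributes. $SearchBase is an assumption; point it at the OUs you actually sync.

```powershell
# Added example: find duplicate addresses and invalid characters in AD before Connect Sync exports them.
Import-Module ActiveDirectory
$SearchBase = 'OU=Synced,DC=contoso,DC=com'   # assumption: replace with your synced OU(s)

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail, proxyAddresses, userPrincipalName

# 1. Duplicate addresses: map every SMTP address (mail + proxyAddresses, lower-cased) to its owners.
$owners = @{}
foreach ($u in $users) {
    $addresses = @()
    if ($u.mail) { $addresses += $u.mail }
    foreach ($p in $u.proxyAddresses) {
        if ($p -match '^(?i)smtp:(.+)$') { $addresses += $Matches[1] }   # strip the smtp:/SMTP: prefix
    }
    $addresses = $addresses | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
    foreach ($a in $addresses) {
        if (-not $owners.ContainsKey($a)) { $owners[$a] = @() }
        $owners[$a] += $u.DistinguishedName
    }
}
foreach ($entry in $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }) {
    Write-Warning ('Duplicate address {0} on: {1}' -f $entry.Key, ($entry.Value -join '; '))
}

# 2. Invalid characters: leading/trailing whitespace and control characters in the attributes
#    Entra is strictest about. The pattern covers the common culprits named above, not every rule.
$badPattern = '^\s|\s$|[\x00-\x1F\x7F]'
foreach ($u in $users) {
    foreach ($attr in 'userPrincipalName', 'mail', 'sAMAccountName') {
        $v = $u.$attr
        if ($v -and $v -match $badPattern) {
            Write-Warning ("Invalid characters in {0} of {1}: '{2}'" -f $attr, $u.DistinguishedName, $v)
        }
    }
}
```

Run it against the sync scope before a first sync and after any bulk import, since both errors are far cheaper to fix in AD than after they appear in Connect Health's export errors.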
Dev’s 2 AM troubleshooting scenario
Dev gets an alert: a client’s Cloud Sync agent hasn’t synced for 4 hours. His troubleshooting process:
- Check agent status in Entra > Cloud Sync — agent shows “Inactive”
- Check the on-prem server — the server is running but the Cloud Sync agent service has stopped
- Review Windows Event Log — certificate renewal failed, agent can’t authenticate
- Fix: Restart the agent service, re-register if needed
- Verify: Check provisioning logs for successful sync after restart
Exam tip: Connect Sync vs Cloud Sync troubleshooting differences
The exam may present a troubleshooting scenario and ask which tool is in use based on the symptoms:
- “Admin can’t find the staging server” → Connect Sync (Cloud Sync doesn’t have staging servers)
- “Agent auto-updated and broke” → Cloud Sync (Connect Sync requires manual updates)
- “Custom sync rule producing unexpected results” → Connect Sync (Cloud Sync doesn’t have custom sync rules)
- “Multiple agents deployed for high availability” → Cloud Sync (Connect Sync uses staging servers, not multiple agents)
Knowing the architecture helps you identify the tool and the appropriate troubleshooting steps.
Accidental deletion protection
Both sync tools include protection against mass deletions:
- Connect Sync: Deletion threshold (default: 500 objects per cycle). If more objects would be deleted, sync pauses and alerts the admin.
- Cloud Sync: Similar protection with configurable thresholds.
If Marcus accidentally removes an OU from the sync scope, the deletion threshold prevents all users in that OU from being deleted in Entra. He gets an alert, reviews the change, and either confirms the deletion or fixes the scope.
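Added here as an example (not code from the study guide or from Microsoft): the Connect Sync side of the scenario above, using the ADSync module to read the current deletion threshold, detect whether the last export was stopped by it, and, only after explicit confirmation, release it for a single delta cycle before restoring the 500-object default. The export-step result string 'stopped-deletion-threshold-exceeded' and the prompting behaviour of the Enable/Disable cmdlets are assumptions about the module's current build.

```powershell
# Added example: inspect and (after review) release the Connect Sync deletion threshold.
Import-Module ADSync

Get-ADSyncExportDeletionThreshold   # shows whether the threshold is enabled and its current value

# Was a recent export stopped by the threshold? (Result string assumed from the run-history output.)
$blocked = Get-ADSyncRunProfileResult -NumberRequested 50 |
    Where-Object { $_.Result -eq 'stopped-deletion-threshold-exceeded' } |
    Sort-Object EndDate -Descending | Select-Object -First 1

if ($blocked) {
    Write-Warning ('Export on connector {0} stopped at {1}: deletion threshold exceeded. Review the scope change before releasing.' -f
        $blocked.ConnectorName, $blocked.EndDate)
} else {
    Write-Output 'No export has been blocked by the deletion threshold in recent run history.'
}

# Release path, gated behind a High-impact confirmation so it is never run by accident:
# disable the threshold, let exactly one delta cycle export, then put the threshold back.
function Approve-PendingSyncDeletions {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([int]$Threshold = 500)   # 500 is the default quoted above

    if ($PSCmdlet.ShouldProcess('Connect Sync export', 'Release deletion threshold for one delta cycle')) {
        Disable-ADSyncExportDeletionThreshold            # may prompt for Entra admin credentials
        Start-ADSyncSyncCycle -PolicyType Delta
        Start-Sleep -Seconds 15                          # give the scheduler time to mark the cycle as running
        do { Start-Sleep -Seconds 30 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $Threshold
    }
}
```

The function is only the "confirms the deletion" branch of the scenario; if the scope change was a mistake, fix the OU filter instead and the next cycle exports nothing to delete.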
Key concepts to remember
Knowledge check
Priya receives an alert that Connect Sync hasn't completed a cycle in 3 hours. Connect Health shows the sync server is healthy but the export to Entra ID is failing with 'duplicate attribute' errors for 50 objects. What should Priya investigate first?
Dev deployed two Cloud Sync agents for a client's environment. Agent 1 goes offline due to a server reboot. What happens to synchronization?