SC-300 Study Guide

Domain 1: Implement and Manage User Identities

  • Your Entra Tenant: Branding, Settings & Domains
  • Entra Roles & Administrative Units
  • Managing Users & Groups
  • Device Registration & Licensing
  • External Identities: Guest Access & B2B
  • Cross-Tenant Access & Synchronisation
  • Hybrid Identity: Connect Sync vs Cloud Sync
  • Hybrid Authentication: PHS, PTA & Seamless SSO

Domain 2: Implement Authentication and Access Management

  • Authentication Methods: Plan & Implement
  • Passwordless & Windows Hello for Business
  • MFA, SSPR & Password Protection
  • Conditional Access: Plan & Build Policies
  • Conditional Access: Advanced Controls & Troubleshooting
  • Entra ID Protection: Risk-Based Security
  • Global Secure Access: Zero Trust Networking

Domain 3: Plan and Implement Workload Identities

  • Workload Identities: Managed Identities & Service Principals
  • Enterprise Apps: SSO, App Proxy & Integration
  • Enterprise Apps: Users, Consent & Collections
  • App Registrations: Build & Secure
  • Defender for Cloud Apps: Discover & Control
  • Defender for Cloud Apps: Policies & OAuth Governance

Domain 4: Plan and Automate Identity Governance

  • Entitlement Management: Catalogs & Access Packages Free
  • Access Requests, Terms of Use & External Lifecycle Free
  • Access Reviews: Plan, Create & Monitor Free
  • PIM: Protect Your Privileged Roles Free
  • PIM: Azure Resources, Groups & Audit Free
  • Identity Monitoring: Logs, KQL & Secure Score Free

Domain 1: Implement and Manage User Identities (Premium, ~14 min read)

Hybrid Identity: Connect Sync vs Cloud Sync

Bridge your on-premises Active Directory with Entra ID: choose between Entra Connect Sync and Cloud Sync, and monitor the pipeline with Connect Health.

Why hybrid identity?

☕ Simple explanation

Hybrid identity is like having both a physical filing cabinet and a digital copy in the cloud.

Most organisations didn’t start in the cloud. They have an on-premises Active Directory with years of user accounts, group policies, and computer objects. Moving everything to the cloud overnight isn’t realistic.

Hybrid identity bridges the gap: it synchronises your on-prem AD users and groups to Entra ID, so people can use the same identity for on-prem file servers AND cloud apps like Microsoft 365. One username, one password, everywhere.

Hybrid identity extends on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID through directory synchronisation. This creates a unified identity that works across on-premises infrastructure, Microsoft 365, Azure resources, and third-party SaaS applications.

Microsoft provides two sync engines: Entra Connect Sync (the established tool) and Entra Cloud Sync (the newer, lighter alternative). Both synchronise users, groups, and contacts from AD to Entra ID, but differ in architecture, features, and deployment model.

The big comparison: Connect Sync vs Cloud Sync

Feature                | Entra Connect Sync                       | Entra Cloud Sync
Architecture           | Heavy agent on a Windows Server          | Lightweight agent; logic runs in the cloud
Server requirement     | Dedicated Windows Server (recommended)   | Lightweight agent on any domain-joined machine
Multi-forest support   | Yes (complex configuration)              | Yes (simpler: one agent per forest)
Password hash sync     | Yes                                      | Yes
Pass-through auth      | Yes                                      | No
ADFS federation        | Yes                                      | No
Device writeback       | Yes                                      | No
Group writeback        | Yes (supported)                          | No
Exchange hybrid        | Yes                                      | Limited
Custom attribute sync  | Extensive                                | Growing (via expressions)
High availability      | Staging server (manual failover)         | Multiple agents (automatic failover)
Management             | On-premises wizard                       | Cloud-based (Entra portal)
Best for               | Complex hybrid environments              | Simpler environments or multi-forest

When to choose Connect Sync

  • You need pass-through authentication or ADFS federation
  • You need device writeback (write Entra devices back to on-prem AD)
  • You have a complex Exchange hybrid deployment
  • You need advanced attribute filtering and transformation rules

When to choose Cloud Sync

  • You want simpler management (cloud-based, no on-prem server to maintain)
  • You have multiple disconnected AD forests (easier multi-forest support)
  • You want automatic failover (multiple lightweight agents)
  • You’re a new deployment without legacy Connect Sync requirements
  • Microsoft is investing heavily here: Cloud Sync is the future direction

Quick decision flowchart

  • Need PTA or AD FS? → Connect Sync (only option)
  • Need device writeback? → Connect Sync (only option)
  • Multiple forests + password hash sync only? → Cloud Sync (simpler)
  • New deployment, no legacy requirements? → Cloud Sync (recommended)
  • Already on Connect Sync, no blockers? → Consider migrating to Cloud Sync

ℹ️ Scenario: Priya migrates from Connect Sync to Cloud Sync

Meridian Health has been running Entra Connect Sync for three years on a dedicated Windows Server. After the CityClinic acquisition, they now have two AD forests.

Priya evaluates the options:

  • Current state: Connect Sync handles the Meridian forest. Adding CityClinic requires complex multi-forest configuration on the same server.
  • Cloud Sync option: Install a lightweight agent in each forest. Management moves to the cloud. Automatic failover if an agent goes down.

Since Meridian doesn’t use pass-through authentication (they use password hash sync) and doesn’t need device writeback, Cloud Sync is the better fit for the multi-forest scenario.

Entra Connect Sync: how it works

  1. Install the Entra Connect Sync application on a Windows Server (joined to your AD domain)
  2. Configure which OUs and attributes to synchronise
  3. Choose an authentication method (password hash sync, pass-through auth, or federation)
  4. Initial sync: full synchronisation of all in-scope objects
  5. Delta sync: runs every 30 minutes, syncing only changes

Key components:

  • Sync engine: the core that reads from AD and writes to Entra ID
  • Connector space: staging area for objects being synced
  • Metaverse: unified view merging all connected directories
  • Rules engine: transforms attributes during sync (e.g., construct UPN from AD fields)
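A health check for the 30-minute delta cycle and the staging-server failover model described above, written as an added example for this guide (it is not code from the study guide or from Microsoft). It runs on the Connect Sync server itself and uses the ADSync module that ships with Entra Connect; the 60-minute staleness threshold is an assumed value.

```powershell
# Added example (not from the study guide): operator check for the Entra Connect Sync
# scheduler, run on the Connect Sync server where the ADSync module is installed.
Import-Module ADSync

# Assumed threshold: the default delta cycle is every 30 minutes, so two missed cycles
# means the pipeline is stale and worth alerting on.
$MaxDeltaAgeMinutes = 60

$scheduler = Get-ADSyncScheduler

# A staging-mode server imports and syncs but never exports: it is the standby half of the
# manual-failover pair, so "nothing is being exported" is expected here, not a fault.
if ($scheduler.StagingModeEnabled) {
    Write-Output "This server is in staging mode (standby); exports to Entra ID are disabled by design."
}

if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "Sync scheduler is disabled: no delta cycles will run until it is re-enabled."
}

# NextSyncCycleStartTimeInUTC is the next planned run. If it is already in the past by more
# than the threshold, the scheduler has stalled or is suspended (e.g. during an upgrade).
$nextRun   = $scheduler.NextSyncCycleStartTimeInUTC
$overdueBy = (Get-Date).ToUniversalTime() - $nextRun
$overdue   = $overdueBy.TotalMinutes -gt $MaxDeltaAgeMinutes

if ($scheduler.SchedulerSuspended) {
    Write-Warning "Scheduler is suspended (usually a maintenance or upgrade state)."
} elseif ($overdue) {
    Write-Warning ("Delta sync overdue by {0:N0} minutes (next run was due {1:u})." -f $overdueBy.TotalMinutes, $nextRun)
}

# Connectors currently mid-run; an empty result means the sync engine is idle.
$running = Get-ADSyncConnectorRunStatus
if ($running) {
    Write-Output "Sync engine is busy:"
    $running | Out-String | Write-Output
} elseif ($overdue -and $scheduler.SyncCycleEnabled -and -not $scheduler.SchedulerSuspended) {
    # Only kick a manual delta cycle when the engine is idle; starting one while a cycle
    # is already in progress fails with a busy error.
    Write-Output "Triggering a manual delta sync cycle."
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Schedule it a few minutes after each expected cycle so a warning means at least one cycle was genuinely missed rather than merely late.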

Entra Cloud Sync: how it works

  1. Install the Entra Cloud Sync provisioning agent on a domain-joined machine
  2. Configure everything in the Entra admin center (cloud-based)
  3. Scoping filters define which users/groups to sync
  4. Attribute mapping (with expression support) controls data transformation
  5. Provisioning runs continuously: creates, updates, and deprovisions objects

Key difference: The sync logic runs in the cloud, not on-premises. The agent is just a connector; it has no local database or rules engine.

Entra Connect Health: monitor the pipeline

Entra Connect Health monitors your hybrid identity infrastructure and provides alerts when something goes wrong.

What It Monitors     | Alerts For
Entra Connect Sync   | Sync failures, export errors, password sync issues
AD FS servers        | Service availability, performance, certificate expiration
AD Domain Services   | Replication health, NTLM/Kerberos auth issues

Where to find it: Entra admin center → Connect Health

💡 Exam tip: Connect Health requires P1

Entra Connect Health requires a Microsoft Entra ID P1 licence. It installs a health agent on each monitored server (Connect Sync server, ADFS servers, domain controllers).

Key monitoring features:

  • Sync error report: objects that failed to sync (duplicate attributes, missing required fields)
  • Password sync troubleshooting: specific heartbeat for password hash sync
  • Alert notifications: email when critical issues are detected
  • Usage analytics: ADFS sign-in patterns, top requesting applications

🎬 Video walkthrough: coming soon (Hybrid Identity, SC-300 Module 7, ~12 min)

Flashcards

Question: What is the key architectural difference between Entra Connect Sync and Cloud Sync?

Answer: Connect Sync runs a heavy sync engine on-premises (server-based, local rules engine and database). Cloud Sync uses a lightweight agent on-premises; the sync logic runs in the cloud, managed via the Entra admin center.

Question: Which features does Entra Connect Sync support that Cloud Sync does NOT?

Answer: Pass-through authentication, ADFS federation, device writeback, group writeback, and complex Exchange hybrid scenarios. Cloud Sync is simpler but doesn't support these advanced features.

Question: What does Entra Connect Health monitor?

Answer: The hybrid identity pipeline: Entra Connect Sync (sync errors, password sync), ADFS servers (availability, certificates, performance), and AD Domain Services (replication, auth health). Requires P1 licence.

Question: How does Cloud Sync achieve high availability?

Answer: Install multiple lightweight agents on different machines. If one agent fails, the others take over automatically. This is simpler than Connect Sync, which requires a staging server with manual failover.

Knowledge Check

  1. A company has two disconnected AD forests after an acquisition. They need to sync users from both forests to a single Entra tenant. They use password hash sync and don't need pass-through authentication or device writeback. Which sync solution is most appropriate?
  2. After deploying Entra Connect Sync, Priya notices some user objects aren't appearing in Entra ID. Where should she check first?
  3. Anika recommends Cloud Sync for a client. The client asks why they can't use Cloud Sync for pass-through authentication. What is Anika's response?


Next up: Hybrid Authentication: PHS, PTA & Seamless SSO. Choose the right authentication method for your hybrid environment and plan AD FS migration.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.