Microsoft Entra Connect V2 enables the integration of on-premises Windows Server Active Directory (AD) with Microsoft Entra ID (formerly Azure AD) to provide users with a single sign-on with the same username and password both locally and in the cloud. Originally known as Azure AD Connect, the tool has not only been renamed but also expanded with new features.
In addition to the classic Entra Connect Sync, there is also the more modern solution Microsoft Entra Cloud Sync, which offers simpler management and higher availability but comes with certain limitations. These will also be addressed in this post.
Entra Connect V2: Prerequisites and Considerations
Entra Connect V2 requires at least Windows Server 2016 and a current .NET version. Depending on the number of objects to be synchronized, a SQL Server may also be required. While synchronization primarily flows from on-premises AD to Entra ID, selected attributes, such as changed passwords, can also be written back to the local AD. Different requirements, such as the need for Hybrid Join, Pass-through Authentication, or Attribute Filtering, determine whether the classic or the cloud variant should be used. It is important to consider all system requirements and permissions, as well as potential pitfalls, to ensure smooth synchronization before implementation.
Microsoft has not yet updated all designations. In addition to the term “Entra,” Azure AD is still used, even in the installation of Entra Connect Sync. In several places, Azure Active Directory Connect is still mentioned, even though the new features of Entra Connect Sync are in use in the background.
The Key New Features in Entra Connect V2
Performance Improvements and Security Updates in Entra Connect V2
Microsoft Entra Connect V2 brings new features compared to the older V1 version that improve both the performance and security of the platform. One of the most significant changes is the update to the SQL Server component. While version V1 used SQL Server 2012 LocalDB, V2 integrates the SQL Server 2019 LocalDB feature. This leads to increased stability and performance, as well as addressing several security vulnerabilities. Since extended support for SQL Server 2012 ended in July 2022, this update is essential to ensure continued secure and supported operation.
Another security feature of Entra Connect V2 is the exclusive support for the TLS 1.2 protocol. Earlier versions that still used TLS 1.0 and 1.1 are considered insecure and are no longer supported. This ensures that communication protocols meet current security standards. Additionally, all binary files that were previously signed with the insecure SHA-1 algorithm have been switched to the more secure SHA-2 algorithm to ensure the integrity of the software.
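Because Entra Connect V2 communicates over TLS 1.2 only, the sync server itself has to have TLS 1.2 enabled for .NET and SCHANNEL. As an added example (not from the original post), this PowerShell snippet reads the registry values that Microsoft's TLS 1.2 enforcement guidance for Entra Connect lists and reports any that deviate; it changes nothing.

```powershell
# Added example: read-only check of the TLS 1.2 settings Microsoft documents
# for an Entra Connect server. Run in an elevated session on the sync server.

$net32 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$net64 = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

$checks = @(
    # .NET Framework: follow the OS defaults and use strong crypto (TLS 1.2)
    @{ Path = $net32; Name = 'SystemDefaultTlsVersions'; Expected = 1 }
    @{ Path = $net32; Name = 'SchUseStrongCrypto';       Expected = 1 }
    @{ Path = $net64; Name = 'SystemDefaultTlsVersions'; Expected = 1 }
    @{ Path = $net64; Name = 'SchUseStrongCrypto';       Expected = 1 }
    # SCHANNEL: TLS 1.2 enabled and not disabled by default, server and client side
    @{ Path = "$tls12\Server"; Name = 'Enabled';           Expected = 1 }
    @{ Path = "$tls12\Server"; Name = 'DisabledByDefault'; Expected = 0 }
    @{ Path = "$tls12\Client"; Name = 'Enabled';           Expected = 1 }
    @{ Path = "$tls12\Client"; Name = 'DisabledByDefault'; Expected = 0 }
)

$results = foreach ($c in $checks) {
    $actual = $null
    if (Test-Path -Path $c.Path) {
        # A missing value is reported as such rather than treated as 0
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    [pscustomobject]@{
        Setting  = "$($c.Path)\$($c.Name)"
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(missing)' } else { $actual }
        Ok       = ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'TLS 1.2 is not fully enforced on this server; Entra Connect V2 only talks TLS 1.2.'
}
```

A reboot is needed after any of these values is changed before the new settings take effect.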
Advanced Features and Compatibility in Entra Connect V2
Another important advance in Entra Connect V2 is the shift from the outdated ADAL authentication library to the more modern MSAL library, which is included in Entra Connect V2. ADAL has not been supported since December 2022, making an upgrade to the new version mandatory to avoid potential authentication issues. The Microsoft Authentication Library (MSAL) offers significant advantages over the older Azure Active Directory Authentication Library (ADAL), particularly when integrated with Entra Connect V2. MSAL supports not only user authentication in Microsoft Entra ID but also in other identity providers via OpenID Connect and OAuth 2.0 protocols. A key advantage of MSAL is its support for modern authentication features such as Conditional Access and Multi-Factor Authentication (MFA), which are not natively integrated in ADAL. Furthermore, MSAL enables seamless integration with Microsoft Graph, making it easier and more comprehensive to manage identities and resources in the cloud.
Additionally, the C++ runtime library has been updated to the Visual C++ Redistributable 14 version to ensure compatibility with SQL Server 2019. Another important aspect is the changed support for underlying operating systems. Entra Connect V2 requires at least Windows Server 2016, as the included SQL Server 2019 components are no longer compatible with older Windows Server versions. For users still using older operating systems, this means that an upgrade to a newer Windows Server version is required, ideally Windows Server 2022. This is especially necessary due to the end of support for Windows Server 2016.
Entra Connect v2 vs. Entra Cloud Sync
Overview of Current Versions
Microsoft Entra Connect V2 and Microsoft Entra Cloud Sync differ in several aspects that are crucial when selecting the appropriate solution. Before continuing, a brief overview of the current tools and names is helpful:
- Azure AD Connect and Entra Connect are older versions of Entra Connect V2.
- "Azure AD Connect Cloud Sync" corresponds to Microsoft Entra Cloud Sync.
More information about the difference can be read here: Azure AD Connect and Azure AD Connect Cloud Sync
Currently, there are:
- Entra Connect V2: Synchronizes on-premises directories with Entra ID
- Entra Connect Sync: Automates identity matching.
- Entra Cloud Sync: Cloud-based, optimized for synchronization without on-premises infrastructure.
Main Architectural Differences
Entra Connect V2 offers more extensive capabilities when it comes to connecting to Active Directory forests. Entra Connect supports both single and multiple on-premises AD forests, even if they are disconnected from each other. This flexibility makes the solution particularly suitable for complex, distributed IT environments. Cloud Sync can also connect multiple AD forests, but not disconnected ones.
A key difference between the two solutions lies in the installation architecture. Entra Cloud Sync uses an agent-based model that allows for easy installation and configuration. Multiple active agents provide high availability, ensuring that synchronization continues uninterrupted even if one agent fails. Entra Connect V2, on the other hand, follows a more traditional installation model that requires more extensive configuration and customization but also offers more control over synchronization.
Advanced Features
In terms of supported object types and features, both solutions provide basic support for user, group and contact objects as well as synchronization of Exchange Online attributes and extended attributes (1-15). However, Entra Connect V2 additionally supports the synchronization of device objects and user-defined AD attributes, which is relevant for environments with specific, device-based requirements.
Another difference lies in the customization and filtering options. Both solutions allow basic customization of attribute flows and filtering by domains, organizational units or groups. However, Entra Connect offers more advanced options, including filtering by attribute values of an object and advanced customization of the attribute flow, which allows detailed control over the synchronization. Cloud Sync does without these advanced customization options, which simplifies operation but offers less flexibility.
There is also a differentiation when it comes to authentication and write-back support. Entra Connect supports both password hash synchronization and pass-through authentication, while Cloud Sync only offers password hash synchronization. In addition, Connect supports writing passwords, devices and groups back to the local AD environment, while Cloud Sync has limitations here with regard to writing back devices and instead refers to the future use of the Cloud Kerberos trust.
| Feature | Entra Connect V2 | Cloud Sync |
|---|---|---|
| Supported Object Types | User, Group, and Contact Objects | User, Group, and Contact Objects |
| Synchronization of Exchange Online Attributes | Yes | Yes |
| Extended Attributes (1–15) | Yes | Yes |
| Synchronization of Device Objects | Yes | No |
| Synchronization of Custom AD Attributes | Yes | No |
| Customization and Filtering Options | Advanced filtering by attribute values and detailed customizations | Basic customizations of attribute flows and filtering by domains, OUs, or groups |
| Password Hash Synchronization | Yes | Yes |
| Pass-through Authentication | Yes | No |
| Password Write-back | Yes | No |
| Device Write-back | Yes | Restricted (future use of Cloud Kerberos trust) |
| Group Write-back | Yes | No |
Scalability
Another important difference lies in the scaling and the number of objects supported. Entra Connect V2 allows an unlimited number of objects per AD domain and supports large groups with up to 250,000 members. In contrast, Cloud Sync is limited to 150,000 objects per AD domain and groups with up to 50,000 members, which can be a significant disadvantage in larger environments.
In summary, Microsoft Entra Connect offers a more comprehensive solution for complex, large environments that require advanced customization, scalability and deep integration. Microsoft Entra Cloud Sync, on the other hand, is aimed at simpler implementations where quick setup, high availability and reduced complexity are key. The choice between the two solutions should therefore depend heavily on the specific requirements and complexity of the IT infrastructure in question.
| Parameter | Entra Connect V2 | Cloud Sync |
|---|---|---|
| Max. Objects per AD Domain | Unlimited | 150,000 |
| Max. Members per Group | 250,000 | 50,000 |
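Before choosing Cloud Sync, it is worth measuring the domain against the two limits above. As an added example (not from the original post), this PowerShell script uses the ActiveDirectory module to count the syncable objects in the current domain and to list groups larger than the Cloud Sync member limit; the limit variables are taken from the table above, and the LDAP filter for what counts as a syncable object (users, groups, contacts) is my assumption.

```powershell
# Added example: size an AD domain against the Cloud Sync limits quoted above.
# Read-only; requires the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

$maxObjectsPerDomain = 150000   # Cloud Sync: max. objects per AD domain
$maxMembersPerGroup  = 50000    # Cloud Sync: max. members per group

# Users (objectCategory=person excludes computer accounts), groups and contacts.
# Device objects are left out because Cloud Sync does not synchronize them.
# This counts the whole domain, i.e. an upper bound; scoping to OUs reduces it.
$syncableFilter = '(|(&(objectCategory=person)(objectClass=user))(objectCategory=group)(objectClass=contact))'
$objectCount = (Get-ADObject -LDAPFilter $syncableFilter -ResultSetSize $null -ResultPageSize 1000 |
    Measure-Object).Count

# Get-ADGroup -Properties member returns the full membership via ranged retrieval,
# so large groups are counted correctly.
$oversizedGroups = Get-ADGroup -Filter * -Properties member |
    ForEach-Object {
        [pscustomobject]@{
            Group       = $_.DistinguishedName
            MemberCount = @($_.member).Count
        }
    } |
    Where-Object { $_.MemberCount -gt $maxMembersPerGroup } |
    Sort-Object MemberCount -Descending

[pscustomobject]@{
    Domain                = (Get-ADDomain).DNSRoot
    SyncableObjects       = $objectCount
    WithinObjectLimit     = ($objectCount -le $maxObjectsPerDomain)
    GroupsOverMemberLimit = @($oversizedGroups).Count
} | Format-List

if ($oversizedGroups) {
    Write-Warning "Groups above the Cloud Sync member limit of $maxMembersPerGroup (Entra Connect V2 allows 250,000):"
    $oversizedGroups | Format-Table -AutoSize
}
```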
Disadvantages of using Entra Connect V2
A major disadvantage of Entra Connect compared to Entra Cloud Sync is the increased complexity of installation and configuration. While Cloud Sync uses an agent-based model that enables simple and fast implementation, Entra Connect V2 requires a more comprehensive infrastructure and significantly more administrative effort.
In addition, Entra Connect’s high availability is less flexible as it does not provide native support for multiple active agents, which is standard with Cloud Sync. These factors lead to a higher demand for technical resources and a longer implementation time with Entra Connect, which can be perceived as a disadvantage in less agile or smaller IT environments.
FirstAttribute AG – Identity Management & IAM Cloud Services