How to configure Cloud Sync in Active Directory
Source1: Settings on the server side - here
Source2: Settings on Microsoft Entra ID portal - here
Before proceeding with installation, make sure your users will sync to the correct domain in the M365 portal. If your existing AD domain name is different from your Microsoft 365 domain, you may need to add the M365 domain as an alternative UPN suffix in Active Directory Domains and Trusts. Steps: log in to the DC > Server Manager > Tools > Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts in the left pane > Properties > add the exact M365 domain as a UPN suffix > OK.
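The same UPN-suffix change done from PowerShell on the DC, followed by a check for users whose UPN does not yet use the Microsoft 365 domain. This is an added example, not part of the original post; the domain names and OU path are placeholders that you replace with your own values.

```powershell
# Added example (not from the original post). Assumed placeholders:
#   contoso.com                           - the verified Microsoft 365 domain
#   OU=CloudSyncTest,DC=corp,DC=local     - the test OU that will be in scope
Import-Module ActiveDirectory

$M365Domain = 'contoso.com'                           # placeholder
$Scope      = 'OU=CloudSyncTest,DC=corp,DC=local'     # placeholder

# Equivalent of AD Domains and Trusts > Properties > add UPN suffix > OK.
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $M365Domain }

# Verify the suffix is now registered on the forest.
(Get-ADForest).UPNSuffixes

# Users in scope whose UPN still carries the old (non-routable) suffix.
# If they are synced as-is they will not land under the M365 domain.
$Mismatched = Get-ADUser -Filter * -SearchBase $Scope -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$M365Domain" }

$Mismatched | Select-Object SamAccountName, UserPrincipalName

# Preview of the UPN rewrite. -WhatIf only reports what would change;
# remove it once the list above has been reviewed.
$Mismatched | ForEach-Object {
    Set-ADUser -Identity $_ -UserPrincipalName "$($_.SamAccountName)@$M365Domain" -WhatIf
}
```

Run this as a domain administrator on the DC. The rewrite is left in preview mode on purpose: review the mismatched list first, since a UPN change affects how those users sign in.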
Step 1: Download and install “Provisioning Agent” here
Step 2: Configure the Provisioning agent on AD.
2. Connect Microsoft Entra ID: authenticate to your Entra tenant with administrator credentials.
3. Configure Service Account: create a group managed service account (gMSA) to run the synchronization from Active Directory.
Connect Active Directory: Verify the configured domain is correct and click Next.
Confirm to complete installation
Exit after the installation
Step 3: Log in to the Entra ID portal > Identity > Show more > Hybrid management > Microsoft Entra Connect > Cloud Sync. On the Configurations tab, select New configuration > AD to Microsoft Entra ID sync. Verify your domain name is listed under active agents, tick the box to enable password hash sync, and click Create. The next page is where you configure, test and deploy your sync setup using the steps below.
Add scoping filters (optional): I'll be syncing the users in a test OU I have created in AD. Locate the OU, right-click to open its properties > Attribute Editor tab > copy the distinguishedName of the OU. Select "Selected organizational units", paste the distinguished name, then save.
Map attributes: adjust the attribute mappings if necessary.
Test (recommended): select a user from your on-premises environment to provision. Back on the DC, find a test user, copy their distinguished name and paste it into the provisioning field.
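The two distinguished names that the scoping filter and the Test step ask for can be pulled from PowerShell instead of the Attribute Editor tab, and you can confirm at the same time that the test user really sits inside the scoped OU. This is an added example, not part of the original post; the OU name and user name are placeholders.

```powershell
# Added example (not from the original post). Assumed placeholders:
#   CloudSyncTest - the test OU created in AD
#   jdoe          - sAMAccountName of the user to provision on demand
Import-Module ActiveDirectory

$OuName   = 'CloudSyncTest'   # placeholder
$TestUser = 'jdoe'            # placeholder

# Distinguished name to paste under "Selected organizational units".
$Ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'"
if (-not $Ou) { throw "OU '$OuName' not found" }
$Ou.DistinguishedName

# Distinguished name to paste in the Test (provision on demand) step.
$User = Get-ADUser -Identity $TestUser -Properties UserPrincipalName
$User.DistinguishedName

# A user outside the scoped OU can still be provisioned on demand, so the
# test would not reflect what the enabled configuration will do. Warn on that.
if ($User.DistinguishedName -notlike "*,$($Ou.DistinguishedName)") {
    Write-Warning "$TestUser is not inside $($Ou.DistinguishedName); the test will not match the scoped sync"
}

# Everything that will be in scope once the configuration is enabled.
Get-ADUser -Filter * -SearchBase $Ou.DistinguishedName -SearchScope Subtree -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName
```

The final listing is worth keeping alongside the configuration: it is the set of accounts that enabling the sync will push to Entra ID, regardless of what the Object scope filter summary shows in the portal.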
Note: You may run into an MFA error at this step.
Fix: This usually happens when a conditional access policy enforces MFA for all users. If that is the case, exclude the synchronization account from that policy. The account is named "On-Premises Directory Synchronization Service Account". Then try to provision the user again.
5. Enable your configuration (required): enabling will sync the users and groups that are in scope.
Note: The Object scope filter may still show "All users" even after the OU was selected in the scope. This may be a bug on Microsoft's side; you can ignore it and rest assured that the sync only affects the selected OU.