This article was translated from German with the help of Claude.
In the April 2026 Entra update, Microsoft announced the transition from Entra Connect Sync (formerly Azure AD Connect) to Entra Cloud Sync. Both tools synchronize users, groups, and contacts from on-premises Active Directory to Entra ID. According to Microsoft, Cloud Sync is the strategic direction for hybrid identity synchronization and the recommended path for most organizations. This article breaks down what was announced and what it means for everyday admin work.
What Microsoft Announced #
The key points of the announcement:
- Microsoft is beginning the transition from Entra Connect Sync to Entra Cloud Sync. As reasons, Microsoft cites lower on-premises complexity, higher security and reliability, and simpler management.
- The change happens in phases, depending on the features an organization uses.
- Starting in July 2026, Microsoft will inform affected organizations about their individual transition window. Notifications go through the M365 Message Center, Entra Connect Health, and targeted emails.
- The first wave consists of tenants whose current Connect Sync use cases are already fully covered by Cloud Sync. Later waves follow as soon as Cloud Sync supports the functions those tenants require.
Microsoft frames it so that later groups are only notified once the corresponding support is available in Cloud Sync. A hard, global shutdown date for Connect Sync was not named in this context. According to the official migration FAQ, you don’t have to migrate as long as the functions you need are not yet supported in Cloud Sync. Until then, you can keep running Connect Sync and migrate once those functions become available.
Keep Two Separate Dates Clearly Apart #
In Microsoft’s communication, two different processes run side by side. They do not belong together and have different consequences.
Mandatory Connect Sync upgrade (hard deadline). Connect Sync versions older than 2.5.79.0 will stop syncing on September 30, 2026. The reason is a backend security change. If you are below this version and do not update, synchronization stops. The installer is only available through the Entra Admin Center (the “Microsoft Entra Connect” blade), no longer through the Microsoft Download Center. The corresponding Message Center entries are MC1262584 and MC1263280. Microsoft staggers enforcement per tenant, so the dates that apply to you are in your Message Center notifications. This step affects you even if you stay on Connect Sync: it is maintenance, not a migration step.
Migration to Cloud Sync (phased, notified from July). This is the actual move to the new tool with individual windows and notifications. As of today, there is no hard shutdown date here.
So the practical order is: first the mandatory upgrade by September 30, 2026, then, if your tenant and environment are ready for it, the migration to Cloud Sync.
In parallel, starting June 1, 2026, hard-match hardening also takes effect: Entra blocks certain hard-match takeovers of role-bearing cloud objects. Hard match links an on-premises object to an existing cloud object by its source anchor (ImmutableId), so anyone who can write that attribute in AD could otherwise claim an existing cloud account, including a privileged one. That is a separate topic, but worth keeping in mind, since several sync changes coincide in the same period.
How Cloud Sync Is Built #
Cloud Sync moves the configuration into the cloud. Instead of a dedicated Connect server, you install a lightweight provisioning agent on a domain-joined server. The sync engine runs at Microsoft, and the entire configuration lives in the Entra Admin Center. According to Microsoft, this results in the following characteristics:
- Cloud-managed configuration. Configuration, status checks, and troubleshooting are done through the Entra Admin Center, without direct server access or VPN. Configuration changes are automatically distributed to the agents.
- Multiple active agents. Cloud Sync supports multiple active provisioning agents with automatic failover. If one agent fails, the others take over. Connect Sync, by contrast, only ever has one active server; a second server can be kept in staging mode, but switching over to it is a manual step.
- Automatic agent updates. The agents receive updates and security patches automatically from Microsoft.
- Native support for disconnected forests. Disconnected forests, typical with mergers and acquisitions, are supported without forest consolidation.
- Platform for new features. Microsoft develops new synchronization and provisioning functions primarily on Cloud Sync. Examples include group provisioning to Active Directory and extended source-of-authority management.
On the agent requirements: Windows Server 2016, 2019, or 2022, at least 4 GB RAM, .NET Framework 4.7.1 or higher; Server Core is not supported. The agent must be able to reach the domain controllers via LDAP (TCP 389) and Global Catalog (TCP 3268), and it needs outbound HTTPS (TCP 443) to Microsoft's service endpoints, because it fetches its configuration from the cloud and pushes sync data there.
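As an added example (not code from the article or from Microsoft), the following PowerShell pre-flight script checks a candidate agent host against the requirements just listed: OS build, installation type, RAM, .NET Framework release, domain membership, and TCP reachability of every domain controller on 389 and every global catalog on 3268. It assumes `login.microsoftonline.com` as a stand-in for the agent's outbound HTTPS endpoints; the authoritative endpoint list is in Microsoft's agent documentation.

```powershell
# Added example, not part of the original article: pre-flight check for a
# prospective Entra Cloud Sync provisioning agent host. Run it on that server.
function Test-CloudSyncAgentPrereqs {
    [CmdletBinding()]
    param(
        [int]    $MinRamGB         = 4,
        [int]    $MinDotNetRelease = 461308,        # .NET Framework 4.7.1
        [version]$MinOsBuild       = '10.0.14393',  # Windows Server 2016
        [string] $CloudEndpoint    = 'login.microsoftonline.com'  # assumption: stand-in for the documented endpoint list
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    Add-Result 'OS build >= Server 2016' ([version]$os.Version -ge $MinOsBuild) "$($os.Caption) ($($os.Version))"

    # Full servers report "Server"; "Server Core" means the agent is unsupported here.
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    Add-Result 'Not Server Core' ($installType -ne 'Server Core') $installType

    # TotalPhysicalMemory comes in slightly below the nominal size; round before comparing.
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    Add-Result "RAM >= $MinRamGB GB" ($ramGB -ge $MinRamGB) "$ramGB GB"

    # .NET Framework 4.x exposes one "Release" DWORD; 461308 and above is 4.7.1 or later.
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    Add-Result '.NET Framework >= 4.7.1' ([int]$release -ge $MinDotNetRelease) "Release=$release"

    Add-Result 'Domain-joined' ([bool]$cs.PartOfDomain) $cs.Domain
    if (-not $cs.PartOfDomain) { return $results }

    # Enumerate the DCs of the joined domain via .NET so RSAT is not required on the host.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.FindAllDomainControllers()) {
        $ldap = Test-NetConnection -ComputerName $dc.Name -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        Add-Result "LDAP 389 -> $($dc.Name)" $ldap "site $($dc.SiteName)"
        if ($dc.IsGlobalCatalog()) {
            $gc = Test-NetConnection -ComputerName $dc.Name -Port 3268 -InformationLevel Quiet -WarningAction SilentlyContinue
            Add-Result "GC 3268 -> $($dc.Name)" $gc "site $($dc.SiteName)"
        }
    }

    # The agent is cloud-managed: without outbound 443 it cannot even fetch its configuration.
    $https = Test-NetConnection -ComputerName $CloudEndpoint -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Result "HTTPS 443 -> $CloudEndpoint" $https 'proxy/firewall egress'

    return $results
}

# Usage: list every check, then warn if any of them failed.
$checks = Test-CloudSyncAgentPrereqs
$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) { Write-Warning 'Host does not meet the Cloud Sync agent prerequisites.' }
```

The DC loop is deliberately exhaustive: the agent picks domain controllers itself, so a single unreachable DC in a remote site is enough to produce intermittent sync failures that are hard to diagnose from the Admin Center alone.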
Cloud-First: Entra ID as the Leading Directory #
Cloud Sync is not limited to the classic direction from Active Directory to Entra ID. It is also the foundation for a cloud-first model in which Entra ID becomes the source of authority (SOA). In practice, this means an existing object synchronized from AD is switched to cloud-managed. After that, it is no longer overwritten from AD but behaves as if it had originally been created in the cloud.
There are two related building blocks for this:
- Source-of-authority switch. For users and contacts, Microsoft provides a documented way to switch the SOA to Entra ID, allowing individual synchronized AD objects to be converted into cloud-managed identities. For these objects, the dependency on AD synchronization is removed. The SOA switch for synchronized groups is in public preview at the time of the announcement. Because the feature state differs per object type, it’s worth checking the docs before you start to see whether your specific scenario is already generally available (GA) or still in preview.
- Group provisioning to AD DS. Cloud Sync can provision cloud-managed security groups back to Active Directory (in the Cloud Sync setup, this is the “Microsoft Entra ID to AD sync” configuration). This lets you manage AD- and Kerberos-based applications from the cloud via Entra ID Governance. This direction is available exclusively in Cloud Sync; Connect Sync cannot do it.
Two points are important here. First, this is not dual-write. Once a user's SOA is in the cloud, changes to the AD object no longer flow into Entra ID, and for groups that Cloud Sync provisions into AD, direct edits to the on-premises group are overwritten on the next provisioning cycle. The cloud is the leading source. Second, this is about groups and shifting authority for existing users, not about creating new users in AD from the cloud. Cloud-to-AD user provisioning is currently supported by neither Connect Sync nor Cloud Sync.
Requirements for the SOA scenarios include, among other things, a current provisioning agent, the AD schema attribute msDS-ExternalDirectoryObjectId (included from Windows Server 2016 onward), and the appropriate Microsoft Graph permission to change the SOA.
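As an added example (not code from the article or from Microsoft), the following PowerShell snippet uses the Microsoft Graph SDK to move one synchronized user to cloud SOA and read the result back. The `onPremisesSyncBehavior` resource, its `isCloudManaged` property and the `User-OnPremisesSyncBehavior.ReadWrite.All` permission are taken from the "Configure user Source of Authority (SOA)" documentation listed in the sources; treat them as assumptions to verify against the current docs, since the resource lives on the beta endpoint. The directory-role guard is my addition, not something the API enforces.

```powershell
# Added example, not part of the original article. Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Endpoint, property and
# permission names are assumptions taken from the SOA docs; verify before use.
function Set-UserSoaToCloud {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $userUri = "https://graph.microsoft.com/beta/users/$([uri]::EscapeDataString($UserPrincipalName))"

    # 1. Only a currently synced object can be switched; a cloud-only account has no SOA to move.
    $user = Invoke-MgGraphRequest -Method GET -Uri "${userUri}?`$select=id,userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId"
    if ($user.onPremisesSyncEnabled -ne $true) {
        throw "$UserPrincipalName is not synced from AD; nothing to switch."
    }

    # 2. Guard: never move role-bearing accounts from a script. Changing who controls an
    #    admin identity is a human decision. This sees direct role assignments only;
    #    PIM-eligible assignments and role-assignable groups need their own check.
    $roles = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$($user.id)/memberOf/microsoft.graph.directoryRole?`$select=displayName"
    if ($roles.value.Count -gt 0) {
        throw "$UserPrincipalName holds directory role(s): $($roles.value.displayName -join ', '). Switch manually."
    }

    # 3. Flip the SOA. From now on AD changes stop flowing into this object: one-way, not dual-write.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Switch source of authority to Entra ID')) {
        Invoke-MgGraphRequest -Method PATCH -Uri "$userUri/onPremisesSyncBehavior" `
            -Body (@{ isCloudManaged = $true } | ConvertTo-Json) -ContentType 'application/json' | Out-Null
    }

    # 4. Read the state back and return it so the caller can log the change.
    [pscustomobject]@{
        UserPrincipalName = $user.userPrincipalName
        ImmutableId       = $user.onPremisesImmutableId
        IsCloudManaged    = (Invoke-MgGraphRequest -Method GET -Uri "$userUri/onPremisesSyncBehavior").isCloudManaged
    }
}

# Usage. Run with -WhatIf first: it performs the read-only checks and skips the PATCH.
# Directory.Read.All covers the user and role lookups; the first scope is the SOA write.
Connect-MgGraph -Scopes 'User-OnPremisesSyncBehavior.ReadWrite.All', 'Directory.Read.All'
Set-UserSoaToCloud -UserPrincipalName 'pilot.user@contoso.example' -WhatIf
```

Keep the returned ImmutableId with your change record: if the switch has to be reversed later, that value is what ties the cloud object back to its AD counterpart.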
Feature Scope: What Cloud Sync Can and Cannot Do #
Cloud Sync does not yet have the full feature set of Connect Sync. That is precisely the reason for the phased migration. The following overview is based on the official comparison table in the Decision Guide.
Full parity exists for: synchronization of users, groups, and contacts, single and multiple connected forests, Password Hash Synchronization, password writeback (SSPR), directory extensions (1 to 15), basic attribute customization via the Expression Builder, OU-based filtering, and Seamless Single Sign-On.
Not available (or only limited) in Cloud Sync:
| Feature | Status in Cloud Sync |
|---|---|
| Device synchronization (Hybrid Entra Join) | not supported |
| Device writeback | discontinued in favor of Cloud Kerberos Trust |
| Scale per domain | max. 150,000 objects (Connect Sync unlimited) |
| Group size | max. 50,000 members (Connect Sync up to 250,000) |
| Pass-Through Authentication config | managed separately from sync |
| AD FS integration | separate tools required |
| Advanced sync rules | Expression Builder only |
| Attribute-based filtering | limited |
| Cross-forest references | not supported |
| Attribute merge across multiple domains | not supported |
| Reconciliation (out-of-band correction) | not supported |
| User provisioning to AD | not supported in either |
On authentication, Microsoft notes: PHS, PTA, and Seamless SSO continue to work after a migration. The PTA and AD FS configuration is simply managed separately from the sync in Cloud Sync.
Migration Readiness: Who Can, Who Waits #
In the Decision Guide, Microsoft divides organizations into three groups.
Ready to migrate immediately if all criteria are met: fewer than 150,000 objects per domain, groups with fewer than 50,000 members, no Hybrid Entra Join (or willingness to switch to Cloud Kerberos Trust), authentication via PHS or separately managed AD FS/PTA, OU-based filtering instead of complex attribute rules, single forest or connected forests.
Plan migration for the near future if you currently need Hybrid Join device synchronization, complex attribute filtering, or user provisioning to AD. These points may be supported in the future, so keep an eye on feature announcements.
Evaluate migration for later if your environment is beyond the scale limits, maintains extensive custom sync rules, has cross-forest dependencies, or strictly depends on reconciliation. For large environments, Microsoft recommends segmenting the migration by domain or OU.
What You Should Check Now #
- Determine your Connect Sync version. In the Synchronization Service Manager, Help > About shows the installed version; check that it is at least 2.5.79.0. If it’s below that, update. The deadline is September 30, 2026, and the installer is in the Entra Admin Center.
- Check feature dependencies against the feature overview. Even a single unsupported feature means staying on Connect Sync for now.
- Watch the Message Center. The individual transition windows will be announced there starting in July 2026.
- Plan a step-by-step migration and testing. Running both tools in parallel for the same objects is not supported. Instead, you migrate OU by OU, so each OU is managed by only one tool at a time. During the migration, Connect Sync is put into staging mode, and a rollback is possible. Back up your Connect configuration via import/export beforehand. For piloting, a test forest and on-demand provisioning are suitable, with which you can check configuration changes on a single user.
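As an added example that is not part of the original article or of Microsoft's tooling, the following PowerShell script, run on the Connect Sync server, covers the first two checks above and the readiness criteria from the Decision Guide in one pass: installed version against 2.5.79.0, staging mode, tenant features Cloud Sync does not carry over (device writeback), custom sync rules, and per-domain object counts and largest group against the 150,000 and 50,000 limits. Assumptions, also marked in the comments: the Programs and Features display name of the product (`Microsoft Azure AD Connect` or `Microsoft Entra Connect Sync`), that the AD connector is named after its forest, that admin-created sync rules carry no `ImmutableTag`, that the feature property names match what `Get-ADSyncAADCompanyFeature` returns on your build, and that the running account can read every connected forest. Hybrid Join device sync is not detected here; check the computer-join sync rule in the Synchronization Rules Editor for that.

```powershell
# Added example, not part of the original article. Run on the Connect Sync
# server (ADSync module) with RSAT installed (ActiveDirectory module).
Import-Module ADSync
Import-Module ActiveDirectory

function Get-ConnectSyncVersion {
    # Read DisplayVersion from the uninstall keys rather than Win32_Product (slow,
    # can trigger MSI repairs). Assumption: the product is listed as
    # "Microsoft Azure AD Connect" or "Microsoft Entra Connect Sync"; the anchored
    # regex keeps the Health agent and the "synchronization services" entry out.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Microsoft (Azure AD|Entra) Connect( Sync)?$' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-DomainScaleFigures([string]$Domain) {
    # Upper bound for "objects per domain": every user, group and contact in the
    # domain, whether or not the current OU filter syncs it. Computers are kept out
    # via objectCategory=person (objectClass=user alone would match them too).
    $objects = Get-ADObject -Server $Domain -ResultPageSize 1000 `
        -LDAPFilter '(|(&(objectCategory=person)(objectClass=user))(objectCategory=group)(objectCategory=contact))' |
        Measure-Object | Select-Object -ExpandProperty Count
    # Largest group via the member attribute; the AD module does ranged retrieval,
    # unlike Get-ADGroupMember, which stops at the 5,000 member default.
    $largest = Get-ADGroup -Server $Domain -Filter * -Properties member |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Members = [int]$_.member.Count } } |
        Sort-Object Members -Descending | Select-Object -First 1
    [pscustomobject]@{ Domain = $Domain; Objects = $objects; LargestGroup = $largest.Name; LargestGroupMembers = $largest.Members }
}

function Test-ConnectSyncReadiness {
    param(
        [version]$MinimumVersion = '2.5.79.0',
        [int]$MaxObjectsPerDomain = 150000,
        [int]$MaxGroupMembers = 50000
    )
    $f = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Value, [bool]$Ok, $Note) $f.Add([pscustomobject]@{ Check = $Check; Value = $Value; Ok = $Ok; Note = $Note }) }

    $ver = Get-ConnectSyncVersion
    & $add 'Connect Sync version' $ver ([bool]$ver -and ([version]$ver -ge $MinimumVersion)) "needs >= $MinimumVersion by 2026-09-30 (if empty: Help > About in Synchronization Service Manager)"

    $sched = Get-ADSyncScheduler
    & $add 'Staging mode' $sched.StagingModeEnabled $true 'informational; a staging server needs the upgrade too'

    # Tenant features enabled through Connect Sync. Property names are an assumption
    # based on current builds of Get-ADSyncAADCompanyFeature; verify on yours.
    $feat = Get-ADSyncAADCompanyFeature
    & $add 'Device writeback off' (-not $feat.DeviceWriteback) (-not $feat.DeviceWriteback) 'Cloud Sync has no device writeback (Cloud Kerberos Trust instead)'
    & $add 'Hard-match takeover blocked' ([bool]$feat.BlockCloudObjectTakeoverThroughHardMatch) ([bool]$feat.BlockCloudObjectTakeoverThroughHardMatch) 'existing Connect Sync setting; relevant to the June 2026 hardening'

    # Assumption: out-of-box rules carry an ImmutableTag, admin-created ones do not.
    $custom = @(Get-ADSyncRule | Where-Object { [string]::IsNullOrEmpty($_.ImmutableTag) })
    & $add 'No custom sync rules' $custom.Count ($custom.Count -eq 0) (($custom.Name | Select-Object -First 5) -join '; ')

    # One AD connector per forest, named after the forest (assumption); walk its domains.
    foreach ($c in Get-ADSyncConnector | Where-Object ConnectorTypeName -eq 'AD') {
        foreach ($d in (Get-ADForest -Identity $c.Name).Domains) {
            $s = Get-DomainScaleFigures -Domain $d
            & $add "Objects in $d" $s.Objects ($s.Objects -lt $MaxObjectsPerDomain) "Cloud Sync limit $MaxObjectsPerDomain per domain"
            & $add "Largest group in $d" $s.LargestGroupMembers ($s.LargestGroupMembers -lt $MaxGroupMembers) "$($s.LargestGroup); Cloud Sync limit $MaxGroupMembers members"
        }
    }
    return $f
}

# Usage
$r = Test-ConnectSyncReadiness
$r | Format-Table -AutoSize -Wrap
if ($r.Ok -contains $false) { Write-Warning 'At least one check failed; see the Ok column.' }
```

The object and group counts are deliberately whole-domain figures. If a domain is under both limits as a whole, no OU filter can push it over; if it is over, you still need to count what is actually in scope before deciding between segmenting the migration by OU and waiting for a later wave.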
Conclusion #
Microsoft has officially started the move from Entra Connect Sync to Cloud Sync. The migration runs in phases, begins with the tenants whose requirements Cloud Sync already covers, and will be notified individually starting in July 2026. There is currently no hard shutdown date for Connect Sync.
Two points are decisive in practice. First, the mandatory upgrade to version 2.5.79.0 by September 30, 2026 must be separated from the migration. It affects all Connect Sync installations. Second, Cloud Sync is not yet at feature parity with Connect Sync. Environments with Hybrid Join, device writeback, complex sync rules, or cross-forest dependencies stay on Connect Sync for now. For everyone else, the switch is already possible today.
Sources #
- Microsoft Learn: Migrate from Microsoft Entra Connect to Cloud Sync (Decision Guide)
- Microsoft Learn: Migrate from Microsoft Entra Connect Sync to Cloud Sync FAQ
- Microsoft Learn: Migrating from Microsoft Entra Connect to Microsoft Entra Cloud Sync
- Microsoft Learn: Microsoft Entra releases and announcements (What’s new)
- What’s New in Microsoft Entra: May 2026 (Tech Community)
- Microsoft Learn: What is Microsoft Entra Cloud Sync? (Source of Authority management)
- Microsoft Learn: Configure user Source of Authority (SOA)
- Microsoft Learn: Provision groups to AD DS using Microsoft Entra Cloud Sync