Microsoft Entra Connect
Microsoft Entra Connect (formerly Azure AD Connect) is an on-premises Microsoft application designed to synchronize on-premises directory services, such as Active Directory, with Microsoft Entra ID (formerly Azure Active Directory) to enable hybrid identity management across cloud and on-premises environments.[1] Its primary purpose is to provide organizations with a unified identity for users, allowing seamless access to both local and cloud resources while enhancing productivity, security, and compliance in hybrid setups.[1]
Key features of Microsoft Entra Connect include password hash synchronization, which replicates on-premises Active Directory password hashes to Microsoft Entra ID for consistent authentication; pass-through authentication, enabling users to sign in to cloud services using the same passwords without requiring federated infrastructure; and integration with federation services like Active Directory Federation Services (AD FS) for advanced scenarios.[1] It also supports comprehensive synchronization of user, group, and device data between directories, along with Microsoft Entra Connect Health for real-time monitoring and troubleshooting of sync operations and agent health.[1]
Microsoft Entra Connect evolved from earlier synchronization tools like DirSync and Azure AD Sync, serving as their successor to address growing hybrid identity needs.[1] Version 1 of the tool was retired on August 31, 2022, with Microsoft recommending upgrades to version 2, which incorporates updated components and ongoing enhancements while maintaining core functionality.[2] Looking forward, Microsoft is promoting Microsoft Entra Cloud Sync as a lightweight, cloud-based alternative to replace traditional on-premises sync agents for simpler hybrid deployments.[1]
Overview
History and Rebranding
Microsoft Entra Connect originated from earlier tools designed to synchronize on-premises Active Directory with cloud-based identity services. Its predecessor, DirSync, was introduced in 2011 primarily to enable federation between on-premises Active Directory and Office 365, facilitating directory synchronization for single sign-on scenarios.[3] In September 2014, Microsoft released Azure AD Sync as an enhanced tool, expanding beyond federation to support broader hybrid identity synchronization, including password hash synchronization across multiple Active Directory forests.[4] This marked a shift toward comprehensive hybrid identity management, emphasizing seamless integration between on-premises environments and Azure Active Directory (Azure AD).[3]
Azure AD Sync evolved into Azure AD Connect with the release of version 1.0 in June 2015, introducing a unified wizard for configuration and support for advanced features like seamless single sign-on.[5] Key milestones followed: version 1.1.371.0 in December 2016 introduced Pass-through Authentication, allowing direct validation of user credentials against on-premises domain controllers without storing hashes in the cloud.[4] In 2020, Microsoft launched the cloud provisioning agent (now part of Microsoft Entra Cloud Sync) in general availability, enabling lightweight, agent-based synchronization for scenarios with multiple forests or restricted connectivity.[6]
In July 2023, as part of a broader rebranding of Microsoft's identity portfolio, Azure AD was renamed Microsoft Entra ID, and Azure AD Connect became Microsoft Entra Connect to align with the Microsoft Entra suite focused on secure access and hybrid identity.[7] This rebranding did not alter core functionality but unified terminology across products.[8]
Recent developments in 2025 include hardening enhancements effective April 7, requiring upgrades to version 2.4.18.0 or later to address security improvements in authentication and synchronization processes, preventing potential disruptions.[9] In September 2025, Microsoft released a dedicated first-party resource application in general availability, simplifying Active Directory to Microsoft Entra ID synchronization for both Microsoft Entra Connect Sync and Cloud Sync deployments.[10] In October 2025, Microsoft announced general availability for converting the Source of Authority of synced on-premises Active Directory groups to cloud groups using Connect Sync or Cloud Sync, along with a public preview for cloud-managed remote mailboxes to support gradual reduction of on-premises dependencies.[10]
Core Purpose and Functionality
Microsoft Entra Connect serves as an on-premises synchronization tool designed to integrate on-premises Active Directory (AD) with Microsoft Entra ID, enabling organizations to manage hybrid identities across both environments. Its primary function is the bidirectional synchronization of directory objects, including users, groups, and devices, between an on-premises AD and a cloud-based Microsoft Entra ID tenant. This synchronization ensures that identity data remains consistent, allowing users to access resources seamlessly using the same credentials, while also supporting the import of password hashes to facilitate secure authentication without requiring users to maintain separate passwords.[1]
In the context of hybrid identity management, Microsoft Entra Connect facilitates key capabilities such as single sign-on (SSO), password hash synchronization, pass-through authentication, and integration with federation services like Active Directory Federation Services (AD FS). It also supports device writeback, which allows cloud-registered devices to be synchronized back to on-premises AD for centralized management. These features enable organizations to extend on-premises identity infrastructure to the cloud, supporting scenarios where users access both local applications and cloud services like Microsoft 365 without compromising security or user experience.[1]
The tool supports various deployment topologies, including single forest/single tenant configurations for straightforward environments, multiple forests consolidated into a single Microsoft Entra ID tenant for complex organizations, and staged rollouts to test synchronization in production without disrupting existing setups. Prerequisites for implementation include an operational on-premises AD environment, a provisioned Microsoft Entra ID tenant, and a SQL Server instance—either the bundled SQL Server 2019 Express LocalDB for smaller deployments or a full SQL Server for larger-scale operations—to store synchronization metadata.[11][12]
At a high level, the architecture of Microsoft Entra Connect revolves around its synchronization engine, which comprises connectors for interfacing with AD and Microsoft Entra ID, a provisioning component to handle object creation and updates, and a metaverse that serves as a centralized repository for normalized identity data from disparate sources. This engine processes changes delta-style, exporting updates to both directories to maintain synchronization without full rescans, thereby optimizing performance in hybrid setups. Evolving from earlier tools like DirSync, Microsoft Entra Connect provides a more robust framework for modern hybrid identity needs.[13][1]
Installation and Setup
Express Configuration
The Express Configuration option in Microsoft Entra Connect provides a streamlined, wizard-based installation process designed for straightforward hybrid identity setups in single-forest Active Directory Domain Services (AD DS) environments. This automated approach uses predefined synchronization rules to enable common features such as user and group synchronization, typically with password hash synchronization (PHS) as the default authentication method. It is particularly suited for organizations seeking a quick deployment without extensive customization, assuming a standard topology where Microsoft Entra Connect is installed on a dedicated member server.[14]
To begin the setup, administrators download the Microsoft Entra Connect installer (AzureADConnect.msi) from the official Microsoft portal and run it on a supported Windows Server with local administrator privileges. The wizard launches upon execution, prompting agreement to the license terms, followed by selection of the "Use express settings" option. Next, users sign in with a Hybrid Identity Administrator account for Microsoft Entra ID, providing global administrator credentials to authorize the connection. Enterprise Administrator credentials for the AD DS forest are then entered to grant necessary permissions for reading and writing directory objects. The wizard verifies the provided domains and proceeds to installation, which includes enabling PHS by default and optionally configuring Exchange hybrid deployment if selected. Administrators can choose to delay the initial synchronization cycle to allow for post-install adjustments, such as basic filtering, before completing the process by signing out and back in to access management tools.[14]
By default, Express Configuration synchronizes all users, groups, and contacts from a single AD forest without requiring manual organizational unit (OU) selection, applying basic filtering to exclude built-in and system groups for optimal performance. It relies on the included SQL Server Express LocalDB for the synchronization database, eliminating the need for a separate SQL instance in simple deployments. This setup ensures seamless integration for standard scenarios, such as syncing user identities and group memberships to Microsoft Entra ID, while supporting features like device writeback if prerequisites are met.[14]
However, Express Configuration is limited to single-forest environments and does not support complex topologies, such as multiple forests or intricate filtering rules, making it unsuitable for advanced hybrid setups. It assumes the use of SQL Express, which may not scale for high-volume synchronization needs, and lacks options for custom authentication methods beyond PHS during initial installation.[14]
Following installation, verification involves launching the Synchronization Service Manager tool, accessible after signing out and back in, to review the initial synchronization status, export operations, and connector configurations. This step confirms that the full import and sync cycles have completed successfully, with logs indicating any errors in object synchronization from AD DS to Microsoft Entra ID.[14]
Custom Configuration
Custom configuration of Microsoft Entra Connect is utilized in complex hybrid identity deployments, such as multi-forest environments, scenarios requiring filtered synchronization, or those involving custom attribute mappings, where the automated express settings cannot accommodate specific organizational needs.[15] This approach allows administrators to tailor the synchronization engine to precise requirements, ensuring only relevant objects and attributes are processed while supporting advanced topologies like account-resource forest separations.[11] In multi-forest setups, for instance, all forests must be accessible from a single domain-joined Microsoft Entra Connect Sync server, with user consolidation achieved through matching attributes such as the primary SMTP address or ObjectSID to represent each user uniquely in Microsoft Entra ID.[11][15]
Prior to initiating a custom installation, administrators must perform prerequisite checks, including verifying that the Active Directory schema version is Windows Server 2003 or later, enabling the Active Directory Recycle Bin (recommended), and ensuring domain controllers are writable.[12] The server hosting Microsoft Entra Connect must run Windows Server 2016, 2019, or 2022 (Windows Server 2025 not supported due to compatibility issues) with the full graphical user interface, .NET Framework 4.6.2 or later, and PowerShell execution policy set to RemoteSigned.[12]
Hardware specifications scale with the number of synchronized objects, as outlined below:
| Objects in AD | CPU | RAM | Hard Drive |
|---|---|---|---|
| <10,000 | 1.6 GHz | 6 GB | 70 GB |
| 10,000–50,000 | 1.6 GHz | 6 GB | 70 GB |
| 50,000–100,000 | 1.6 GHz | 16 GB | 100 GB |
| 100,000–300,000 | 1.6 GHz | 32 GB | 300 GB |
| 300,000–600,000 | 1.6 GHz | 32 GB | 450 GB |
| >600,000 | 1.6 GHz | 32 GB | 500 GB |
cloudFiltered attribute to true based on values like an extension attribute indicating "NoSync."[17] For custom attribute mappings and metaverse join rules, the installation supports defining the sourceAnchor (typically immutableId derived from objectGUID) and alternateId for userPrincipalName matching, with post-installation adjustments possible using the Synchronization Rules Editor to create inbound and outbound rules for connector-to-metaverse joins, such as linking accounts across forests via msExchMasterAccountSID.[15][17] Connector configurations are tailored during directory addition, allowing specification of credentials, filtering options, and topology details like full-mesh trusts for multi-forest scenarios.[11]
Staging server setup facilitates testing without impacting production synchronization; during custom installation, enable staging mode to allow the server to perform imports and delta synchronizations but halt exports to Microsoft Entra ID.[18] This mode is ideal for validating configuration changes, such as filtered sync rules or custom mappings, by running full imports on connectors and using tools like csexport to preview export files before disabling staging mode on the primary server.[18] In disaster recovery, the staging server can mirror the production configuration, including OU filters and attribute exclusions, to enable rapid failover by switching roles and resuming password synchronization from the last checkpoint.[18]
Synchronization and Features
Synchronization Process
The synchronization process in Microsoft Entra Connect Sync facilitates the bidirectional flow of identity data between on-premises Active Directory Domain Services (AD DS) and Microsoft Entra ID, ensuring consistency across hybrid environments. This process operates through a series of stages—import, synchronization, and export—that handle object creation, updates, and deletions. Initially, a full synchronization cycle imports and exports all objects and attributes from connected data sources to establish a baseline. Subsequent cycles use delta synchronization, which processes only changes detected since the last run, occurring every 30 minutes by default to minimize resource usage and network traffic.[19][13]
Central to this process are key components that manage data movement and integration. The AD Connector imports data from on-premises AD DS into a staging area called the connector space, using anchors like objectGUID for object identification. The Entra ID Connector similarly handles imports from and exports to the cloud directory. The Metaverse serves as a centralized repository that joins and aggregates identities from multiple connector spaces, creating a unified view without allowing direct modifications—changes propagate through attribute flows instead. Complementing these, the Provisioning Engine automates the creation or deletion of objects in target directories based on synchronization rules, ensuring that provisioning and deprovisioning actions align with business policies.[13][20]
The rules engine governs how attributes are transformed and flowed during synchronization, using declarative inbound and outbound rules to define mappings. Inbound rules update the Metaverse from connector spaces, while outbound rules prepare data for export back to the connectors. For instance, the userPrincipalName attribute may be mapped from on-premises sources to the cloud via these rules, with transformations applied to meet Entra ID requirements. These rules prioritize efficiency by evaluating precedence, such as favoring joins over new creations to avoid duplicates.[20][13]
Conflict resolution during synchronization employs a structured approach to handle discrepancies between data sources. The system first attempts a join operation, linking a new object to an existing one in the Metaverse using hard matches on anchors or soft matches on attributes like mail or proxyAddresses. If no match is found, it proceeds to create a new object, with join rules taking precedence to maintain data integrity. This mechanism supports soft-match joining on attributes such as mail to connect pre-existing cloud identities with on-premises ones during initial setups.[13][20]
Monitoring the synchronization process relies on built-in tools for visibility and troubleshooting. The Synchronization Service Manager provides a graphical interface to view cycle status, inspect connector spaces, and review errors from recent runs. Event Viewer logs detailed events from the Microsoft Entra Connect Sync service, capturing import/export outcomes, rule executions, and any failures for diagnostic purposes. These tools enable administrators to track delta sync intervals and intervene if a full sync is needed after prolonged issues.[13]
Authentication Options
Microsoft Entra Connect provides several authentication options to enable hybrid identity scenarios, allowing users to sign in to both on-premises and cloud-based applications using the same credentials. These options integrate on-premises Active Directory (AD) with Microsoft Entra ID, supporting seamless single sign-on (SSO) and policy enforcement. The primary methods include password hash synchronization, pass-through authentication, and federation, each suited to different organizational needs based on infrastructure, security requirements, and complexity.[21]
Password Hash Synchronization (PHS) synchronizes hashed passwords from on-premises Active Directory to Microsoft Entra ID, enabling cloud authentication without storing full passwords in the cloud. When a user signs in to a Microsoft Entra ID-integrated application, the service validates the password against the synchronized hash. This method requires no additional on-premises infrastructure beyond the Entra Connect server itself and supports features like Microsoft Entra ID Protection for risk-based conditional access. PHS is irreversible once enabled for a domain, converting it from federated to managed authentication.[22][23]
Pass-through Authentication (PTA) deploys lightweight agents on on-premises Windows servers to validate user passwords directly against Active Directory in real time during sign-in attempts. Unlike PHS, PTA does not store password hashes in Microsoft Entra ID, ensuring immediate enforcement of on-premises policies such as account lockouts, sign-in hours, or disabled status. Agents communicate outbound to Microsoft Entra ID over HTTPS, with high availability achieved by installing multiple agents across domain controllers or member servers. PTA integrates with Seamless SSO for Kerberos-based authentication on corporate networks and requires no inbound ports on the firewall.[24][23]
Federation with Active Directory Federation Services (AD FS) enables SAML-based single sign-on by establishing a trust relationship between on-premises AD FS and Microsoft Entra ID. Entra Connect simplifies setup by configuring the federation automatically during installation, converting domains to federated and redirecting authentication requests to the AD FS farm. This option supports advanced scenarios, including custom authentication logic, third-party multifactor authentication (MFA), or claims-based access control. An AD FS deployment typically requires at least two federation servers and web application proxies for high availability, along with a valid TLS/SSL certificate. Seamless SSO can be enabled alongside federation for intranet access.[25]
Organizations select authentication options based on factors such as deployment simplicity, security posture, and existing infrastructure. PHS is recommended for most scenarios due to its low maintenance and native support for Microsoft Entra security features, avoiding the need for additional servers. PTA suits environments requiring strict on-premises password policy enforcement without federation overhead, offering a balance of security and ease. Federation with AD FS is ideal for complex setups with legacy investments or non-Microsoft MFA needs, though it demands more resources and management. All options require synchronization prerequisites like domain-joined Entra Connect servers to function effectively.[23][21]
Upgrades and Maintenance
Version History and Upgrades
Microsoft Entra Connect underwent significant evolution following its rebranding from Azure AD Connect in July 2023, with version releases focusing on improved synchronization reliability, security enhancements, and compatibility with modern authentication standards.[7] The progression of versions from 2.2 onward has emphasized hardening against vulnerabilities, expanding attribute support, and integrating new features like modern authentication in public preview. Key releases are summarized in the following table, highlighting major updates and their release dates. As of November 15, 2025, versions with support ending on or before this date (e.g., all 2.3.x and 2.4.18.0, 2.4.21.0) are retired, requiring immediate upgrades to avoid disruptions. Microsoft enforces a retirement policy providing 12 months of support after a newer version's release (effective March 15, 2023), with synchronization services halting entirely on September 30, 2026, for installations not upgraded to 2.5.79.0 or later.[2]
| Version | Release Date | Support End Date | Key Features and Changes |
|---|---|---|---|
| 2.2.1.0 | June 19, 2023 | Retired | Enabled auto-upgrades for custom synchronization rules; introduced Agent Updater service for seamless maintenance; removed WebService Connector Config; improved accessibility; updated employeeType attribute flow.[2] |
| 2.2.8.0 | October 11, 2023 | Retired | Added onPremisesObjectIdentifier attribute; upgraded to .NET Framework 4.7.1; fixed group deprovisioning issues; improved upgrade process.[2] |
| 2.3.2.0 | December 12, 2023 | April 30, 2025 (retired) | Introduced application scaling for accessibility; decommissioned Group Writeback V2; updated SQL drivers and health agent to 4.5.2428.0 for better performance; fixed DSSO bug for Azure China.[2] |
| 2.3.6.0 | February 21, 2024 | April 30, 2025 (retired) | Improved auto-upgrade detection for OS/.NET requirements.[2] |
| 2.3.8.0 | April 1, 2024 | April 30, 2025 (retired) | Updated health agent to 4.5.2466.0 for endpoint discovery.[2] |
| 2.3.20.0 | July 15, 2024 | April 30, 2025 (retired) | Mandated TLS 1.2 enforcement; enhanced Self-Service Password Reset (SSPR) handling; updated SQL drivers (ODBC 17.10.6, OLE DB 18.7.2); improved accessibility.[2] |
| 2.4.18.0 | October 7, 2024 | October 9, 2025 (retired) | Added onPremisesObjectIdentifier synchronization rule; decommissioned schema validation and /enableldap switch; replaced MSOnline PowerShell references with Microsoft Graph API; requires .NET 4.7.2; removed password requirement for Microsoft Entra ID connection; introduced registry key for custom rule precedence; fixed various wizard and sync issues.[2] |
| 2.4.21.0 | October 9, 2024 | November 15, 2025 (retired) | Resolved authentication issues with non-commercial clouds.[2] |
| 2.4.27.0 | November 14, 2024 | January 15, 2026 | Updated SQL drivers to OLE DB 18.7.4; improved PIM role verification; fixed AD FS command failures on non-ADFS servers.[2] |
| 2.4.129.0 | January 15, 2025 | March 27, 2026 | Fixed SSPR configuration removal; improved role validation with PIM; resolved AD FS federation errors.[2] |
| 2.4.131.0 | March 27, 2025 | May 26, 2026 | Removed SchUseStrongCrypto registry check; enabled for auto-upgrade until April 15, 2025.[2] |
| 2.5.3.0 | May 27, 2025 | July 31, 2026 | Introduced modern authentication support (public preview); updated Microsoft Entra Connect Health agent to version 4.5.2520.0; moved downloads to Azure portal; required admin credentials for staging mode/SSPR via PowerShell.[2] |
| 2.5.76.0 | July 31, 2025 | January 9, 2026 | Resolved child OU selection issues in multi-domain scenarios; fixed Azure MFA vs. ADFS MFA prompt; ensured auto-upgrade with missing agent identifiers; fixed DirSync status mismatch error. Auto-upgrade starts August 14, 2025, in phases.[2] |
| 2.5.79.0 | September 1, 2025 | N/A (current) | Improved Application-Based Authentication setup with TPM-backed certificates; automatic certificate removal on failure; resolved FIPS-enabled server setup failures; fixed certificate auto-rotation status reporting; removed inappropriate admin audit events. Auto-upgrade starts September 4, 2025, in phases. Mandatory upgrade to this or later by September 30, 2026, to avoid service disruption.[2] |
Automatic Upgrade Mechanisms
Microsoft Entra Connect includes a built-in automatic upgrade mechanism designed to ensure seamless updates to minor versions without user intervention, provided the installation meets specific eligibility criteria. This feature is enabled by default for versions 1.1.105.0 and later, particularly those using Express settings or upgraded from DirSync, and it regularly checks for available updates via Microsoft Entra Connect Health.[2][26] Eligibility further requires the use of SQL Express LocalDB, fewer than 100,000 objects in the metaverse, the default MSOL_AD service account, TLS 1.2 or higher, and no custom synchronization rules prior to version 2.2.1.0; installations exceeding these parameters, such as those with custom SQL setups or large-scale deployments, are ineligible and necessitate manual upgrades.[26]
The upgrade process operates in the background to minimize disruption: it downloads the new version package after validating its digital signature, then installs it during a period of low activity, with upgrades staggered randomly after release to avoid widespread simultaneous impacts.[26] If the installation fails—due to compatibility issues or other errors—the system automatically rolls back to the previous version, logging the event as "UpgradeFailedRollbackSuccess" in the Application event log.[26] This mechanism applies only to minor version updates; major version transitions, such as from 1.x to 2.x, require manual intervention to ensure stability.[26]
In 2025, Microsoft implemented phased automatic upgrades for version 2.5.76.0, beginning on August 14 and rolling out in stages to eligible installations, followed by version 2.5.79.0 starting September 4.[2] Additionally, under the Modern Lifecycle Policy, environments running versions 2.3.2.0, 2.3.6.0, 2.3.8.0, or 2.3.20.0 faced a mandatory upgrade deadline of April 30, 2025, to version 2.4.18.0 or later for compatibility with updated security features and the configuration wizard.[2][27]
Administrators can control the automatic upgrade feature using the PowerShell cmdlet Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled to turn it off, or Enabled to reactivate it, with the current state queryable via Get-ADSyncAutoUpgrade.[26] Upgrade notifications and status details, including event IDs 300-399, are recorded in the Windows Application event log under the "Microsoft Entra Connect Upgrade" source, allowing monitoring without reliance on the Microsoft Entra admin center.[26] Limitations persist for non-standard configurations, such as custom SQL databases or those with disabled health data upload, where automatic upgrades are unavailable and manual processes must be followed per version prerequisites.[26][2]
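The upgrade events described above can be summarized to show whether the most recent automatic upgrade attempt ended in a rollback. This is an added example, not Microsoft's code: the function name Get-UpgradeEventSummary and the sample records are constructed, while the source name, ID range and result string are the ones given in the text.

```powershell
# Added example, not Microsoft's code. The source name, the 300-399 ID range and
# the UpgradeFailedRollbackSuccess result string are the ones given in the text.
function Get-UpgradeEventSummary {
    [CmdletBinding()]
    param(
        # Records shaped like Get-WinEvent output: Id, ProviderName, TimeCreated, Message
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]] $Record,
        [string] $Source = 'Microsoft Entra Connect Upgrade'
    )
    begin { $kept = [System.Collections.Generic.List[psobject]]::new() }
    process {
        foreach ($r in $Record) {
            # Keep only upgrade events; unrelated Application-log entries are dropped
            if ($r.ProviderName -eq $Source -and $r.Id -ge 300 -and $r.Id -le 399) {
                $kept.Add($r)
            }
        }
    }
    end {
        $sorted    = @($kept | Sort-Object TimeCreated)
        $rollbacks = @($sorted | Where-Object { $_.Message -match 'UpgradeFailedRollbackSuccess' })
        $last      = if ($sorted.Count) { $sorted[-1] } else { $null }
        [pscustomobject]@{
            UpgradeEvents = $sorted.Count
            LastEventTime = if ($last) { $last.TimeCreated } else { $null }
            Rollbacks     = $rollbacks.Count
            # True when the newest upgrade event is itself a rollback, meaning the
            # server is still on the previous build after the last attempt
            LastAttemptRolledBack = [bool]($last -and $last.Message -match 'UpgradeFailedRollbackSuccess')
        }
    }
}

# Constructed sample records (IDs and message wording are illustrative only)
$sample = @(
    [pscustomobject]@{ Id = 300; ProviderName = 'Microsoft Entra Connect Upgrade'
                       TimeCreated = [datetime]'2025-08-20T02:10:00'
                       Message = 'Constructed sample: upgrade attempt started' }
    [pscustomobject]@{ Id = 305; ProviderName = 'Microsoft Entra Connect Upgrade'
                       TimeCreated = [datetime]'2025-08-20T02:31:00'
                       Message = 'Constructed sample: result UpgradeFailedRollbackSuccess' }
    [pscustomobject]@{ Id = 1000; ProviderName = 'Application Error'
                       TimeCreated = [datetime]'2025-08-21T09:00:00'
                       Message = 'Constructed sample: unrelated event' }
)
$sample | Get-UpgradeEventSummary

# On a sync server, feed the same function from the live log:
# Get-ADSyncAutoUpgrade
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'
#     ProviderName = 'Microsoft Entra Connect Upgrade' } | Get-UpgradeEventSummary
```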
Advanced Usage and Integration
PowerShell Integration
Microsoft Entra Connect provides PowerShell integration through dedicated modules that enable administrators to manage synchronization services, configure features, and automate tasks without relying on the graphical user interface. The primary module, ADSync, is installed automatically with Microsoft Entra Connect and offers cmdlets for controlling sync cycles and scheduler settings.[28] An additional module, ADSyncTools, can be installed separately via the PowerShell Gallery using Install-Module -Name ADSyncTools to access advanced tools for object management and exports.[29]
Common cmdlets in the ADSync module include Get-ADSyncScheduler, which retrieves the current synchronization scheduler configuration, such as cycle status and intervals, allowing administrators to monitor ongoing operations.[28] For initiating synchronization, Start-ADSyncSyncCycle triggers a delta or initial sync cycle, with parameters like -PolicyType Delta to specify the type, useful for testing changes without full exports.[28] Feature toggles, such as enabling or disabling password hash synchronization, can be managed through related cmdlets like those in the sync service configuration, though direct toggles often integrate with broader setup scripts.[22]
Advanced scripting capabilities extend to custom rule exports and bulk operations via the ADSyncTools module. For instance, Export-ADSyncToolsAadDisconnectors exports Microsoft Entra disconnector objects to CSV format, facilitating analysis of unsynchronized items by attributes like UserPrincipalName or SourceAnchor, which supports custom rule development and validation.[29] Bulk attribute updates are handled by cmdlets such as Set-ADSyncToolsMsDsConsistencyGuid, which applies source anchor changes to multiple Active Directory objects in a single operation, ensuring consistency across hybrid environments.[29]
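Before a first synchronization, exported object lists can be used to preview the join order described under Synchronization Process: hard match on the anchor, then soft match on mail or proxyAddresses, otherwise a new object. This is an added example, not Microsoft's code or the sync engine's actual rule set; the function names, the input property names and the sample objects are assumptions, and the soft-match step is a simplified model that compares every SMTP address.

```powershell
# Added example, not Microsoft's code: a simplified model of the join order
# (hard match on the anchor, then soft match on an SMTP address, else new object).
function ConvertTo-SourceAnchor {
    param([Parameter(Mandatory)][guid] $ObjectGuid)
    # immutableId form of objectGUID: Base64 of the GUID's 16 bytes
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-SmtpAddress {
    param([Parameter(Mandatory)] $Entry)
    # mail plus every smtp-typed proxyAddresses value, prefix removed, lower-cased
    $values = @($Entry.Mail) + @($Entry.ProxyAddresses |
        Where-Object { $_ -match '^smtp:' } |
        ForEach-Object { $_ -replace '^smtp:', '' })
    $values | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
}

function Get-JoinPrediction {
    param(
        [Parameter(Mandatory)][object[]] $OnPrem,   # ObjectGuid, SamAccountName, Mail, ProxyAddresses
        [Parameter(Mandatory)][object[]] $Cloud     # UserPrincipalName, ImmutableId, Mail, ProxyAddresses
    )
    # Base64 anchors are case-sensitive, so use an ordinal dictionary, not @{}
    $byAnchor  = [System.Collections.Generic.Dictionary[string,object]]::new([System.StringComparer]::Ordinal)
    $byAddress = [System.Collections.Generic.Dictionary[string,object]]::new([System.StringComparer]::Ordinal)
    foreach ($c in $Cloud) {
        if ($c.ImmutableId) { $byAnchor[$c.ImmutableId] = $c }
        else {
            # Only cloud objects without an anchor are candidates for a soft match
            foreach ($a in (Get-SmtpAddress $c)) { $byAddress[$a] = $c }
        }
    }
    foreach ($u in $OnPrem) {
        $anchor = ConvertTo-SourceAnchor $u.ObjectGuid
        $result = 'NewObject'; $target = $null; $via = $null
        if ($byAnchor.ContainsKey($anchor)) {
            $result = 'HardMatch'; $target = $byAnchor[$anchor]; $via = 'sourceAnchor'
        } else {
            foreach ($a in (Get-SmtpAddress $u)) {
                if ($byAddress.ContainsKey($a)) {
                    $result = 'SoftMatch'; $target = $byAddress[$a]; $via = $a
                    break
                }
            }
        }
        [pscustomobject]@{
            OnPremUser = $u.SamAccountName
            Result     = $result
            MatchedOn  = $via
            CloudUser  = if ($target) { $target.UserPrincipalName } else { $null }
        }
    }
}

# Constructed sample data (GUIDs, names and the contoso.example domain are made up)
$g1 = [guid]'11111111-1111-1111-1111-111111111111'
$g2 = [guid]'22222222-2222-2222-2222-222222222222'
$g3 = [guid]'33333333-3333-3333-3333-333333333333'
$onPrem = @(
    [pscustomobject]@{ SamAccountName = 'alice'; ObjectGuid = $g1; Mail = 'alice@contoso.example'
                       ProxyAddresses = @('SMTP:alice@contoso.example') }
    [pscustomobject]@{ SamAccountName = 'bob'; ObjectGuid = $g2; Mail = 'Bob@contoso.example'
                       ProxyAddresses = @('SMTP:bob@contoso.example') }
    [pscustomobject]@{ SamAccountName = 'carol'; ObjectGuid = $g3; Mail = 'carol@contoso.example'
                       ProxyAddresses = @() }
)
$cloud = @(
    # Already synchronized: carries the anchor derived from alice's objectGUID
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'
                       ImmutableId = (ConvertTo-SourceAnchor $g1); Mail = 'alice@contoso.example' }
    # Pre-existing cloud-only identity with no anchor yet
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'
                       ImmutableId = $null; Mail = 'bob@contoso.example' }
)
Get-JoinPrediction -OnPrem $onPrem -Cloud $cloud | Format-Table -AutoSize
```

Rows reported as SoftMatch are the ones to review before the first export, since they attach an on-premises account to a cloud identity that was created independently.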
Key use cases for PowerShell integration include automating staging mode tests, where scripts can toggle staging via registry modifications or integrated cmdlets to preview configurations without affecting production syncs.[18] Monitoring sync errors involves querying scheduler status with Get-ADSyncScheduler and reviewing run history through event logs or cycle statistics to detect failures proactively.[28] Integration with Azure Automation allows scheduling these scripts as runbooks, enabling unattended operations like periodic sync triggers or error reporting to Azure Monitor.
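Because a staging server imports and synchronizes but does not export, a pair of sync servers should have exactly one member with staging mode off. The check below is an added example, not Microsoft's code: Test-SyncTopology and the sample snapshots are constructed, and the input objects are assumed to carry the properties returned by Get-ADSyncScheduler plus the PSComputerName property that Invoke-Command adds.

```powershell
# Added example, not Microsoft's code. Input objects carry the properties that
# Get-ADSyncScheduler returns, plus PSComputerName as added by Invoke-Command.
function Test-SyncTopology {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]] $Scheduler,
        # Default delta-sync interval stated in the article
        [timespan] $ExpectedInterval = '00:30:00'
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($s in $Scheduler) {
        $name = $s.PSComputerName
        if (-not $s.SyncCycleEnabled) { $findings.Add(('{0}: scheduler is disabled' -f $name)) }
        if ($s.SchedulerSuspended)    { $findings.Add(('{0}: scheduler is suspended' -f $name)) }
        if ($s.CurrentlyEffectiveSyncCycleInterval -gt $ExpectedInterval) {
            $findings.Add(('{0}: cycle interval {1} exceeds {2}' -f `
                $name, $s.CurrentlyEffectiveSyncCycleInterval, $ExpectedInterval))
        }
    }
    # Exactly one server should be active (staging mode off) and exporting
    $active = @($Scheduler | Where-Object { -not $_.StagingModeEnabled })
    if ($active.Count -eq 0) {
        $findings.Add('No active server: every server is in staging mode, nothing is exported')
    }
    if ($active.Count -gt 1) {
        $findings.Add(('Multiple active servers: {0}' -f ($active.PSComputerName -join ', ')))
    }
    [pscustomobject]@{
        ActiveServer = $active.PSComputerName
        Findings     = $findings.ToArray()
        Healthy      = ($findings.Count -eq 0)
    }
}

# Constructed snapshots: SYNC02 was switched to active during a failover test
# and never returned to staging mode, and its interval was lengthened.
$snapshots = @(
    [pscustomobject]@{ PSComputerName = 'SYNC01'; SyncCycleEnabled = $true
                       SchedulerSuspended = $false; StagingModeEnabled = $false
                       CurrentlyEffectiveSyncCycleInterval = [timespan]'00:30:00' }
    [pscustomobject]@{ PSComputerName = 'SYNC02'; SyncCycleEnabled = $true
                       SchedulerSuspended = $false; StagingModeEnabled = $false
                       CurrentlyEffectiveSyncCycleInterval = [timespan]'02:00:00' }
)
Test-SyncTopology -Scheduler $snapshots

# Against real servers (server names are placeholders):
# $live = Invoke-Command -ComputerName SYNC01, SYNC02 -ScriptBlock { Get-ADSyncScheduler }
# Test-SyncTopology -Scheduler $live
```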
As of 2025, enhancements include new cmdlets for pass-through authentication (PTA) agent management, such as Get-PassthroughAuthenticationEnablementStatus to check agent status and Disable-PassthroughAuthentication for configuration adjustments.[30] For cloud sync configurations, the Microsoft.CloudSync.PowerShell module provides cmdlets like Connect-AADCloudSyncAzureAD for authentication, Add-AADCloudSyncGMSA for group managed service account setup, and Add-AADCloudSyncADDomain for domain integration, streamlining hybrid provisioning deployments.[31]
These tools build on the core synchronization process by providing programmatic control, allowing for scalable hybrid identity management.[28]

```powershell
# Example: Trigger a delta sync cycle
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```