Wish to sync your on-prem Lively Listing with Microsoft Entra ID? Then, you may have two synchronization instruments to select from: Microsoft Entra Join Sync and Cloud Sync.
Each instruments can sync your customers and passwords to the cloud, however there are some large variations between the 2 in terms of how they’re managed and what their capabilities are.
On this article, we’ll take a look at the distinction between the 2 instruments, and extra importantly, clarify when to decide on one over the opposite.
What’s Microsoft Entra Join
Earlier than we’re going to take a look at the variations between the 2 options, let’s first check out what they’ve in frequent.
Microsoft Entra Join, previously Azure AD Join, is the long-standing id synchronization device from Microsoft. It’s extremely customizable, supporting complicated eventualities akin to multi-forest AD environments, superior attribute filtering, and integration with federation companies.
Entra Join is put in on a website member server and runs the total sync engine regionally. This implies it’s able to dealing with giant environments however can use numerous assets, relying in your setting measurement. To retailer the synchronization knowledge, it would want an SQL database. This is usually a LocalDB or a full SQL Server, relying on scale
What’s Microsoft Entra Cloud Sync
Microsoft Entra Cloud Sync is the newer, cloud-based sync answer for hybrid environments. Not like Entra Join, which requires a full on-premises utility, Cloud Sync makes use of light-weight provisioning brokers put in on-premises to deal with synchronization duties. The agent communicates with Microsoft’s cloud provisioning service, which handles the sync logic.
Whereas it lacks a few of Entra Join’s superior options, akin to system synchronization, it gives quicker sync cycles, excessive availability choices, and it reduces on-prem overhead, making it interesting for organizations prioritizing simplicity and scalability.
What Do They Have in Frequent
Each instruments cowl the fundamentals of id synchronization. Right here’s what they each provide:
- Single and A number of AD forests
- Sync customers, teams, and contacts
- Password hash synchronization
- Filtering by OU or group
- Attribute filtering (Cloud Sync is a bit restricted)
- Password writeback
- Seamless Single Signal-On
- Alternate Hybrid Writeback
Variations Between Entra Join and Cloud Sync
Whereas each instruments appear to supply comparable options, their structure, capabilities, and administration fashions differ. Let’s check out these variations:
Native Engine vs Cloud Agent
One of many large variations between the 2 instruments is the place they run and the way they’re managed. Entra Join makes use of an area sync engine. This implies that you will want to put in it on a website server, and it makes use of an area SQL database to retailer the configuration and synchronization knowledge.
Cloud Sync, then again, makes use of a light-weight agent that merely forwards the listing adjustments to Microsoft’s cloud-based provisioning service. As a result of the administration and configuration are achieved within the cloud, you’ll be able to deploy a number of brokers for prime availability.
These variations have an effect on a couple of key areas:
- Entra Join can deal with bigger environments. (Cloud Sync is restricted to 150,000 objects per AD Area)
- Entra Join is stateful, that means it requires patching, backups, and full monitoring.
- Cloud Sync is stateless
- Cloud Sync permits you to set up a number of brokers for prime availability
Configuration and Administration
As already talked about, Cloud Sync is managed by means of Microsoft Entra, whereas Join Sync is managed regionally. However there may be extra to that. Entra Join Sync provides you a bit extra management in terms of filtering and creating customized guidelines.
With Cloud Sync, you’ll be able to solely filter on OU or Group degree. It’s, for instance,e not attainable to filter on objects’ attribute values.
One other essential distinction is the superior customization for attribute flows. With Entra Join, you’ll be able to totally customise the attribute flows. This permits you, for instance,e to map the extensionAttribute5 to a unique Entra ID discipline. Or you’ll be able to even mix two attributes into one synced worth.
Cloud Sync, then again, solely helps primary attribute mapping. You’ll be able to solely map fields one-to-one and have some gentle filtering choices.
Gadget Synchronization
An essential distinction between the Entra Join and Cloud Sync is the Gadget Sync capabilities. With system synchronization, pc objects from the Lively Listing are synced to Entra ID. This lets you use cloud-based conditional entry insurance policies, use SSO to Microsoft 365 and different cloud apps, and consider and management the gadgets in each environments.
In addition to system sync, the place gadgets from the AD are synced to Entra ID, we even have Gadget Writeback. This permits gadgets which can be registered in Microsoft Entra ID to be written again to your on-prem Lively Listing.
Now, each options are solely supported in Microsoft Entra Join. Gadget sync is supported with out further license necessities, however for system writeback, you have to not less than Entra ID P1.
Group Writeback
For a very long time, Group Writeback was solely supported in Microsoft Entra Join. However as of June 30, 2024, this characteristic is now not supported. If you have already got it up and working, then it in all probability will nonetheless work, however that will change at any time.
As a substitute, if you want to use Group Writeback (which is at the moment restricted to safety teams), you have to to make use of Cloud Sync.
Full Overview
Under a whole overview of all of the variations between the 2 instruments:
| Characteristic | Entra Join | Entra Cloud Sync |
|---|---|---|
| Structure | Full on-prem sync engine | Light-weight cloud agent |
| Configuration Administration | Native GUI on sync server | Totally cloud-based |
| Connect with a number of disconnected AD forests | ❌ | ✅ |
| A number of energetic brokers for prime availability | ❌ | ✅ |
| Help for system objects | ✅ | ❌ |
| Help for Move-Via Authentication | ✅ | ❌ |
| Filtering Choices | Area, OU, group, attribute | OU and group solely |
| Filter on objects’ attribute values | ✅ | ❌ |
| Attribute Transformation (Superior) | ✅ | ⚠️ Restricted (primary mappings) |
| Enable superior customization for attribute flows | ✅ | ❌ |
| Help for system writeback | ✅ | ❌ |
| Help for group writeback | ❌ | ✅ |
| Help for merging person attributes from a number of domains | ✅ | ❌ |
| Microsoft Entra Area Providers help | ✅ | ❌ |
| Limitless variety of objects per AD area | ✅ | ❌ |
| Giant teams with as much as 250,000 members | ✅ | ❌ |
Which Device Must you Use?
Choosing the proper device will be troublesome, however there are a couple of simple choice makers that you need to take into account when selecting between Entra Join and Cloud Sync.
You must select Entra Join when:
- You want hybrid be part of for Home windows 10/11 gadgets (Gadget Sync)
- Superior Authentication Necessities
Should you require Move-Via Authentication or federation with AD FS to maintain authentication on-premises, Entra Join is the one choice. Cloud Sync helps solely PHS. - Customized Attribute Mappings
- Giant environments
Select Cloud Sync when:
- You solely have to sync person identities and passwords
- Want group writeback
- Disconnected AD Forests
Usually the case with mergers or acquisitions. Cloud Sync’s means to sync from disconnected environments is a key benefit. - Excessive Availability Wants
- Cloud-First Methods
Gadget Sync is usually a breaking level to picking for Cloud Sync for organizations with area joined gadgets. Usually in a hybrid-environment, we wanted hybrid joined gadgets to permit customers to entry on-prem assets and nonetheless use single sign-on to Microsoft 365.
Today, we will accomplish the identical with Entra Joined Gadgets. We are able to use Intune for system administration and Kerberos Cloud Belief for safe entry to on-prem assets.
It should take some work emigrate from hybrid to Entra joined gadgets, but it surely’s approach ahead to a contemporary setup.
Wrapping Up
Selecting between Entra Join and Cloud Sync isn’t nearly what’s newer or simpler. It comes all the way down to your infrastructure, id technique, and hybrid necessities.
Should you want Hybrid Entra Joined Gadgets and should not able to migrate them, then Entra Join remains to be the go-to. However should you’re simplifying, scaling out, or going cloud-first, Cloud Sync is the best way to go.
Microsoft is clearly investing in Cloud Sync, and over time, it’s prone to turn out to be the default choice for many organizations.
When you have any questions, simply drop a remark beneath.
