Edit

Share via

Tutorial: Integrate a single forest with a single Microsoft Entra tenant

  • Article
  • 04/09/2025

This tutorial walks you through creating a hybrid identity environment using Microsoft Entra Cloud Sync.

Diagram that shows the Microsoft Entra Cloud Sync flow.

You can use the environment you create in this tutorial for testing or for getting more familiar with cloud sync.

Prerequisites

In the Microsoft Entra admin center

  • Microsoft recommends that organizations have two cloud-only emergency access accounts permanently assigned the Global Administrator role. These accounts are highly privileged and aren't assigned to specific individuals. The accounts are limited to emergency or "break glass" scenarios where normal accounts can't be used or all other administrators are accidentally locked out. These accounts should be created following the emergency access account recommendations.
  • Add one or more custom domain names to your Microsoft Entra tenant. Your users can sign in with one of these domain names.

In your on-premises environment

  1. Identify a domain-joined host server running Windows Server 2016 or greater with minimum of 4-GB RAM and .NET 4.7.1+ runtime

  2. If there's a firewall between your servers and Microsoft Entra ID, configure the following items:

    • Ensure that agents can make outbound requests to Microsoft Entra ID over the following ports:

      Port number How it's used
      80 Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate
      443 Handles all outbound communication with the service
      8080 (optional) Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the portal.

      If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.

    • If your firewall or proxy allows you to specify safe suffixes, then add connections to *.msappproxy.net and *.servicebus.windows.net. If not, allow access to the Azure datacenter IP ranges, which are updated weekly.

    • Your agents need access to login.windows.net and login.microsoftonline.com for initial registration. Open your firewall for those URLs as well.

    • For certificate validation, unblock the following URLs: mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80, and www.microsoft.com:80. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.

Install the Microsoft Entra provisioning agent

If you're using the Basic AD and Azure environment tutorial, it would be DC1. To install the agent, follow these steps:

  1. In the Azure portal, select Microsoft Entra ID.

  2. On the left pane, select Microsoft Entra Connect, and then select Cloud Sync.

    Screenshot that shows the Get started screen.

  3. On the left pane, select Agents.

  4. Select Download on-premises agent, and then select Accept terms & download.

    Screenshot that shows downloading the agent.

  5. After you download the Microsoft Entra Connect Provisioning Agent Package, run the AADConnectProvisioningAgentSetup.exe installation file from your downloads folder.

    Note

    When you perform an installation for the US Government Cloud, use AADConnectProvisioningAgentSetup.exe ENVIRONMENTNAME=AzureUSGovernment. For more information, see Install an agent in the US Government Cloud.

  6. On the screen that opens, select the I agree to the license terms and conditions checkbox, and then select Install.

    Screenshot that shows the Microsoft Entra Provisioning Agent Package screen.

  7. After the installation finishes, the configuration wizard opens. Select Next to start the configuration.

    Screenshot that shows the welcome screen.

  8. On the Select Extension screen, select HR-driven provisioning (Workday and SuccessFactors) / Azure AD Connect Cloud Sync, and then select Next.

    Screenshot that shows the Select Extension screen.

    Note

    If you install the provisioning agent for use with Microsoft Entra on-premises application provisioning, select On-premises application provisioning (Microsoft Entra ID to application).

  9. Sign in with an account with at least the Hybrid Identity administrator role. If you have Internet Explorer enhanced security enabled, it blocks the sign-in. If so, close the installation, disable Internet Explorer enhanced security, and restart the Microsoft Entra Connect Provisioning Agent Package installation.

    Screenshot that shows the Connect Microsoft Entra ID screen.

  10. On the Configure Service Account screen, select a group Managed Service Account (gMSA). This account is used to run the agent service. If a managed service account is already configured in your domain by another agent and you're installing a second agent, select Create gMSA. The system detects the existing account and adds the required permissions for the new agent to use the gMSA account. When you're prompted, choose one of two options:

    • Create gMSA: Let the agent create the provAgentgMSA$ managed service account for you. The group managed service account (for example, CONTOSO\provAgentgMSA$) is created in the same Active Directory domain where the host server joined. To use this option, enter the Active Directory domain administrator credentials (recommended).
    • Use custom gMSA: Provide the name of the managed service account that you manually created for this task.

  11. To continue, select Next.

    Screenshot that shows the Configure Service Account screen.

  12. On the Connect Active Directory screen, if your domain name appears under Configured domains, skip to the next step. Otherwise, enter your Active Directory domain name, and select Add directory.

  13. Sign in with your Active Directory domain administrator account. The domain administrator account shouldn't have an expired password. If the password is expired or changes during the agent installation, reconfigure the agent with the new credentials. This operation adds your on-premises directory. Select OK, and then select Next to continue.

    Screenshot that shows how to enter the domain admin credentials.

  14. The following screenshot shows an example of the domain configured for contoso.com. Select Next to continue.

    Screenshot that shows the Connect Active Directory screen.

  15. On the Configuration complete screen, select Confirm. This operation registers and restarts the agent.

  16. After the operation finishes, you see a notification that your agent configuration was successfully verified. Select Exit.

    Screenshot that shows the finish screen.

  17. If you still get the initial screen, select Close.

Verify agent installation

Agent verification occurs in the Azure portal and on the local server that runs the agent.

Verify the agent in the Azure portal

To verify that Microsoft Entra ID registers the agent, follow these steps:

  1. Sign in to the Azure portal.

  2. Select Microsoft Entra ID.

  3. Select Microsoft Entra Connect, and then select Cloud Sync.

    Screenshot that shows the Get started screen.

  4. On the Cloud Sync page, you see the agents that you installed. Verify that the agent appears and that the status is healthy.

Verify the agent on the local server

To verify that the agent is running, follow these steps:

  1. Sign in to the server with an administrator account.

  2. Go to Services. You can also use Start/Run/Services.msc to get to it.

  3. Under Services, make sure that Microsoft Entra Connect Agent Updater and Microsoft Entra Connect Provisioning Agent are present and that the status is Running.

    Screenshot that shows the Windows services.

Verify the provisioning agent version

To verify the version of the agent that's running, follow these steps:

  1. Go to C:\Program Files\Microsoft Azure AD Connect Provisioning Agent.
  2. Right-click AADConnectProvisioningAgent.exe and select Properties.
  3. Select the Details tab. The version number appears next to the product version.

Configure Microsoft Entra Cloud Sync

Use the following steps to configure and start the provisioning:

  1. Sign in to the Microsoft Entra admin center as at least a hybrid identity administrator.

  2. Browse to Identity > Hybrid management > Microsoft Entra Connect > Cloud Sync.

    Screenshot that shows the Microsoft Entra Connect Cloud Sync home page.

  1. Select New Configuration
  2. On the configuration screen, enter a Notification email, move the selector to Enable and select Save.
  3. The configuration status should now be Healthy.

For more information on configuring Microsoft Entra Cloud Sync, see Provision Active Directory to Microsoft Entra ID.

Verify users are created and synchronization is occurring

You'll now verify that the users that you had in your on-premises directory that are in scope of synchronization have been synchronized and now exist in your Microsoft Entra tenant. The sync operation may take a few hours to complete. To verify users are synchronized, follow these steps:

  1. Sign in to the Microsoft Entra admin center as at least a Hybrid Identity Administrator.
  2. Browse to Identity > Users.
  3. Verify that you see the new users in our tenant

Test signing in with one of your users

  1. Browse to https://myapps.microsoft.com

  2. Sign in with a user account that was created in your tenant. You'll need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.

Screenshot that shows the my apps portal with a signed in users.

You've now successfully configured a hybrid identity environment using Microsoft Entra Cloud Sync.

Next steps

Additional resources

Events

JDConf 2025

Apr 9, 3 PM - Apr 10, 12 PM

Code the Future with AI and connect with Java peers and experts at JDConf 2025.

Register Now