Microsoft Entra Connect: Hybrid Identity for Small Businesses in Berlin
Many small businesses in Berlin operate in a hybrid environment: an on-premises Windows Server running Active Directory Domain Services alongside Microsoft 365 cloud services. Employee accounts were created in Active Directory first; their Windows login, file server access, and email all originate from on-prem AD. Moving fully to cloud-only identity is not always practical or desirable. Microsoft Entra Connect (formerly Azure AD Connect) is the synchronization engine that bridges on-premises Active Directory and Microsoft Entra ID, enabling a single identity to work seamlessly across both environments.
Without Entra Connect, your on-premises Active Directory and Entra ID are completely separate identity stores. Users have separate cloud accounts for Microsoft 365 that have no relationship to their domain accounts. Password changes in one store don’t propagate to the other. Group membership managed in AD isn’t reflected in Entra ID. Entra Connect eliminates this fragmentation by continuously synchronizing users, groups, and password hashes between the two directories.
What Entra Connect Synchronizes
Entra Connect synchronizes a configurable set of objects and attributes from on-premises AD to Entra ID:
- Users: All or filtered users from on-prem AD are synchronized as cloud user objects in Entra ID. The on-prem account is the authoritative source — changes made in AD (name changes, department updates, account disables) sync to Entra ID within 30 minutes by default.
- Groups: Security groups and distribution groups sync to Entra ID, enabling group-based access policies in cloud services to be managed in on-prem AD tooling.
- Password hashes (PHS): With Password Hash Synchronization enabled, hashed representations of user passwords are synchronized to Entra ID, allowing cloud authentication without contacting on-premises infrastructure for every login.
- Devices: When configured, hybrid-joined device objects are synchronized to Entra ID, enabling conditional access policies that target domain-joined devices.
Authentication Methods
Password Hash Synchronization (PHS) — Recommended
PHS is the simplest and most resilient authentication method. A hash of the user’s password hash (not the password itself) is synchronized to Entra ID. When a user authenticates to a cloud service, Entra ID validates the credential locally without contacting on-premises infrastructure. Authentication succeeds even if the on-premises environment is offline, VPN is unavailable, or the on-premises servers are under maintenance.
PHS enables Entra ID Protection’s leaked credential detection — Microsoft continuously compares synchronized password hashes against credential dumps from breached sites. If a user’s password appears in a breach database, their Entra ID risk level is elevated and Conditional Access can enforce remediation. This detection is only possible with PHS — it does not work with PTA or ADFS.
For most Berlin SMBs, PHS is the correct choice. The concern that synchronizing password hashes to the cloud is a security risk is addressed by the technical implementation: what is synchronized is a salted hash of an NTLM hash — not recoverable to plaintext, not usable for pass-the-hash attacks against on-premises services, and stored encrypted in Entra ID.
Pass-Through Authentication (PTA)
With PTA, password validation occurs on-premises in real time. When a user authenticates to a cloud service, the authentication request is forwarded to lightweight PTA agents running on on-premises servers, which validate the password against Active Directory and return the result. No password hashes are synchronized to the cloud.
The operational trade-off: authentication requires on-premises infrastructure to be available. If your on-premises servers are down or unreachable, cloud authentication fails. PTA is appropriate when organizational policy prohibits any form of password material in the cloud, but this policy should be weighed against the availability and operational overhead implications.
Active Directory Federation Services (ADFS)
ADFS is a claims-based authentication infrastructure that issues SAML/WS-Federation tokens for cloud services. It was the original enterprise SSO solution and is still used in large environments with complex claims transformation requirements or legacy applications that require SAML federation. For small businesses, ADFS is operationally expensive: it requires dedicated server infrastructure (minimum two ADFS servers and two WAP servers for HA), certificate management, and continuous maintenance. Microsoft’s guidance since 2020 has been to migrate away from ADFS to PHS or PTA for new deployments.
Entra Connect vs Entra Cloud Sync
Microsoft offers two synchronization agents: the original Entra Connect (a full application installed on a Windows Server) and the newer Entra Cloud Sync (a lightweight agent with cloud-managed configuration). The choice depends on your environment:
- Use Entra Connect if you have multiple on-premises AD forests, require Exchange hybrid writeback, need device synchronization for hybrid join, or have complex sync rule customizations.
- Use Entra Cloud Sync if you have a single AD forest, want minimal on-prem footprint, and do not require Exchange hybrid or complex writeback scenarios. Cloud Sync is Microsoft’s strategic direction and is recommended for new deployments that meet its feature scope.
For Berlin businesses already running Entra Connect in production, migration to Cloud Sync is possible but not urgent. For new hybrid identity deployments, evaluate Cloud Sync first.
Installation Prerequisites
Entra Connect installs on a dedicated Windows Server (not a domain controller). Requirements:
- OS: Windows Server 2016, 2019, or 2022. Windows Server 2012 R2 reached end of support in October 2023.
- Hardware: For environments under 10,000 objects: 4 GB RAM, 70 GB disk. For 10,000–100,000 objects: 8 GB RAM minimum.
- SQL: Entra Connect installs LocalDB (SQL Server Express) for small environments. For over 100,000 objects, a full SQL Server instance is required.
- Network: Outbound HTTPS to *.msappproxy.net, *.servicebus.windows.net, login.microsoftonline.com. No inbound firewall rules required — Entra Connect initiates outbound connections only.
- Accounts: An Enterprise Admin account in on-premises AD (for initial setup), an Entra ID Global Administrator account (for initial setup), and a dedicated service account for ongoing synchronization (created automatically during setup).
Deployment Steps
The Express Settings installation path handles the vast majority of SMB deployments. Download the Entra Connect installer from the Microsoft Download Center and run it on the dedicated server:
- Express Settings (recommended for single-forest, single-domain environments with PHS): accepts all defaults, configures PHS automatically, and begins initial synchronization immediately after completing the wizard.
- Custom Settings: Required for PTA, multiple forests, filtered sync (syncing only specific OUs or groups), attribute filtering, or Exchange hybrid writeback.
The initial synchronization duration depends on object count. For 1,000 users and groups, expect 10–30 minutes. For 50,000 objects, expect several hours. After initial sync, delta synchronization runs every 30 minutes by default, processing only changes since the last cycle.
Monitoring with Entra Connect Health
Entra Connect Health is a cloud-based monitoring service that tracks synchronization status, latency, and errors. It requires an Entra ID P1 license per monitored user and installs as an agent alongside Entra Connect. The Health dashboard in the Entra admin center shows:
- Last successful sync timestamp and duration
- Sync errors (objects that failed to sync due to attribute conflicts or policy violations)
- Password hash synchronization lag
- Agent health status and version
- Alert history with email notifications for sync failures
For production environments, Entra Connect Health alerts are the operational signal for synchronization problems. A sync error that goes unnoticed results in new users not appearing in cloud services, password changes not propagating, and disabled accounts remaining active in Entra ID. Configure alert emails to the IT administrator responsible for identity operations.
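As an added example (not code from the article or from Microsoft), the following PowerShell runs on the Entra Connect server itself and checks the local conditions behind the alerts listed above: scheduler state, staging mode, the 30-minute interval, PHS enablement, and the most recent run that finished with errors. The 90-minute overdue threshold is an assumption, and the property names read from the run-history cmdlet are assumed per the ADSync module.

```powershell
# Added example, not part of the article: local Entra Connect health check using the
# ADSync module that ships with Entra Connect. Complements, does not replace, Connect Health.
Import-Module ADSync

function Test-EntraConnectHealth {
    param([int]$MaxOverdueMinutes = 90)   # assumption: three missed 30-minute cycles is an alert
    $findings = [System.Collections.Generic.List[string]]::new()
    $s = Get-ADSyncScheduler

    if (-not $s.SyncCycleEnabled) { $findings.Add('Scheduler: sync cycle is disabled') }
    if ($s.SchedulerSuspended)    { $findings.Add('Scheduler: suspended') }
    if ($s.StagingModeEnabled)    { $findings.Add('Server is in staging mode: nothing is exported to Entra ID') }
    if ($s.CurrentlyEffectiveSyncCycleInterval -gt [TimeSpan]::FromMinutes(30)) {
        $findings.Add("Sync interval is $($s.CurrentlyEffectiveSyncCycleInterval), longer than the 30-minute default")
    }
    # A next-start time well in the past with no cycle running means the scheduler is stuck
    $overdue = (Get-Date).ToUniversalTime() - $s.NextSyncCycleStartTimeInUTC
    if (-not $s.SyncCycleInProgress -and $overdue.TotalMinutes -gt $MaxOverdueMinutes) {
        $findings.Add("Next sync cycle was due $([int]$overdue.TotalMinutes) minutes ago")
    }

    # PHS must be enabled on every AD connector, otherwise password changes stop propagating
    foreach ($c in (Get-ADSyncConnector | Where-Object ConnectorTypeName -eq 'AD')) {
        $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $c.Name
        if (-not $phs.Enabled) { $findings.Add("PHS is disabled on connector '$($c.Name)'") }
    }

    # Surface the latest run that completed with errors. Export/sync errors do not fail the
    # cycle, so without alerting they are easy to miss (assumed property names: see lead-in).
    $bad = Get-ADSyncRunProfileResult -NumberRequested 20 |
           Where-Object { $_.IsRunComplete -and $_.Result -ne 'success' } |
           Sort-Object EndDate -Descending | Select-Object -First 1
    if ($bad) { $findings.Add("Run $($bad.RunNumber) ended '$($bad.Result)' at $($bad.EndDate)") }

    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

$result = Test-EntraConnectHealth
if (-not $result.Healthy) {
    # Replace with your alerting channel (mail, ticket, SIEM); here the findings are only printed
    $result.Findings | ForEach-Object { Write-Warning $_ }
}
$result
```

Schedule it as a task running as a local administrator on the Entra Connect server; a non-zero finding count is the condition to alert on.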
Common Sync Errors and Resolutions
The most frequent synchronization issues in SMB environments:
- Duplicate attributes (AttributeValueMustBeUnique): Two on-premises users share the same UPN or proxy address. Resolve by correcting the duplicate attribute in Active Directory before re-running sync.
- Invalid UPN suffix: Users with UPN suffixes not registered as verified domains in Entra ID. Add the domain as a custom domain in Entra ID or change the UPN suffix on affected accounts to a verified domain.
- Object size limit: Objects with an unusually large number of attributes (rare). Reduce attribute count on the affected object.
- Soft-match conflicts: A cloud-only account already exists with the same UPN as a user being synced. Resolve using the Entra Connect soft-match or hard-match process to merge the accounts.
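The first two errors in the list above can be found in on-premises AD before they ever reach the sync engine. The following PowerShell is an added example (not from the article) that reports duplicate UPNs, duplicate proxy addresses, and UPN suffixes that are not verified in Entra ID; the verified-domain list is a placeholder you replace with your tenant's domains.

```powershell
# Added example, not part of the article: pre-sync data-quality check against on-prem AD
# for duplicate UPN/proxyAddress values and unverified UPN suffixes.
Import-Module ActiveDirectory

# Assumption: domains verified in Entra ID. With Microsoft Graph PowerShell connected,
# (Get-MgDomain | Where-Object IsVerified).Id returns the real list. Placeholder values below.
$VerifiedDomains = @('example.de', 'example.com')

function Find-SyncBlockers {
    param(
        [string[]]$VerifiedDomains,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                        -Properties userPrincipalName, proxyAddresses

    # 1. Duplicate UPNs (AttributeValueMustBeUnique on userPrincipalName)
    $users | Where-Object UserPrincipalName | Group-Object UserPrincipalName |
        Where-Object Count -gt 1 | ForEach-Object {
            [pscustomobject]@{ Issue = 'DuplicateUPN'; Value = $_.Name
                               Objects = ($_.Group.SamAccountName -join ', ') }
        }

    # 2. Duplicate proxy addresses. Entries look like "SMTP:alias@domain"; the prefix is
    #    dropped and the address lower-cased because the uniqueness check is case-insensitive.
    $users | ForEach-Object {
        $sam = $_.SamAccountName
        foreach ($pa in $_.proxyAddresses) {
            [pscustomobject]@{ Sam = $sam; Address = ($pa -replace '^[^:]+:', '').ToLowerInvariant() }
        }
    } | Group-Object Address | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Issue = 'DuplicateProxyAddress'; Value = $_.Name
                           Objects = ($_.Group.Sam -join ', ') }
    }

    # 3. UPN suffix not verified in Entra ID (typically a .local domain or a typo)
    $users | Where-Object UserPrincipalName | ForEach-Object {
        $suffix = ($_.UserPrincipalName -split '@')[-1]
        if ($VerifiedDomains -notcontains $suffix) {
            [pscustomobject]@{ Issue = 'UnverifiedUPNSuffix'; Value = $suffix; Objects = $_.SamAccountName }
        }
    }
}

Find-SyncBlockers -VerifiedDomains $VerifiedDomains | Format-Table -AutoSize
```

Microsoft's IdFix tool performs a broader version of this check; this script is useful as a recurring report after go-live, when new accounts are created by staff who are unaware of the sync constraints.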
Hybrid Identity for Berlin SMBs: When It Makes Sense
Entra Connect is not the right answer for every Berlin small business. For businesses starting fresh with cloud-only infrastructure — no on-premises file servers, no Windows Server domain — a cloud-only Entra ID identity model is simpler, more resilient, and lower maintenance. Entra Connect adds operational complexity that is only justified when on-premises infrastructure genuinely requires it.
The valid reasons to run Entra Connect in an SMB environment: existing Active Directory that cannot be decommissioned in the near term (file shares, legacy applications, printers), hybrid-joined device requirements for Group Policy alongside Intune, or Exchange Server hybrid configuration for a phased migration to Exchange Online. For businesses with a clear path to cloud-only over 12–24 months, the operational investment in Entra Connect may not be worth it — plan for cloud-native identity from the start and migrate directly.
For Berlin businesses that are genuinely hybrid and will remain so, Entra Connect with Password Hash Synchronization is a proven, reliable foundation. The key operational discipline: keep the Entra Connect server patched and the agent updated (Microsoft releases updates regularly, some security-critical), monitor sync health alerts actively, and document the synchronization scope and configuration so that the next IT administrator can understand what is in place.
Related Articles
- Conditional Access: Entra Connect-synced hybrid identities are subject to all Conditional Access policies — apply MFA, device compliance, and sign-in risk requirements to on-premises AD accounts that authenticate to cloud services through Entra ID
- Microsoft Entra ID Governance: Extend identity governance to hybrid-synced users — access reviews and entitlement management apply to cloud representations of on-premises AD accounts, enabling consistent governance across hybrid identity estates
- Microsoft Defender for Endpoint: Entra Connect enables hybrid device join, which allows on-premises domain-joined machines to enrol in MDE and comply with Intune compliance policies alongside cloud-native device management
- Microsoft Entra External Identities: Hybrid-synchronized users from Entra Connect can serve as sponsors and access reviewers for B2B guest accounts — ensuring on-premises workforce members participate in external collaboration governance
- Microsoft Purview Audit: Entra Connect synchronization events are captured in the Unified Audit Log — track directory sync operations, attribute changes, and hybrid identity configuration modifications alongside user and admin activity
