DanWheeler
Oct 15, 2024
Solved

Entra Cloud Sync - Will Creating a New Configuration Sync Immediately With Defaults

Setting up a new Entra Cloud sync agent for a customer who already has an established on-prem AD and Azure AD with a mess of non-synced accounts and passwords between them.


So I need to do a slow roll on this thing and filter syncing by OUs in AD.

 

I know I have to create a new configuration in the Azure portal but what are the risks of the default config kicking in and doing a sync of all my users before I have a chance to filter it down to just the OUs I want to sync?

 

Should I disable the on-prem agent before creating a config in the cloud? That "Create" button is giving me anxiety 😐

 

Thanks,

Dan

2 Replies

  • LainRobertson

    DanWheeler 

     

    Hi, Dan.

     

    Assuming they're already using Entra Cloud Sync, then adding a new configuration is no different to adding the first configuration, consisting of five steps (documentation below) where the fifth and final is enabling that particular configuration.

     

    So long as you don't enable the new configuration, it will not automatically synchronise anything to Azure AD.

     

    For Step 1 (add scoping filters) from the documentation, you'd likely want to set the scope for the new configuration to be mutually exclusive with the existing configuration (which per your description seems to be a subset of the Active Directory environment).

     

    After iterating through and finalising step 2, you'd then look to migrate the scope over from the existing configuration to the new configuration (i.e. incrementally de-scope the original configuration while growing the new), though in doing so, be aware of the limits on the size of the configuration (also linked below). Once the new configuration has fully superseded the original, you can remove the original.

     

    Step 3 (test) Test will allow you to perform ad hoc testing against groups (what you'd generally work with) or even individual objects (for extremely targeted scenarios).

     

    Some side notes for the casual reader:

    • All configurations are seen by the existing agents meaning it's not necessary to install new agents;
    • Agents cannot be aligned to a subset of the configurations (this is not to be confused with scoping concepts such as multiple forests synchronising to a single tenant).

    Documentation

     

    Cheers,

    Lain

    • DanWheeler
      Thank you. Yes, as you mentioned, it did not actually enable the sync config until after I had reviewed and explicitly set it to enabled. Until then, it was in a review and disabled state.
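
A planning check for the mutually exclusive scoping suggested in the answer above, as an added example that is not part of the original thread and calls no Entra or Graph API: it takes the OU distinguished names intended for each configuration's scoping filter and reports pairs that are identical or nested. The OU names and the `corp.example.com` domain are constructed sample values.

```python
import re

def parse_dn(dn):
    """Split a distinguished name into normalised components, leaf first."""
    rdns = []
    # Split on commas that are not escaped with a backslash.
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not a valid DN component: {part!r} in {dn!r}")
        # Compare case-insensitively, as AD does for DNs.
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)

def contains(parent, child):
    """True when child is the same container as parent or sits beneath it."""
    return len(child) >= len(parent) and child[-len(parent):] == parent

def find_overlaps(existing_scope, new_scope):
    """Return (existing_ou, new_ou, reason) for each pair that is not mutually exclusive."""
    overlaps = []
    for old in existing_scope:
        for new in new_scope:
            o, n = parse_dn(old), parse_dn(new)
            if o == n:
                overlaps.append((old, new, "same OU in both configurations"))
            elif contains(o, n):
                overlaps.append((old, new, "new OU is nested under an existing-scope OU"))
            elif contains(n, o):
                overlaps.append((old, new, "existing-scope OU is nested under a new OU"))
    return overlaps

# Constructed sample scopes (hypothetical OUs, not taken from the thread).
EXISTING_SCOPE = ["OU=Sales,OU=Staff,DC=corp,DC=example,DC=com"]
NEW_SCOPE = [
    "OU=Pilot,OU=IT,DC=corp,DC=example,DC=com",
    "ou=staff,dc=corp,dc=example,dc=com",
    "OU=EMEA, OU=Sales, OU=Staff, DC=corp, DC=example, DC=com",
]

if __name__ == "__main__":
    for old, new, reason in find_overlaps(EXISTING_SCOPE, NEW_SCOPE):
        print(f"OVERLAP: {reason}\n  existing: {old}\n  new:      {new}")
```

Run it against the planned OU lists before enabling the new configuration, and again each time scope is moved from the original configuration to the new one.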
