Prerequisites for Microsoft Entra Connect

This article describes the prerequisites and the hardware requirements for Microsoft Entra Connect.

Before you install Microsoft Entra Connect

Before you install Microsoft Entra Connect, there are a few things that you need.

Microsoft Entra ID

  • You need a Microsoft Entra tenant. You get one with an Azure free trial. You can use one of the following portals to manage Microsoft Entra Connect:
  • Add and verify the domain you plan to use in Microsoft Entra ID. For example, if you plan to use contoso.com for your users, make sure this domain has been verified and you're not using only the contoso.onmicrosoft.com default domain.
  • A Microsoft Entra tenant allows, by default, 50,000 objects. When you verify your domain, the limit increases to 300,000 objects. If you need even more objects in Microsoft Entra ID, open a support case to have the limit increased even further. If you need more than 500,000 objects, you need a license, such as Microsoft 365, Microsoft Entra ID P1 or P2, or Enterprise Mobility + Security.

Prepare your on-premises data

On-premises Active Directory

  • The Active Directory schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema version and forest-level requirements are met. You might require a paid support program if you require support for domain controllers running Windows Server 2016 or older.
  • The domain controller used by Microsoft Entra ID must be writable. Using a read-only domain controller (RODC) isn't supported, and Microsoft Entra Connect doesn't follow any write redirects.
  • Using on-premises forests or domains by using "dotted" (name contains a period ".") NetBIOS names isn't supported.
  • We recommend that you enable the Active Directory recycle bin.

PowerShell execution policy

Microsoft Entra Connect runs signed PowerShell scripts as part of the installation. Ensure that the PowerShell execution policy will allow running of scripts.

The recommended execution policy during installation is "RemoteSigned".

For more information on setting the PowerShell execution policy, see Set-ExecutionPolicy.

Microsoft Entra Connect server

The Microsoft Entra Connect server contains critical identity data. It's important that administrative access to this server is properly secured. Follow the guidelines in Securing privileged access.

The Microsoft Entra Connect server must be treated as a Tier 0 component as documented in the Active Directory administrative tier model. We recommend hardening the Microsoft Entra Connect server as a Control Plane asset by following the guidance provided in Secure Privileged Access

To read more about securing your Active Directory environment, see Best practices for securing Active Directory.

Installation prerequisites

  • Microsoft Entra Connect must be installed on a domain-joined Windows Server 2016 or later. We recommend using domain-joined Windows Server 2022. You can deploy Microsoft Entra Connect on Windows Server 2016 but since Windows Server 2016 is in extended support, you may require a paid support program if you require support for this configuration.
  • The minimum .NET Framework version required is 4.6.2, and newer versions of .NET are also supported. .NET version 4.8 and greater offers the best accessibility compliance.
  • Microsoft Entra Connect can't be installed on Small Business Server or Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be using Windows Server standard or better.
  • The Microsoft Entra Connect server must have a full GUI installed. Installing Microsoft Entra Connect on Windows Server Core isn't supported.
  • The Microsoft Entra Connect server must not have PowerShell Transcription Group Policy enabled if you use the Microsoft Entra Connect wizard to manage Active Directory Federation Services (AD FS) configuration. You can enable PowerShell transcription if you use the Microsoft Entra Connect wizard to manage sync configuration.
  • Ensure that MSOnline PowerShell (MSOL) is not blocked at the tenant level.
  • If AD FS is being deployed:
  • It is not supported to break and analyze traffic between Microsoft Entra Connect and Microsoft Entra ID. Doing so may disrupt the service.
  • If your Hybrid Identity Administrators have MFA enabled, the URL https://secure.aadcdn.microsoftonline-p.com must be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it hasn't been added before. You can use Internet Explorer to add it to your trusted sites.
  • If you plan to use Microsoft Entra Connect Health for syncing, you need to use a global administrator account to install Microsoft Entra Connect Sync. If you use a hybrid administrator account, the agent will be installed but in a disabled state. For more information, see Microsoft Entra Connect Health agent installation.

Harden your Microsoft Entra Connect server

We recommend that you harden your Microsoft Entra Connect server to decrease the security attack surface for this critical component of your IT environment. Following these recommendations will help to mitigate some security risks to your organization.

  • We recommend hardening the Microsoft Entra Connect server as a Control Plane (formerly Tier 0) asset by following the guidance provided in Secure Privileged Access and Active Directory administrative tier model.
  • Restrict administrative access to the Microsoft Entra Connect server to only domain administrators or other tightly controlled security groups.
  • Create a dedicated account for all personnel with privileged access. Administrators shouldn't be browsing the web, checking their email, and doing day-to-day productivity tasks with highly privileged accounts.
  • Follow the guidance provided in Securing privileged access.
  • Deny use of NTLM authentication with the Microsoft Entra Connect server. Here are some ways to do this: Restricting NTLM on the Microsoft Entra Connect Server and Restricting NTLM on a domain
  • Ensure every machine has a unique local administrator password. For more information, see Local Administrator Password Solution (Windows LAPS) can configure unique random passwords on each workstation and server store them in Active Directory protected by an ACL. Only eligible authorized users can read or request the reset of these local administrator account passwords. Additional guidance for operating an environment with Windows LAPS and privileged access workstations (PAWs) can be found in Operational standards based on clean source principle.
  • Implement dedicated privileged access workstations for all personnel with privileged access to your organization's information systems.
  • Follow these additional guidelines to reduce the attack surface of your Active Directory environment.
  • Follow the Monitor changes to federation configuration to set up alerts to monitor changes to the trust established between your Idp and Microsoft Entra ID.
  • Enable Multifactor Authentication (MFA) for all users that have privileged access in Microsoft Entra ID or in AD. One security issue with using Microsoft Entra Connect is that if an attacker can get control over the Microsoft Entra Connect server they can manipulate users in Microsoft Entra ID. To prevent an attacker from using these capabilities to take over Microsoft Entra accounts, MFA offers protections so that even if an attacker manages to, such as reset a user's password using Microsoft Entra Connect they still can't bypass the second factor.
  • Disable Soft Matching on your tenant. Soft Matching is a great feature to help transferring source of authority for existing cloud managed objects to Microsoft Entra Connect, but it comes with certain security risks. If you don't require it, you should disable Soft Matching.
  • Disable Hard Match Takeover. Hard match takeover allows Microsoft Entra Connect to take control of a cloud managed object and changing the source of authority for the object to Active Directory. Once the source of authority of an object is taken over by Microsoft Entra Connect, changes made to the Active Directory object that is linked to the Microsoft Entra object will overwrite the original Microsoft Entra data - including the password hash, if Password Hash Sync is enabled. An attacker could use this capability to take over control of cloud managed objects. To mitigate this risk, disable hard match takeover.

SQL Server used by Microsoft Entra Connect

  • Microsoft Entra Connect requires a SQL Server database to store identity data. By default, a SQL Server 2019 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10-GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, point the installation wizard to a different installation of SQL Server. The type of SQL Server installation can impact the performance of Microsoft Entra Connect.
  • If you use a different installation of SQL Server, these requirements apply:
    • Microsoft Entra Connect support all mainstream supported SQL Server versions up to SQL Server 2022 running on Windows. Please refer to the SQL Server lifecycle article to verify the support status of your SQL Server version. SQL Server 2012 is no longer supported. Azure SQL Database isn't supported as a database. This includes both Azure SQL Database and Azure SQL Managed Instance.
    • You must use a case-insensitive SQL collation. These collations are identified with a _CI_ in their name. Using a case-sensitive collation identified by _CS_ in their name isn't supported.
    • You can have only one sync engine per SQL instance. Sharing a SQL instance with MIM Sync, DirSync, or Azure AD Sync isn't supported.
    • Maintain ODBC Driver for SQL Server version 17 and OLE DB Driver for SQL Server version 18 that are bundled with Microsoft Entra Connect. Upgrading ODBC/OLE DB drivers’s major or minor version aren't supported. Microsoft Entra Connect product group team will include new ODBC/OLE DB drivers as these become available and have a requirement to be updated.

Note

If you're installing SQL on the same server as Microsoft Entra Connect, we recommend to configure SQL to limit the maximum memory that it can use from the system. Follow SQL best practices for memory configuration.

Accounts

  • You must have a Microsoft Entra Global Administrator account or Hybrid Identity Administrator account for the Microsoft Entra tenant you want to integrate with. This account must be a school or organization account and can't be a Microsoft account.
  • If you use express settings or upgrade from DirSync, you must have an Enterprise Administrator account for your on-premises Active Directory.
  • If you use the custom settings installation path, you have more options. For more information, see Custom installation settings.

Connectivity

  • The Microsoft Entra Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both to your on-premises Active Directory and the Microsoft Entra endpoints.
  • Microsoft Entra Connect requires network connectivity to all configured domains
  • Microsoft Entra Connect requires network connectivity to the root domain of all configured forest
  • If you have firewalls on your intranet and you need to open ports between the Microsoft Entra Connect servers and your domain controllers, see Microsoft Entra Connect ports for more information.
  • If your proxy or firewall limit which URLs can be accessed, the URLs documented in Office 365 URLs and IP address ranges must be opened. Also see Safelist the Microsoft Entra admin center URLs on your firewall or proxy server.
  • Microsoft Entra Connect (version 1.1.614.0 and after) by default uses TLS 1.2 for encrypting communication between the sync engine and Microsoft Entra ID. If TLS 1.2 isn't available on the underlying operating system, Microsoft Entra Connect incrementally falls back to older protocols (TLS 1.1 and TLS 1.0). From Microsoft Entra Connect version 2.0 onwards. TLS 1.0 and 1.1 are no longer supported and installation will fail if TLS 1.2 isn't enabled.
  • Prior to version 1.1.614.0, Microsoft Entra Connect by default uses TLS 1.0 for encrypting communication between the sync engine and Microsoft Entra ID. To change to TLS 1.2, follow the steps in Enable TLS 1.2 for Microsoft Entra Connect.

Important

Version 2.3.20.0 is a security update. With this update, Microsoft Entra Connect requires TLS 1.2. Ensure that you have TLS 1.2 enabled before updating to this version.

All versions of Windows Server support TLS 1.2. If TLS 1.2 isn't enabled on your server you will need to enable this before you can deploy Microsoft Entra Connect V2.0.

For a PowerShell script to check whether TLS 1.2 is enabled, see PowerShell script to check TLS

For more information about TLS 1.2, see Microsoft Security Advisory 2960358. For more information on enabling TLS 1.2, see how to enable TLS 1.2

  • If you're using an outbound proxy for connecting to the internet, the following setting in the C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file must be added for the installation wizard and Microsoft Entra Connect Sync to be able to connect to the internet and Microsoft Entra ID. This text must be entered at the bottom of the file. In this code, <PROXYADDRESS> represents the actual proxy IP address or host name.

        <system.net>
            <defaultProxy>
                <proxy
                usesystemdefault="true"
                proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
                bypassonlocal="true"
                />
            </defaultProxy>
        </system.net>
    
  • If your proxy server requires authentication, the service account must be located in the domain. Use the customized settings installation path to specify a custom service account. You also need a different change to machine.config. With this change in machine.config, the installation wizard and sync engine respond to authentication requests from the proxy server. In all installation wizard pages, excluding the Configure page, the signed-in user's credentials are used. On the Configure page at the end of the installation wizard, the context is switched to the service account that you created. The machine.config section should look like this:

        <system.net>
            <defaultProxy enabled="true" useDefaultCredentials="true">
                <proxy
                usesystemdefault="true"
                proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
                bypassonlocal="true"
                />
            </defaultProxy>
        </system.net>
    
  • If the proxy configuration is being done in an existing setup, the Microsoft Entra ID Sync service needs to be restarted once for the Microsoft Entra Connect to read the proxy configuration and update the behavior.

  • When Microsoft Entra Connect sends a web request to Microsoft Entra ID as part of directory synchronization, Microsoft Entra ID can take up to 5 minutes to respond. It's common for proxy servers to have connection idle timeout configuration. Ensure the configuration is set to at least 6 minutes or more.

For more information, see MSDN about the default proxy element. For more information when you have problems with connectivity, see Troubleshoot connectivity problems.

Other

Optional: Use a test user account to verify synchronization.

Component prerequisites

PowerShell and .NET Framework

Microsoft Entra Connect depends on Microsoft PowerShell 5.0 and .NET Framework 4.5.1. You need this version or a later version installed on your server.

Enable TLS 1.2 for Microsoft Entra Connect

Important

Version 2.3.20.0 is a security update. With this update, Microsoft Entra Connect requires TLS 1.2. Ensure that you have TLS 1.2 enabled before updating to this version.

All versions of Windows Server support TLS 1.2. If TLS 1.2 isn't enabled on your server you will need to enable this before you can deploy Microsoft Entra Connect V2.0.

For a PowerShell script to check whether TLS 1.2 is enabled, see PowerShell script to check TLS

For more information about TLS 1.2, see Microsoft Security Advisory 2960358. For more information on enabling TLS 1.2, see how to enable TLS 1.2

Prior to version 1.1.614.0, Microsoft Entra Connect by default uses TLS 1.0 for encrypting the communication between the sync engine server and Microsoft Entra ID. You can configure .NET applications to use TLS 1.2 by default on the server. For more information about TLS 1.2, see Microsoft Security Advisory 2960358.

  1. Make sure you have the .NET 4.5.1 hotfix installed for your operating system. For more information, see Microsoft Security Advisory 2960358. You might have this hotfix or a later release installed on your server already.

  2. For all operating systems, set this registry key and restart the server.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    "SchUseStrongCrypto"=dword:00000001
    
  3. If you also want to enable TLS 1.2 between the sync engine server and a remote SQL Server, make sure you have the required versions installed for TLS 1.2 support for Microsoft SQL Server.

For more information, see how to enable TLS 1.2

DCOM prerequisites on the synchronization server

During the installation of the synchronization service, Microsoft Entra Connect checks for the presence of the following registry key:

  • HKEY_LOCAL_MACHINE: Software\Microsoft\Ole

Under this registry key, Microsoft Entra Connect will check to see if the following values are present and uncorrupted:

Prerequisites for federation installation and configuration

Windows Remote Management

When you use Microsoft Entra Connect to deploy AD FS or the Web Application Proxy (WAP), check these requirements:

  • If the target server is domain joined, ensure that Windows Remote Managed is enabled.
    • In an elevated PowerShell command window, use the command Enable-PSRemoting –force.
  • If the target server is a non-domain-joined WAP machine, there are a couple of additional requirements:
    • On the target machine (WAP machine):
      • Ensure the Windows Remote Management/WS-Management (WinRM) service is running via the Services snap-in.
      • In an elevated PowerShell command window, use the command Enable-PSRemoting –force.
    • On the machine on which the wizard is running (if the target machine is non-domain joined or is an untrusted domain):
      • In an elevated PowerShell command window, use the command Set-Item.WSMan:\localhost\Client\TrustedHosts –Value "<DMZServerFQDN>" -Force –Concatenate.
      • In the server manager:
        • Add a DMZ WAP host to a machine pool. In the server manager, select Manage > Add Servers, and then use the DNS tab.
        • On the Server Manager All Servers tab, right-click the WAP server, and select Manage As. Enter local (not domain) credentials for the WAP machine.
        • To validate remote PowerShell connectivity, on the Server Manager All Servers tab, right-click the WAP server and select Windows PowerShell. A remote PowerShell session should open to ensure remote PowerShell sessions can be established.

TLS/SSL certificate requirements

  • We recommend that you use the same TLS/SSL certificate across all nodes of your AD FS farm and all Web Application Proxy servers.
  • The certificate must be an X509 certificate.
  • You can use a self-signed certificate on federation servers in a test lab environment. For a production environment, we recommend that you obtain the certificate from a public certificate authority.
    • If you're using a certificate that isn't publicly trusted, ensure that the certificate installed on each Web Application Proxy server is trusted on both the local server and on all federation servers.
  • The identity of the certificate must match the federation service name (for example, sts.contoso.com).
    • The identity is either a subject alternative name (SAN) extension of type dNSName or, if there are no SAN entries, the subject name is specified as a common name.
    • Multiple SAN entries can be present in the certificate provided one of them matches the federation service name.
    • If you're planning to use Workplace Join, an additional SAN is required with the value enterpriseregistration. followed by the user principal name (UPN) suffix of your organization, for example, enterpriseregistration.contoso.com.
  • Certificates based on CryptoAPI next-generation (CNG) keys and key storage providers (KSPs) aren't supported. As a result, you must use a certificate based on a cryptographic service provider (CSP) and not a KSP.
  • Wild-card certificates are supported.

Name resolution for federation servers

  • Set up DNS records for the AD FS name (for example, sts.contoso.com) for both the intranet (your internal DNS server) and the extranet (public DNS through your domain registrar). For the intranet DNS record, ensure that you use A records and not CNAME records. Using A records is required for Windows authentication to work correctly from your domain-joined machine.
  • If you're deploying more than one AD FS server or Web Application Proxy server, ensure that you've configured your load balancer and that the DNS records for the AD FS name (for example, sts.contoso.com) point to the load balancer.
  • For Windows integrated authentication to work for browser applications using Internet Explorer in your intranet, ensure that the AD FS name (for example, sts.contoso.com) is added to the intranet zone in Internet Explorer. This requirement can be controlled via Group Policy and deployed to all your domain-joined computers.

Microsoft Entra Connect supporting components

Microsoft Entra Connect installs the following components on the server where Microsoft Entra Connect is installed. This list is for a basic Express installation. If you choose to use a different SQL Server on the Install synchronization services page, SQL Express LocalDB isn't installed locally.

  • Microsoft Entra Connect Health
  • Microsoft SQL Server 2022 Command Line Utilities
  • Microsoft SQL Server 2022 Express LocalDB
  • Microsoft SQL Server 2022 Native Client
  • Microsoft Visual C++ 14 Redistribution Package

Hardware requirements for Microsoft Entra Connect

The following table shows the minimum requirements for the Microsoft Entra Connect Sync computer.

Number of objects in Active Directory CPU Memory Hard drive size
Fewer than 10,000 1.6 GHz 6 GB 70 GB
10,000–50,000 1.6 GHz 6 GB 70 GB
50,000–100,000 1.6 GHz 16 GB 100 GB
For 100,000 or more objects, the full version of SQL Server is required. For performance reasons, installing locally is preferred. The following values are valid only for Microsoft Entra Connect installation. If SQL Server will be installed on the same server, further memory, drive, and CPU is required.
100,000–300,000 1.6 GHz 32 GB 300 GB
300,000–600,000 1.6 GHz 32 GB 450 GB
More than 600,000 1.6 GHz 32 GB 500 GB

The minimum requirements for computers running AD FS or Web Application Proxy servers are:

  • CPU: Dual core 1.6 GHz or higher
  • Memory: 2 GB or higher
  • Azure VM: A2 configuration or higher

Next steps

Learn more about Integrating your on-premises identities with Microsoft Entra ID.