# Entra Connect (AD sync)
## Overview

Entra Connect Sync synchronizes selected identities from Active Directory (`core.lef`) to Microsoft Entra ID. This enables Microsoft 365 sign-in and supports SSO/MFA patterns for internal systems.
## Operational notes

### Scope and filters

- Source of truth: AD (`core.lef`)
- Target: Microsoft Entra ID
- Sync mode: selected OUs only
- OU scope: `UsersOU`
- Group filter: only members of `EntraSyncUsers` are synced

Both filters apply: a user outside `UsersOU` is not synced even if it is a member of `EntraSyncUsers`, and a user inside `UsersOU` is not synced until it is added to the group.
### UPN suffixes (sign-in domains)

Microsoft 365 sign-ins require the user’s UPN suffix to match a domain verified in the Entra ID tenant. A user synced with an unverified suffix (for example `user@core.lef`) still gets a cloud object, but Entra ID rewrites its UPN to the tenant’s default `*.onmicrosoft.com` domain, so signing in with the on-premises UPN fails.

| UPN suffix | Status |
|---|---|
| `core.lef` | Not verified |
| `lef.tec.br` | Verified |
| `lef.digital` | Verified |
### Enabled features (high level)

- Password Hash Sync (password hashes replicate on their own schedule, roughly every two minutes, independent of the 30-minute sync cycle)
- No writeback features enabled (unless required by a specific project)
## Operational tasks

Run a delta sync:

```powershell
Start-ADSyncSyncCycle -PolicyType Delta
```

Add a user to sync:

- Add the user to the `EntraSyncUsers` group.
- Ensure the user’s UPN suffix uses a verified domain (`lef.tec.br` or `lef.digital`).
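The two steps above plus the delta sync, combined into one added PowerShell example (this is not code from the original page). It assumes it runs on `dc.core.lef` with the ActiveDirectory and ADSync modules installed, that `UsersOU` has the distinguished name `OU=UsersOU,DC=core,DC=lef`, and the function name `Add-EntraSyncUser`; the DN and the name are assumptions. It checks the OU filter first, fixes an unverified UPN suffix before the object is exported, adds the group membership, and only then starts a delta cycle.

```powershell
# Added example, not part of the original page. Assumptions: runs on dc.core.lef
# where the ActiveDirectory and ADSync modules are installed; the scoped OU
# "UsersOU" has the DN below (assumed); Add-EntraSyncUser is a name chosen here.
Import-Module ActiveDirectory
Import-Module ADSync

$SyncGroup       = 'EntraSyncUsers'
$ScopedOU        = 'OU=UsersOU,DC=core,DC=lef'      # assumed DN of the scoped OU
$VerifiedDomains = @('lef.tec.br', 'lef.digital')   # verified suffixes from the table above

function Add-EntraSyncUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [ValidateSet('lef.tec.br', 'lef.digital')] [string] $UpnSuffix = 'lef.tec.br'
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName

    # Group membership alone is not enough: the OU filter drops objects outside UsersOU.
    if ($user.DistinguishedName -notlike "*,$ScopedOU") {
        throw "$SamAccountName is not under $ScopedOU; the OU filter would drop it even as a member of $SyncGroup."
    }

    # Fix the UPN before the first export. An unverified suffix such as core.lef
    # makes Entra ID assign the tenant's *.onmicrosoft.com domain instead.
    $prefix = if ($user.UserPrincipalName) { ($user.UserPrincipalName -split '@', 2)[0] } else { $user.SamAccountName }
    $suffix = if ($user.UserPrincipalName) { ($user.UserPrincipalName -split '@', 2)[1] } else { '' }
    if ($suffix -notin $VerifiedDomains) {
        $newUpn = "$prefix@$UpnSuffix"
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Set UPN to $newUpn")) {
            Set-ADUser -Identity $user -UserPrincipalName $newUpn
        }
    }

    # Group filter: add the user to EntraSyncUsers if not already a (nested) member.
    $members = (Get-ADGroupMember -Identity $SyncGroup -Recursive).SamAccountName
    if ($members -notcontains $user.SamAccountName) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Add to $SyncGroup")) {
            Add-ADGroupMember -Identity $SyncGroup -Members $user
        }
    }

    # Start-ADSyncSyncCycle fails if a cycle is already running; in that case the
    # next scheduled delta picks the change up anyway.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already in progress; not starting another one.'
    }
    elseif ($PSCmdlet.ShouldProcess('Entra Connect Sync', 'Start delta sync')) {
        Start-ADSyncSyncCycle -PolicyType Delta
    }
}

# Preview with -WhatIf first, then apply:
# Add-EntraSyncUser -SamAccountName jdoe -UpnSuffix lef.tec.br -WhatIf
# Add-EntraSyncUser -SamAccountName jdoe -UpnSuffix lef.tec.br
```

The UPN is changed before the group membership so that the object's first export already carries a verified suffix; changing it afterwards works too, but the user would briefly exist in the cloud under the `*.onmicrosoft.com` fallback.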
## Troubleshooting

| Symptom | Check |
|---|---|
| User isn’t syncing | Is the user a member of `EntraSyncUsers`? Is the user under the scoped OU (`UsersOU`)? Both filters must pass. |
| Cloud login fails | The UPN suffix is not verified (`core.lef`) or does not match the expected domain; Entra ID rewrites an unverified UPN to the tenant’s `*.onmicrosoft.com` domain. |
| Password mismatch | Wait a few minutes: password hashes replicate on their own two-minute schedule, separate from the sync cycle. If the mismatch persists, run a delta sync. |
| SSO not working | Device may not be hybrid-joined; validate the device’s join state on the client and then the sign-in flow. |
| Need to pause sync | Put the server in staging mode via the Entra Connect wizard. Staging mode keeps importing and synchronizing but stops all exports to Entra ID, so the server stays current and can be switched back without a full resync. |
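The checks in the table above, as one read-only PowerShell function added here (not code from the original page). It assumes the ActiveDirectory and ADSync modules on `dc.core.lef`, the same assumed DN `OU=UsersOU,DC=core,DC=lef` for `UsersOU`, and the function name `Test-EntraSyncUser`. It goes beyond the table in one respect: it also reads the scheduler state, which explains a "password mismatch" or "user isn't syncing" when the server is paused or in staging mode.

```powershell
# Added example, not part of the original page: runs the troubleshooting checks
# for one user and returns the findings. Assumptions: ActiveDirectory and ADSync
# modules on dc.core.lef; the UsersOU DN below is assumed; the function name
# Test-EntraSyncUser is chosen here.
Import-Module ActiveDirectory
Import-Module ADSync

function Test-EntraSyncUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $syncGroup       = 'EntraSyncUsers'
    $scopedOU        = 'OU=UsersOU,DC=core,DC=lef'     # assumed DN of UsersOU
    $verifiedDomains = @('lef.tec.br', 'lef.digital')
    $findings        = [System.Collections.Generic.List[string]]::new()

    $user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName

    # "User isn't syncing": both the group filter and the OU filter must pass.
    $members = (Get-ADGroupMember -Identity $syncGroup -Recursive).SamAccountName
    if ($members -notcontains $user.SamAccountName) {
        $findings.Add("not a member of $syncGroup (group filter drops the object)")
    }
    if ($user.DistinguishedName -notlike "*,$scopedOU") {
        $findings.Add("object is outside $scopedOU (OU filter drops it)")
    }

    # "Cloud login fails": the UPN suffix must be a verified domain, otherwise
    # Entra ID rewrites the UPN to the tenant's *.onmicrosoft.com domain.
    $suffix = if ($user.UserPrincipalName) { ($user.UserPrincipalName -split '@', 2)[1] } else { '' }
    if ($suffix -notin $verifiedDomains) {
        $findings.Add("UPN suffix '$suffix' is not verified; expected one of: $($verifiedDomains -join ', ')")
    }

    # "Password mismatch" and "Need to pause sync": scheduler state explains why a
    # change has not reached the cloud. Staging mode imports and syncs but never exports.
    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) {
        $findings.Add('scheduler is disabled; resume with: Set-ADSyncScheduler -SyncCycleEnabled $true')
    }
    if ($sched.StagingModeEnabled) {
        $findings.Add('server is in staging mode; nothing is exported to Entra ID')
    }
    if ($sched.SyncCycleInProgress) {
        $findings.Add('a sync cycle is running now; wait before starting a delta')
    }

    # "SSO not working" is a device-side check: on the client, run "dsregcmd /status"
    # and confirm both AzureAdJoined and DomainJoined read YES (hybrid join).

    [pscustomobject]@{
        User         = $user.SamAccountName
        Upn          = $user.UserPrincipalName
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
        NextCycleUtc = $sched.NextSyncCycleStartTimeInUTC
    }
}

# Usage:
# Test-EntraSyncUser -SamAccountName jdoe | Format-List
#
# To pause exports without the wizard, stop the scheduler (reverse with $true):
# Set-ADSyncScheduler -SyncCycleEnabled $false
```

Disabling the scheduler stops every cycle (imports included), whereas staging mode keeps the server current and only suppresses exports; use the scheduler switch for a short pause during a change and staging mode when the pause may last.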
## Where it runs

- Tool path: `C:\Program Files\Microsoft Entra Connect Sync\`
- Runs on: `dc.core.lef` (dc, Active Directory domain controller).

Treat this server as a Tier 0 asset: the AD DS connector account that Password Hash Sync uses holds directory replication permissions (the same rights a domain controller uses to replicate), so local administrator access to the sync server is equivalent to access to every synced credential. Restrict who can log on to it and who can run the ADSync cmdlets.