Entra Connect In-Place Upgrade: 4 Phases, ~30 Minutes, Sync Resumes Automatically

Microsoft releases new Entra Connect builds frequently — security patches, performance fixes, occasional new features. Keeping current is the easy part of operating Entra Connect IF you do an in-place upgrade: same server, same OS, just newer EC version on top. Total time: ~30 minutes including verification. Sync is paused for the upgrade window (5-15 min depending on installation size); users see no other impact. This post walks the in-place upgrade end-to-end across four phases.

In-place vs migrate — which one?

| Scenario | Use |
|---|---|
| Same server, same OS, newer EC version | In-place upgrade (this post) |
| Old server retiring; need to move EC to a new VM | Migrate to new server (next post) |
| OS upgrade required (e.g. moving from Server 2016 to 2022) | Migrate (Server in-place OS upgrades aren’t supported) |
| Going from V1.x to V2.x AND on Server 2012 R2 | Migrate (V2.x doesn’t support Server 2012 R2) |

If your environment fits the “in-place” row, this post is for you. Otherwise see the migrate post.

Prerequisites

  • Server 2016 or newer for V2.x. The V2.x sync engine uses SQL Server 2019 LocalDB which doesn’t install on Server 2012 R2.
  • TLS 1.2 enabled at the .NET layer (per Part 3).
  • .NET Framework 4.7.2 or higher. 4.8 recommended.
  • Free disk space for the upgrade (~2 GB temporary space during the install).
  • Maintenance window if your org cares about sync downtime. The pause is brief (~20 min total including the post-upgrade Delta) but does happen.

If your version is so old that it’s on the “deprecated” list, Microsoft may require a two-hop upgrade (e.g. through 1.6 to 2.x). The wizard tells you if so.

Phase 1 — verify current state

Find the version you’re currently running. Three ways covered in Part 8; pick whichever you prefer.

Option A — GUI

Phase 1 starts with finding the current version. Open Synchronization Service Manager. Help > About surfaces the version. Record it — you’ll compare against the new version after the upgrade.

Open Synchronization Service Manager. Help > About.

Help > About dialog. Note the version number (e.g. 2.1.20.0). This is your baseline. Per Part 8, four other ways to read this exist; pick whichever you prefer.

Record the version number. This is your baseline.

Option B — PowerShell

Import-Module ADSync
(Get-ADSyncGlobalSettings).Parameters |
    Where-Object { $_.Name -eq "Microsoft.Synchronize.ServerConfigurationVersion" } |
    Select-Object -ExpandProperty Value

Same answer in scriptable form.

Phase 2 — backup the configuration

This step is non-negotiable. The exported JSON is your insurance policy — if the upgrade goes catastrophically wrong, importing this file rebuilds the EC configuration on a fresh server.

Phase 2 starts in the EC wizard. Launch from the desktop, click Configure.

Launch the EC wizard from the desktop. Click Configure.

On the Tasks page, pick View or export current configuration. This is the configuration backup path; do this BEFORE the upgrade so you have a recovery point.

Pick View or export current configuration. Next.

Click Export Settings. The wizard writes a JSON file containing all current settings, sync rules, OU filters, and connector configurations.

Click Export Settings.

Pick a destination. Use a path that’s OFF the EC server (network share, OneDrive, even a USB drive) so the backup survives if the server itself fails. Filename convention: EntraConnect-config-YYYYMMDD-pre-upgrade.json.

Pick a destination. Best practice: save somewhere OFF the EC server. A network share, OneDrive folder, or even a USB drive works — the point is that if the EC server itself fails, the backup survives. Filename convention: include the date and a “pre-upgrade” tag, e.g. EntraConnect-config-2026-05-10-pre-upgrade.json.

After save, the JSON sits on disk. This is your insurance policy — if the upgrade fails badly enough to need a server rebuild, importing this file restores all customisations.

JSON file on disk.

Wizard returns to Tasks list. Close.

Wizard returns to the Tasks list. Close it.

Wizard closed. Phase 2 done.

Phase 2 done.
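
One way to script the off-server copy described in Phase 2, as an added example that is not part of the original post: it checks that the export parses as JSON, copies it to a share, confirms the SHA-256 of the copy matches the original, and writes a manifest that includes the Phase 1 version. The paths and the manifest file name are placeholders.

```powershell
# Added example: verify the exported configuration and copy it off the EC server.
# $ExportPath and $BackupShare are placeholders (assumptions, not values from the post).
param(
    [string]$ExportPath  = 'C:\Temp\EntraConnect-config-pre-upgrade.json',
    [string]$BackupShare = '\\fileserver\ec-backups'
)
$ErrorActionPreference = 'Stop'

# 1. The export must exist, be non-empty, and parse as JSON.
$file = Get-Item -LiteralPath $ExportPath
if ($file.Length -eq 0) { throw "Export is empty: $ExportPath" }
$null = Get-Content -LiteralPath $ExportPath -Raw | ConvertFrom-Json

# 2. Read the running version (same query as Phase 1) to store with the backup.
Import-Module ADSync
$baseline = (Get-ADSyncGlobalSettings).Parameters |
    Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion' } |
    Select-Object -ExpandProperty Value

# 3. Hash, copy off-server, re-hash the copy, and stop on any mismatch.
$srcHash = (Get-FileHash -LiteralPath $ExportPath -Algorithm SHA256).Hash
$dest    = Join-Path $BackupShare $file.Name
Copy-Item -LiteralPath $ExportPath -Destination $dest
$dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw "Hash mismatch after copy to $dest" }

# 4. Write a manifest so whoever restores can verify the file they import.
[pscustomobject]@{
    File            = $file.Name
    Sha256          = $srcHash
    BaselineVersion = $baseline
    ExportedUtc     = (Get-Date).ToUniversalTime().ToString('o')
    Server          = $env:COMPUTERNAME
} | ConvertTo-Json | Set-Content -LiteralPath "$dest.manifest.json" -Encoding UTF8

"Backup verified: $dest ($srcHash), baseline version $baseline"
```

The export describes your sync rules, OU filters and connectors, so restrict read access on the share to the admins who would perform a rebuild.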

Phase 3 — run the upgrade

Step 3.1 — download the latest installer

Phase 3 — download the latest installer from Microsoft. Per Part 2 of this series, the official source is the Entra admin centre’s Hybrid management blade.

From the EC server (or a workstation that can reach it), download the latest AzureADConnect.msi from the Entra admin centre per Part 2. Stage it on the EC server.

AzureADConnect.msi staged on the EC server.

The .msi in the staging folder.

Step 3.2 — run the upgrade

Right-click > Run as administrator. Without elevation the install fails partway through registering services.

Right-click the .msi > Run as administrator. Without elevation the upgrade fails partway through registering Windows services.

The installer DETECTS the existing install and offers to upgrade rather than fresh-install. This is the in-place upgrade path. If you see a new-install screen instead, something is wrong — the existing install isn’t being recognised. Don’t proceed; investigate.

The installer detects the existing installation and announces it’ll upgrade rather than fresh-install. If you see a new-install screen instead, the installer didn’t recognise the existing version — do NOT proceed; investigate the existing install state. The most common cause is a partial uninstall from a previous failed attempt; clean up first.

Authentication prompt. Sign in with a Global Administrator account (or Hybrid Identity Administrator + Domain Name Administrator if Global Admin isn’t available). Same as during the original install per Part 7.

Authentication prompt. Sign in with a Global Administrator account. Same as the original install. Complete MFA if prompted.

Ready to Upgrade. Tick Start the synchronization process when configuration completes — you almost always want sync to resume immediately after the upgrade. Click Upgrade.

Ready to Upgrade summary. Tick Start the synchronization process when configuration completes. Click Upgrade.

Step 3.3 — wait

Upgrade in progress. The wizard updates the sync engine binaries, schema, configuration database, and registers any new services. Sync is paused during this period; users can’t change passwords successfully (the change won’t propagate until sync resumes).

The wizard:

  • Pauses sync.
  • Updates binaries.
  • Migrates the SQL configuration database to the new schema.
  • Registers updated Windows services.
  • Verifies cloud-side compatibility.

5-15 minutes typically. For very large installations, longer.

Configuration Complete. The upgrade finished successfully. Click Exit. Sync auto-restarts because of the checkbox in the previous step.

Configuration Complete. Sync auto-restarts. Click Exit.

Phase 4 — verify post-upgrade

Don’t declare victory until three checks pass.

Check 1 — GUI version

Phase 4 verification — Help > About in Sync Service Manager again. Version number is now HIGHER than the baseline you recorded in Phase 1. The upgrade landed.

Sync Service Manager > Help > About. Version number should be HIGHER than your Phase 1 baseline. If it’s the same, the upgrade didn’t take effect — investigate.

Check 2 — PowerShell crosscheck

PowerShell crosscheck. Run the Get-ADSyncGlobalSettings ServerConfigurationVersion query (same one from Part 8) and confirm the running configuration version matches the new build. The GUI and PowerShell readings should agree; if they don’t, something is in an unexpected state.

Run the Get-ADSyncGlobalSettings query from Phase 1 again. The result should match the GUI’s Help > About number. If they disagree, the runtime configuration didn’t fully reload — restart the ADSync service or reboot the server.

Check 3 — sync resumed

Operations tab in Sync Service Manager 5-10 min after the upgrade completes. You should see a Delta Import and Delta Export running automatically with Status: Success. That’s sync back to normal — the upgrade is fully done.

Wait 5-10 minutes after the upgrade completed. Open Sync Service Manager > Operations tab. You should see at least one successful Delta Import and Delta Export run since the upgrade. If not, check the Operations tab for errors; the most common post-upgrade issue is a sync-rule incompatibility that needs manual resolution.
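
Checks 2 and 3 as a single script, added here as an example rather than taken from the original post. Get-ADSyncScheduler and Get-ADSyncRunProfileResult are ADSync module cmdlets the post does not use; the baseline version and upgrade time are inputs you supply, and run start times are assumed to be reported in UTC.

```powershell
# Added example: Phase 4 checks 2 and 3 in one pass. Run elevated on the EC server.
# $BaselineVersion and $UpgradeFinished are placeholders you replace with your own values.
param(
    [string]$BaselineVersion   = '2.1.20.0',               # example value from Phase 1
    [datetime]$UpgradeFinished = (Get-Date).AddMinutes(-10)
)
$ErrorActionPreference = 'Stop'
Import-Module ADSync
$failures = @()

# Check 2: the running configuration version must be higher than the baseline.
$current = (Get-ADSyncGlobalSettings).Parameters |
    Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion' } |
    Select-Object -ExpandProperty Value
# Cast to [version] so 2.10.x sorts above 2.9.x; a plain string compare gets that wrong.
if ([version]$current -le [version]$BaselineVersion) {
    $failures += "Version '$current' is not higher than baseline $BaselineVersion"
}

# Check 3a: the scheduler came back on after the upgrade.
if (-not (Get-ADSyncScheduler).SyncCycleEnabled) {
    $failures += 'Sync scheduler is disabled'
}

# Check 3b: a successful import and export have run since the upgrade finished.
# StartDate is assumed to be UTC; adjust the comparison if your build reports local time.
$since = $UpgradeFinished.ToUniversalTime()
$runs  = Get-ADSyncRunProfileResult -NumberRequested 50 |
    Where-Object { $_.StartDate -ge $since }
# Patterns match the run profile names as they appear in the Operations tab.
foreach ($pattern in 'Delta Import', '*Export') {
    $ok = $runs | Where-Object {
        $_.RunProfileName -like $pattern -and $_.Result -eq 'success'
    }
    if (-not $ok) { $failures += "No successful '$pattern' run since $since (UTC)" }
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
"Upgrade verified: $BaselineVersion -> $current, sync is running"
```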

Things that bite people

Skipped the configuration backup

The single most regretted decision. Upgrade goes wrong; you have no backup; rebuilding the EC server from scratch means re-doing every customisation by hand. The backup takes 30 seconds; do it.

Server 2012 R2 + V2.x attempt

The installer fails with a SQL LocalDB error. V2.x doesn’t install on Server 2012 R2. Either upgrade to V1.6.x final (last V1 release) or migrate to a new Server 2016+ host. Don’t fight it.

Insufficient .NET version

Installer fails with a .NET Framework error. Install .NET 4.7.2 or higher (4.8 recommended). Reboot. Retry.

TLS 1.2 not enforced for .NET

Per Part 3, .NET TLS 1.2 has to be explicitly enabled via registry. Without it, the installer’s cloud calls fail. Apply the registry keys + reboot before retrying.

Existing install partially broken

Previous failed install left the system in a half-state. Installer doesn’t recognise it as a clean upgrade target. Either repair via Programs and Features (clicking on the existing entry shows a Repair option), or fully uninstall + import config + fresh install (effectively a migrate-to-same-server).

Sync rules incompatible with new version

You modified default sync rules. The upgrade brings new versions of those rules; your customisations conflict. Post-upgrade, Sync Service Manager shows errors. Open the Sync Rules Editor, find the conflicting rules, decide which version to keep (usually the customised one), and apply.

MFA prompt during upgrade hangs

Same as during fresh install — the MFA pop-up needs https://secure.aadcdn.microsoftonline-p.com in Trusted Sites. If it hangs, kill the wizard, add the URL to Trusted Sites, retry. Caveat: aborting the wizard while it’s in the middle of upgrading the schema can leave the database in a half-migrated state — if that happens, you may need the configuration backup to recover.

Forgetting to re-enable Health Agent

If you originally installed using Hybrid Identity Admin (per Part 1 alternative), the Health Agent was disabled. The upgrade preserves that disabled state. If you want the cloud-side health visibility working, enable the Health Agent post-upgrade with the Microsoft-documented PowerShell command.

What’s next

In-place upgrade is the routine maintenance path. For the more complex case — moving Entra Connect to a NEW server (different hardware, different OS) — the next post covers the migration procedure: install on the new server, import the exported config, decommission the old. Series in the Hybrid Identity pathway.