Microsoft Entra Connect is the bridge between your on-prem Active Directory and your Entra ID (formerly Azure AD) tenant. It runs on a Windows server in your environment and handles synchronisation: changes in AD propagate to the cloud; password hashes sync up and, with writeback enabled, password changes flow back down; group memberships, attributes, and custom mappings all flow through it. Setting it up is straightforward IF you’ve already validated every prerequisite. Skip a check and the installer fails partway through with errors that are usually misleading. This post is the gate-check: nine categories of requirements, every one of which can derail the install if missed. Validate all nine BEFORE you click Install on the Entra Connect MSI.
Mandatory upgrade deadline (read this first)
Microsoft has set a hard cutoff: Entra Connect version 2.5.79.0 or higher is required by September 30, 2026. Older versions get blocked for security reasons; if your install is still on something older after that date, synchronisation stops entirely. The new minimum version requires .NET Framework 4.7.2 or later and TLS 1.2 enabled on the server; both are covered again in the .NET section below, because a hardening baseline that disables TLS 1.2 will break the new build just as surely as an old .NET will.
If you have an existing Entra Connect install on an older version, plan the upgrade now. If you’re doing a fresh install, this isn’t something you can defer — pick a version that meets the cutoff from the start. The deadline applies to ALL Entra Connect deployments globally; there’s no per-tenant exemption.
Cloud side — what Entra ID needs to look like
Before installing anything on-prem, validate the cloud side:
- A tenant exists. Every Microsoft 365 / Azure subscription comes with one Entra ID tenant by default. If you’re starting from scratch, sign up for an Azure free trial and you’ll get one provisioned automatically.
- A verified domain. Add your real company domain (e.g. `infotechninja.com`) and verify it via the DNS TXT record Microsoft asks for. If you skip this, your synced users land with the tenant’s default `<tenant>.onmicrosoft.com` UPN suffix: functional but ugly, and a pain to migrate away from later.
- Sync limits known. Tenants without a verified domain cap at 50,000 synced objects (users + groups + contacts + computers). A verified domain raises that to 300,000. Going above 300,000 requires a support request to Microsoft, and above 500,000 requires Microsoft 365 or Entra ID P1 licensing. If you’re a large enterprise, confirm licensing covers your AD object count BEFORE the install reveals you’re over.
Admin role for the install itself
The installer needs cloud credentials with high privilege:
- Best: Global Administrator. The full install path; the Entra Connect Health Agent installs and enables automatically.
- Acceptable: Hybrid Identity Administrator + Domain Name Administrator (BOTH roles, on the same account). Install completes but the Health Agent installs disabled — you need to enable it separately.
Critical: assign these roles DIRECTLY to the user account. Do not assign the role to a group and then add the user to the group — the installer doesn’t recognise transitive role membership and will fail role validation.
On-prem AD side — what your forest needs to look like
- Forest functional level: Windows Server 2003 or later. Modern environments are well above this; check via `Get-ADForest | Select ForestMode` if unsure.
- Writable Domain Controller reachable. Entra Connect needs to write back to AD (for password writeback, group writeback, etc.). Read-Only Domain Controllers (RODCs) are NOT supported as the connection target.
- NetBIOS domain name with no dots. Your internal domain’s NetBIOS short name (`CORP`, not `CORP.LOCAL`) must not contain a period. If your existing NetBIOS name has a dot, you have a bigger problem than Entra Connect; that should be fixed regardless.
- Active Directory Recycle Bin enabled. Strongly recommended. With Recycle Bin on, accidentally-deleted users can be restored cleanly with their attributes intact, so the linked cloud object is reconnected rather than recreated; without it, restore means an authoritative restore from backup. Enable via `Enable-ADOptionalFeature`.
- IdFix tool run, errors fixed. Microsoft’s free IdFix tool scans your AD for sync-blocking errors: invalid characters in proxyAddresses, duplicate UPNs, malformed email addresses. Run it, fix what it finds, run it again until clean. Sync errors after install are 10x harder to debug than fixing the data first.
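As an added example (not from the original post), here is a PowerShell gate-check for the forest items above, run from the planned Entra Connect server. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed and the caller can read the forest, its domains and the optional-feature objects; it prints the `Enable-ADOptionalFeature` command as a finding rather than running it. IdFix is a separate GUI tool and is not covered here.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# PowerShell module (RSAT-AD-PowerShell) is present on the planned server.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-EntraConnectForestPrereqs {
    $findings = [System.Collections.Generic.List[string]]::new()
    $forest   = Get-ADForest

    # 1. Forest functional level: Windows Server 2003 forest mode or later.
    $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    if ([int]$forest.ForestMode -lt [int]$minMode) {
        $findings.Add("Forest functional level '$($forest.ForestMode)' is below Windows Server 2003.")
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName

        # 2. At least one writable DC per domain; RODCs cannot be the connector target.
        $writable = @(Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domainName)
        if ($writable.Count -eq 0) {
            $findings.Add("Domain $domainName has no writable domain controller reachable.")
        }

        # 3. NetBIOS name must not contain a period (CORP, not CORP.LOCAL).
        if ($domain.NetBIOSName -match '\.') {
            $findings.Add("NetBIOS name '$($domain.NetBIOSName)' for $domainName contains a period.")
        }
    }

    # 4. AD Recycle Bin: enabled when the feature has at least one enabled scope.
    $recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if (-not $recycleBin -or $recycleBin.EnabledScopes.Count -eq 0) {
        $findings.Add("AD Recycle Bin is not enabled. Enable with: Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target '$($forest.Name)'")
    }

    [pscustomobject]@{
        Forest     = $forest.Name
        ForestMode = $forest.ForestMode
        Domains    = @($forest.Domains)
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

$result = Test-EntraConnectForestPrereqs
$result | Format-List
if (-not $result.Passed) { exit 1 }
```

Run it as an account that can read every domain in the forest; a non-zero exit code makes it easy to wire into the build pipeline for the server.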
Soft-match and hard-match takeover
Two cloud-side settings worth disabling unless you specifically need them:
- Soft matching: links a synced AD user to an existing cloud-only user when the primary SMTP address (or UPN) matches. Convenient for migrations; risky in steady state because an attacker who can create an AD user carrying an admin’s SMTP address can take over that admin’s cloud account on the next sync cycle. Disable it once the migration is done (the tenant setting is BlockSoftMatch).
- Hard match takeover: lets a synced object claim an existing cloud-only user through the sourceAnchor / ImmutableId match. Useful in specific recovery scenarios; dangerous in everyday operation because it overwrites the cloud object’s state with on-prem state. Disable unless you have a specific use case (the tenant setting is BlockCloudObjectTakeoverThroughHardMatch).
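As an added example (not from the original post), this PowerShell turns both blocks on through Microsoft Graph, which is where these tenant settings live now that the MSOnline module is deprecated. It assumes the Microsoft.Graph.Authentication module is installed and the signed-in account is allowed to write directory synchronization settings (the `OnPremDirectorySynchronization.ReadWrite.All` scope); the endpoint and property names are those of the Graph v1.0 onPremisesDirectorySynchronization resource.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph
# PowerShell SDK (Microsoft.Graph.Authentication) and an account permitted to
# write directory synchronization settings.
Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All' -NoWelcome

$base = 'https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization'

function Get-SyncMatchSettings {
    # A tenant has exactly one onPremisesDirectorySynchronization object.
    $sync = (Invoke-MgGraphRequest -Method GET -Uri $base).value | Select-Object -First 1
    [pscustomobject]@{
        Id                     = $sync.id
        BlockSoftMatch         = [bool]$sync.features.blockSoftMatchEnabled
        BlockHardMatchTakeover = [bool]$sync.features.blockCloudObjectTakeoverThroughHardMatchEnabled
    }
}

function Set-SyncMatchSettings {
    param([bool]$BlockSoftMatch = $true, [bool]$BlockHardMatchTakeover = $true)
    $current = Get-SyncMatchSettings
    $body = @{
        features = @{
            blockSoftMatchEnabled                           = $BlockSoftMatch
            blockCloudObjectTakeoverThroughHardMatchEnabled = $BlockHardMatchTakeover
        }
    }
    # PATCH only the two feature flags; other features keep their current values.
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($current.Id)" -Body $body -ContentType 'application/json' | Out-Null
    Get-SyncMatchSettings   # read back so the change is verified, not assumed
}

'Before:'; Get-SyncMatchSettings
# Block both once the initial match-up of existing cloud users is complete.
'After:';  Set-SyncMatchSettings -BlockSoftMatch $true -BlockHardMatchTakeover $true
```

Keep soft matching on until every pre-existing cloud user has been matched to its AD counterpart; blocking it earlier creates duplicates instead of links. Objects that are already matched are unaffected by either block.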
Security — treat the Entra Connect server as Tier 0
This server holds credentials that can read and change passwords for any user in your domain: with password hash sync enabled its AD DS connector account has directory replication rights, and with writeback enabled it can reset passwords. In Microsoft’s tiered admin model that puts it at Tier 0, the same security level as a Domain Controller. Treat it accordingly:
- Restricted access. Only Domain Admins or a specific Tier 0 admin group should ever log in. No regular IT staff, no service desk, no developers. This is non-negotiable.
- Separate admin accounts. The accounts that have access to this server should NEVER be used for anything else: not email, not browsing, not RDP to other servers. Use a dedicated PAW (Privileged Access Workstation) and a dedicated admin account for Entra Connect operations.
- NTLM disabled. NTLM lacks mutual authentication and is the protocol that relay and pass-the-hash attacks depend on. Block it on this server to force Kerberos. Configure via Group Policy under Security Options: first set Network security: Restrict NTLM: Audit Incoming NTLM Traffic to audit all accounts, confirm nothing legitimate still shows up (including the connector and SQL service accounts), then set Network security: Restrict NTLM: Incoming NTLM traffic and Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all.
- LAPS deployed. Windows LAPS (Local Administrator Password Solution) automatically rotates the local admin password to something random and unique per machine. Critical for stopping lateral movement where an attacker captures one local admin hash or password and reuses it across the fleet.
- MFA on every admin account. If an attacker takes over the Entra Connect server, they can reset cloud passwords for synced users. MFA on those accounts means the attacker can’t sign in even with the new password; they’d need the second factor too. Caveat: MFA protects the cloud sign-in, not the on-prem side. A Tier 0 compromise of this box also exposes the connector account and its replication rights, which is exactly why the four controls above are not optional.
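As an added example (not from the original post), this read-only PowerShell reports the server’s Restrict NTLM posture and which accounts still authenticate to it with NTLM, so you can move from Audit to Deny without breaking the sync or SQL service accounts. It assumes the registry values under `MSV1_0` that the Restrict NTLM policies write (`RestrictReceivingNTLMTraffic`, `RestrictSendingNTLMTraffic`, `AuditReceivingNTLMTraffic`) and reads Security event 4624, whose AuthenticationPackageName field names the package used for each logon.

```powershell
# Added example, not part of the original post. Read-only: reports the Restrict
# NTLM posture of this server and which accounts still log on with NTLM.
# Registry value names mirror the "Network security: Restrict NTLM" policies.
function Get-NtlmPosture {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $incoming = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
    $outgoing = @{ 0 = 'Allow all'; 1 = 'Audit all';                2 = 'Deny all' }
    # Missing values mean the policy is unset, which behaves as 0 (allow).
    [pscustomobject]@{
        IncomingNtlm      = $incoming[[int]$lsa.RestrictReceivingNTLMTraffic]
        OutgoingNtlm      = $outgoing[[int]$lsa.RestrictSendingNTLMTraffic]
        AuditIncomingNtlm = ([int]$lsa.AuditReceivingNTLMTraffic -eq 2)   # 2 = audit all accounts
    }
}

function Get-NtlmLogons {
    param([int]$Days = 7)
    # Security event 4624 carries AuthenticationPackageName; NTLM here means a
    # logon to THIS server that Kerberos did not handle.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['AuthenticationPackageName'] -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
                LogonType   = $field['LogonType']
                Workstation = $field['WorkstationName']
                SourceIp    = $field['IpAddress']
                LmPackage   = $field['LmPackageName']   # NTLM V1 vs V2 is visible here
            }
        }
    }
}

Get-NtlmPosture | Format-List
Get-NtlmLogons -Days 7 | Group-Object Account, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it after auditing has been on for at least a full sync cycle. Every account and workstation in the second table is something that will break when you flip to Deny: fix it to use Kerberos (correct SPN, connect by FQDN rather than IP) before changing the policy, rather than finding out from a stalled sync.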
Server OS — what to install Entra Connect on
Picking the wrong Windows version causes install failures or worse, post-install sync issues. Approved versions:
| Windows version | Status |
|---|---|
| Server 2022 | Recommended. Best choice for new installs. |
| Server 2019 | Supported. Fine. |
| Server 2016 | Use with caution. In extended support only (security updates, no new features) until January 2027; plan to move off it. |
| Server 2025 | NOT supported. Known sync-breaking bugs; future support planned but not yet. |
| Server Core | NOT supported. Entra Connect requires the full Desktop Experience GUI. |
| Small Business Server | NOT supported. End of life. |
.NET Framework + PowerShell execution policy
- .NET Framework 4.7.2 minimum (the version floor set by the upgrade deadline above); 4.8 or newer recommended. Check via `Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'`; the Release value tells you the build (461808 = 4.7.2, 528040 = 4.8).
- TLS 1.2 enabled. The same version floor requires TLS 1.2 for all outbound calls, so make sure no hardening baseline or SCHANNEL registry tweak has disabled it on this server.
- PowerShell execution policy = RemoteSigned. The installer runs PowerShell scripts to do its job; Restricted or AllSigned blocks them. Windows Server defaults to RemoteSigned, but Group Policy baselines often override it, so check `Get-ExecutionPolicy -List` and set with `Set-ExecutionPolicy RemoteSigned -Scope LocalMachine` if needed.
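As an added example (not from the original post), this PowerShell checks all three items on the planned server in one pass. The Release-to-version mapping is Microsoft’s published table for .NET 4.x; the TLS checks read the SCHANNEL protocol keys and the two .NET strong-crypto values (`SchUseStrongCrypto`, `SystemDefaultTlsVersions`) that Microsoft’s TLS 1.2 enforcement guidance for Entra Connect lists. The function and its output shape are this example’s own.

```powershell
# Added example, not part of the original post. Checks the .NET Framework build,
# TLS 1.2 registry posture and PowerShell execution policy on the planned server.
function Test-EntraConnectHostPrereqs {
    $findings = [System.Collections.Generic.List[string]]::new()

    # .NET Framework: the 'Release' DWORD under NDP\v4\Full identifies the build.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release = [int]$ndp.Release
    $version = switch ($release) {
        { $_ -ge 533320 } { '4.8.1'; break }
        { $_ -ge 528040 } { '4.8';   break }
        { $_ -ge 461808 } { '4.7.2'; break }
        { $_ -ge 394802 } { '4.6.2'; break }
        default           { "older (Release=$release)" }
    }
    if ($release -lt 461808) {
        $findings.Add(".NET Framework $version is below the 4.7.2 minimum; 4.8 or later is recommended.")
    }

    # TLS 1.2: SCHANNEL must not disable it. Absent values mean "OS default",
    # which is enabled on Server 2016 and later.
    foreach ($role in 'Client', 'Server') {
        $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$role"
        $v = Get-ItemProperty $p -ErrorAction SilentlyContinue
        if ($v -and (($v.Enabled -eq 0) -or ($v.DisabledByDefault -eq 1))) {
            $findings.Add("TLS 1.2 is disabled for the SCHANNEL $role role ($p).")
        }
    }
    # .NET must defer to the OS TLS defaults and use strong crypto (64-bit and WOW64 hives).
    foreach ($p in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = Get-ItemProperty $p -ErrorAction SilentlyContinue
        if ($v.SchUseStrongCrypto -ne 1 -or $v.SystemDefaultTlsVersions -ne 1) {
            $findings.Add("$p should have SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1 (DWORD).")
        }
    }

    # Execution policy: the effective policy is what the installer's scripts hit.
    $policy = Get-ExecutionPolicy
    if ($policy -in 'Restricted', 'AllSigned') {
        $findings.Add("Effective execution policy is '$policy'; set it with: Set-ExecutionPolicy RemoteSigned -Scope LocalMachine (or fix the GPO that sets it).")
    }

    [pscustomobject]@{
        DotNetVersion   = $version
        ExecutionPolicy = $policy
        PolicyByScope   = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
        Passed          = ($findings.Count -eq 0)
        Findings        = $findings.ToArray()
    }
}

Test-EntraConnectHostPrereqs | Format-List
```

The PolicyByScope field is there because a MachinePolicy entry set by GPO silently wins over anything you set with `Set-ExecutionPolicy`; if that is the scope reporting Restricted, the fix is in Group Policy, not on the box.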
SQL database — built-in or full SQL Server
Entra Connect needs a database to track sync state. Two paths:
Option A — built-in SQL Server LocalDB
The installer bundles SQL Server Express LocalDB. Use this when:
- You have fewer than 100,000 objects.
- You’re OK with the 10 GB hard cap on database size.
- You don’t need to back up the database independently.
If the database hits 10 GB, sync STOPS. Plan ahead if you’re close to the threshold.
Option B — bring your own SQL Server
Required when you have more than 100,000 objects. Rules:
- Supported versions: SQL Server 2019 or 2022. SQL 2012 and 2016 are no longer supported.
- NOT cloud-hosted. Azure SQL Database and Azure SQL Managed Instance are not supported. It must be a standard SQL Server install on Windows.
- Collation must be case-insensitive. Look for `_CI_` in the collation name (e.g. `SQL_Latin1_General_CP1_CI_AS`). Case-sensitive (`_CS_`) collations are rejected.
- Dedicated instance. Don’t share the SQL instance with other sync tools (MIM, DirSync). Entra Connect needs exclusive access.
- Don’t touch the drivers. The installer drops specific ODBC and OLE DB drivers. Don’t manually upgrade them; let Entra Connect manage the versions.
- No Named Pipes. The Named Pipes SQL transport protocol is not supported. Use TCP/IP.
- Memory limit if co-located. If SQL is on the same server as Entra Connect, configure SQL’s max memory limit so it doesn’t starve the Entra Connect service. Rule of thumb: leave 4 GB for the OS + Entra Connect.
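As an added example (not from the original post), this PowerShell checks a bring-your-own SQL instance against the rules above before you point the installer at it. It uses the .NET SqlClient that ships with Windows (no SQL module needed); the instance name is a placeholder, the `tcp:` prefix forces TCP so a Named-Pipes-only instance fails fast, and the version/EngineEdition thresholds are the documented SERVERPROPERTY values (15 = 2019, 16 = 2022; EngineEdition 5 = Azure SQL Database, 8 = Managed Instance).

```powershell
# Added example, not part of the original post. Uses the .NET SqlClient that
# ships with Windows. 'SQL01\ENTRA' below is a placeholder instance name.
function Test-EntraConnectSqlTarget {
    param([Parameter(Mandatory)][string]$Instance)   # e.g. 'SQL01\ENTRA' or 'sql01.corp.local,1433'
    $findings = [System.Collections.Generic.List[string]]::new()
    # Encrypted, validated connection over TCP. If this fails on certificate trust,
    # fix the SQL server's certificate rather than setting TrustServerCertificate=True.
    $cs = "Server=tcp:$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=False;Connect Timeout=10"
    $conn = [System.Data.SqlClient.SqlConnection]::new($cs)
    try { $conn.Open() }
    catch {
        return [pscustomobject]@{ Instance = $Instance; Passed = $false; Info = $null
                                  Findings = @("TCP connection failed: $($_.Exception.Message)") }
    }
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductMajorVersion') AS int)           AS MajorVersion,
       CAST(SERVERPROPERTY('ProductVersion')      AS nvarchar(32))  AS ProductVersion,
       CAST(SERVERPROPERTY('Edition')             AS nvarchar(128)) AS Edition,
       CAST(SERVERPROPERTY('EngineEdition')       AS int)           AS EngineEdition,
       CAST(SERVERPROPERTY('Collation')           AS nvarchar(128)) AS Collation,
       (SELECT CAST(value_in_use AS bigint) FROM sys.configurations
         WHERE name = 'max server memory (MB)')                     AS MaxServerMemoryMB
"@
        $r = $cmd.ExecuteReader(); [void]$r.Read()
        $info = [ordered]@{}
        for ($i = 0; $i -lt $r.FieldCount; $i++) { $info[$r.GetName($i)] = $r.GetValue($i) }
        $r.Close()
    } finally { $conn.Close() }

    # Version: 15 = SQL Server 2019, 16 = SQL Server 2022.
    if ([int]$info.MajorVersion -lt 15) {
        $findings.Add("SQL Server major version $($info.MajorVersion) ($($info.ProductVersion)) is older than 2019.")
    }
    # EngineEdition 5 = Azure SQL Database, 8 = Azure SQL Managed Instance: not supported targets.
    if ([int]$info.EngineEdition -in @(5, 8)) {
        $findings.Add("Cloud-hosted SQL (EngineEdition $($info.EngineEdition)) is not a supported target.")
    }
    # Collation must be case-insensitive.
    if ($info.Collation -notmatch '_CI_') {
        $findings.Add("Collation '$($info.Collation)' is not case-insensitive (_CI_).")
    }
    # 2147483647 MB is SQL's default 'unlimited'; cap it when SQL shares the server.
    if ([int64]$info.MaxServerMemoryMB -ge 2147483647) {
        $findings.Add("max server memory is unlimited; cap it if SQL is co-located with Entra Connect.")
    }

    [pscustomobject]@{ Instance = $Instance; Passed = ($findings.Count -eq 0)
                       Info = [pscustomobject]$info; Findings = $findings.ToArray() }
}

Test-EntraConnectSqlTarget -Instance 'SQL01\ENTRA' | Format-List
```

Run it as the account that will run the installer, so a missing SQL login surfaces here too. Note the collation check is against the server default; if a DBA pre-creates the ADSync database with its own collation, check that one as well.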
Network and firewall
Internal: Entra Connect server to Domain Controllers
Open these ports between the Entra Connect server and your DCs:
| Service | Port | Protocol |
|---|---|---|
| DNS | 53 | TCP & UDP |
| Kerberos | 88 | TCP & UDP |
| RPC Endpoint Mapper | 135 | TCP |
| LDAP | 389 | TCP & UDP |
| SMB / CIFS | 445 | TCP |
| LDAPS (LDAP over SSL) | 636 | TCP |
| Global Catalog | 3268 | TCP |
| Global Catalog over SSL | 3269 | TCP |
| Dynamic RPC | 49152–65535 | TCP |
External: Entra Connect server to Microsoft cloud
- Outbound HTTPS (TCP 443) to `*.microsoftonline.com`, `*.windows.net`, `*.msftauth.net`, `*.aadcdn.microsoftonline-p.com`.
- Outbound TCP 443 to the Entra Connect Health endpoints (specific URLs documented by Microsoft; they change occasionally).
Critical: NO SSL inspection in the path
If your firewall does SSL/TLS inspection (terminates the encrypted session, scans it, then re-encrypts it with its own certificate), you MUST exclude Entra Connect’s outbound traffic. The sync engine and Health agent validate Microsoft’s certificate chain and reject the proxy-issued substitute, so sync fails with cryptic TLS errors. Configure your firewall to bypass inspection for the Entra endpoints above, and verify the bypass from the server itself rather than trusting the change ticket.
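As an added example (not from the original post), this PowerShell covers both halves of the network section: it probes every DC in the current domain on the TCP ports from the table above, then opens a TLS 1.2 session to two of the cloud hosts this post names and reports who issued the certificate, which is the fastest way to catch an inspecting proxy. It assumes `Test-NetConnection` (NetTCPIP module, built into Server 2012 R2 and later); the issuer heuristic (Microsoft or DigiCert in the issuer DN) is this example’s assumption about the current Microsoft certificate chain, not a guarantee.

```powershell
# Added example, not part of the original post. TCP port probe to the DCs plus a
# TLS handshake to cloud endpoints that reports the certificate issuer.

function Test-DcPorts {
    # UDP 53/88/389 and the dynamic RPC range cannot be probed this way; TCP only.
    $ports = [ordered]@{ DNS = 53; Kerberos = 88; RPC_EPM = 135; LDAP = 389; SMB = 445; LDAPS = 636; GC = 3268; GC_SSL = 3269 }
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
    foreach ($dc in $dcs) {
        foreach ($name in $ports.Keys) {
            $open = Test-NetConnection -ComputerName $dc.Name -Port $ports[$name] -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc.Name; Service = $name; Port = $ports[$name]; Open = $open }
        }
    }
}

function Get-TlsEndpointInfo {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        # Force TLS 1.2, the minimum the current Entra Connect builds require.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        [void]$chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Host      = $HostName
            Protocol  = $ssl.SslProtocol
            Subject   = $leaf.Subject
            Issuer    = $leaf.Issuer
            Root      = $root.Subject
            Inspected = ($leaf.Issuer -notmatch 'Microsoft|DigiCert')   # heuristic: a corporate CA here means a proxy in the path
            Error     = $null
        }
        $ssl.Dispose()
    } catch {
        # An interception CA that this server does not trust shows up here as an authentication failure.
        [pscustomobject]@{ Host = $HostName; Protocol = $null; Subject = $null; Issuer = $null
                           Root = $null; Inspected = $null; Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

'Closed DC ports (empty is good):'
Test-DcPorts | Where-Object { -not $_.Open } | Format-Table -AutoSize
'login.microsoftonline.com', 'secure.aadcdn.microsoftonline-p.com' |
    ForEach-Object { Get-TlsEndpointInfo -HostName $_ } | Format-List
```

Two results to act on: any row in the first table is a firewall rule to fix before install, and an Issuer or Root naming your own enterprise CA (or an Error about an untrusted chain) means the inspection bypass is not in effect for that host. Run the TLS half again after the firewall change rather than assuming it took.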
MFA pop-up during install
If the admin account you’re installing with has MFA enabled (which it should), the install needs https://secure.aadcdn.microsoftonline-p.com in the Trusted Sites list of Internet Settings on the server. Otherwise the MFA prompt fails to render and the install hangs.
Hardware sizing
Sizing depends on object count. Count Users + Groups + Contacts + Computers in your AD.
| Object count | CPU | RAM | Disk |
|---|---|---|---|
| Under 10,000 | 1.6 GHz | 4 GB | 70 GB |
| 10,000 – 50,000 | 1.6 GHz | 4 GB | 70 GB |
| 50,000 – 100,000 | 1.6 GHz | 16 GB | 100 GB |
| 100,000+ (Enterprise) | 1.6 GHz | 32 GB+ | 300 GB |
Specs assume SQL is on the same machine as Entra Connect. If you split SQL onto its own server, the Entra Connect server can be smaller, but the SQL server needs its own full sizing.
Above 100,000 objects, the built-in LocalDB hits its 10 GB cap quickly — you must use a full SQL Server install. The hardware specs in the table reflect that.
Things that catch people during pre-install
Role assigned to a group, not directly to the user
You add the install account to a security group, then add the security group to a Global Administrator role assignment. Looks correct in the admin centre. Install fails because the installer checks for direct role assignments only and doesn’t walk group membership. Fix: assign the role directly to the user account.
Server Core install
You used Server Core for everything else in the environment because it’s smaller and lower attack surface. Entra Connect won’t install on it — it needs Desktop Experience for the GUI bits. Provision a Desktop Experience VM specifically for this role.
Server 2025
You upgraded the planned server to Server 2025 because that’s the latest. Entra Connect doesn’t support 2025 yet (sync-breaking bugs). Roll back to 2022 or 2019 until Microsoft adds support.
NetBIOS name has a dot
You inherited an old domain whose NetBIOS short name is CORP.LOCAL instead of CORP. This isn’t just an Entra Connect problem — it breaks several other things too. Plan a domain rename if you can; if you can’t, the install will fail at the AD validation stage.
SSL inspection in the firewall
Sync works for the first few hours, then fails. Errors are TLS-related. Diagnosis: your perimeter firewall does SSL inspection on outbound HTTPS, which breaks the certificate trust between Entra Connect and Microsoft. Exempt the Entra endpoints from inspection and confirm from the server that the certificate chain is Microsoft’s again.
SQL collation case-sensitive
You’re bringing your own SQL and the SQL admin set up the database with case-sensitive collation (_CS_). Install rejects it. Fix: either change the collation (destructive; requires DB recreation) or use a different SQL instance with case-insensitive collation.
Disabled Health Agent because Hybrid Identity Admin wasn’t enough
You installed with Hybrid Identity Admin instead of Global Admin. Health Agent installs disabled. Now you can’t see sync health in the admin centre. Fix: either grant Global Admin temporarily and re-run a specific Health Agent registration command, or live without the Health Agent (not recommended for production).
10 GB LocalDB hit in production
Sync stops one morning with no obvious cause. Investigation reveals the LocalDB is at 10 GB. Migration to full SQL Server is non-trivial — export, install full SQL, reconfigure Entra Connect to point at it, re-import. Plan ahead: if your object count is approaching 80,000, install full SQL from the start.
Recently-created user not syncing despite no errors
Diagnosis: NTLM is blocked on the Entra Connect server (good) but you’re using an account that can only authenticate via NTLM (bad). Switch to a Kerberos-capable account (and connect by FQDN rather than IP so a Kerberos ticket can be requested); relaxing the NTLM block during the sync window works but reopens the gap you just closed.
Where this fits in the series
This post is the gate-check for installing Entra Connect. Once these prerequisites are validated, the actual install is straightforward (covered in the next posts in the Hybrid Identity pathway): downloading the installer, running through the wizard, configuring the sync schedule, and the post-install verification. For broader context on the on-prem AD side that Entra Connect bridges to, see the Active Directory pathway. For the related on-prem Password Protection feature that complements Entra Connect, see the Entra Password Protection series.