Entra ID Sync

Last updated: November 15, 2023
Audience: IT Staff / Technical

Entra ID Integration

Microsoft provides a cloud-based identity platform called Entra ID. Like Active Directory Domain Services (AD-DS), it provides several protocols and interfaces to interact with identity data and obtain logon tokens, as well as mechanisms to enforce access controls. Unlike AD-DS, it does not use the same technologies or protocols, relying instead on more modern ones.

Because most enterprises have a rich set of practices developed to provision and manage their AD-DS, Microsoft provides tools to integrate and connect your on-premises AD-DS with your cloud-based Entra ID. This allows an enterprise to easily adopt Entra ID without creating new tools and practices for it.

There have been several tools over the years focused on synchronizing this data. We currently are leveraging the one called Entra ID Connect.

The UW leverages the Microsoft sync tool to provision users, groups, and contacts in Entra ID. This is not the only integration or practice that results in changes to Entra ID, but it is the predominant one.

What is Synchronized?

The Entra ID sync tools generally include all users, groups, and contact objects. This means that by default every user, group, and contact in your AD-DS is sent to your Entra ID.

We have configured our Entra ID sync to not send every group. This is because, at this time, Entra ID does not include controls to protect the privacy of group membership. So the many groups which have membership privacy controls are not present in our Entra ID.

More details mapping exactly what the Entra ID sync tools sync are available. Note that a few attributes are synced back to AD-DS (see table 2 in link above).

How Often?

Once every 30 minutes, the Entra ID synchronization is triggered, unless it is still processing the last run. Runs generally take less than 10 minutes, but if we need to replace the tool, it can take 2-3 days to become fully synchronized. On busy days, it is not uncommon for this process to take several hours to complete.

Other Important Details

Microsoft enforces UPN and mail address uniqueness. So if there is already a user with joe@uw.edu as either its UPN or mail value, then your user account can't have that value and won't get synchronized. This is rare and generally only happens in situations where there was a UW NetID name change or identity merger.
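The following is an added example, not UW's or Microsoft's code, of checking an export of AD-DS accounts for this kind of collision before it blocks a sync. The records are constructed, `find_conflicts` is a hypothetical helper name, and the case-insensitive comparison is an assumption.

```python
from collections import defaultdict

# Constructed sample records (not real accounts), shaped like an AD-DS export.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "joe", "userPrincipalName": "joe@uw.edu", "mail": "joe@uw.edu"},
    # After a name change or merger, a second account still carries the old mail value.
    {"sAMAccountName": "joseph", "userPrincipalName": "joseph@uw.edu", "mail": "Joe@uw.edu"},
    {"sAMAccountName": "ann", "userPrincipalName": "ann@uw.edu", "mail": None},
    {"sAMAccountName": "svc1", "userPrincipalName": "svc1@uw.edu", "mail": ""},
]


def find_conflicts(accounts):
    """Return {value: sorted [(account, attribute), ...]} for every UPN or mail
    value that is claimed by more than one distinct account.

    UPN and mail share one namespace here: a value used as one account's UPN
    and another account's mail counts as a collision. An account whose own UPN
    and mail are identical is not a collision.
    """
    claims = defaultdict(set)
    for acct in accounts:
        for attr in ("userPrincipalName", "mail"):
            # Assumption: values are compared case-insensitively; empty or
            # missing attributes claim nothing.
            value = (acct.get(attr) or "").strip().lower()
            if value:
                claims[value].add((acct["sAMAccountName"], attr))

    conflicts = {}
    for value, holders in claims.items():
        owners = {name for name, _ in holders}
        if len(owners) > 1:
            conflicts[value] = sorted(holders)
    return conflicts


if __name__ == "__main__":
    for value, holders in find_conflicts(SAMPLE_ACCOUNTS).items():
        print(f"{value}: claimed by {holders}")
```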

If a NETID AD object that has been synced to Entra ID is deleted or falls out of the criteria to be synchronized, then the corresponding Entra ID object is also deleted, that is, put in a state called “soft delete”. Soft delete means that the object can still be recovered for 30 days by an Entra ID administrator (or if the AD-DS object re-appears), but is otherwise unusable.