Monitor and Troubleshoot Identity Sync
Use Microsoft Entra Connect Health to monitor Connect Sync, and the built-in agent status and provisioning logs in the Entra admin center to monitor Cloud Sync; then use both to diagnose sync errors and troubleshoot the common failure modes of each tool.
When sync breaks at 2 AM
Directory sync runs silently in the background, until it doesn't. Then the helpdesk phones start ringing.
Monitoring sync is like monitoring a water pipe. When it's working, you don't think about it. But you need sensors to detect blockages (sync errors), leaks (attribute conflicts), and pressure drops (performance issues) before they become emergencies. Microsoft Entra Connect Health is your sensor dashboard.
Monitoring with Microsoft Entra Connect Health
What Connect Health monitors
| Metric | What It Shows | Alert Threshold |
|---|---|---|
| Sync status | Last successful sync, current cycle status | Alert if no sync for 2+ hours |
| Export errors | Objects that failed to sync to Entra | Any export error |
| Sync latency | Time between an AD change and the corresponding Entra update | Alert if latency exceeds the scheduler interval (30 minutes by default for Connect Sync) |
| Server health | CPU, memory, disk, network on sync server | Resource exhaustion |
| Password sync status | Password hash sync success/failure | Any PHS failure |
| AD connectivity | Connection to on-prem AD controllers | Connection loss |
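The first two rows of the table, sync freshness and export errors, can be checked from outside Connect Health as well, because the tenant itself records the last sync time and per-object provisioning errors. The script below is an added example, not from the original page or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes you have already run `Connect-MgGraph` with `Organization.Read.All` and `User.Read.All`. The two-hour threshold is the one from the table.

```powershell
# Added example: reproduce the "no sync for 2+ hours" and "any export error" checks
# from the table above using Microsoft Graph. Assumes the Microsoft.Graph module is
# installed and Connect-MgGraph has been run with Organization.Read.All, User.Read.All.

function Test-SyncFreshness {
    param(
        [Parameter(Mandatory)][datetime]$LastSyncUtc,
        [int]$MaxAgeHours = 2   # alert threshold from the monitoring table
    )
    $age = (Get-Date).ToUniversalTime() - $LastSyncUtc
    [pscustomobject]@{
        LastSyncUtc = $LastSyncUtc
        AgeHours    = [math]::Round($age.TotalHours, 2)
        Stale       = $age.TotalHours -ge $MaxAgeHours
    }
}

# 1. Last successful sync, as recorded on the tenant's organization object.
$org = Get-MgOrganization -Property Id, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
if (-not $org.OnPremisesSyncEnabled) { throw 'Directory sync is not enabled for this tenant' }

$fresh = Test-SyncFreshness -LastSyncUtc $org.OnPremisesLastSyncDateTime
if ($fresh.Stale) {
    Write-Warning "No successful sync for $($fresh.AgeHours) h (threshold $($fresh.AgeHours -ge 2 ? 2 : 2) h)"
}
$fresh

# 2. Export errors. Entra stores each failed export on the user object as an
#    onPremisesProvisioningError (category PropertyConflict for a duplicate
#    proxyAddress or UPN). Filtering client-side keeps the query simple and avoids
#    depending on server-side $filter support for this collection.
$exportErrors = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesProvisioningErrors |
    Where-Object { $_.OnPremisesProvisioningErrors } |
    ForEach-Object {
        $upn = $_.UserPrincipalName
        foreach ($e in $_.OnPremisesProvisioningErrors) {
            [pscustomobject]@{
                UserPrincipalName    = $upn
                Category             = $e.Category
                PropertyCausingError = $e.PropertyCausingError
                Value                = $e.Value
                OccurredDateTime     = $e.OccurredDateTime
            }
        }
    }

"Objects with export errors: $(@($exportErrors).Count)"
$exportErrors | Sort-Object OccurredDateTime -Descending | Format-Table -AutoSize
```

`OnPremisesLastSyncDateTime` is updated by both Connect Sync and Cloud Sync, so the freshness check works for either tool; the provisioning-error list is what you would work through before touching AD, because `PropertyCausingError` and `Value` tell you exactly which attribute collided.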
Setting up Connect Health
- Install the health agent on the Connect Sync server
- Register with your Entra tenant (requires Global Administrator or Hybrid Identity Administrator)
- Configure email alerts: Entra > Connect Health > Alert settings
- Dashboard available at Entra admin center > Connect Health
Deep dive: Connect Health for AD FS and AD DS
Connect Health isn't just for sync servers. It also monitors:
- AD FS servers: sign-in failures, token request latency, server availability, extranet lockouts
- AD Domain Services: replication health, LDAP queries, DNS errors, domain controller availability
For MS-102, the focus is on sync monitoring, but know that Connect Health is a broader platform. The health agent must be installed on EACH server being monitored (each DC, each AD FS server, etc.).
Monitoring Cloud Sync
Cloud Sync monitoring is simpler: it's built into the Entra admin center:
| Where | What You See |
|---|---|
| Entra > Cloud Sync > Agent status | Agent health, version, last activity |
| Entra > Cloud Sync > Configuration > Logs | Provisioning logs: every object change, with the action taken and any error |
| Entra > Cloud Sync > Configuration > Status | Overall sync status, errors, warnings |
| Entra > Audit logs | Sync-related events |
Cloud Sync agents auto-update and report status to Entra continuously. All installed agents are active at the same time; if one goes offline, the provisioning service simply uses the remaining agents, so provisioning continues with no manual failover.
Common sync errors and fixes
| Error | Cause | Fix |
|---|---|---|
| Duplicate attribute (proxyAddresses) | Two AD objects (users, groups or contacts) share the same SMTP address | Identify the duplicate in AD and remove or change one of the values. Use IdFix to find duplicates before they reach export. |
| Invalid characters | Special characters in attributes that Entra doesn't accept | Fix the attribute value in AD. Common culprits: trailing spaces, control characters. |
| UPN conflict | Synced UPN matches an existing cloud-only user that could not be soft-matched | Let soft match link the objects (same UPN or primary SMTP address), or delete or rename the cloud-only user, or change the on-prem UPN. |
| Sync server offline | Connect Sync server is down or unreachable | Check server health, restart sync service, verify network connectivity. |
| Password hash sync failure | The Connect Sync server can't reach the Entra password sync endpoints, or PHS is disabled on the connector | Check firewall and proxy rules, verify outbound HTTPS access, then disable and re-enable PHS on the connector to force a full password sync. |
| Orphaned objects | AD object deleted but the Entra object remains | Check whether the export deletion threshold stopped the delete, or whether the object was moved out of sync scope rather than deleted. Once the delete exports, users go to the Entra recycle bin for 30 days. |
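The first two rows (duplicate `proxyAddresses` and invalid characters) are the ones IdFix exists for. The script below is an added example, not from the original page or from the IdFix tool; it shows what such a scan is looking for, run against on-prem AD with the ActiveDirectory RSAT module. The invalid-character pattern is a conservative assumption, not Entra's exact rule set.

```powershell
# Added example: pre-sync scan of on-prem AD for the two most common export errors,
# duplicate addresses and invalid characters. Assumes the ActiveDirectory module
# and read access to the domain. $invalidPattern is an assumption: a conservative
# subset of characters Entra rejects in mail and UPN values.
Import-Module ActiveDirectory

$invalidPattern = '[\x00-\x1F\s\\"<>\[\]:;,|]'   # control chars, whitespace, some punctuation

# Users and contacts are objectCategory=person; groups carry proxyAddresses too.
$objects = Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=group))' `
    -Properties proxyAddresses, mail, userPrincipalName

# Map each address to the objects that claim it. proxyAddresses compare
# case-insensitively after the SMTP:/smtp: prefix, so normalise to lower case.
$owners = @{}
foreach ($o in $objects) {
    $addresses = @()
    foreach ($p in $o.proxyAddresses) {
        if ($p -match '^smtp:(.+)$') { $addresses += $Matches[1].ToLowerInvariant() }
    }
    if ($o.mail)              { $addresses += $o.mail.ToLowerInvariant() }
    if ($o.userPrincipalName) { $addresses += $o.userPrincipalName.ToLowerInvariant() }
    foreach ($a in ($addresses | Sort-Object -Unique)) {
        if (-not $owners.ContainsKey($a)) {
            $owners[$a] = [System.Collections.Generic.List[string]]::new()
        }
        $owners[$a].Add($o.DistinguishedName)
    }
}

# Duplicate attribute: any address claimed by more than one object.
$duplicates = @($owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { [pscustomobject]@{ Address = $_.Key; Objects = ($_.Value -join '; ') } })

# Invalid characters: values that would fail export, plus leading/trailing whitespace
# (the trailing-space case is the classic one and is invisible in the GUI).
$invalid = @(foreach ($o in $objects) {
    foreach ($attr in 'mail', 'userPrincipalName') {
        $v = $o.$attr
        if ($v -and ($v -ne $v.Trim() -or $v -match $invalidPattern)) {
            [pscustomobject]@{ Object = $o.DistinguishedName; Attribute = $attr; Value = "[$v]" }
        }
    }
})

"Duplicate addresses: $($duplicates.Count)"; $duplicates | Format-Table -AutoSize
"Invalid values: $($invalid.Count)";         $invalid    | Format-Table -AutoSize
```

Run it before the first sync and again whenever a bulk import lands in AD; fixing a duplicate in AD is a one-minute job, while the same conflict discovered as an export error costs a sync cycle per attempt.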
Dev's 2 AM troubleshooting scenario
Dev gets an alert: a client's Cloud Sync agent hasn't synced for 4 hours. His troubleshooting process:
- Check agent status in Entra > Cloud Sync: the agent shows "Inactive"
- Check the on-prem server: the server is running but the Cloud Sync agent service has stopped
- Review the Windows Event Log: certificate renewal failed, so the agent can't authenticate
- Fix: restart the agent service, and re-register the agent if it still cannot authenticate
- Verify: check the provisioning logs for a successful sync after the restart
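Steps two and three of the runbook, as run on the on-prem server. This is an added example, not from the original page; the service name `AADConnectProvisioningAgent` and the event provider name pattern are assumptions, so confirm both with `Get-Service` and `Get-WinEvent` on your own agent build before relying on them.

```powershell
# Added example: check the Cloud Sync agent service and recent agent errors, then
# start the service if it has stopped. Assumptions: the service name
# 'AADConnectProvisioningAgent' and the '*Provisioning Agent*' provider-name pattern.
$serviceName = 'AADConnectProvisioningAgent'

function Get-AgentState {
    param([int]$LookbackHours = 6)
    $svc = Get-Service -Name $serviceName -ErrorAction Stop
    # Critical and Error events from the agent in the last few hours, first line only.
    $recent = Get-WinEvent -FilterHashtable @{
            LogName   = 'Application'
            Level     = 1, 2
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Provisioning Agent*' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    [pscustomobject]@{
        Service      = $svc.Status
        StartType    = $svc.StartType
        RecentErrors = @($recent)
    }
}

$state = Get-AgentState
"Service: $($state.Service) (start type $($state.StartType))"
$state.RecentErrors | Format-Table -AutoSize

if ($state.Service -ne 'Running') {
    Write-Warning "Agent service is $($state.Service); starting it"
    Start-Service -Name $serviceName
    (Get-Service -Name $serviceName).WaitForStatus('Running', '00:01:00')
}

# A certificate/authentication failure in the log means a restart alone will not
# help: re-run the agent configuration wizard to re-register, then confirm in Entra
# that the agent shows Active and that new provisioning log entries appear.
```

Because Cloud Sync has no local scheduler or connector space, the on-prem checks really are just service state and event log; everything else (status, logs, errors) lives in the Entra admin center.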
Exam tip: Connect Sync vs Cloud Sync troubleshooting differences
The exam may present a troubleshooting scenario and ask which tool is in use based on the symptoms:
- βAdmin canβt find the staging serverβ β Connect Sync (Cloud Sync doesnβt have staging servers)
- βAgent auto-updated and brokeβ β Cloud Sync (Connect Sync requires manual updates)
- βCustom sync rule producing unexpected resultsβ β Connect Sync (Cloud Sync doesnβt have custom sync rules)
- βMultiple agents deployed for high availabilityβ β Cloud Sync (Connect Sync uses staging servers, not multiple agents)
Knowing the architecture helps you identify the tool and the appropriate troubleshooting steps.
Accidental deletion protection
Both sync tools include protection against mass deletions:
- Connect Sync: export deletion threshold (default: 500 objects per export run). If more objects than that would be deleted, the export to Entra stops with the status stopped-deletion-threshold-exceeded and the tenant's technical notification contact is emailed. The threshold is managed with the ADSync cmdlets Get-ADSyncExportDeletionThreshold, Enable-ADSyncExportDeletionThreshold and Disable-ADSyncExportDeletionThreshold.
- Cloud Sync: accidental deletion prevention, configured per configuration with its own threshold and notification email address. When the threshold is exceeded the configuration is quarantined and deletions are held until an admin reviews them in the portal.
If Marcus accidentally removes an OU from the sync scope, the deletion threshold prevents all users in that OU from being deleted in Entra. He gets an alert, reviews the change, and either confirms the deletion or fixes the scope.
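Marcus's scenario on the Connect Sync side, as an added example that is not from the original page. It assumes you are on the Connect Sync server with the ADSync module available and walks both outcomes: the scope change was a mistake (restore the scope and resync) or the deletions are intended (lift the threshold for one export, then put it back). The cmdlets used are the ADSync module's own; the 500 default is the one stated above.

```powershell
# Added example: handling a stopped-deletion-threshold-exceeded export on Connect Sync.
# Assumes the ADSync module on the sync server and that you have already reviewed the
# pending deletes in Synchronization Service Manager (Connector > Search Connector
# Space > Pending Export > Delete). $deletionsIntended is the reviewer's decision.
Import-Module ADSync

$deletionsIntended = $false   # set to $true only after reviewing the pending deletes

# 1. Current protection and the run status that shows the stopped export.
Get-ADSyncExportDeletionThreshold
Get-ADSyncConnectorRunStatus

if (-not $deletionsIntended) {
    # 2a. The OU was removed from scope by mistake. Put the OU back in scope with the
    #     Connect Sync wizard (Customize synchronization options), then run an
    #     initial cycle so the objects are re-imported and the pending deletes are
    #     replaced by updates.
    Start-ADSyncSyncCycle -PolicyType Initial
}
else {
    # 2b. The deletes are intended (for example a real decommissioned OU). Lift the
    #     threshold for a single delta export, then re-enable it at the default 500
    #     so the protection is not left off. Older builds prompt for a Hybrid
    #     Identity Administrator credential on these two cmdlets.
    Disable-ADSyncExportDeletionThreshold
    try {
        Start-ADSyncSyncCycle -PolicyType Delta
        # Wait for the cycle to finish before re-arming the threshold.
        do { Start-Sleep -Seconds 15 } while (Get-ADSyncConnectorRunStatus)
    }
    finally {
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
    }
}

# 3. Confirm the scheduler is enabled again and no connector is still stopped.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
Get-ADSyncConnectorRunStatus
```

The `try/finally` is the important part: disabling the threshold to push through one batch of deletes is routine, forgetting to re-enable it is how the next accidental scope change turns into a real mass deletion.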
Key concepts to remember
Knowledge check
Priya receives an alert that Connect Sync hasn't completed a cycle in 3 hours. Connect Health shows the sync server is healthy but the export to Entra ID is failing with 'duplicate attribute' errors for 50 objects. What should Priya investigate first?
Dev deployed two Cloud Sync agents for a client's environment. Agent 1 goes offline due to a server reboot. What happens to synchronization?
Next up: Authentication Methods and Self-Service Password Reset. From passwordless to SSPR, how users prove who they are.