Directory Synchronization
Entra Connect Sync
Pre-requisites
A note on Entra Single Sign-On
Single sign-on here means that a user who signs in at the Windows logon screen (Ctrl+Alt+Del) is *not* prompted again when opening Entra ID–authenticated applications. How that is delivered depends on the scenario.
| Scenario | How Entra SSO can be delivered |
|---|---|
| Hybrid Entra Joined Windows 10/11 | Windows obtains a Primary Refresh Token (PRT) at workstation sign-in; Edge and other WAM-aware clients present it without prompting. |
| Domain-joined but not hybrid-joined W10/W11 | The device never registers with Entra ID, so there is no PRT. Seamless SSO covers this case: add https://autologon.microsoft.us to the Local intranet zone and to the outbound allow list, and enable the intranet-zone policy "Allow updates to status bar via script" through Group Policy. Office clients need version 16.0.8730.xxxx or later. |
| Legacy Windows 7/8.1 or Server 2008R2-2012R2 | The OS does not support a PRT. Seamless SSO covers this case: add https://autologon.microsoft.us to the Local intranet zone and to the outbound allow list, and enable the intranet-zone policy "Allow updates to status bar via script" through Group Policy. Office clients need version 16.0.8730.xxxx or later. |
| Mac/Linux or non-WAM browsers | |
| Chrome 111 and later on Windows | Native call-out to WAM once the Chrome policy is set: [HKLM\SOFTWARE\Policies\Google\Chrome] "CloudAPAuthEnabled"=dword:00000001 |
| Chrome before 111, or without the policy | Microsoft Single Sign On browser extension |
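The Seamless SSO and Chrome rows above each come down to a handful of registry values on the client. The script below is an added example, not from the original page: it reports whether each value is present on a Windows host and applies it when run elevated with -Apply. It assumes the GCC High autologon host (autologon.microsoft.us), that Internet Explorer zone action 2103 is "Allow updates to status bar via script" (0 = Enabled) under zone 1 (Local intranet), and the Chrome CloudAPAuthEnabled policy key. In a managed environment Group Policy writes these; the script reflects the resulting keys so you can verify a client that is still prompting.

```powershell
# Added example (not from the original page): check and optionally apply the
# per-client Seamless SSO / Chrome WAM prerequisites on a Windows host.
# Assumptions: autologon.microsoft.us is the GCC High endpoint; zone action 2103
# is "Allow updates to status bar via script" (0 = Enabled); zone 1 = Local intranet.
param([switch]$Apply)

# Per-user zone map entry: https://autologon.microsoft.us -> Local intranet (zone 1)
$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.us\autologon'
# Per-user Local intranet zone settings (action IDs live here as DWORD values)
$zone1     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
# Machine-wide Chrome policy (the same path the table above shows)
$chromePol = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$checks = @(
    @{ Desc = 'autologon.microsoft.us mapped to Local intranet (https)';      Path = $zoneMap;   Name = 'https';              Want = 1 },
    @{ Desc = 'Local intranet: Allow updates to status bar via script (2103)'; Path = $zone1;     Name = '2103';               Want = 0 },
    @{ Desc = 'Chrome: CloudAPAuthEnabled (native WAM call-out)';             Path = $chromePol; Name = 'CloudAPAuthEnabled'; Want = 1 }
)

foreach ($c in $checks) {
    $have = Get-RegValue -Path $c.Path -Name $c.Name
    $ok   = ($have -eq $c.Want)
    if (-not $ok -and $Apply) {
        Set-RegDword -Path $c.Path -Name $c.Name -Value $c.Want   # HKLM write needs an elevated shell
        $have = $c.Want; $ok = $true
    }
    [pscustomobject]@{ Check = $c.Desc; Current = $have; Expected = $c.Want; OK = $ok }
}
```

Run it without -Apply first on a machine that is being prompted; a missing zone mapping is the usual cause, because without it the browser never sends the Kerberos ticket to the autologon endpoint. The Chrome value is read from HKLM, so a non-elevated run still reports it correctly but cannot set it.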
A note on licensing
Users may require multiple accounts to support lab and writing environments. Microsoft’s “one license per human” policy may help:
GCC High Considerations
- Use Microsoft Entra Connect version 1.1.644.0 or later, the minimum with Azure Government support; in practice run a current 2.x build, since every 1.x build is retired (2.6.1.0 is the latest published as of 2026.02.02).
- If your firewall or proxy supports URL-based allow-listing, allow *.msappproxy.us over TCP 443.
- If not, allow the Azure Government datacenter IP ranges, which Microsoft updates weekly, so the allow list needs a refresh process rather than a one-time entry.
Confirm UPN alignment with email addresses
Give users a routable UPN suffix (a domain verified in the tenant, not .local) that matches their primary email address. If the suffix is not verified in Entra ID, Entra Connect replaces it with the tenant's default .onmicrosoft.us domain, and users end up signing in with an address they do not recognise; fixing that after the fact means UPN changes that ripple through tokens, mailboxes and MFA registrations.
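A quick way to find the problem accounts before the first sync, added here as an example rather than taken from the original page: it reads every enabled user under an OU, compares the UPN suffix against the list of domains verified in the tenant, and compares the UPN with the primary SMTP address (the upper-case SMTP: entry in proxyAddresses, falling back to mail). The $VerifiedDomains list and the search base are placeholders to replace with your own; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the original page): audit on-premises users for
# non-routable UPN suffixes and UPN/email mismatches before syncing.
# Assumptions: RSAT ActiveDirectory module; $VerifiedDomains and $SearchBase are placeholders.
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.us', 'contoso.com')               # assumption: domains verified in the tenant
$SearchBase      = 'OU=Users,DC=corp,DC=contoso,DC=local'       # assumption: OU in scope for sync

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties mail, proxyAddresses, userPrincipalName

$findings = foreach ($u in $users) {
    $upn    = $u.UserPrincipalName
    $suffix = if ($upn) { ($upn -split '@')[-1].ToLowerInvariant() } else { $null }

    # Primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix (-clike is case-sensitive).
    $primary = ($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1) -replace '^SMTP:', ''
    if (-not $primary) { $primary = $u.mail }

    $issues = @()
    if (-not $upn)                                 { $issues += 'NoUPN' }
    elseif ($suffix -notin $VerifiedDomains)       { $issues += "UnverifiedSuffix($suffix)" }
    if (-not $primary)                             { $issues += 'NoPrimarySmtp' }
    elseif ($upn -and ($upn -ine $primary))        { $issues += 'UpnMailMismatch' }   # -ine: case-insensitive compare

    if ($issues) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $upn
            PrimarySmtp    = $primary
            Issues         = ($issues -join ',')
        }
    }
}

$findings | Sort-Object Issues | Format-Table -AutoSize

# Remediation for a single mismatch, once the suffix exists in AD Domains and Trusts > UPN Suffixes:
#   Set-ADUser -Identity <SamAccountName> -UserPrincipalName <primary SMTP address>
```

Treat UnverifiedSuffix as the blocking finding: those accounts will not keep their UPN in the cloud at all. UpnMailMismatch is tolerable technically, but every one of them becomes a helpdesk ticket once users are told to "sign in with your email address".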
Staged Rollout To Managed Auth (confirm no federation)
When a tenant uses federated authentication, Staged Rollout lets you move users to managed authentication (Password Hash Sync or Pass-through Authentication) one group at a time, instead of converting the whole domain in a big-bang cutover. Before planning it, confirm which domains are still federated; a tenant with no federated domains has nothing to roll out.
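The "confirm no federation" check in the heading, as an added example that is not part of the original page: it lists every tenant domain with its authentication type, warns on any that are still federated, and shows any Staged Rollout policies already defined. It assumes the Microsoft.Graph PowerShell SDK; -Environment USGov points the SDK at the GCC High endpoints, and the featureRolloutPolicy API is documented with Directory.ReadWrite.All rather than a read-only scope.

```powershell
# Added example (not from the original page): list federated domains and existing
# Staged Rollout policies in a GCC High tenant.
# Assumptions: Microsoft.Graph SDK installed; the signed-in account can consent to the scopes below.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns

# USGov selects the GCC High national-cloud endpoints (login.microsoftonline.us / graph.microsoft.us)
Connect-MgGraph -Environment USGov -Scopes 'Domain.Read.All', 'Directory.ReadWrite.All' -NoWelcome

$domains   = Get-MgDomain -All
$federated = $domains | Where-Object { $_.AuthenticationType -eq 'Federated' }

$domains | Select-Object Id, AuthenticationType, IsVerified, IsDefault | Format-Table -AutoSize

if ($federated) {
    Write-Warning ('Federated domains remain: ' + ($federated.Id -join ', '))
    # Users in these domains need Staged Rollout (PHS or PTA enabled in Entra Connect first),
    # or a full domain conversion: Update-MgDomain -DomainId <domain> -AuthenticationType Managed
} else {
    Write-Host 'No federated domains: Staged Rollout is not needed for this tenant.'
}

# Staged Rollout policies already in place (feature: passwordHashSync, passThroughAuthentication, seamlessSso, emailAsAlternateId)
Get-MgPolicyFeatureRolloutPolicy |
    Select-Object DisplayName, Feature, IsEnabled, IsAppliedToOrganization |
    Format-Table -AutoSize
```

A domain that shows Federated with no rollout policy means every sign-in for that suffix still redirects to AD FS; adding a group to a passwordHashSync rollout policy is what flips its members to cloud authentication while the domain stays federated for everyone else.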
Entra Hybrid Join
Entra Connect Sync is required for Entra Hybrid Join, because it is what syncs the on-premises computer objects that device registration depends on; Cloud Sync does not sync device objects.
Password Hash Sync
We must enable Password Hash Sync in Entra Connect so users authenticate to Entra ID with their on-premises password. It is also a prerequisite for the Staged Rollout to managed authentication above and for Identity Protection's leaked-credential detection.
Password Writeback
We must enable Password Writeback (in Entra Connect and in the tenant's SSPR settings) so that a password reset in Entra ID is written back to on-premises AD; without it, a synced user's reset succeeds in the cloud but the old password remains on-premises.
Self-Service Password Reset
Self-service password reset reduces helpdesk costs and lets users recover their own password securely; for synced users it depends on Password Hash Sync and Password Writeback being in place.
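The three sections above (Password Hash Sync, Password Writeback, SSPR) are all satisfied or not on the Entra Connect server, so the check belongs there. The script below is an added example, not from the original page, for the active Entra Connect server: it reads the tenant-level features and the connector's password-reset configuration from the ADSync module and reports the gaps. It assumes the Entra ID connector keeps its default "<tenant> - AAD" name and that Get-ADSyncAADPasswordResetConfiguration exposes an Enabled property.

```powershell
# Added example (not from the original page): confirm PHS and Password Writeback
# on the active Entra Connect server before enabling SSPR for synced users.
# Assumptions: ADSync module present; Entra connector named "* - AAD";
# Get-ADSyncAADPasswordResetConfiguration returns an object with an Enabled property.
Import-Module ADSync

$aad = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if (-not $aad) { throw 'No Entra ID connector found; inspect Get-ADSyncConnector output.' }

$features  = Get-ADSyncAADCompanyFeature                                   # tenant-level sync features
$writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $aad.Name  # connector-level password writeback
$sched     = Get-ADSyncScheduler

$report = [pscustomobject]@{
    Connector         = $aad.Name
    PasswordHashSync  = [bool]$features.PasswordHashSync
    PasswordWriteback = [bool]$writeback.Enabled   # assumption: 'Enabled' property on the returned object
    StagingMode       = $sched.StagingModeEnabled  # a staging-mode server never exports, so its settings are inert
    SyncCycleEnabled  = $sched.SyncCycleEnabled
    NextSyncUtc       = $sched.NextSyncCycleStartTimeInUTC
}
$report | Format-List

$gaps = @()
if (-not $report.PasswordHashSync)  { $gaps += 'Password Hash Sync is off (Entra Connect wizard > Optional features)' }
if (-not $report.PasswordWriteback) { $gaps += "Password Writeback is off (Set-ADSyncAADPasswordResetConfiguration -Connector '$($aad.Name)' -Enable `$true)" }
if ($report.StagingMode)            { $gaps += 'This server is in staging mode; re-run on the active server' }
if (-not $report.SyncCycleEnabled)  { $gaps += 'Sync scheduler is disabled; new password hashes will not flow' }

if ($gaps) { Write-Warning ("SSPR prerequisites not met:`n - " + ($gaps -join "`n - ")) }
else       { Write-Host 'PHS and Password Writeback are on; the sync side is ready for SSPR.' }
```

Writeback also has to be switched on in the tenant (the "Write back passwords to your on-premises directory" option under SSPR), so treat a clean result here as half the check: test with a pilot user's reset and confirm the new password works against a domain controller, not only in the cloud.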