Skip to main content
Security-Focused GuideHybrid IdentityEntra ConnectCloud Sync

How to Connect On-Premises Active Directory to
Microsoft Entra ID Safely with Hybrid Identity

The word "safely" is doing real work in this brief, because the unsafe version of this project is disturbingly easy to build by accident: sync every OU including Domain Admins, run the sync server with more privilege than it needs, skip the backup authentication path, and cut every domain over to cloud auth in one afternoon with no test group. Each of those choices feels like the fast path. Each is also how a compromised on-premises account becomes a compromised tenant.

Current status, verified

All Microsoft Entra Connect Sync installations must be running version 2.5.79.0 or later by September 30, 2026. This is a mandatory minimum-version requirement tied to a Microsoft backend security hardening change — installations on an older version will simply stop syncing on that date. This is not a retirement of directory synchronization as a capability; it's a hard version floor.

Separately, Microsoft now positions Cloud Sync as the preferred option for new hybrid identity deployments where it meets requirements, with the traditional Entra Connect Sync remaining fully supported for more complex scenarios Cloud Sync doesn't yet cover.

Sept 30, 2026
Hard deadline: Entra Connect Sync installations below v2.5.79.0 stop syncing entirely on this date
2-minute cycle
Password Hash Sync runs on its own independent cycle — a password change typically reaches the cloud within minutes
Backup, always
Microsoft's own guidance: enable Password Hash Sync even when using PTA or Federation, specifically as a manual failover path
Tier 0 asset
The sync server/agents can write to your directory and touch password data — treat them with the same rigor as a domain controller

Hybrid identity — connecting an on-premises Active Directory to Microsoft Entra ID so users get one identity and one password across both worlds — is one of the highest-leverage, highest-risk projects in a typical Azure adoption. Done well, it's close to invisible to end users and gives IT a single control plane for identity governance. Done carelessly, it becomes the exact bridge an attacker needs: a compromised on-premises Domain Admin account that was never supposed to sync to the cloud, syncing anyway, now sitting in Entra ID with privileges nobody explicitly granted there. This guide is built around the "safely" in the brief specifically — not just how to get directory sync working, but the decisions that determine whether that sync is a controlled, auditable bridge or an unintentional privilege escalation path. That starts with picking the right sync engine for your actual environment, which — as of a real, current deadline covered in Section 2 — is no longer a decision you can defer indefinitely.

Figure 1 — Two sync engines, genuinely different architectures, not just different names
CLOUD SYNC (lightweight agents) vs ENTRA CONNECT SYNC (full server + local database)CLOUD SYNC (preferred for new)Lightweight agent 1(no local SQL DB)Lightweight agent 2(HA - multiple agents)Configuration stored in the CLOUD,not on the agent itselfScope (currently): users, groups, contactsNo AD FS federation supportNo PTA supportENTRA CONNECT SYNC (full server)Dedicated Windows Server + local SQL DByou patch, back up, and secure yourselfSupports: PTA, AD FS federation,device writeback, group writeback,Exchange hybrid attributesRight choice for: multi-forest, complextrust relationships, custom sync rulesA mature, common pattern: Cloud Sync handles the standard 80% of identity flow;Entra Connect Sync remains in place ONLY for the 20% of legacy/complex scenarios that genuinely require it.
Cloud Sync and Entra Connect Sync aren't two names for the same thing — Cloud Sync uses lightweight, cloud-configured agents with no local database to secure, and currently covers a narrower object scope (users, groups, contacts) without AD FS or PTA support. Entra Connect Sync is a full server-based application with a local SQL database, supporting the complete feature set including federation and custom sync rules — but that server itself is exactly the kind of asset Section 5 covers treating as Tier 0.
01Two Sync Engines: Cloud Sync vs Entra Connect SyncDecision

Before any security consideration, the foundational choice is which engine actually does the synchronization — and this choice constrains almost everything downstream, including which authentication methods and features are available.

AspectCloud SyncEntra Connect Sync
Recommended forNew deployments, where it meets requirementsComplex scenarios Cloud Sync doesn't yet cover
ArchitectureLightweight agents, cloud-managed config, no local databaseDedicated server, local SQL database, self-managed
High availabilityMultiple agents natively, for redundancyRequires a separate staging-mode server, managed manually
Object scope (current)Users, groups, and contactsFull object scope, including devices
AD FS federationNot supportedSupported
Pass-Through AuthenticationNot supportedSupported
Device/group writebackNot currently supportedSupported
Multi-forest with complex trustsBasic multi-forest supportThe more mature, tested option
Microsoft Defender for Identity integrationShallower — fewer deep audit hooksNative, deep integration
Start with Cloud Sync unless a specific requirement rules it out

The practical decision rule current guidance suggests: start with Cloud Sync for a new deployment if you don't need Pass-Through Authentication, AD FS federation, or advanced writeback. If your environment has multiple AD forests with complex trust relationships, existing custom sync rules, or a genuine requirement for PTA, Entra Connect Sync remains the right tool. Don't default to the heavier, self-managed option out of habit or because older tutorials assume it — check the requirement list against Cloud Sync's current capabilities first.

02The September 30, 2026 Deadline: A Mandatory Version FloorCurrent Status

A real, current, actionable fact for anyone already running Entra Connect Sync: all installations must be running version 2.5.79.0 or later by September 30, 2026. This is tied to a Microsoft backend security hardening change — installations left on an older version don't degrade gracefully, they simply stop syncing on that date.

DetailFact
Minimum version2.5.79.0 or later
DeadlineSeptember 30, 2026
CauseA Microsoft backend security hardening change
Effect of missing itSynchronization stops entirely — not a warning, a hard stop
What this is NOTA retirement of directory synchronization as a capability — it's a mandatory minimum-version requirement specifically
Check your current Entra Connect Sync version now, not near the deadline

If you're running Entra Connect Sync today and haven't verified the installed version recently, this is worth checking immediately rather than waiting — an unplanned sync outage discovered on or after September 30, 2026 is a considerably worse position than a scheduled upgrade window well before it. Since this deadline is specifically about the traditional Entra Connect Sync engine, it's also a natural moment to revisit Section 1's decision: is this still the right engine for your environment, or has Cloud Sync's capability grown to cover your actual requirements since you last checked?

03Choosing Your Authentication Method: PHS, PTA, or FederationDecision

Beyond which engine syncs your directory objects, a separate and equally consequential decision is how users actually authenticate to cloud services once synced.

MethodHow it worksWhere passwords are validated
Password Hash Sync (PHS)A securely processed hash of the on-premises password hash is synced to Entra IDIn the cloud
Pass-Through Authentication (PTA)An on-premises agent validates the password against AD in real time, per sign-inOn-premises, per authentication
Federation (AD FS)Sign-in requests are redirected to on-premises AD FS for validationOn-premises, via a federation service

Microsoft's own guidance describes PHS as generally simpler to implement than a federation service, with no additional on-premises infrastructure required to validate sign-ins — the trade-off is that authentication depends on cloud availability rather than on-premises availability, which for most organizations is the more resilient direction to depend on, not less.

Reduce repeat sign-in prompts with hybrid join rather than accepting them as inevitable

A password change while a user is actively signed in doesn't affect their current session — but the next authentication requires the new credentials, and without additional configuration, users may be prompted more often than expected even when nothing changed on their end. Configuring Microsoft Entra join or Microsoft Entra hybrid join (Section 8) automatically signs users in when they're on a corporate, domain-connected device, meaningfully reducing this friction — worth planning alongside the authentication method decision, not as an afterthought.

04Why Password Hash Sync Should (Almost) Always Be EnabledSafety Practice

This is one of the most concrete, actionable "safely" recommendations in hybrid identity design, and it's directly stated in Microsoft's own guidance: if you deploy Pass-Through Authentication or Federation as your primary authentication method, also enable Password Hash Sync — specifically as a backup.

  • The failure scenario this protects against. If your on-premises authentication infrastructure fails — the PTA agents go down, or AD FS becomes unavailable — users can't authenticate to cloud services at all under PTA or Federation alone, because both methods depend on that on-premises infrastructure being reachable.
  • The fix: PHS as a dormant, ready backup. With PHS also enabled (even while PTA or Federation is your primary method), you can manually switch to Password Hash Sync during an on-premises outage, restoring cloud authentication without waiting for on-premises recovery.
  • PHS runs continuously, on its own cycle, independent of the primary method. Once enabled, Password Hash Sync operates on its own two-minute cycle regardless of which method is currently the primary — meaning the backup path is already current and ready, not something that needs to be activated and populated during the actual incident.
This turns a full authentication outage into a manual, minutes-long failover instead

Without PHS enabled as backup, an on-premises PTA agent or AD FS outage means cloud authentication is fully down for the duration of the on-premises recovery — potentially hours, for a hardware or infrastructure failure. With PHS already running in the background, the same incident becomes a deliberate, manual switch to an already-synchronized authentication path, measured in minutes rather than however long on-premises recovery actually takes. This is a low-cost, high-value resilience measure specifically because PHS's ongoing sync cost is minimal and it requires no incident-time setup.

PowerShell — enable password hash sync on an existing Entra Connect Sync installation, even when PTA/Federation is primarySet-ADSyncAADPasswordSyncConfiguration ` -SourceConnector "contoso.com" ` -TargetConnector "contoso - AAD" ` -Enable $true # This does NOT change your primary authentication method - PTA or # AD FS remains primary. This enables PHS as a parallel, continuously # updated backup path you can switch to manually during an outage.
You can't selectively sync individual users' passwords, but you can disable PHS per connector in a multi-forest setup

There's no built-in way to define a specific subset of user passwords you want synchronized within a single connector — it's effectively all-or-nothing per connector. In a multi-forest environment with multiple connectors, you can disable PHS for specific connectors while leaving it enabled for others using the same Set-ADSyncAADPasswordSyncConfiguration cmdlet, if your design genuinely requires that granularity — for instance, deliberately excluding a specific forest's accounts from ever having password hashes leave that forest's boundary.

05Treating the Sync Server or Agents as a Tier 0 AssetSafety Practice

This is the security principle most likely to be overlooked, and it's the one that actually determines whether "safely" is more than a word in the brief. Whatever runs your directory synchronization — the Entra Connect Sync server, or the machine hosting Cloud Sync agents — has meaningful, sensitive capability: it can read broadly from on-premises AD (including data used in password hash processing, if PHS is enabled) and write into your Entra ID tenant.

ProtectionWhy it matters
Treat the host OS with domain-controller-equivalent rigorCompromise of this machine can mean compromise of directory sync integrity and, in PHS scenarios, exposure to password-hash-adjacent processing
Least-privilege service account, not a broad admin roleThe sync service needs specific, scoped directory permissions — not Global Administrator or unrestricted Domain Admin rights
Restrict interactive logon to the sync serverMinimize who can log onto this machine directly, the same discipline applied to domain controllers
Patch and monitor as rigorously as a domain controllerThis is not a general-purpose application server — its blast radius on compromise is directory-wide
Only one active (non-staging) sync server at a timeMultiple simultaneous active sync servers can produce conflicting writes and sync instability — a documented operational requirement, not just a preference
This machine sits at the seam between your two highest-value identity systems — treat it accordingly

The sync server or agent host is, functionally, a trust bridge between on-premises Active Directory and Microsoft Entra ID — two systems most organizations already protect as their most sensitive infrastructure individually. A machine that has meaningful read access into one and write access into the other deserves at least the same protection as either endpoint alone, not less because it's "just a sync tool." Standard AD tiering models place this class of asset at Tier 0, alongside domain controllers and PKI infrastructure — apply that classification here explicitly rather than treating it as a lower-tier application server by default.

Figure 2 — The sync server as a trust bridge, and PHS as the always-ready failover path
TWO TIER-0 SYSTEMS, ONE BRIDGE BETWEEN THEM — the bridge needs Tier-0-equivalent protectionOn-Premises ADDomain ControllersTier 0 - highest protectionSYNC SERVER / AGENTSReads on-prem AD,writes to Entra ID= TIER 0. Treat identically.Microsoft Entra IDCloud directoryTier 0 - highest protectionPHS AS BACKUP - always running, in parallel to PTA/FederationNormal: PTA/Federation validates sign-ins, on-prem infra required every time.On-prem outage: manually switch to PHS - already synced, already current,restores cloud auth in minutes instead of waiting for on-prem recovery.
The sync server or agent host sits between two systems most organizations already protect as Tier 0 infrastructure — treating the bridge as anything less creates the weakest link in an otherwise well-protected chain. Password Hash Sync, kept running continuously even when PTA or Federation is the primary authentication method, provides an already-current failover path that turns an on-premises outage into a manual switch rather than a full cloud-authentication outage.
06Scoping What Syncs: Filtering and Never Syncing Privileged AccountsSafety Practice

Both sync engines let you control which objects and OUs actually get synchronized to Entra ID, using OU-level and domain-level filtering. Getting this scope right is a core "safely" decision — the default of syncing everything is rarely the correct answer.

What to exclude from sync scopeWhy
On-premises privileged/Tier 0 accounts (Domain Admins, Enterprise Admins, Schema Admins)These accounts don't need cloud presence for their on-premises administrative function, and syncing them creates an unnecessary path from on-prem compromise to cloud-visible privileged accounts
Service accounts with no legitimate cloud use caseReduces the sync scope's overall attack surface and keeps the tenant's object count focused on accounts that actually need cloud access
Legacy or disabled accounts not actively cleaned up on-premisesStale accounts synced to the cloud extend an on-premises hygiene problem into the tenant rather than resolving it
Test/lab OUs not intended for production cloud accessKeeps the synchronized directory representing genuine production identity, not incidental sprawl
Privileged on-premises accounts syncing to the cloud is a documented, real attack path — not a theoretical concern

An on-premises Domain Admin account that syncs to Entra ID exists in both worlds simultaneously — and if that on-premises account is ever compromised (a genuinely common outcome given how frequently on-premises AD environments are targeted), the compromise can extend directly into whatever cloud presence and permissions that synced identity carries in Entra ID. The mitigation is straightforward and should be treated as a default, not an advanced hardening step: scope sync filtering to explicitly exclude privileged administrative accounts and OUs from the start, and manage cloud administrative access through separate, cloud-native privileged accounts instead.

PowerShell — apply OU-based filtering during or after Entra Connect Sync setupSet-ADSyncScheduler -SyncCycleEnabled $false Import-Module ADSync # Use the Entra Connect wizard's "Domain and OU Filtering" step, # or reconfigure post-install via the wizard's "Customize synchronization # options" path. Exclude Tier 0/privileged-account OUs explicitly - # do not rely on the default "sync everything" scope. Set-ADSyncScheduler -SyncCycleEnabled $true
Group-based filtering is the more maintainable pattern than static OU lists for larger environments

For environments where privileged status isn't cleanly captured by OU structure alone, group-based filtering — syncing based on membership in specific security groups rather than OU location — is often more maintainable, since it can reflect actual role/privilege status directly rather than relying on OU placement staying consistent over time. Either approach is valid; the important part is that the scoping decision is deliberate and documented, not left at whatever the default wizard configuration produced.

07Staged Rollout: Testing Before You Cut OverSafety Practice

Staged Rollout is a specific, documented feature that lets you test cloud authentication features — Microsoft Entra multifactor authentication, Conditional Access, Identity Protection, and Identity Governance — with a selected subset of users before switching your entire domain to cloud authentication.

  • What it solves. A domain-wide cutover to cloud authentication, done all at once, means any misconfiguration or unexpected interaction with an existing policy affects every user simultaneously. Staged Rollout confines that blast radius to a deliberately chosen test group first.
  • How it works. Specific users or groups are enabled for staged rollout of a given cloud authentication feature, letting you validate sign-in behavior, MFA prompts, and Conditional Access policy interactions against real accounts before the broader domain switch.
  • What it doesn't replace. Staged Rollout is a testing mechanism for the cutover, not a permanent operating mode — the goal is validating the full-domain switch, not running two authentication configurations indefinitely.
Use Staged Rollout specifically to validate Conditional Access interactions before they affect everyone

Conditional Access policies can behave in subtle, unexpected ways when combined with a new authentication method for the first time — a policy that worked correctly against federated sign-ins might interact differently once PHS or a new Cloud Sync configuration is live. Staged Rollout's test group is exactly the mechanism to catch this class of surprise against a small, controlled set of real accounts, rather than discovering the interaction the moment the entire domain switches over.

08Seamless SSO and Hybrid JoinDeep Dive

Two features that materially improve the end-user experience of hybrid identity, and are worth planning alongside the core sync and authentication decisions rather than as later add-ons.

FeatureWhat it does
Seamless Single Sign-On (SSO)Automatically signs users in when they're on a corporate, domain-joined device connected to the corporate network — no password prompt for cloud resources in that context
Microsoft Entra hybrid joinRegisters on-premises domain-joined devices as known, trusted devices in Entra ID, enabling device-based Conditional Access policies and reducing prompts further
Keep Me Signed In (KMSI)An admin-configurable session cookie option, valid up to 180 days, that reduces repeated sign-in prompts outside the corporate network context
Device trust (hybrid join) and Conditional Access are a natural pairing worth designing together

Once devices are hybrid-joined, Conditional Access policies can require a known, compliant device as a sign-in condition — a materially stronger security posture than password-only or even password-plus-MFA alone, since it adds "is this a device we actually trust" to the evaluation. Planning hybrid join alongside the initial hybrid identity rollout, rather than retrofitting it later, means Conditional Access policies can be designed around device trust from the start instead of being redesigned once device state becomes available.

09Step-by-Step: A Safe Hybrid Identity Deployment SequenceHow-To
  1. Choose your sync engine deliberately — default to Cloud Sync unless a specific requirement rules it out

    Check your actual requirements (PTA, AD FS federation, device/group writeback, complex multi-forest trusts) against Section 1's comparison before defaulting to the heavier, self-managed Entra Connect Sync out of habit.

  2. If using Entra Connect Sync, confirm you're on version 2.5.79.0 or later now

    Don't wait for the September 30, 2026 deadline — verify the current version and plan the upgrade well ahead of a hard synchronization stop.

  3. Design your OU/group filtering scope before the first sync, explicitly excluding privileged accounts

    Document which OUs or groups are in scope and which are deliberately excluded — Domain Admins, Enterprise Admins, service accounts with no cloud need, and any Tier 0 administrative accounts.

  4. Provision and harden the sync server or agent host as a Tier 0 asset from day one

    Apply domain-controller-equivalent hardening: restricted interactive logon, least-privilege service account, rigorous patching, and monitoring — before the first object syncs, not retroactively.

  5. Choose your primary authentication method, and enable PHS as a backup regardless

    Whether PHS, PTA, or Federation is primary, enable Password Hash Sync as a parallel, continuously-updated backup authentication path per Section 4 — this is a low-cost, high-value resilience measure worth including by default.

  6. Run the initial synchronization and verify object counts and scope match your design

    Confirm the synced object count and the specific accounts present in Entra ID match your intended scope — this is the moment to catch an over-broad sync before it's been live for months.

  7. Use Staged Rollout to test cloud authentication features against a small group first

    Validate MFA, Conditional Access, Identity Protection, and Identity Governance behavior against real accounts in the test group before the full-domain cutover to cloud authentication.

  8. Configure Seamless SSO and Microsoft Entra hybrid join alongside the rollout

    Plan device trust and reduced-prompt sign-in experience as part of the initial deployment, so Conditional Access policies can be designed around device trust from the outset.

  9. Cut the full domain over to cloud authentication only after the staged rollout group is clean

    Confirm no unexpected issues surfaced in the test group across a reasonable observation period before expanding to the full domain — resist the urge to compress this validation window under deployment-timeline pressure.

  10. Document the failover procedure to PHS explicitly, and rehearse it once

    If PTA or Federation is primary, make sure the manual switch to PHS during an on-premises outage is a documented, tested runbook step — not a capability that exists in theory but has never actually been exercised by the team who'd need to use it during a real incident.

10Anti-PatternsTraps
Anti-patternWhy it feels rightWhy it isn't
Syncing every OU by default, including privileged/Tier 0 accounts"Simplest to just sync everything"Creates a direct path from on-premises credential compromise to a privileged, cloud-visible identity — scope this deliberately from day one
Running the sync server without domain-controller-equivalent hardening"It's just a sync tool, not a DC"It has meaningful read access to on-prem AD and write access to Entra ID — functionally a Tier 0 asset regardless of how it's labeled
Skipping PHS entirely because PTA or Federation is the primary method"We already have a primary authentication method"Leaves cloud authentication fully dependent on on-premises infrastructure availability, with no fast manual failover if that infrastructure goes down
Cutting the entire domain to cloud authentication in one step, no test group"Faster to just do it all at once"Any misconfiguration or unexpected policy interaction affects every user simultaneously — Staged Rollout exists specifically to avoid this
Ignoring the Entra Connect Sync version until close to the September 2026 deadline"We'll handle it when it becomes urgent"An unplanned sync stoppage discovered at the deadline is a considerably worse position than a scheduled upgrade well ahead of it
Defaulting to Entra Connect Sync for a new deployment "because that's the established tool""It's the mature, well-documented option"Cloud Sync is now Microsoft's preferred path for new deployments where it meets requirements — check the actual requirement list before defaulting to the heavier option

Key Takeaways

Cloud Sync is now Microsoft's preferred path for new deployments. Default to it unless PTA, AD FS federation, device/group writeback, or complex multi-forest trusts genuinely require Entra Connect Sync.
Entra Connect Sync installations must reach version 2.5.79.0 by September 30, 2026, or they stop syncing. Check your current version now — this isn't a distant, soft deadline.
Enable Password Hash Sync even when it isn't your primary authentication method. It's a low-cost, always-current backup that turns an on-premises outage into a manual failover instead of a full cloud-auth outage.
Treat the sync server or agent host as a Tier 0 asset. It bridges two systems you likely already protect at that level individually — the bridge deserves the same rigor.
Never sync privileged on-premises accounts by default. Explicit OU or group-based filtering that excludes Domain Admins and Tier 0 accounts is a baseline safety practice, not advanced hardening.
Use Staged Rollout before any full-domain cutover to cloud authentication. Confine the blast radius of misconfiguration to a deliberately chosen test group first.
Plan Seamless SSO and hybrid join alongside the initial rollout. Device trust enables stronger Conditional Access from the start, rather than requiring a redesign later.

Frequently Asked Questions

Should I use Microsoft Entra Cloud Sync or Entra Connect Sync for a new hybrid identity deployment?
Start with Cloud Sync for a new deployment unless your environment has a specific requirement it doesn't currently support. Microsoft now positions Cloud Sync as the preferred option for new deployments where it meets requirements — it uses lightweight, cloud-managed agents rather than a dedicated server with a local database, and natively supports multiple agents for high availability. Reach for the traditional Entra Connect Sync specifically if you need Pass-Through Authentication, AD FS federation, device or group writeback, or you have multiple AD forests with complex trust relationships or existing custom synchronization rules — Cloud Sync's current object scope (users, groups, and contacts) and feature set don't yet cover these scenarios. A common, mature pattern in larger environments is using Cloud Sync for the majority of standard identity flow while keeping Entra Connect Sync in place only for the smaller set of legacy or complex cases that genuinely require it.
What happens if I don't upgrade Entra Connect Sync before September 30, 2026?
Synchronization stops entirely. Microsoft's requirement is that all Microsoft Entra Connect Sync installations must be running version 2.5.79.0 or later by that date, tied to a backend security hardening change — installations left on an older version will stop syncing on September 30, 2026, not degrade gradually or receive an extended grace period. This is specifically a mandatory minimum-version requirement, not a full retirement of directory synchronization as a capability, and doesn't affect Cloud Sync deployments, which follow a different update model. If you're currently running Entra Connect Sync, verify your installed version now and schedule the upgrade well ahead of the deadline — discovering a synchronization outage on or after the deadline is a substantially worse position than a planned, tested upgrade beforehand.
Why should I enable Password Hash Sync if I'm using Pass-Through Authentication or Federation as my primary method?
Because it provides a fast, reliable failover path if your on-premises authentication infrastructure becomes unavailable. Both Pass-Through Authentication and AD FS federation depend on on-premises infrastructure being reachable for every sign-in — if the PTA agents go down or AD FS becomes unavailable, cloud authentication fails entirely under either method alone, since there's no fallback path. Microsoft's own guidance directly recommends enabling Password Hash Sync as a backup in this scenario: it runs continuously in the background on its own independent sync cycle, so it stays current regardless of which method is currently primary, and if an on-premises outage occurs, you can manually switch to Password Hash Sync to restore cloud authentication without waiting for on-premises recovery. This turns a potentially hours-long authentication outage into a deliberate, minutes-long manual failover — a meaningful resilience improvement for a very low ongoing cost.
Should on-premises Domain Admin accounts be synced to Microsoft Entra ID?
Generally, no — this is one of the most important safety practices in hybrid identity design. Syncing privileged on-premises accounts (Domain Admins, Enterprise Admins, Schema Admins, and similar Tier 0 administrative accounts) to Entra ID means that if any of those on-premises accounts is ever compromised — a realistic risk given how frequently on-premises Active Directory environments are targeted — the compromise can extend directly into whatever cloud presence and permissions that synced identity carries in the tenant. Both Cloud Sync and Entra Connect Sync support OU-level and domain-level filtering (or group-based filtering) specifically to control which objects actually synchronize, and excluding privileged administrative accounts and OUs from the sync scope should be a default design decision, not an advanced hardening step applied later. Cloud administrative access should generally be managed through separate, cloud-native privileged accounts rather than synced on-premises credentials.

Popular posts from this blog

The Cloud Incumbent: AWS Bedrock Hosts Every Frontier Model and Amazon Is Betting on Neutrality AWS at $37.6 billion quarterly revenue, growing 28%. $13 billion invested in Anthropic. A $100 billion Anthropic-to-AWS commitment. Trainium with $225 billion in customer revenue commitments. The most quietly powerful AI strategy in the race. By Francis Avorgbedor | Azure Engineer  ·  July 4, 2026  ·  14 min read  ·  Amazon · AWS · Cloud AI 74 SEVENAI Momentum Score — Rank #5 $37.6B AWS Q1 2026 revenue — 28% YoY growth ▲ Fastest in 15 quarters $13B Total Amazon investment in Anthropic to date ▲ Strategic anchor 100K+ Customers running Claude on AWS Bedrock ▲ Distribution moat Amazon's AI strategy is built on a thesis that every other Magnificent Seven company is testing against — and that Amazon is uniquely positioned to win regardless of the outcome. The thesis is neutrality. In a race where Microsoft has bet on OpenAI, Google has bet on Gemini, and Meta has bet...
Performance Fix Foundry Local 1.2 Linux ARM64 Embeddings Offline ASR The Edge Latency Drop: Fixing Latency Spikes by Offloading Embeddings to Foundry Local 1.2 You are paying a full cloud round trip — network, TLS, queue, throttle risk — to turn a twelve-word search query into a vector. That is the most expensive way possible to do one of the cheapest computations in your stack. Foundry Local 1.2 now runs on Linux ARM64, which means embeddings and speech recognition can happen on a Raspberry Pi, a Jetson, or a Graviton instance — offline, unmetered, and in single-digit milliseconds. The failure signature this guide resolves # Application Insights — the embedding call, not the LLM, is your tail latency: name p50 p95 p99 calls/day POST /embeddings (cloud) 89 ms 412 ms 3,847 ms 1,240,000 POST /chat/completions (cloud) 940 ms 1,720 ms 2,910 ms 38,000 ^^^^^^^^ ...
  The 500GB System File That Eats Your Hard Drive Something on your Windows 10 drive is consuming hundreds of gigabytes and the normal tools cannot find it. This guide identifies every known culprit — from hibernation files and shadow copies to runaway backups and the Windows component store — and tells you exactly what is safe to delete, what to leave alone, and what the commands actually do.
How to Reset an Azure Virtual Machine to Factory Settings Using a Managed Disk Azure does not have a single "factory reset" button. What it does have is something better: the OS Disk Swap — a method that swaps out the corrupted or misconfigured OS disk for a clean Windows Server managed disk without deleting the VM, its NICs, its IP addresses, or any attached data disks. Here is how it works, when to use it, and the exact steps to execute it safely. FA Francis Avorgbedor Azure Engineer July 16, 2026 15 min read Azure VMs · Windows Server · Real-World Fix 3 Methods to achieve a clean Windows Server installation on an existing Azure VM ~15min Typical OS Disk Swap duration — VM retains its NICs, IPs, and data disks throughout 0 Data disks affected by an OS Disk Swap — data disks remain attached and untouched 1 Snapshot of the original OS disk you must take before starting — no exceptions Introduction Why Azure Does Not Have a Simple Factory Reset — and What to Do Instead On a ph...

AKS CrashLoopBackOff, Pending Pods, and NotReady Nodes — The Real Fixes Engineers Use

Incident Playbook AKS Kubernetes kubectl 2026 AKS CrashLoopBackOff, Pending Pods, and NotReady Nodes — The Real Fixes Engineers Use Every AKS engineer eventually faces the same nightmare: CrashLoopBackOff at 2am, pods stuck Pending for no clear reason, or nodes flipping to NotReady mid-deployment. The difference between panic and control is knowing the exact diagnostic sequence — and the real fixes that work in production. This guide gives you both. 3 commands get pods, describe pod, and logs diagnose roughly 90% of AKS incidents before you touch anything else Exit 137 The code that means OOMKilled — the container hit its memory limit and was killed by the kernel (128 + SIGKILL 9) Events The bottom of kubectl describe is where the real cause lives — Pending, FailedScheduling, and image errors all surface there CoreDNS The single component behind most "intermittent" production failures — service discovery breaks quietly and looks like an app bug Table of Contents 01 The 3 Comm...
Can I Update My Old Computer to Windows 11 — and How Much Will It Cost? Your i7, 16GB RAM, 512GB SSD machine is powerful enough to run Windows 11 comfortably. The TPM 2.0 and Secure Boot wall is a security checkbox, not a performance ceiling. Here are two proven ways to get past it, what each one costs, and what you are trading away by doing so. $0 Cost of the Windows 11 licence if your existing Windows 10 is genuine — the upgrade remains free in 2026 2 Proven methods to bypass TPM 2.0 and Secure Boot — Rufus (easy) and Registry edit (manual) 25H2 Current Windows 11 version — all known bypass methods tested and confirmed working as of July 2026 Oct 2025 Windows 10 end of life — no more security updates. Staying on Windows 10 now carries real risk. First — Check Your BIOS Before Anything Else You Might Not Actually Need a Bypass Before running any bypass, open your BIOS and look at two settings. Many computers that fail the Windows 11 compatibility check have TPM 2.0 present in the hard...
2026 Edition 100 Tools Software Engineering DevOps AIOps Top 100 Best AI Tools for Azure  Engineers and DevOps Professionals in 2026 85% of developers now regularly use AI tools. Fully AI-generated code accounts for nearly 28% of all pull requests. The question is no longer whether to use AI tools — it is which ones, in which combination, for which part of the lifecycle. This guide cuts through the noise: 100 tools, 10 categories, honest pricing, real use cases, and a selection framework for building your stack without redundancy. 85% Percentage of developers who now regularly use AI tools, per JetBrains' 2025 State of Developer Ecosystem report — up from near zero three years ago 28% Share of all pull requests containing primarily AI-generated code in 2026 — the metric that signals AI coding assistants have moved from experiment to workflow $50B Cursor's reported valuation in April 2026 Series D talks — the number that signals investor confidence in the AI developer tools mark...

Azure Files vs Azure NetApp Files: Which One Should You Choose?

Azure Files vs Azure NetApp Files: Which One Should You Choose? Performance tiers, protocol support, dual-protocol capability, pricing models, SAP/Oracle/HPC suitability, data management features, and the decision framework that maps each workload type to the right service — with step-by-step setup procedures for both. FA Francis Avorgbedor Azure Engineer July 15, 2026 20 min read Azure Storage · Architecture 4 Azure Files tiers: Premium SSD, Standard Hot, Cool, Tx Optimized 3 ANF performance tiers: Standard, Premium, Ultra — all SSD-backed 4TiB ANF minimum provisioning — significant cost floor for small workloads Dual ANF serves the same data via SMB and NFS simultaneously — AF cannot Introduction Two Services, One Surface Area — Completely Different Purposes Microsoft offers two fully managed, enterprise-grade file storage services in Azure. They share a surface area — both serve file shares over standard protocols, both run on managed infrastructure, and both integrate with Microsof...
Troubleshooting Guide AKS Kubernetes Real Solutions kubectl Azure Kubernetes Service (AKS) Troubleshooting Guide: Real Solutions to Common Problems CrashLoopBackOff at 2am. Pods stuck Pending with no obvious cause. Nodes going NotReady mid-deployment. DNS resolution silently failing in production. Every AKS engineer encounters these — the difference between engineers who panic and engineers who stay calm is knowing the exact sequence of diagnostic commands to run. This guide gives you that sequence, the root cause analysis for each failure mode, and the fix. 3 commands 90% of AKS problems are diagnosed with the same three kubectl commands: describe pod, logs --previous, and get events — in that order, every time Exit 137 The exit code that tells you everything: container killed by SIGKILL — either the Linux OOM killer (memory limit exceeded) or kubelet after grace period expired 5 min The CrashLoopBackOff ceiling: Kubernetes applies exponential backoff (10s → 20s → 40s → 80s → 160s → 3...

How to Deploy an AI Chatbot on Azure Using Azure OpenAI and App Service

Step-by-Step Guide Azure OpenAI App Service Production Python How to Deploy an AI Chatbot on Azure Using Azure OpenAI and App Service From zero to a production-grade AI chatbot: provision Azure OpenAI, write a streaming Flask API backend, deploy it on Azure App Service with Managed Identity, wire in conversation history and content safety, and instrument it with Application Insights — all with complete code and Terraform IaC. No API keys in environment variables. No hardcoded secrets. No half-finished PoC patterns. 7 phases This guide covers the full deployment lifecycle: architecture design → resource provisioning → backend code → App Service deployment → streaming → security → monitoring Zero keys The chatbot authenticates to Azure OpenAI using Managed Identity and DefaultAzureCredential — no API keys stored in environment variables, Key Vault, or code SSE Server-Sent Events stream GPT tokens to the browser as they generate — the same token-by-token typing effect users expect from pr...