While Microsoft has started the process to deprecate Entra ID Connect Sync and recommend migrating to Entra Cloud Sync, Entra Connect Sync is still supported and being updated.
Microsoft has published a new version of the Entra Connect Sync which, in addition of the usual bug fixes, provides these new or improved capabilities:
- Added support for phishing-resistant authentication methods in the Microsoft Entra Connect setup wizard (preview). Administrators can now sign in using passkeys and FIDO2 security keys through Windows Web Account Manager (WAM) when configuring Microsoft Entra Connect.
- Added support for the France sovereign cloud environment, including Pass-through Authentication, Seamless Single Sign-On, password writeback, and Health Agent monitoring.
- Improved the auto-upgrade process to preserve customer modifications to configuration files. Previously, auto-upgrade overwrote the
miiserver.exe.configfile, discarding any manual customizations. The system now merges customer modifications with the new configuration and validates the result before applying. - Improved the setup process for Application-Based Authentication to handle Trusted Platform Module (TPM)-backed certificates. The system now tests a certificate’s signing capability upfront and handles TPM signature verification correctly.
- Microsoft Entra Connect setup wizard no longer silently falls back to the legacy directory synchronization account when Application-Based Authentication setup fails. The wizard now stops with an error so the underlying issue can be resolved: “Microsoft Entra Connect could not configure application-based authentication for this server. Setup cannot continue.”
- Microsoft Entra Connect no longer automatically switches existing servers from the legacy directory synchronization account to Application-Based Authentication during background sync. New installations continue to configure Application-Based Authentication during setup. To switch an existing server, run the wizard and choose Configure application-based authentication to Microsoft Entra ID.
- PowerShell cmdlets that modify cloud configuration (
Set-ADSyncAADCompanyFeature,Set-ADSyncAADPasswordSyncState) now require explicit-AADUsernamefor interactive admin authentication. The setup wizard uses interactive Microsoft Authentication Library (MSAL) authentication for cloud writes instead of stored service credentials. The uninstall wizard now prompts for admin credentials to clean up cloud configuration; if skipped, local cleanup still proceeds. - Removed Password Hash Synchronization (PHS) self-healing. PHS no longer automatically re-enables its cloud feature flag in the background. If the PHS cloud feature flag is disabled, an administrator must explicitly re-enable it.
- Updated the bundled MSAL from version 4.64.1 to 4.83.3.
- Upgraded the bundled SQL LocalDB from SQL Server 2019 to SQL Server 2022.
- Upgraded the Visual C++ redistributable from version 12 (2013) to version 14.42.34438 (2015-2022).
- Removed the Visual C++ 2013 redistributable dependency.
As always, the new version is available for download from the Entra portal Download Connect Sync Agent – Microsoft Entra admin center

