Microsoft Entra Connect: Automated Transition from Account-Based Authentication to Application-Based Authentication

Introduction

Microsoft Entra Connect helps integrate your on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). In the past, it used the Microsoft Entra Connector account to authenticate and sync identities from Active Directory to Microsoft Entra ID. This account uses a username and password to authenticate requests.

But using passwords can be risky and hard to manage—especially when it comes to security, automation, and keeping things up to date.

Now, Microsoft is moving to a better method called application-based authentication. Instead of a password, it uses an application identity (a service principal) that authenticates with a certificate. This is more secure, easier to manage, and works better with automated tools.

When did Microsoft enforce this transition?

Beginning with version 2.5.76.0, the service will automatically onboard application authentication within six hours if the service is using a username and password to authenticate to Microsoft Entra ID.

Prerequisites

These prerequisites are needed to set up automatic authentication with application identity.

  • Microsoft Entra Connect version 2.5.76.0 or greater (for automatic onboarding)
  • A Microsoft Entra account with at least the Hybrid Identity Administrator role
  • Optional: TPM 2.0 present and ready to use (highly recommended for security)

How the Automatic Switch Works in Entra Connect

Microsoft made this change smooth and automatic, but it helps to know what’s happening behind the scenes. Here’s how Entra Connect moves from using passwords to using a secure app identity:

  • Entra Connect inspects your current configuration to see if you are still using a regular account with a password
  • If everything looks good, Entra Connect automatically creates a new secure app identity called a service principal; this identity is granted the permissions it needs to keep syncing your directories
  • Entra Connect creates a certificate and links it to the new app identity
  • This certificate replaces the password and is stored safely (in the TPM where one is available)
  • The sync engine updates itself to use the new app identity and certificate
  • Your directory sync keeps running smoothly, with no password needed anymore
  • All changes are logged so you can track what happened
  • You can check the logs on the local server or in the Entra ID admin portal to confirm that the switch was successful
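The steps above happen inside the sync engine, so the practical question for an administrator is how to confirm the result on the server. The following PowerShell is an added example, not code from the original post or from Microsoft; it is run in an elevated session on the Entra Connect Sync server. It assumes that the ADSync module installed with Entra Connect exposes Get-ADSyncEntraConnectorCredential (documented in the Microsoft article referenced at the end of this post), that its output contains the word "ServicePrincipal" once the switch has happened, and that a TPM-protected key shows up under the "Microsoft Platform Crypto Provider" key storage provider.

```powershell
# Added example (not from the original post): post-switch checks on the
# Entra Connect Sync server. Assumptions: Get-ADSyncEntraConnectorCredential
# exists in the ADSync module and reports 'ServicePrincipal' after the switch;
# TPM-backed keys are served by 'Microsoft Platform Crypto Provider'.

Import-Module ADSync -ErrorAction Stop

function Test-EntraConnectAppAuth {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ServiceRunning     = $false
        IdentityType       = 'Unknown'
        TpmBackedCertCount = 0
    }

    # 1. The sync engine service must be up, otherwise the rest is meaningless.
    $svc = Get-Service -Name ADSync -ErrorAction SilentlyContinue
    $result.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. Ask the Entra connector how it authenticates. Property names vary by
    #    version, so match on the rendered text rather than a specific field.
    $credInfo = Get-ADSyncEntraConnectorCredential | Out-String
    if ($credInfo -match 'ServicePrincipal') {
        $result.IdentityType = 'ServicePrincipal'
    } else {
        $result.IdentityType = 'LegacyAccountOrUnknown'
    }

    # 3. Count unexpired machine certificates whose private key lives in the
    #    TPM key storage provider. A non-zero count on a TPM 2.0 host is what
    #    you expect after the switch; zero means the key is software-backed
    #    (still valid, just not hardware-rooted).
    $tpmCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
    } | Where-Object {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
            ($rsa -is [System.Security.Cryptography.RSACng]) -and
                ($rsa.Key.Provider.Provider -eq 'Microsoft Platform Crypto Provider')
        } catch { $false }
    }
    $result.TpmBackedCertCount = @($tpmCerts).Count

    [pscustomobject]$result
}

$status = Test-EntraConnectAppAuth
$status | Format-List

if (-not $status.ServiceRunning) {
    Write-Warning 'ADSync service is not running.'
}
if ($status.IdentityType -ne 'ServicePrincipal') {
    Write-Warning 'Connector still reports the legacy account; the automatic switch has not completed yet.'
}
if ($status.TpmBackedCertCount -eq 0) {
    Write-Warning 'No TPM-backed certificate found in LocalMachine\My; the key is software-protected.'
}
```

The certificate check is deliberately a count rather than a lookup by subject name, because the post does not record the subject Entra Connect assigns; treat a zero count as a prompt to review the key storage, not as proof that the switch failed.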

Demonstration

To show how this transition works in real life, I have deployed a lab environment using Entra Connect Sync version 2.4.129.0. Then I synchronized on-premises Active Directory with Microsoft Entra ID to observe how the software automatically switches from account-based to application-based authentication.

This lets you observe both the automatic upgrade of Entra Connect Sync and its seamless transition to application-based authentication.

Automatic Software Upgrade

  1. My current Entra Connect software version is: 2.4.129.0
  2. I document the details of the “Microsoft Entra Connector Account” by navigating to Azure AD Connector → Properties → Connectivity. This account is responsible for writing directory synchronization data from the on-premises Active Directory to Microsoft Entra ID during the sync process.
  3. I also confirmed the same account in Entra ID.
  4. After a few hours, the Entra Connect software was automatically updated to version 2.5.79.0.
  5. This occurred because the earlier version qualified for an automatic upgrade. I verified the audit logs and confirmed that the automatic upgrade was successful. This was indicated by Event ID 301 in the Directory Synchronization log.
  6. I went a step further to track the Entra Connect Sync versions before and after the upgrade. By reviewing Event ID 309 in the Directory Synchronization logs, I was able to confirm both the initial and final version details, ensuring that the upgrade was accurately recorded.

Initial Version

Final Version

  7. With this upgrade, my lab Entra Connect Sync server became eligible for automatic transition to application-based authentication.

Automatic Switch to Application-Based Authentication

After the automatic software upgrade, I waited approximately seven hours before checking whether the authentication switch had completed. And—magic! The transition from the legacy service account to application-based authentication was successfully completed, with no manual intervention required. The process was seamless, confirming that Entra Connect had handled the upgrade and authentication shift exactly as intended.

Verification

I logged into the Entra ID admin portal and verified that the application was successfully created. I also confirmed that the certificate was uploaded by the Entra Connect Sync server, and that the required permissions were automatically configured.

  1. Entra ID Application
  2. Certificate uploaded from the Entra Connect Sync Server
  3. Entra ID Application Permission
  4. Authentication Configuration, including: Application ID, who manages the application, certificate details, etc.

Auditing

I also reviewed audit logs from both the Entra Connect Sync server and Entra ID to trace the actions performed during the authentication rollover.

  1. Event ID 904
  2. Event ID 2524
  3. Event ID 1013
  4. The Entra ID portal provided audit logs detailing the deletion of the Entra Connect Sync service account.
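Both the upgrade evidence (Event IDs 301 and 309 in the Automatic Software Upgrade section) and the rollover evidence (Event IDs 904, 2524 and 1013 above) live in the same local log, so one query covers both. The script below is an added example, not part of the original post or of Microsoft's tooling. It assumes the log is named "Directory Synchronization" under Applications and Services Logs, as the post states; the labels it attaches to each ID describe how the post used them and are not official event definitions. The Entra ID side (the service-account deletion seen in the portal audit logs) is not covered here.

```powershell
# Added example (not from the original post): collect the Directory
# Synchronization events the post used as evidence of the automatic upgrade
# (301, 309) and of the authentication rollover (904, 2524, 1013).
# Assumption: log name 'Directory Synchronization'; the labels are descriptive.

function Get-EntraConnectTransitionEvents {
    [CmdletBinding()]
    param(
        [int]$Days = 7
    )

    # How each ID was used in the post, not a Microsoft event catalogue.
    $labels = @{
        301  = 'Automatic upgrade completed'
        309  = 'Version recorded (initial/final)'
        904  = 'Observed during authentication rollover'
        2524 = 'Observed during authentication rollover'
        1013 = 'Observed during authentication rollover'
    }

    $filter = @{
        LogName   = 'Directory Synchronization'
        Id        = @($labels.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; return an empty set instead.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Phase       = if ($e.Id -in 301, 309) { 'Upgrade' } else { 'AuthRollover' }
            Label       = $labels[$e.Id]
            Message     = ($e.Message -split "`r?`n")[0]   # first line is enough for a timeline
        }
    }
}

$events = Get-EntraConnectTransitionEvents -Days 14
$events | Format-Table -AutoSize

# Both phases should have left at least one event; warn if either is missing.
$seen = @($events | Group-Object Phase | Select-Object -ExpandProperty Name)
foreach ($phase in 'Upgrade', 'AuthRollover') {
    if ($phase -notin $seen) {
        Write-Warning "No '$phase' events found in the Directory Synchronization log in the last 14 days."
    }
}
```

Run this after the waiting period the post describes (roughly six to seven hours after the upgrade); an empty AuthRollover phase with a populated Upgrade phase simply means the switch has not happened yet, while an empty Upgrade phase on a server that is still below 2.5.76.0 is expected.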

Final Thoughts

This transition is seamless and secure, requiring minimal manual effort. Use the audit logs and portal checks to validate the change. This guide can help you document or replicate the process in your own environment.

Reference Articles:

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/authenticate-application-id?tabs=default

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-version-history

Author: Muthu