
Authenticate to Microsoft Entra ID by using application identity

Microsoft Entra Connect uses the Microsoft Entra Connector account to authenticate and sync identities from Active Directory to Microsoft Entra ID. This account uses a username and password to authenticate requests.

To enhance the security of the service, we're rolling out an application identity that uses the OAuth 2.0 client credentials flow with certificate credentials. In this new method, Microsoft Entra or an administrator creates a single-tenant, non-Microsoft application in Microsoft Entra ID and uses one of the following certificate management options for its credentials.

Microsoft Entra Connect provides three options for application and certificate management:

Managed by Microsoft Entra Connect

Microsoft Entra Connect manages the application and certificate, which includes creation, rotation, and deletion of the certificate. The certificate is stored in the CURRENT_USER store. For optimal protection of the certificate's private key, we recommend that the machine use a Trusted Platform Module (TPM) to establish a hardware-based security boundary.

When a TPM is available, key service operations are performed within a dedicated hardware environment. In contrast, if a TPM can't be used, Microsoft Entra Connect defaults to storing the certificate in the default Microsoft Software Key Storage Provider and marks the private key as nonexportable for extra protection. Without the hardware isolation provided by a TPM, only software safeguards secure the private key, which doesn't achieve the same level of protection.

For more information on TPM technology, see Trusted Platform Module technology overview.

Diagram that shows authentication with application ID.

We recommend the Microsoft Entra Connect certificate management option because we manage the keys and automatically rotate the certificate on expiry. This behavior is the default option in Microsoft Entra Connect Sync versions equal to or higher than 2.5.3.0.

We use the maintenance task to check if the certificate is due for rotation and then automatically rotate the certificate. If the scheduler is suspended or the maintenance task is disabled, autorotation can't happen even though Microsoft Entra Connect Sync manages the certificate.

Bring Your Own Application

In the Bring Your Own Application (BYOA) setup, the customer administrator manages the application that Microsoft Entra Connect Sync uses to authenticate to Microsoft Entra, the application permissions, and the certificate credential that the application uses.

The administrator registers a Microsoft Entra app and creates a service principal. The application needs the required permissions assigned.

The administrator is responsible for creating the certificate, rotation, and deletion of unused or expired certificates. The certificate must be stored in the LOCAL_MACHINE store.

The administrator is responsible for securing the private key of the certificate and ensuring that only Microsoft Entra Connect Sync can access the private key for signing.

Bring Your Own Certificate

In the Bring Your Own Certificate (BYOC) setup, the administrator manages the certificate credential that the application uses. The administrator is responsible for creating the certificate, rotation, and deletion of unused or expired certificates. The certificate must be stored in the LOCAL_MACHINE store.

The administrator is responsible for securing the private key of the certificate and ensuring that only Microsoft Entra Connect Sync can access the private key for signing.

We recommend that you use a TPM or a Hardware Security Module (HSM) to provide a hardware-based security boundary, as opposed to the default. To check the status of your TPM, use the Get-TPM PowerShell cmdlet.

If you use Hyper-V virtual machines (VMs), you can enable the TPM by selecting Security > Enable Trusted Platform Module. You can do this step only on generation 2 VMs. Generation 1 VMs can't be converted to generation 2 VMs. For more information, see Generation 2 VM security settings for Hyper-V and Enable trusted launch on existing Azure Gen2 VMs.
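The following script is an added example, not part of the Microsoft documentation, that performs the two checks this section describes from a defender's point of view: whether the TPM is present and ready, and whether a given certificate's private key is held by the TPM-backed key storage provider (Microsoft Platform Crypto Provider) or only by the software provider, and whether it is exportable. The thumbprint is a placeholder you replace with that of the Microsoft Entra Connect application certificate.

```powershell
# Added example (not from the Microsoft documentation).
# Checks TPM readiness and reports which CNG key storage provider holds a certificate's
# private key. <Thumbprint> is a placeholder for the application certificate's thumbprint.

# 1. TPM status: TpmPresent and TpmReady should both be True for a hardware boundary.
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
}

# 2. Locate the certificate. Connect-managed certificates live in CURRENT_USER,
#    BYOC/BYOA certificates in LOCAL_MACHINE, so both My stores are searched.
$thumbprint = '<Thumbprint>'   # placeholder
$cert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object Thumbprint -eq $thumbprint | Select-Object -First 1
if (-not $cert) { throw "Certificate $thumbprint not found in a My store." }

# 3. Open the private key through the CNG API and inspect its provider and export policy.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw 'Private key is not a CNG key; Microsoft Entra Connect requires a CNG provider.'
}
$key = $rsa.Key

# 'Microsoft Platform Crypto Provider' is the TPM-backed KSP; 'Microsoft Software Key
# Storage Provider' means the key is protected by software safeguards only.
$allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
[pscustomobject]@{
    Subject    = $cert.Subject
    Provider   = $key.Provider.Provider
    TpmBacked  = ($key.Provider.Provider -eq 'Microsoft Platform Crypto Provider')
    Exportable = (($key.ExportPolicy -band $allowExport) -ne 0)
    KeySize    = $key.KeySize
    NotAfter   = $cert.NotAfter
}
```

Run it in an elevated session on the Microsoft Entra Connect server. A result with TpmBacked set to False or Exportable set to True means the private key doesn't have the protection this section recommends, and for BYOC you should expect warning event 1014.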

Prerequisites

The following prerequisites are required to implement authentication by using application identity.

Important

New Microsoft Entra Connect Sync versions are available only via the Microsoft Entra admin center.

Following up on the What's New communication, new versions of Microsoft Entra Connect Sync are available only on the Microsoft Entra Connect pane within the Microsoft Entra admin center and will no longer be released to the Microsoft Download Center.

  • Microsoft Entra Connect version 2.5.3.0 or greater.
  • Microsoft Entra account with at least a Hybrid Identity Administrator role.
  • On-premises Active Directory Domain Services environment with a Windows Server 2016 operating system or later.
  • Optional: TPM 2.0 present and ready to use (recommended for security).

The following extra requirements are needed for the BYOC certificate management option:

  • A certificate is created in an HSM or TPM by using a Cryptography API: Next Generation (CNG) provider. The private key is marked as nonexportable. If a TPM isn't used, warning event 1014 is emitted. The following certificate configurations are supported:
    • KeyLength: 2048
    • KeyAlgorithm: RSA
    • KeyHashAlgorithm: SHA256
  • The created certificate is stored in the LOCAL_MACHINE store.
  • Grant the Microsoft Entra Connect Sync account permission to perform signing by using the private key.
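The following script is an added example, not part of the Microsoft documentation, that carries out the BYOC prerequisites above in one pass: it creates an RSA 2048/SHA256 certificate with a nonexportable key through the TPM-backed CNG provider (falling back to the software provider when no TPM is ready), stores it in LOCAL_MACHINE, and grants the account that runs the Microsoft Entra Connect Sync service (the ADSync service) read access to the private key file. The subject name is a placeholder, and the key-file location under ProgramData\Microsoft\Crypto\Keys is an assumption that applies to the software key storage provider only.

```powershell
# Added example (not from the Microsoft documentation).
# Creates a BYOC certificate that meets the stated requirements and grants the sync
# service account the minimum access needed to sign with its private key.

# Prefer the TPM-backed provider; fall back to the software KSP if the TPM isn't ready.
$provider = 'Microsoft Platform Crypto Provider'
if (-not (Get-Tpm).TpmReady) {
    Write-Warning 'TPM not ready; using the software KSP (expect warning event 1014).'
    $provider = 'Microsoft Software Key Storage Provider'
}

$certParams = @{
    Subject           = 'CN=EntraConnectSyncBYOC'   # placeholder subject name
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    KeyExportPolicy   = 'NonExportable'
    KeyUsage          = 'DigitalSignature'
    Provider          = $provider
    CertStoreLocation = 'Cert:\LocalMachine\My'
    NotAfter          = (Get-Date).AddYears(1)
}
$cert = New-SelfSignedCertificate @certParams

# The sync service runs as the ADSync service's logon account (by default NT SERVICE\ADSync).
$serviceAccount = (Get-CimInstance Win32_Service -Filter "Name='ADSync'").StartName

# Grant Read only (sufficient to sign) to that account; never Full Control, and nothing to others.
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert).Key
if ($provider -eq 'Microsoft Software Key Storage Provider') {
    # Assumption: software-KSP machine keys are files named by the key's UniqueName here.
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($key.UniqueName)"
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
} else {
    # TPM-backed keys are stored by the platform provider in its own location; apply the
    # same Read-only rule for $serviceAccount to that provider's key file.
    Write-Warning "Grant '$serviceAccount' Read access to the key '$($key.UniqueName)' held by $provider."
}

# Thumbprint to reference the certificate; compute the SHA256 hash with the page's script.
$cert.Thumbprint
```

After the certificate exists, compute its SHA256 hash with the script in the section "Script to generate the SHA256 hash of the certificate" and pass it to Add-EntraApplicationRegistration.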

The following extra requirements are needed for the BYOA application management option:

  • The customer creates a certificate as instructed in the preceding BYOC prerequisites.
  • The customer registers an application in Microsoft Entra ID and creates a service principal. The necessary permissions are granted via Microsoft Graph API.
  • The customer registers the certificate with the application.

Installation and upgrade (managed by Microsoft Entra Connect)

The Microsoft Entra Connect Sync managed application and credential is automatically set up during initial installation for new installations. To confirm that Microsoft Entra Connect is using the application identity, use the PowerShell cmdlet Get-ADSyncEntraConnectorCredential.

Screenshot that shows Get-ADSyncEntraConnectorCredential.

For upgrades, select Configure application based authentication to Microsoft Entra ID (Preview).

Screenshot that shows configuring application-based authentication.

If you didn't select the box during upgrade, the following recommendation appears after installation finishes.

Screenshot that shows recommendation.

If you didn't select the box during upgrade or you want to switch to application-based authentication, use Tasks.

On the Additional tasks pane, select Configure application based authentication to Microsoft Entra ID (Preview) and then follow the prompts.

Screenshot that shows configuring application-based authentication on the Additional tasks pane.

Onboard to application-based authentication by using PowerShell

This section is relevant only if you use the BYOC or BYOA options. Microsoft Entra Connect versions lower than 2.5.3.0 use a username and password by default to authenticate to Microsoft Entra ID. To onboard to application-based authentication, an administrator must perform the following steps on a Microsoft Entra Connect Sync version equal to or higher than 2.5.3.0.

Note

Ensure that you're on the Microsoft Entra Connect server and that the Microsoft Entra Connect Sync PowerShell module is installed.

  1. Use the PowerShell command to verify the current authentication method.

    Get-ADSyncEntraConnectorCredential
    

    This step should return the ConnectorIdentityType value currently in use.

  2. Disable the scheduler to ensure that no sync cycles run until this change is completed.

    Set-ADSyncScheduler -SyncCycleEnabled $false
    
  3. Register an application and create a service principal in Microsoft Entra ID.

    • Managed by Microsoft Entra Connect:

       Add-EntraApplicationRegistration
      
    • Use BYOC:

      Note

      The certificate SHA256Hash must be provided when you register the application. Use the script in the section "Script to generate the SHA256 hash of the certificate" to generate the hash.

      Add-EntraApplicationRegistration -CertificateSHA256Hash <CertificateSHA256Hash>
      

      Replace <CertificateSHA256Hash> with the SHA256 hash of your certificate.

    • Use BYOA:

      Register a Microsoft Entra app and create a service principal. Note the application ID because you need it in the next section.

  4. Link Microsoft Entra Application with Microsoft Entra Connect Sync by using administrator credentials.

    • Managed by Microsoft Entra Connect:

      Add-ADSyncApplicationRegistration
      
    • Use BYOC:

       Add-ADSyncApplicationRegistration -CertificateSHA256Hash <CertificateSHA256Hash>
      
    • Use BYOA:

       Add-EntraApplicationRegistration -CertificateSHA256Hash <CertificateSHA256Hash> -ApplicationAppId <appId>
      

    Replace <CertificateSHA256Hash> with the SHA256 hash of your certificate and <appId> with the ID of the application that was created in Microsoft Entra ID.

  5. Run a verification to confirm that you're now using application identity. Run the following cmdlet to get the current authentication and ensure that it has the ConnectorIdentityType value as Application.

    Get-ADSyncEntraConnectorCredential
    
  6. Reenable the scheduler to begin the synchronization service by using the following cmdlet:

    Set-ADSyncScheduler -SyncCycleEnabled $true
    
  7. Remove the Directory Synchronization Account (DSA) from Microsoft Entra ID (recommended).

View the certificate

To view the certificate information, go to Tasks and then select View or export current configuration. Scroll down to the certificate details. The following table provides information about the certificate.

  • Certificate managed by: Whether Microsoft Entra Connect Sync or BYOC manages the certificate.
  • Automatic rotation enabled: Whether automatic rotation or manual rotation is enabled.
  • Certificate thumbprint: Unique identifier for the certificate.
  • Certificate SHA256 hash: A fingerprint for the certificate generated by using the SHA-256 hashing algorithm.
  • Subject name: Identifies the entity associated with the certificate.
  • Issued by: The issuer of the certificate.
  • Serial number: Uniquely identifies the certificate among certificates by the same issuer.
  • Not valid before: The first date that the certificate is valid.
  • Not valid after: The last date that the certificate is valid.

Screenshot that shows the certificate.

On-demand certificate rotation

Microsoft Entra Connect warns when certificate rotation is due, that is, when the certificate expires in 150 days or fewer. It emits an error if the certificate is already expired. You can find these warnings (Event ID 1011) and errors (Event ID 1012) in the Application event log.

This message is emitted at the scheduler frequency if maintenance is enabled, and the scheduler isn't suspended. Run Get-ADSyncSchedulerSettings to see if the scheduler is suspended or maintenance is enabled or disabled.

If Microsoft Entra Connect manages the certificate, no action is required from you unless the scheduler is suspended or maintenance is disabled. Microsoft Entra Connect Sync adds the new certificate credential to the application and tries to remove the old certificate credential. If it fails to remove the old certificate credential, an error event appears in the Application logs in the Event Viewer.

If you see this error, run the following cmdlet in PowerShell to clean up the old certificate credential from Microsoft Entra. The cmdlet takes the CertificateId value of the certificate that must be removed, which you can obtain from the log or the Microsoft Entra admin center.

Remove-EntraApplicationKey -CertificateId <certificateId>
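The following script is an added example, not part of the Microsoft documentation, that turns the preceding description into a monitoring check: it pulls the rotation warnings (1011), expiry errors (1012), and missing-TPM warnings (1014) from the Application log for the last seven days, and then reports whether the scheduler state would prevent automatic rotation from running at all. It assumes the events are written under the provider name "Directory Synchronization" and that Get-ADSyncSchedulerSettings exposes SchedulerSuspended and MaintenanceEnabled properties.

```powershell
# Added example (not from the Microsoft documentation).
# Surfaces the certificate events named in this section and explains why autorotation
# might not be running. Provider name and scheduler property names are assumptions.

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'   # assumed event source of the sync service
    Id           = 1011, 1012, 1014
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Event IDs as documented on this page.
$meaning = @{
    1011 = 'Warning: certificate rotation due (150 days or fewer to expiry)'
    1012 = 'Error: certificate already expired'
    1014 = 'Warning: private key is not TPM-protected'
}

if ($events) {
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = { $meaning[[int]$_.Id] } }, Message
} else {
    Write-Output 'No certificate warnings or errors in the last 7 days.'
}

# Silence can also mean the checks never ran: they're emitted at scheduler frequency only
# when maintenance is enabled and the scheduler isn't suspended.
$settings = Get-ADSyncSchedulerSettings
if ($settings.SchedulerSuspended -or -not $settings.MaintenanceEnabled) {
    Write-Warning ('Automatic rotation cannot run: SchedulerSuspended={0}, MaintenanceEnabled={1}' -f
        $settings.SchedulerSuspended, $settings.MaintenanceEnabled)
}
```

A healthy server shows no 1011/1012 events and a scheduler that is neither suspended nor missing maintenance; a 1012 event means sync is already failing to authenticate and the certificate must be rotated on demand.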

Use the wizard

After application authentication is enabled, you see another option on the Additional tasks pane. The Rotate application certificate option is now available. From this point, you can rotate the certificate manually. We recommend the Microsoft Entra Connect certificate management option because we manage the keys and automatically rotate the certificate on expiry. This option is the default in Microsoft Entra Connect Sync versions equal to or higher than 2.5.3.0.

Screenshot that shows the Rotate application certificate option on the Additional tasks pane.

Use PowerShell

If you use the BYOC option and receive a rotation warning from Microsoft Entra Connect Sync, we highly recommend that you generate a new key and certificate and rotate the certificate that Microsoft Entra Connect Sync uses by using PowerShell.

  1. Disable the scheduler to ensure that no sync cycles run until this change is completed. Use the following PowerShell cmdlet to disable the scheduler:

    Set-ADSyncScheduler -SyncCycleEnabled $false
    
  2. Invoke certificate credential rotation when you use the Microsoft Entra Managed option (default mode) but the scheduler is suspended or maintenance is disabled.

    Invoke-ADSyncApplicationCredentialRotation
    

    In BYOC mode, the new certificate SHA256Hash must be provided:

    Invoke-ADSyncApplicationCredentialRotation -CertificateSHA256Hash <CertificateSHA256Hash>
    

    In BYOA mode, the new certificate SHA256Hash must be provided:

     Add-EntraApplicationRegistration -CertificateSHA256Hash <CertificateSHA256Hash>
    

    Replace <CertificateSHA256Hash> with the SHA256 hash of the new certificate.

  3. Get the current authentication and confirm that it has the ConnectorIdentityType value as Application. Use the following PowerShell cmdlet to verify the current authentication:

    Get-ADSyncEntraConnectorCredential
    
  4. Reenable the scheduler to begin the synchronization service:

    Set-ADSyncScheduler -SyncCycleEnabled $true
    
  5. Verify that the sync cycle is successful.

  6. Remove the old certificate from the LOCAL_MACHINE store for BYOC and BYOA options.

You can rotate the certificate at any point in time, whether the current certificate is not yet due for rotation or has already expired.

Script to generate the SHA256 hash of the certificate

# Load the certificate from the LOCAL_MACHINE store; replace <Thumbprint> with the
# thumbprint of your BYOC/BYOA certificate
$cert = Get-Item "Cert:\LocalMachine\My\<Thumbprint>"

# Get the raw DER bytes of the X509Certificate
$certRawData = $cert.GetRawCertData()

# Compute the SHA256 hash of the certificate bytes
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hashBytes = $sha256.ComputeHash($certRawData)

# Convert the hash bytes to an uppercase hex string
$v = $PSVersionTable.PSVersion
if ($v.Major -gt 7 -or ($v.Major -eq 7 -and $v.Minor -ge 1)) {
    # PowerShell (Core) 7.1+
    $certHash = [System.Convert]::ToHexString($hashBytes)
} else {
    # Windows PowerShell 5.1 and older PowerShell
    $certHash = ($hashBytes | ForEach-Object ToString X2) -join ''
}

# Pass this value as -CertificateSHA256Hash
$certHash

Resource permission

ADSynchronization.ReadWrite.All (Application and Delegated)

  • Identifier: 0b41ed4d-5f52-442b-8952-ea7d90719860 (same for both categories)
  • DisplayText: Read, write, and manage identity synchronization with on-premises via Microsoft Entra Connect Sync.
  • Description: Allows the app to read, write, and manage identity data synced with on-premises via Microsoft Entra Connect Sync.
  • AdminConsentRequired: Yes

Microsoft Graph permissions for BYOA

PasswordWriteback.RefreshClient.All (Application only; no delegated permission)

  • Identifier: fc7e8088-95b5-453e-8bef-b17ecfec5ba3
  • DisplayText: Read, write, and manage self-service password reset writeback for the Microsoft Entra Connect Sync Agent.
  • Description: Allows the app to refresh and re-create on-premises configuration for Microsoft self-service password reset.
  • AdminConsentRequired: Yes

PasswordWriteback.RegisterClientVersion.All (Application only; no delegated permission)

  • Identifier: e006e431-a65b-4f3e-8808-77d29d4c5f1a
  • DisplayText: Read, write, and manage self-service password reset client version configuration for the Microsoft Entra Connect Sync Agent.
  • Description: Allows the app to register a newer version of the on-premises Microsoft Entra Connect Sync Agent.
  • AdminConsentRequired: Yes

PasswordWriteback.OffboardClient.All (Application only; no delegated permission)

  • Identifier: 69201c67-737b-4a20-8f16-e0c8c64e0b0e
  • DisplayText: Read, write, and manage self-service password reset uninstall/offboard configuration for the Microsoft Entra Connect Sync Agent.
  • Description: Allows the app to offboard a version of the on-premises Microsoft Entra Connect Sync Agent.
  • AdminConsentRequired: Yes

Certificate revocation process

For self-signed certificates, either Microsoft Entra Managed or BYOC, an administrator must perform manual revocation by removing the keyCredential value from Microsoft Entra ID. An on-demand rotation of the certificate is also an option.

For BYOC certificates issued by a Certificate Authority registered with Microsoft Entra, the administrator can follow the certificate revocation process.

Remove a legacy service account by using PowerShell

After you transition to application-based authentication and Microsoft Entra Connect Sync is working as expected, we strongly recommend that you remove the legacy DSA username and password service account by using PowerShell. If you use a custom account that can't be removed, deprivilege it and remove the DSA role from it.

Follow these steps to remove the legacy service account.

  1. Add the service account username and password.

    # Prompts for the Microsoft Entra administrator credentials and stores them for the next step
    $HACredential = Get-Credential
    
  2. You're prompted to enter your Microsoft Entra administrator UserPrincipalName value and the password. Enter the username and password.

  3. Next, remove the service account.

    Remove-ADSyncAADServiceAccount -AADCredential $HACredential -Name <ServiceAccountName>
    

    The ServiceAccountName value is the first part of the UserPrincipalName value of the service account used in Microsoft Entra ID. You can find this user in the list of users in the Microsoft Entra admin center. If the UPN is aringdahl@fabrikam.com, use aringdahl as the ServiceAccountName value.

Roll back to a legacy service account by using PowerShell

If you need to go back to the legacy service account, for example to mitigate an issue quickly, you can use PowerShell to revert to using the service account. Use the following steps to roll back to the service account.

As part of the rollback, you need to re-create the DSA account. This new account might take up to 15 minutes to take effect, so you might get an "Access Denied" error when you reenable the sync cycle.

  1. Disable the scheduler to ensure that no sync cycles run until this change is completed.

    Set-ADSyncScheduler -SyncCycleEnabled $false
    
  2. Add the service account. You're prompted to enter your Microsoft Entra administrator UserPrincipalName value and the password. Enter the credentials.

    Add-ADSyncAADServiceAccount
    
  3. Get the current authentication mechanism and confirm that the ConnectorIdentityType value is back to ServiceAccount.

    Get-ADSyncEntraConnectorCredential
    
  4. Reenable the scheduler to begin the synchronization service.

    Set-ADSyncScheduler -SyncCycleEnabled $true