Merényi Mónika

Understanding Entra Connect Sync Architecture: A Deep Dive - Part 2

Introduction

In Part 1, we explored the core components of Microsoft Entra Connect Sync—Connectors, the Connector Space, and the Metaverse—which form the foundation of identity synchronization. But how does data actually move through the system? How does Entra Connect Sync ensure changes in your on-premises Active Directory (AD) are reflected in Microsoft Entra ID?

In Part 2, we’ll dive deep into the synchronization process, exploring how sync objects interact and move identity data through the system.

Let's begin!

We already discussed the Sync Engine in the previous post, but here is a recap:

Sync Engine

The Sync Engine is a system that synchronizes identity data across different sources, such as a company’s HR database, Active Directory, and cloud services. It acts as a middleman, ensuring that changes made in one system—like adding a new employee to HR records—are reflected in other connected systems.

And let's dig deeper:

To manage this synchronization, the Sync Engine uses objects, which are digital representations of users, devices, or groups from various sources.

Every object in the sync engine must have a globally unique identifier (GUID), to make sure there are no duplicates and to track relationships between objects.

Types of Objects in the Sync Engine

As a recap: the Connector Space is where identity data from external systems (like Active Directory, HR databases, or cloud services) is staged before being processed and synchronized with the metaverse.

Objects in the Connector Space include:

1. Staging Object

This is the most important type.

A staging object is a temporary copy of an object from a connected data source, stored in the connector space before synchronization.

It stores key attributes and operational data needed for synchronization.

Key Characteristics of Staging Objects

  • Each staging object has a GUID (globally unique identifier) and a distinguished name for identification.

  • It always includes an object type to define its nature (e.g., user, group, device).

  • Staging objects imported from a data source always have an anchor attribute (a unique key that remains constant for an object).
    NOTE: Newly provisioned objects (created by the sync engine) do not yet have an anchor attribute until they exist in the connected data source.

To look at one user yourself, open Synchronization Service Manager » Connectors » your local AD connector » right-click » Search Connector Space, and pick a user object from the results.

Role of Staging Objects in Sync

They store identity attributes (such as name, email, group memberships).

They track operational status for synchronization.

The sync engine does not apply changes immediately. Instead, it stages changes in the connector space before they are processed.

This is where the "pending import" and "pending export" flags come in.

Pending Import

The sync engine has received new or updated data from a connected data source, but it has not yet processed that data.

Example:

A user in your on-premises Active Directory (AD) changes their name.

The user object in the connector space is updated with the new name, but it has not yet been written to the metaverse.

Until the sync engine applies this change, the object is flagged as "pending import."


Pending Export

The sync engine has processed a change and is ready to send it to a connected system, but it has not yet been applied.

Example:

The sync engine determines that a new employee needs to be provisioned in Microsoft Entra ID (Azure AD).
It creates an export object in the connector space to send this new identity to Entra ID.
However, until the sync engine successfully exports the object, it is flagged as "pending export."


Import Object → Created when the sync engine detects an object in a connected data source and stages it in the connector space.

Export Object → Created when an update needs to be sent from the sync engine to a connected data source.

Why is this important?

These flags help the sync engine track unprocessed changes, ensuring that:
✅ Only necessary updates are applied.
✅ No redundant or conflicting changes occur.
✅ Data remains consistent across connected systems.

2. Placeholder

Placeholders are objects in the sync engine that stand in for something the connector has not (yet) imported, so that the structure of hierarchical systems like Active Directory is preserved. For example, if a user is imported but their manager's record isn't available yet, a placeholder is created to represent the missing manager; the parent containers of an object can be represented the same way. Once the manager's record is imported, the placeholder is replaced by the actual object.

3. Disconnector Objects (also called disjoined objects)

These are staging objects in the Connector Space that are not linked to any object in the metaverse.
They exist in the sync engine, but no attributes flow between them and the metaverse.

A staging object is a disconnector right after it is first imported, until inbound synchronization joins it to an existing metaverse object or projects a new one. It stays a disconnector if, for example, it is filtered out by a synchronization rule (a filtered disconnector) or no join or projection rule applies to it.


Objects in the Metaverse

Metaverse object:

A metaverse object represents a consolidated view of identity data aggregated from one or more connector space objects (imported from connected data sources).

Automatic Creation & Deletion:

Metaverse objects cannot be manually created or deleted.
They are automatically generated when a connector space object is linked to the metaverse.
If all linked connector space objects are deleted or disconnected, the sync engine automatically removes the corresponding metaverse object.

Attribute Flow & Synchronization:

The metaverse object maintains the most up-to-date identity information through attribute flow, where changes from the connector space are synchronized into the metaverse.

One-to-Many Relationship:

A metaverse object can be linked to multiple connector space objects (from different connected data sources).
However, a connector space object can be linked to only one metaverse object.


Joined objects

When a staging object in the Connector Space is linked to a metaverse object, it becomes a joined object.

This allows data to flow between the metaverse and the external system.



Summary

Objects in the Connector Space → Staging Objects, Placeholders, Disjoined Objects.
Objects in the Metaverse → Unified identity objects.
Objects linked between both → Joined Objects (Connector Objects).

A little illustration that I created shows everything we discussed so far.

Objects from a connected data source are temporarily stored in the Connector Space as staging objects.

Import objects exist in the Connector Space for the on-premises Active Directory (AD).
Export objects exist in the Connector Space for Microsoft Entra ID.
The synchronization process follows these steps:

Inbound Synchronization: The object is first synchronized from the Connector Space to the metaverse, governed by inbound synchronization rules (ISR).

Outbound Synchronization: The object is then synchronized from the metaverse to the target Connector Space as an export object, following outbound synchronization rules (OSR).

This ensures that identity data flows correctly between systems while maintaining consistency across environments.
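To make the whole pipeline concrete, here is a small constructed model of it in Python. It is an added example, not code from the post or from Entra Connect itself: connector names ("contoso.local", "hr", "entra"), the join on the mail attribute, the scoping filter and the anchor values are all assumptions chosen for illustration. It shows a staging object flagged pending import, inbound sync joining or projecting it into the metaverse (or leaving it as a filtered disconnector), attribute flow, outbound sync provisioning an export object with no anchor and the pending-export flag set, the export assigning the anchor, a second source joining the same metaverse object (one-to-many), and the metaverse object being removed once the last source object is disconnected.

```python
"""Constructed toy model of the Entra Connect Sync object pipeline (not the product's own code).

Connector spaces (CS) per connector, the metaverse (MV), staging objects with pending-import /
pending-export flags, join-or-project inbound sync, attribute flow, export objects provisioned
by outbound sync, filtered disconnectors, and MV deletion once no source object is joined.
"""
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class CSObject:
    connector: str
    dn: str
    object_type: str
    anchor: Optional[str]                  # None for engine-provisioned objects not yet exported
    attributes: Dict[str, str]
    guid: str = field(default_factory=lambda: str(uuid.uuid4()))
    mv_id: Optional[str] = None            # set: joined (connector object); None: disconnector
    pending_import: bool = False           # read from the source, not yet processed by inbound sync
    pending_export: bool = False           # change computed by outbound sync, not yet exported
    provisioned: bool = False              # created by the sync engine rather than imported


@dataclass
class MVObject:
    object_type: str
    attributes: Dict[str, str] = field(default_factory=dict)
    guid: str = field(default_factory=lambda: str(uuid.uuid4()))


class SyncEngine:
    def __init__(self) -> None:
        self.cs: Dict[str, Dict[str, CSObject]] = {}    # connector name -> DN -> staging object
        self.mv: Dict[str, MVObject] = {}

    def stage_import(self, connector: str, dn: str, object_type: str, anchor: str,
                     attributes: Dict[str, str]) -> CSObject:
        """Import step: stage (or update) an object as read from the connected source."""
        space = self.cs.setdefault(connector, {})
        obj = space.get(dn)
        if obj is None:
            obj = space[dn] = CSObject(connector, dn, object_type, anchor, dict(attributes))
        else:
            obj.attributes.update(attributes)
        obj.pending_import = True
        return obj

    def inbound_sync(self, connector: str, join_attr: str = "mail",
                     in_scope: Callable[[Dict[str, str]], bool] = lambda a: True) -> None:
        """Inbound rule: filter, join on `join_attr` or project a new MV object, then flow attributes."""
        for obj in self.cs.get(connector, {}).values():
            if not obj.pending_import:
                continue
            obj.pending_import = False
            if not in_scope(obj.attributes):
                continue                    # filtered disconnector: stays in CS, never reaches the MV
            if obj.mv_id is None:
                match = next((m for m in self.mv.values() if m.object_type == obj.object_type
                              and m.attributes.get(join_attr) == obj.attributes.get(join_attr)), None)
                if match is None:           # no join partner: projection creates the MV object
                    match = MVObject(obj.object_type)
                    self.mv[match.guid] = match
                obj.mv_id = match.guid
            self.mv[obj.mv_id].attributes.update(obj.attributes)   # attribute flow CS -> MV

    def outbound_sync(self, target: str, dn_for: Callable[[MVObject], str]) -> None:
        """Outbound rule: every MV object gets an export object in `target` that mirrors it."""
        space = self.cs.setdefault(target, {})
        for mv in self.mv.values():
            obj = next((o for o in space.values() if o.mv_id == mv.guid), None)
            if obj is None:
                dn = dn_for(mv)
                obj = space[dn] = CSObject(target, dn, mv.object_type, None, {}, provisioned=True)
                obj.mv_id = mv.guid
            if obj.attributes != mv.attributes:
                obj.attributes = dict(mv.attributes)
                obj.pending_export = True   # staged, but not applied in the target yet

    def export(self, target: str, anchor_for: Callable[[CSObject], str]) -> int:
        """Export step: apply pending exports; the target assigns the anchor on first creation."""
        done = 0
        for obj in self.cs.get(target, {}).values():
            if obj.pending_export:
                obj.anchor = obj.anchor or anchor_for(obj)
                obj.pending_export = False
                done += 1
        return done

    def disconnect(self, connector: str, dn: str) -> bool:
        """Unlink a staging object (it stays as a disconnector); True if the MV object was deleted."""
        obj = self.cs[connector][dn]
        mv_id, obj.mv_id = obj.mv_id, None
        if mv_id is None:
            return False
        if any(o.mv_id == mv_id and not o.provisioned for s in self.cs.values() for o in s.values()):
            return False                    # another source is still joined: MV object survives
        del self.mv[mv_id]                  # last source gone: MV object removed automatically
        for s in self.cs.values():
            for o in s.values():
                if o.mv_id == mv_id:        # provisioned export objects: stage a deletion export
                    o.mv_id, o.attributes, o.pending_export = None, {}, True
        return True
```

Run it by staging a user with `stage_import`, calling `inbound_sync` and `outbound_sync`, and inspecting the `pending_import`, `pending_export`, `anchor` and `mv_id` fields between each step; a second connector staging an object with the same mail value joins the same metaverse object, and `disconnect` on the last joined source removes the metaverse object and flags the export object for deletion.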

Coming up

In the next part we will see everything in action.
