How to Optimise Azure AD Connect Performance

Azure AD Connect (now Microsoft Entra Connect) synchronises your on-premise Active Directory to Microsoft Entra ID on a 30-minute cycle by default. In most environments this is fast and invisible. In environments with large directories, complex attribute filtering, or heavily nested group structures, sync cycles stretch to hours, causing delayed provisioning, stale identity data in Entra ID, and authentication issues for recently joined or modified accounts.

This guide covers the main performance bottlenecks and how to address each one.

Understand what is taking time

Before optimising anything, measure where time is being spent. Open Synchronisation Service Manager on the Connect server and look at the last several sync cycle runs. Each cycle has three phases: Import (reading from on-premise AD), Synchronisation (applying rules to determine what changes need to be propagated), and Export (writing changes to Entra ID).

Note the duration of each phase. If Import is slow, the bottleneck is reading from your on-premise DC. If Synchronisation is slow, the bottleneck is the sync rules engine processing object changes. If Export is slow, the bottleneck is writing to the Entra ID endpoint.

The Event Viewer on the Connect server (under Applications and Services Logs > Directory Service > AADConnect) provides more granular detail. Look for warnings and errors during sync cycles that indicate which objects are causing processing delays.
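The phase breakdown described above can also be pulled from the run history with the ADSync module rather than read off Synchronisation Service Manager by hand. The script below is an added example, not code from the original guide or from Microsoft; it assumes that Get-ADSyncRunProfileResult returns objects with ConnectorId, RunProfileId, StartDate, EndDate and Result, and that each connector from Get-ADSyncConnector lists its run profiles (with Identifier and Name) under RunProfiles. Run it in an elevated PowerShell session on the Connect server.

```powershell
# Added example: average Import / Synchronization / Export duration per connector
# over the most recent run-profile executions, slowest first.
Import-Module ADSync

function Get-SyncPhaseDuration {
    param([int]$NumberRequested = 50)

    # Map connector and run-profile GUIDs to names (property names are assumed).
    $connectorName = @{}
    $profileName   = @{}
    foreach ($c in Get-ADSyncConnector) {
        $connectorName[$c.Identifier] = $c.Name
        foreach ($p in $c.RunProfiles) { $profileName[$p.Identifier] = $p.Name }
    }

    Get-ADSyncRunProfileResult -NumberRequested $NumberRequested |
        Where-Object { $_.EndDate } |          # skip runs still in progress
        ForEach-Object {
            $name = $profileName[$_.RunProfileId]
            # Fold "Full Import" / "Delta Import" etc. into the three phases the guide describes.
            $phase = switch -Wildcard ($name) {
                '*Import*'          { 'Import' }
                '*Synchronization*' { 'Synchronization' }
                '*Export*'          { 'Export' }
                default             { $name }
            }
            [pscustomobject]@{
                Connector = $connectorName[$_.ConnectorId]
                Profile   = $name
                Phase     = $phase
                Minutes   = [math]::Round(($_.EndDate - $_.StartDate).TotalMinutes, 1)
                Result    = $_.Result
                Started   = $_.StartDate
            }
        }
}

# Summarise: the connector/phase pair with the highest average is the bottleneck.
Get-SyncPhaseDuration -NumberRequested 100 |
    Group-Object Connector, Phase |
    ForEach-Object {
        [pscustomobject]@{
            ConnectorPhase = $_.Name
            Runs           = $_.Count
            AvgMinutes     = [math]::Round(($_.Group | Measure-Object Minutes -Average).Average, 1)
            MaxMinutes     = ($_.Group | Measure-Object Minutes -Maximum).Maximum
            Failures       = @($_.Group | Where-Object { $_.Result -ne 'success' }).Count
        }
    } | Sort-Object AvgMinutes -Descending | Format-Table -AutoSize
```

Read the Failures column alongside the durations: a phase that is both slow and failing usually points at a handful of objects (the Event Viewer warnings mentioned above) rather than at raw directory size.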

Scope synchronisation to what you actually need

The single highest-impact change in most environments: reduce the number of objects being synchronised by filtering to only the OUs and attributes that are needed.

OU filtering. Azure AD Connect lets you select which Organisational Units to include in the sync scope. By default, after Express installation, all OUs are included. If you have OUs containing inactive accounts, service accounts that do not need cloud access, legacy computer objects, or departmental OUs that use on-premise resources only, exclude them.

In the Entra Connect wizard, navigate to Customise synchronisation options > Domain and OU filtering. Deselect OUs that should not be synchronised. After saving, trigger a full import cycle to apply the change.
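Deciding which OUs to drop is easier with numbers. The script below is an added example, not part of the original guide; it uses the RSAT ActiveDirectory module to count user objects per top-level OU and how many of them look inactive, so the OUs that add the most sync work for the least cloud value stand out. The 90-day inactivity window is an assumed value; adjust it to your own policy.

```powershell
# Added example: user counts and stale-user share per top-level OU, as input to
# the Domain and OU filtering decision. Needs read access to the domain.
Import-Module ActiveDirectory

function Get-OUSyncCandidates {
    param(
        [int]$InactiveDays = 90,                                    # assumed window
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # lastLogonTimestamp is stored as a Windows file time (Int64), so compare in that form.
    $cutoff = (Get-Date).AddDays(-$InactiveDays).ToFileTime()

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope OneLevel) {
        $users = @(Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -SearchScope Subtree `
                              -Properties lastLogonTimestamp)

        # lastLogonTimestamp replicates lazily (it can lag real logons by up to 14 days),
        # which is fine for spotting accounts idle for months. Disabled accounts and
        # accounts that have never logged on are counted as stale too.
        $stale = @($users | Where-Object {
            -not $_.Enabled -or -not $_.lastLogonTimestamp -or $_.lastLogonTimestamp -lt $cutoff
        })

        [pscustomobject]@{
            OU         = $ou.DistinguishedName
            Users      = $users.Count
            StaleUsers = $stale.Count
            StalePct   = if ($users.Count) { [math]::Round(100 * $stale.Count / $users.Count) } else { 0 }
        }
    }
}

Get-OUSyncCandidates | Sort-Object StalePct -Descending | Format-Table -AutoSize
```

An OU with hundreds of users and a stale share near 100% (a leavers or archive OU, for instance) is the first thing to deselect; an OU with a moderate stale share is a clean-up job in AD rather than a filtering decision, since excluding it would also drop the active accounts it contains.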

Attribute filtering. The default synchronisation includes hundreds of AD attributes per user object. Most are never used in Entra ID. Removing unused attributes from the synchronisation scope reduces the data volume in each sync cycle and reduces the work the sync engine does when comparing objects.

Use the Entra Connect wizard under Optional features > Directory extension attribute sync to review which attributes are in scope. Remove any that have no cloud use case. Custom attributes added by applications that are on-premise only are particularly good candidates for exclusion.

Check the V2 endpoint

The Entra Connect V2 endpoint API was introduced to address performance issues with large group synchronisation. If your environment includes large groups (thousands of members) and you are on Entra Connect 1.5 or later, ensure the V2 endpoint is enabled.

The V2 endpoint supports synchronising groups with up to 250,000 members (compared to 50,000 on V1) and processes large group membership updates significantly faster. Enable it in the wizard or via PowerShell:

Set-ADSyncAADConnectorImportApiVersion 2
Set-ADSyncAADConnectorExportApiVersion 2

For environments with nested groups, the V2 endpoint processes membership resolution more efficiently than V1.
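The endpoint switch is safest done with the scheduler stopped, both API versions set, the scheduler restarted and a full sync run afterwards, with a check at each step. The script below is an added example, not code from the original guide or from Microsoft, and the large-group helper is included so you can confirm the switch matters for your directory before making it. Run it elevated on the Connect server; the 50,000-member threshold is the V1 limit quoted above.

```powershell
# Added example: move the Entra ID connector to the V2 endpoint with guard rails,
# and list on-premise groups whose size is at or beyond the V1 limit.
Import-Module ADSync

function Enable-ConnectV2Endpoint {
    $importVersion = Get-ADSyncAADConnectorImportApiVersion
    $exportVersion = Get-ADSyncAADConnectorExportApiVersion
    if ($importVersion -eq 2 -and $exportVersion -eq 2) {
        Write-Host 'V2 endpoint already enabled for import and export; nothing to do.'
        return
    }

    # Never change the endpoint underneath a running cycle.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw 'A sync cycle is in progress; wait for it to finish before switching endpoints.'
    }

    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        Set-ADSyncAADConnectorImportApiVersion 2
        Set-ADSyncAADConnectorExportApiVersion 2
    }
    finally {
        # Re-enable the scheduler even if one of the Set- calls failed, so sync does not stay off.
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }

    # Confirm both directions report version 2 before committing to a full sync.
    $importVersion = Get-ADSyncAADConnectorImportApiVersion
    $exportVersion = Get-ADSyncAADConnectorExportApiVersion
    if ($importVersion -ne 2 -or $exportVersion -ne 2) {
        throw "Endpoint switch incomplete: import=$importVersion export=$exportVersion"
    }

    # The first cycle after the switch is a full sync (PolicyType Initial).
    Start-ADSyncSyncCycle -PolicyType Initial
}

function Get-LargeADGroup {
    param([int]$Threshold = 50000)   # V1 endpoint limit from the guide
    # Reading the member attribute for every group is expensive in a large forest;
    # run this once, off-hours, not on a schedule.
    Import-Module ActiveDirectory
    Get-ADGroup -Filter * -Properties member |
        Where-Object { $_.member.Count -ge $Threshold } |
        Select-Object Name, @{ n = 'Members'; e = { $_.member.Count } } |
        Sort-Object Members -Descending
}

Get-LargeADGroup | Format-Table -AutoSize
# Enable-ConnectV2Endpoint   # uncomment once the group sizes justify the switch
```

The try/finally around the two Set- calls is the part worth copying even if you type the commands by hand: a failed switch that leaves the scheduler disabled is a silent outage, since nothing is synchronised until someone notices.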

Optimise the server hardware

Azure AD Connect's sync engine is CPU and disk I/O intensive during the Synchronisation phase. The Connect server is often under-provisioned relative to the directory size it manages.

Microsoft's recommended minimums for environments with over 10,000 objects:

  • 4 CPU cores (8 recommended)
  • 16 GB RAM
  • SSD storage for the sync database

If the Connect server is running on HDD storage, migrating the SQL Express sync database to an SSD is one of the most impactful changes for large directories. The sync engine performs thousands of read and write operations to the local SQL database during each cycle.

For very large environments (100,000+ objects), replace the default SQL Express database with a full SQL Server instance. SQL Express has a 10 GB database size limit, which large directories can approach, and it does not support the same I/O parallelism as full SQL Server.

Use staging mode for scheduled maintenance

When making configuration changes to the sync rules, use a staging mode server rather than the production Connect instance. A staging mode server runs sync cycles but does not export changes. You can validate the effect of rule changes on the staging server before applying them to the production server.

Staging mode also allows planned maintenance on the production server without interrupting sync. Switch the staging server to active (turn off staging mode), perform maintenance on the production server, and switch back. This pattern is the correct way to perform Connect upgrades in production environments.
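The risk in a swap is the window in which both servers are active (two exporters writing conflicting changes to Entra ID) or neither is (no sync at all). The script below is an added example, not part of the original guide; it queries the scheduler state on both servers over PowerShell remoting and refuses to continue unless exactly one of them is out of staging mode and no cycle is running. The server names are assumed placeholders, and the staging toggle itself is still done in the wizard as described above.

```powershell
# Added example: pre- and post-swap check that exactly one Connect server is active.
$servers = 'CONNECT-PROD', 'CONNECT-STAGE'   # assumed hostnames; replace with your own

function Get-ConnectServerState {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module ADSync
        $s = Get-ADSyncScheduler
        [pscustomobject]@{
            Server              = $env:COMPUTERNAME
            StagingModeEnabled  = $s.StagingModeEnabled
            SyncCycleEnabled    = $s.SyncCycleEnabled
            SyncCycleInProgress = $s.SyncCycleInProgress
        }
    } | Select-Object Server, StagingModeEnabled, SyncCycleEnabled, SyncCycleInProgress
}

function Assert-SingleActiveConnect {
    param([string[]]$ComputerName)
    $state  = @(Get-ConnectServerState -ComputerName $ComputerName)
    $active = @($state | Where-Object { -not $_.StagingModeEnabled })

    if ($active.Count -ne 1) {
        throw "Expected exactly one active server, found $($active.Count): $(($active | ForEach-Object Server) -join ', ')"
    }
    if ($state | Where-Object SyncCycleInProgress) {
        throw 'A sync cycle is running on at least one server; wait before swapping or starting maintenance.'
    }
    $state
}

# Run once before touching anything, and again after the wizard has flipped staging
# mode on both servers. Either call throwing means stop and look before going further.
Assert-SingleActiveConnect -ComputerName $servers | Format-Table -AutoSize
```

Order matters during the swap: put the production server into staging mode first, then take the staging server out of it, so the worst case is a short gap with no exporter rather than a moment with two.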

Monitor sync cycle duration over time

A sync cycle that took 20 minutes six months ago and now takes 2 hours has degraded for a reason. Common causes of progressive degradation:

  • Directory growth. More objects, more sync work. If your directory grows 20% year-on-year, sync time grows proportionally unless filtered.
  • Attribute proliferation. Applications adding custom attributes to AD objects increase the data volume per object.
  • Increased group complexity. Dynamic groups, nested groups, and groups with growing membership all increase the sync engine's resolution work.

Set up monitoring on the Event Log entries that record sync cycle start and end times, and alert when cycle duration exceeds a threshold (for example, 60 minutes). Choose the threshold so that an alert gives you lead time to investigate before the delay becomes visible to users.
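Where the Event Log entries are not already wired into a monitoring system, the same signal can be produced on the server itself. The script below is an added example, not part of the original guide; it works out the duration of the most recent scheduler cycle from the run history and writes a Warning event to the Application log when that duration crosses the threshold or any step failed, which is enough for any log-forwarding or monitoring agent to alert on. It assumes Get-ADSyncRunProfileResult returns StartDate, EndDate and Result, that those timestamps convert cleanly with ToUniversalTime(), and it uses Write-EventLog, which exists in Windows PowerShell 5.1 but not in PowerShell 7. The event source name and event IDs are assumed values.

```powershell
# Added example: measure the last sync cycle and raise an Application log event
# when it exceeds a threshold. Suited to a scheduled task running every few minutes.
Import-Module ADSync

function Get-LastSyncCycleDuration {
    $sched = Get-ADSyncScheduler
    # The scheduler reports the next start time; the last cycle began one interval earlier.
    $lastStartUtc = $sched.NextSyncCycleStartTimeInUTC - $sched.CurrentlyEffectiveSyncCycleInterval

    # Collect the completed run steps that started within that cycle (2-minute slack for clock drift).
    $runs = @(Get-ADSyncRunProfileResult -NumberRequested 50 | Where-Object {
        $_.EndDate -and $_.StartDate.ToUniversalTime() -ge $lastStartUtc.AddMinutes(-2)
    })
    if ($runs.Count -eq 0) { return $null }

    $first = ($runs | Sort-Object StartDate | Select-Object -First 1).StartDate
    $last  = ($runs | Sort-Object EndDate   | Select-Object -Last 1).EndDate
    [pscustomobject]@{
        CycleStart = $first
        CycleEnd   = $last
        Minutes    = [math]::Round(($last - $first).TotalMinutes, 1)
        Steps      = $runs.Count
        Failures   = @($runs | Where-Object { $_.Result -ne 'success' }).Count
    }
}

function Test-SyncCycleDuration {
    param(
        [int]$ThresholdMinutes = 60,             # threshold suggested in the guide
        [string]$Source = 'ConnectSyncWatch'     # assumed event source name
    )
    $cycle = Get-LastSyncCycleDuration
    if (-not $cycle) { return }

    # Registering the source needs admin rights once; later runs skip this.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }

    $message = "Last sync cycle: $($cycle.Minutes) min, $($cycle.Steps) steps, $($cycle.Failures) failed " +
               "(started $($cycle.CycleStart), finished $($cycle.CycleEnd))."
    if ($cycle.Minutes -gt $ThresholdMinutes -or $cycle.Failures -gt 0) {
        Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 9001 -Message $message
    } else {
        Write-EventLog -LogName Application -Source $Source -EntryType Information -EventId 9000 -Message $message
    }
    $cycle
}

Test-SyncCycleDuration -ThresholdMinutes 60
```

Alert on the Warning event (9001 here) and also on the absence of any event for longer than two sync intervals: a Connect server whose scheduler has been left disabled produces no slow cycles, only silence.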

In Log Analytics, if you have Entra Connect Health configured, you can query sync performance history:

AADConnectHealthSyncMonitoringEvents
| where TimeGenerated > ago(30d)
| summarize avg(SyncDurationInSeconds) by bin(TimeGenerated, 1d)
| render timechart

A rising trend in this chart warrants investigation before it reaches the point of impacting user provisioning.

Accelerate provisioning for urgent account changes

The 30-minute default sync cycle means a new account or password reset in on-premise AD can take up to 30 minutes to appear in Entra ID. For urgent provisioning (a new employee needing same-day access), trigger a delta sync manually:

Start-ADSyncSyncCycle -PolicyType Delta

This processes only changes since the last cycle. A delta sync typically completes in a few minutes, so the change reaches Entra ID without waiting for the next scheduled cycle. Do not trigger full syncs manually unless you have a specific reason: full syncs process all objects and are significantly more resource-intensive.
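Start-ADSyncSyncCycle refuses to start while another cycle is already running, which is exactly the situation a help desk hits when it runs the command the moment a ticket arrives. The wrapper below is an added example, not part of the original guide; it waits for any running cycle to finish, starts the delta sync, waits for it to complete and reports how many steps ran and whether any failed. It assumes Get-ADSyncScheduler exposes SyncCycleInProgress and that Get-ADSyncRunProfileResult returns StartDate and Result; the 15-minute timeout is an assumed value.

```powershell
# Added example: on-demand delta sync that tolerates an already-running cycle
# and confirms the outcome. Run elevated on the Connect server.
Import-Module ADSync

function Start-DeltaSyncNow {
    param([int]$TimeoutMinutes = 15)   # assumed upper bound for waiting
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)

    # Wait for an in-progress cycle rather than failing with "already running".
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the running cycle to finish.' }
        Start-Sleep -Seconds 15
    }

    $started = Get-Date
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 10   # give the scheduler a moment to mark the cycle as running

    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw 'Delta cycle still running at timeout; check Synchronisation Service Manager.'
        }
        Start-Sleep -Seconds 15
    }

    # Summarise the steps that ran as part of this cycle.
    $steps = @(Get-ADSyncRunProfileResult -NumberRequested 20 | Where-Object { $_.StartDate -ge $started })
    [pscustomobject]@{
        StartedAt = $started
        Minutes   = [math]::Round(((Get-Date) - $started).TotalMinutes, 1)
        Steps     = $steps.Count
        Failed    = @($steps | Where-Object { $_.Result -ne 'success' }).Count
    }
}

Start-DeltaSyncNow
```

A non-zero Failed count after a delta sync is the cue to look at the export step in Synchronisation Service Manager before telling the user to try again: the account may have reached Entra ID with an error rather than not at all.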

Where Critical Cloud comes in

Slow or failing Azure AD Connect sync creates identity problems that surface as user-reported authentication failures, and diagnosing them requires access to both the on-premise AD and the Entra ID portal simultaneously. We manage hybrid identity environments for regulated and technology-led businesses, with sync health monitored as a live operational signal rather than discovered during incident investigation. See how Critical Support works.