Introduction

A tenant migration can prepare a new Entra environment while Entra Connect Sync still exports identity changes to the old tenant. On-premises sync appears healthy, but cloud updates land in the wrong directory, one sync server exports to the intended tenant while a previously active or mis-cutover server still targets the earlier one, or failures start only after old tenant credentials are disabled because connector configuration, active-server state, and cutover steps often drift apart.

Treat this as a connector-target and active-server problem instead of a generic directory sync outage. Start by checking which tenant an affected Entra Connect server actually exports to, because migrations often validate the new connector once while scheduled sync or a wrongly activated server continues sending changes to the earlier tenant.

Symptoms

  • Entra Connect Sync still exports to the old tenant after migration
  • Sync cycles complete, but cloud user or group updates appear in the retired tenant
  • One sync server uses the new tenant while another still exports to the previous one
  • Export failures begin only after old tenant credentials or service endpoints are removed
  • On-premises directory changes are healthy, but the intended tenant never receives them
  • The issue started after a tenant migration, sync server replacement, or staging-server cutover

Common Causes

  • The active Azure AD connector still targets the old tenant
  • A previously primary sync server was left active, or a staging-server cutover was handled incorrectly, so the wrong node still performs exports
  • Connector credentials were rotated, but the export target tenant was not changed consistently
  • Scheduler state, staging versus active role, or cutover runbooks updated one sync node but not another
  • Automation or backup-based rebuilds restored an older connector configuration
  • Validation confirmed the new tenant accepted test syncs but did not verify which server performed real exports

Step-by-Step Fix

  1. Capture one affected export cycle and record the active Entra Connect server, connector target, scheduler state, and tenant context it actually uses, because the live export path determines where directory changes really land.
  2. Compare that active sync path with the intended post-migration identity design, because one wrongly active server or stale connector can keep ongoing exports tied to the retired tenant.
  3. Review Entra Connect connector configuration, active versus staging server status, scheduler settings, service credentials, and rebuild automation for references to the old tenant, because export ownership depends on both connector targeting and which node is actually active.
  4. Check every sync node separately if your design includes staging servers, because migrations often prepare the new primary while the previous server still performs exports.
  5. Ensure the Microsoft Entra connector and sync server configured for the intended tenant are the only ones active for export, because preparing a new tenant connection alone does not transfer sync ownership from the previous node.
  6. Use a staging-mode server and pending-export inspection to validate the expected changes on the correctly configured node before a live export, then run a controlled sync from the active node and confirm the intended tenant receives the expected directory change, because a completed sync cycle does not prove the right tenant handled the export.
  7. Verify the old tenant no longer receives cloud object updates from any remaining sync node, because split export paths can stay hidden while both tenants remain reachable.
  8. Review connector credentials, licensing state, and sync rule scope if exports still fail, because the destination can be correct while tenant trust or connector policy still blocks the new path.
  9. Document which team owns sync server activation, connector configuration, and migration validation so future tenant cutovers verify the actual export target before retiring the previous tenant relationship.