Learn IAM
Learn IAM

Hybrid Identity: Entra ID and Active Directory

Hybrid Identity: Entra ID and Active Directory

Substantive Overview

For most enterprises, "Hybrid Identity" is not a transitional state—it is the operating model for the foreseeable future. While the long-term goal may be "cloud-native," the reality is that Active Directory (AD) remains the authoritative source for on-premises resources, legacy applications, and server infrastructure. The challenge is not just "syncing users" but extending the trust boundary from the on-premises perimeter to the cloud, establishing Entra ID as the modern control plane.

A robust Hybrid Identity architecture does three things:

  1. Unifies Identity: Creates a single identity for users across on-prem and cloud (Entra Connect).
  2. Modernizes Authentication: Shifts authentication responsibility to the cloud (Password Hash Sync) to enable Zero Trust features like Smart Lockout, Identity Protection, and credential monitoring.
  3. Establishes Device Trust: Bridges on-prem device state (Hybrid Join) to cloud policy (Conditional Access).

"Good" looks like an environment where AD is merely a source of truth for identity attributes and legacy auth (Kerberos/NTLM), while Entra ID handles 100% of authentication and authorization policy. Dependencies on ADFS are removed, and "cloud-native" authentication (PHS) is the standard.

Architecture & Patterns

Pattern 1: Modern Managed Authentication (The Gold Standard)

The most resilient pattern. Users authenticate directly to Entra ID. AD is the source of authority, but Entra ID holds the keys.

Diagram

Pattern 2: Hybrid Device Trust Topology

Critical for Zero Trust. Devices joined to AD register with Entra ID to provide device state as a policy signal.

Diagram

Pattern 3: Legacy Federation (The Anti-Pattern to Retire)

Relying on ADFS for Office 365/Entra ID authentication introduces unnecessary complexity and a massive blast radius.

Diagram

Key Design Decisions

DecisionOptionsRecommendationContext
Auth MethodPassword Hash Sync (PHS) vs. Pass-Through (PTA) vs. Federation (ADFS)PHSPHS enables leaked credential detection and is immune to on-prem outages. PTA/ADFS create hard dependencies on on-prem infra availability.
Sync ToolEntra Connect Sync (Classic) vs. Cloud SyncEntra Connect (for now)Cloud Sync is the future but still lacks parity for complex scenarios (e.g., specific device writeback needs, extensive custom rules). Use Cloud Sync for M&A/disconnected forests.
Anchor AttributeobjectGUID vs. mS-DS-ConsistencyGuidmS-DS-ConsistencyGuidAllows for easier migration of objects between forests without breaking cloud identity linkage.
Group WritebackEnabled vs. DisabledEnabled (Selective)Necessary for Entra ID Governance features to manage on-prem groups, but requires careful scope management.
Device StrategyHybrid Join vs. Entra JoinEntra Join (Roadmap)Hybrid Join is the bridge for existing fleets. New deployments should prioritize Entra Join (cloud-only) where possible to reduce AD dependency.

Implementation Strategy

Phase 0: Discovery & Assessment

  • Inventory: Map all AD Forests, domains, and trust relationships.
  • Health Check: Run IdFix to identify formatting errors (duplicates, illegal characters) in AD.
  • Dependency Map: Identify applications hard-coded to LDAP/ADFS.
  • Network: Ensure connectivity to Azure IP ranges (port 443, 80).

Phase 1: Foundation (Sync)

  • Install Entra Connect: Deploy on a dedicated Tier 0 server (hardened).
  • Configure Filtering: Sync only required OUs. Do not sync admin accounts or service accounts unless explicitly needed.
  • ImmutableID: Configure source anchor (mS-DS-ConsistencyGuid).
  • Soft Match: Match existing cloud users to on-prem users (SMTP/UPN matching).

Phase 2: Authentication Modernization

  • Enable PHS: Turn on Password Hash Sync (even if using ADFS) as a disaster recovery backup.
  • Staged Rollout: Use Entra ID Staged Rollout features to move groups of users from Federation to PHS/MFA without a "big bang" cutover.
  • SSO: Enable Seamless Single Sign-On (SSO) via Kerberos decryption key in AD.

Phase 3: Device & Zero Trust Integration

  • Hybrid Join: Configure SCP in AD and enable Hybrid Join in Entra Connect.
  • Writeback: Enable Device Writeback (if using Windows Hello for Business) and Password Writeback (for SSPR).
  • Conditional Access: Implement "Require Hybrid Joined Device" for sensitive apps.

Phase 4: Operate & optimize

  • Monitoring: Install Entra Connect Health agents.
  • Lifecycle: Establish process for handling sync errors (duplicate attributes).
  • Upgrade: Plan for Entra Connect auto-upgrade or manual quarterly patching.

Risks & Anti-Patterns

RiskLikelihoodImpactMitigation
Syncing Admin AccountsHighCriticalNever sync Domain Admins. Use cloud-only accounts for Entra ID administration (break-glass).
ADFS DependencyMediumHighMigrate to PHS. If ADFS is required for legacy apps, isolate it. Do not use it for O365.
Soft-Match FailuresMediumMediumEnsure UPNs and ProxyAddresses are unique and clean before syncing.
"User Type" ConfusionLowHighTreat Guest users (B2B) distinct from Member users. Don't sync partners as Member objects if possible.
Weak On-Prem SecurityHighCriticalAn on-prem compromise is a cloud compromise in Hybrid. Harden the AD Tier 0 assets ruthlessly.

KPIs & Outcomes

  • Authentication Availability: 99.99% (decoupled from on-prem WAN links via PHS).
  • Sync Latency: under 30 minutes for attribute updates.
  • Security Coverage: 100% of users covered by Identity Protection (requires PHS).
  • Legacy Auth Reduction: 0% of authentications using legacy protocols (IMAP/POP/Basic Auth) against Entra ID.

Workshop Questions

  1. How many AD forests exists, and are there trust relationships between them?
  2. Are there any "disconnected" forests (M&A) that need to sync to the same tenant?
  3. What is the current "Source of Truth" for HR/provisioning?
  4. Do you currently use ADFS? If so, is it for O365 or just 3rd party apps?
  5. Are there legal/compliance requirements preventing password hashes (even salted/hashed) from leaving specific geographies?
  6. How do you currently handle "leavers" – does disabling in AD reliably kill access in cloud?
  7. Do you have "cloud-only" admins, or are you syncing admins from on-prem (Anti-pattern)?
  8. What is the strategy for workstation management (SCCM vs Intune)?
  9. Are you using smartcards/PIV/CAC on-premises?
  10. Do you utilize "Shadow IT" discovery logs to see what users are accessing?
  11. What is the process for resolving sync errors?
  12. Have you run the IdFix tool?
  13. Is Password Writeback required for SSPR?
  14. Do you need to support "Seamless SSO" for older Windows 7/8 clients?
  15. What is the plan for retiring the on-prem Exchange Hybrid server?

Checklist

  • IdFix Run: remediate all attribute errors.
  • UPN Strategy: Align on-prem UPNs to match public email domains (verified domains in Entra).
  • Tier 0 Separation: Ensure Entra Connect server is treated as a Domain Controller equivalent.
  • Firewall Rules: Open outbound 443/80 to Azure ranges.
  • Recycle Bin: Enable AD Recycle Bin on-premises.
  • Staged Rollout: Configure Staged Rollout groups for testing Auth migration.
  • Break Glass: Create 2x Cloud-Only Global Admin accounts (excluded from MFA/Policies).
  • Documentation: Diagram the sync topology and attribute flows.

References