Azure, Office 365, Technology

5. Planning for Hybrid Identity Management


Planning for Azure AD/Microsoft 365 Hybrid On-Premise Infrastructure


  • You can integrate M365 with existing directory services and on premises Exchange Server etc….
  • You can synchronise and manage user accounts for both environments. You can add password hash synchronisation or SSO so users can logon to both environments with their on premise credentials
  • When integrating with on premise server products you create a hybrid environment.


Azure Ad Connect Export and Import – Mr T-Bone´s Blog

Azure AD password hash synchronization. The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure. 


Azure AD Pass-through Authentication. Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn’t happen in the cloud.


Planning out the Identity and Authentication Solutions

Here are the two types of identity and their best fit and benefits.


Cloud-only identity

Hybrid identity


User account only exists in the Azure AD tenant for your Microsoft 365 subscription.

User account exists in AD DS and a copy is also in the Azure AD tenant for your Microsoft 365 subscription. The user account in Azure AD might also include a hashed version of the already hashed AD DS user account password.

How Microsoft 365 authenticates user credentials

The Azure AD tenant for your Microsoft 365 subscription performs the authentication with the cloud identity account.

The Azure AD tenant for your Microsoft 365 subscription either handles the authentication process or redirects the user to another identity provider.

Best for

Organizations that do not have or need an on-premises AD DS.

Organizations using AD DS or another identity provider.

Greatest benefit

Simple to use. No extra directory tools or servers required.

Users can use the same credentials when accessing on-premises or cloud-based resources.

From <>

Azure AD Connect

This provides the account synchronisation from AD DS to Azure AD. It runs on an on premise server and checks for changes in the AD DS, then forwards them to Azure AD.

You can filter which accounts are synced and whether to sync a hashed version of the user passwords, known as password hash synchronisation.

Changes mostly only flow one way. Changes made to accounts in AD DS are synced to the cloud, but changes made to Azure AD accounts are not synced back to AD DS


Administration of Hybrid Identities

These are managed in the same way as standard on premise AD DS users.

Leave a Reply

Your email address will not be published. Required fields are marked *