What is hybrid identity with Azure Active Directory?

Today, businesses, and corporations are becoming more and more a mixture of on-premises and cloud applications. Users require access to those applications both on-premises and in the cloud. Managing users both on-premises and in the cloud poses challenging scenarios.

Microsoft’s identity solutions span on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.

With hybrid identity to Azure AD and hybrid identity management these scenarios become possible.

To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:

• Password hash synchronization (PHS)
• Pass-through authentication (PTA)
• Federation (AD FS)

These authentication methods also provide single-sign on capabilities. Single-sign on automatically signs your users in when they are on their corporate devices, connected to your corporate network.

For additional information, see Choose the right authentication method for your Azure Active Directory hybrid identity solution.

Common scenarios and recommendations

Here are some common hybrid identity and access management scenarios with recommendations as to which hybrid identity option (or options) might be appropriate for each.

I need to:	PHS and SSO1	PTA and SSO2	AD FS3
Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically.
Set up my tenant for Microsoft 365 hybrid scenarios.
Enable my users to sign in and access cloud services using their on-premises password.
Implement single sign-on using corporate credentials.
Ensure no password hashes are stored in the cloud.
Enable cloud-based multi-factor authentication solutions.
Enable on-premises multi-factor authentication solutions.
Support smartcard authentication for my users.4

¹ Password hash synchronization with single sign-on.

² Pass-through authentication and single sign-on.

³ Federated single sign-on with AD FS.

⁴ AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be soft-certificates deployed via trusted provisioning channels such as MDM or GPO or smartcard certificates (including PIV/CAC cards) or Hello for Business (cert-trust). For more information about smartcard authentication support, see this blog.

License requirements for using Azure AD Connect

Using this feature is free and included in your Azure subscription.

Next Steps

• What is Azure AD Connect and Connect Health?
• What is password hash synchronization (PHS)?
• What is pass-through authentication (PTA)?
• What is federation?
• What is single-sign on?