Hybrid Identity with Microsoft Entra ID

Completed

Organizations are a mixture of on-premises and cloud applications. Users require access to those applications both on-premises and in the cloud.

Microsoft identity spans on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location.

To achieve hybrid identity with Microsoft Entra ID, one of three authentication methods can be used, depending on your scenarios. The three methods are:

• Password hash synchronization (PHS)
• Pass-through authentication (PTA)
• Federation (AD FS)

These authentication methods also provide single-sign on capabilities. Single-sign on automatically signs your users in when they are on their corporate devices, connected to your corporate network.

Common scenarios and recommendations

Below are common hybrid identity and access management scenarios with recommendations as to which hybrid identity option (or options) might be appropriate for each.

I need to:

PHS and SSO1¹

PTA and SSO2²

AD FS3³

Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically.

Yes

Yes

Yes

Set up my tenant for Office 365 hybrid scenarios.

Yes

Yes

Yes

Enable my users to sign in and access cloud services using their on-premises password.

Yes

Yes

Yes

Implement single sign-on using corporate credentials.

Yes

Yes

Yes

Ensure no password hashes are stored in the cloud.

Yes

Yes

Enable cloud-based multifactor authentication solutions.

Yes

Yes

Yes

Enable on-premises multifactor authentication solutions.

Yes

Support smartcard authentication for my users.⁴

Yes

Display password expiry notifications in the Office Portal and on the Windows 10 desktop.

Yes

¹ Password hash synchronization with single sign-on.

² Pass-through authentication and single sign-on.

³ Federated single sign-on with AD FS.

⁴ AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be soft-certificates deployed via trusted provisioning channels such as MDM or GPO or smartcard certificates (including PIV/CAC cards) or Hello for Business.