Hybrid Identity with Microsoft Entra ID
Organizations run a mixture of on-premises and cloud applications, and users need access to those applications both on-premises and in the cloud.
Microsoft identity spans on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location.
To achieve hybrid identity with Microsoft Entra ID, one of three authentication methods can be used, depending on your scenarios. The three methods are:
- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
- Federation (AD FS)
These authentication methods also provide single sign-on capabilities. Single sign-on automatically signs your users in when they are on corporate devices connected to your corporate network.
Common scenarios and recommendations
Below are common hybrid identity and access management scenarios with recommendations as to which hybrid identity option (or options) might be appropriate for each.
| I need to: | PHS and SSO¹ | PTA and SSO² | AD FS³ |
| --- | --- | --- | --- |
| Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically. | Yes | Yes | Yes |
| Set up my tenant for Office 365 hybrid scenarios. | Yes | Yes | Yes |
| Enable my users to sign in and access cloud services using their on-premises password. | Yes | Yes | Yes |
| Implement single sign-on using corporate credentials. | Yes | Yes | Yes |
| Ensure no password hashes are stored in the cloud. | | Yes | Yes |
| Enable cloud-based multifactor authentication solutions. | Yes | Yes | Yes |
| Enable on-premises multifactor authentication solutions. | | | Yes |
| Support smartcard authentication for my users.⁴ | | | Yes |
| Display password expiry notifications in the Office Portal and on the Windows 10 desktop. | | | Yes |
¹ Password hash synchronization with single sign-on.
² Pass-through authentication and single sign-on.
³ Federated single sign-on with AD FS.
⁴ AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be soft certificates deployed via trusted provisioning channels such as MDM or GPO, smartcard certificates (including PIV/CAC cards), or Hello for Business.
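The table's columns correspond to what Microsoft Entra ID advertises for a domain through its user-realm discovery endpoint: a "Managed" domain verifies passwords in the cloud (PHS or PTA), while a "Federated" domain redirects sign-in to an identity provider such as AD FS. The following script, an added example that is not part of the original article, maps that response to the table's options so an administrator can confirm which hybrid path a domain is on. It assumes the getuserrealm.srf endpoint and its NameSpaceType, DomainName and AuthURL fields; the sample responses are constructed, not captured from a real tenant.

```python
"""Classify a domain's hybrid identity path from Entra ID realm discovery.

Managed domains use PHS or PTA (password verified by Entra ID or by a
pass-through agent); Federated domains hand sign-in to an IdP such as AD FS.
"""
import json
import urllib.parse
import urllib.request

REALM_URL = "https://login.microsoftonline.com/getuserrealm.srf"


def classify_realm(realm_json: str) -> dict:
    """Map a getuserrealm.srf JSON document to the comparison table's columns."""
    realm = json.loads(realm_json)
    ns_type = realm.get("NameSpaceType", "Unknown")
    if ns_type == "Managed":
        # Cloud-verified password: PHS or PTA; the endpoint does not say which.
        options = ["PHS and SSO", "PTA and SSO"]
    elif ns_type == "Federated":
        # Sign-in is redirected to the federation server advertised in AuthURL.
        options = ["AD FS"]
    else:
        options = []  # domain not known to Entra ID
    return {
        "domain": realm.get("DomainName"),
        "namespace_type": ns_type,
        "hybrid_options": options,
        "federation_url": realm.get("AuthURL"),
    }


def fetch_realm(upn: str, timeout: float = 10.0) -> str:
    """Query the discovery endpoint for a sign-in name (network required)."""
    query = urllib.parse.urlencode({"login": upn, "json": "1"})
    with urllib.request.urlopen(f"{REALM_URL}?{query}", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses for offline use (not real tenant data).
SAMPLE_MANAGED = json.dumps({"NameSpaceType": "Managed",
                             "Login": "user@contoso.example",
                             "DomainName": "contoso.example"})
SAMPLE_FEDERATED = json.dumps({"NameSpaceType": "Federated",
                               "Login": "user@fabrikam.example",
                               "DomainName": "fabrikam.example",
                               "FederationBrandName": "Fabrikam",
                               "AuthURL": "https://adfs.fabrikam.example/adfs/ls/"})

if __name__ == "__main__":
    for sample in (SAMPLE_MANAGED, SAMPLE_FEDERATED):
        print(classify_realm(sample))
```

Run `classify_realm(fetch_realm("someone@yourdomain"))` against your own verified domains to check that the advertised path matches the option you intended to deploy.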