What's Hybrid Identity?

Hello everyone,

Now that I've got Azure AD, how can I take advantage of my investments in ADDS?

This is the main use case for Azure AD: extending your on-prem Active Directory to the cloud by synchronizing your identities from ADDS to Azure AD.

Azure AD Connect is the tool that enables this synchronization.

Once your ADDS identities are synchronized to Azure AD, your users can start accessing cloud services and apps with the same username and password they use on-prem.

We offer flexibility here; it's not all or nothing. You don't have to sync every single identity, and you may also have cloud-only users.

The apps can be hosted anywhere, from on-prem to the cloud, and we offer sign-in solutions that cover most scenarios:

  • Password Synchronization
  • Pass-through Authentication (PTA)
  • Federation (ADFS)
  • Seamless SSO

Password sync provides a same sign-on (sSO) user experience when accessing cloud apps, by synchronizing users and their passwords to Azure AD.

PTA gives you the ability to validate the user's password on-prem without ADFS. This feature is built on top of the Azure AD Application Proxy and requires connectors/agents to proxy authentication requests to your Domain Controllers.

ADFS allows you to keep your users' passwords under your control while offering true SSO: users are authenticated on-prem, and you manage the trusts with other service and identity providers.

Last but not least, Seamless SSO, which comes in two flavors: with Password Sync or with PTA. Both provide true SSO without ADFS. With password sync no connector is needed, since passwords are synchronized; Seamless SSO with PTA requires a connector and a computer account to provide SSO from domain-joined machines.

By using Azure AD Application Proxy with the PingAccess add-on to publish your on-prem apps, this functionality can be extended to custom web apps, providing a complete solution for most on-prem apps.
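Before choosing between these options, or when auditing a tenant you inherited, it helps to see which of them is actually in effect. The following PowerShell script is an added example and is not part of the original post or of Azure AD Connect itself. It assumes the classic MSOnline module is installed and you have already run Connect-MsolService with an account allowed to read company and domain settings; the second function additionally assumes it runs on the Azure AD Connect server, where the ADSync module is available. The function names and the 3-hour staleness threshold are my own choices. Note that these cmdlets distinguish managed from federated domains and show whether password sync is on, but they do not expose whether PTA is enabled.

```powershell
# Added example (not from the original post): inventory the hybrid sign-in
# configuration of a tenant and check that directory sync is not stale.
# Assumes the MSOnline module and a prior Connect-MsolService.

function Get-HybridSignInSummary {
    $company = Get-MsolCompanyInformation

    # Each verified domain is either Managed (password sync or PTA) or
    # Federated (ADFS or another STS). For federated domains, record where
    # sign-in is redirected so you can confirm it is your own ADFS farm.
    $domains = foreach ($domain in Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }) {
        $entry = [PSCustomObject]@{
            Domain          = $domain.Name
            Authentication  = $domain.Authentication
            PassiveLogOnUri = $null
            IssuerUri       = $null
        }
        if ($domain.Authentication -eq 'Federated') {
            $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
            $entry.PassiveLogOnUri = $fed.PassiveLogOnUri
            $entry.IssuerUri       = $fed.IssuerUri
        }
        $entry
    }

    [PSCustomObject]@{
        Tenant               = $company.DisplayName
        DirectorySyncEnabled = $company.DirectorySynchronizationEnabled
        LastDirSyncTime      = $company.LastDirSyncTime
        PasswordSyncEnabled  = $company.PasswordSynchronizationEnabled
        LastPasswordSyncTime = $company.LastPasswordSyncTime
        Domains              = $domains
    }
}

function Get-ConnectSchedulerHealth {
    # Run on the Azure AD Connect server. Flags a scheduler that is disabled
    # or suspended, or a last sync older than the threshold: a stale sync means
    # on-prem changes (disabled accounts, password changes) are not reaching
    # the cloud, which is exactly what hybrid identity relies on.
    param([int]$MaxAgeHours = 3)   # threshold is an assumption; tune to your sync interval

    Import-Module ADSync -ErrorAction Stop
    $scheduler = Get-ADSyncScheduler
    $company   = Get-MsolCompanyInformation
    $age       = (Get-Date).ToUniversalTime() - $company.LastDirSyncTime

    [PSCustomObject]@{
        SyncCycleEnabled   = $scheduler.SyncCycleEnabled
        SchedulerSuspended = $scheduler.SchedulerSuspended
        StagingMode        = $scheduler.StagingModeEnabled
        Interval           = $scheduler.CurrentlyEffectiveSyncCycleInterval
        NextSyncUtc        = $scheduler.NextSyncCycleStartTimeInUTC
        LastSyncAgeHours   = [math]::Round($age.TotalHours, 1)
        Healthy            = $scheduler.SyncCycleEnabled -and
                             -not $scheduler.SchedulerSuspended -and
                             $age.TotalHours -le $MaxAgeHours
    }
}

# Usage (after Connect-MsolService):
#   Get-HybridSignInSummary | Format-List
#   Get-ConnectSchedulerHealth | Format-List
```

A federated domain whose PassiveLogOnUri points somewhere other than your own ADFS endpoint, or a managed domain whose LastPasswordSyncTime is empty while PasswordSyncEnabled is true, are the two findings this report is meant to surface quickly.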

Hybrid identity is NOT the same as extending your ADDS infrastructure to the cloud using Azure IaaS; however, you may deploy Domain Controllers into Azure Virtual Machines as a Disaster Recovery site or as an additional branch 'office', provided the necessary connectivity to on-premises AD exists.

Hope it helps!

Paulo Francisco Viralhadas

Premier Field Engineer - Secure Infrastructure - Microsoft