What Does Hybrid Identity Design Mean?
Also known as: Hybrid Identity Design, Azure AD Connect, AZ-305 identity design, hybrid identity Azure, Microsoft Entra ID hybrid
Quick Definition
Hybrid Identity Design is about planning how your users will sign in once and access everything they need, whether that thing is stored in your office computers or in the cloud. It combines your existing company directory, like Active Directory, with a cloud directory, like Azure Active Directory. This way, you don't have to manage separate usernames and passwords for the same person in two different places.
Must Know for Exams
Hybrid Identity Design is a cornerstone objective in the Microsoft Azure Architect Design (AZ-305) exam. This exam is about designing infrastructure solutions, and identity is the foundation of all security and management. The exam blueprint explicitly includes the objective 'Design identity, governance, and monitoring solutions' and a significant sub-objective on 'Design an identity solution'. Candidates are expected to understand when to recommend a hybrid identity solution versus a cloud-only identity solution.
The exam tests your ability to make design decisions based on business requirements. You will be given scenarios where a company has an existing on-premises Active Directory and is moving to Azure. You must recommend the correct synchronization tool (Azure AD Connect vs. Entra Cloud Sync), the appropriate authentication method (PHS, PTA, or Federation), and how to implement Seamless SSO.
You are also tested on the security implications. The exam will ask about protecting privileged identities and how to design for secure hybrid access. You must understand the difference between Azure AD Domain Services and Active Directory Domain Services, and when to extend your on-premises domain to Azure vs. using Azure AD DS.
Expect scenario-based questions where you must evaluate trade-offs. For example, a question might describe a company that requires immediate account lockout for terminated employees with no cloud connectivity. You would need to know that Pass-through Authentication (PTA) can enforce this, while Password Hash Sync might have a replication delay. Understanding these nuances is key to passing the AZ-305 exam.
Simple Meaning
Imagine you work for a company that has two separate libraries. One library is in your office building, with all the old reference books and historical files. The other library is a new, modern online library that has the latest digital books and online journals. In the old way, you would need a physical membership card for the office library and a completely different username and password for the online library. This is confusing and annoying. Hybrid Identity Design is like creating a single, universal library card that works for both libraries. When you sign in to the online library with your universal card, it automatically checks your membership in the office library too.
To make this work, the system needs to connect the two membership databases. It must constantly make sure that if you change your name or address in the office library database, the same change appears in the online library system automatically. If you leave the company, your card is deactivated in both places at once. This single sign-in system is what we call identity synchronization. It is the core of Hybrid Identity Design.
This design also considers security. Not every person should have access to every book. Some books in the office library might be for managers only. The universal card needs to check not just who you are, but what you are allowed to see. This is done through a process called authentication, which is proving you are who you say you are, and authorization, which is checking what you are allowed to do. Hybrid Identity Design plans all of this so that the experience is seamless for the user, but secure for the company. It is the blueprint for connecting your on-premises world to the cloud world without making users carry two sets of keys.
Full Technical Definition
Hybrid Identity Design refers to the architectural planning and implementation that integrates an organization's existing on-premises Identity and Access Management (IAM) infrastructure, typically Microsoft Active Directory Domain Services (AD DS), with a cloud-based identity provider, most commonly Microsoft Entra ID (formerly Azure Active Directory). The primary goal is to provide a unified identity for users, enabling them to access both on-premises applications and cloud-based resources like Microsoft 365, Azure, and third-party SaaS applications with a single set of credentials.
The foundation of this design is directory synchronization. Microsoft provides the tool Azure AD Connect (or the newer Entra Cloud Sync) to automate this process. Azure AD Connect runs on a server on-premises and performs the continuous synchronization of user objects, group memberships, and password hashes from AD DS to Entra ID. This synchronization is not a one-time copy; it is a continuous, incremental replication. When a user changes their password on-premises, that hash change is synced to the cloud, usually within minutes.
A critical technical component is the authentication method. The hybrid design must choose between Password Hash Synchronization (PHS), Pass-through Authentication (PTA), or Federation (e.g., Active Directory Federation Services, AD FS). PHS syncs password hashes so cloud sign-ins can authenticate directly against Entra ID. PTA validates cloud sign-ins against the on-premises Active Directory through an on-premises agent, without syncing password hashes. Federation relies on a trust relationship in which Entra ID redirects users to an on-premises federation service for authentication.
Another essential element is Seamless Single Sign-On (SSO). This feature automatically signs users into cloud resources when they are on a domain-joined device connected to the corporate network. It eliminates the need for users to re-enter their credentials. This is achieved by allowing Entra ID to issue Kerberos tickets for cloud resources.
Finally, Conditional Access policies are a key part of the design. These policies evaluate signals such as user location, device compliance, and risk level to enforce access controls. A well-designed hybrid identity strategy integrates these policies to cover both on-premises and cloud resources, ensuring that access is granted only when security requirements are met.
Real-Life Example
Think of a large office building with a secure parking garage and multiple floors containing different departments. The old system required employees to have a physical key for the parking garage and a different keycard for each floor. This is like having separate identities for every resource.
Hybrid Identity Design is like installing a modern, centralized security system. Every employee gets a single electronic badge. This badge is your hybrid identity. The system that manages this badge is your identity provider. The building's central security office is your on-premises Active Directory. The cloud-based badge management app that HR uses to order new badges is your Microsoft Entra ID.
When you are hired, HR creates your profile in the central security office and issues your badge. This is the on-premises identity creation. Then, the system automatically syncs that profile to the cloud app. This is directory synchronization. Now the cloud app knows who you are. When you drive into the parking garage, you swipe your badge. The garage gate checks with the central security office to see if you have parking privileges. This is authentication.
Later, you go to the third floor finance department. You swipe your badge at the door. This time, the door reader sends your badge number to the cloud app, which checks your permissions. The cloud app trusts the badge because it is synced from the central office. This is the hybrid model in action. If you are promoted and given access to the executive floor, the change is made in the central office and synced to the cloud automatically. The next day, your badge works on the new floor. If you leave the company, the badge is deactivated centrally, and the sync ensures it stops working everywhere, including the parking garage and every floor, instantly.
Why This Term Matters
In real IT work, managing two separate sets of identities is a security and operational nightmare. Before hybrid identity design became standard, companies would have to manually create a user in their on-premises Active Directory and then manually create the same user in Office 365 or Azure. This led to errors, stale accounts (where a person is fired but their cloud account remains active), and frustrated users who had to remember multiple passwords.
Hybrid Identity Design solves these problems directly. For a system administrator, it means centralizing user management. You can create, disable, or update a user in one place, and the change is automatically replicated. This saves hours of manual labor and drastically reduces the security risk of orphaned accounts. For cybersecurity, it enables a consistent security posture. Conditional Access policies can be applied uniformly. For example, you can require multi-factor authentication for all sign-ins, whether the user is accessing a file server on-premises or a SharePoint site in the cloud.
For end users, it provides a seamless experience. They sign into their Windows computer on the corporate network and are automatically signed into their email, Teams, and other cloud apps without being asked for credentials again. This improves productivity and reduces helpdesk tickets for password resets.
From a compliance standpoint, it is also critical. Auditors want to see a single source of truth for who has access to what. A well-designed hybrid identity solution provides that. You can report on all user access from a single pane of glass, proving that access controls are consistent and that de-provisioning happens quickly when an employee leaves. Without this design, compliance audits become a painful, manual process of checking two separate systems.
How It Appears in Exam Questions
Questions on the AZ-305 exam about Hybrid Identity Design are almost always scenario-based. They present a fictional company's requirements and ask you to choose the best design from several options. A typical question might describe a company with 10,000 users in an on-premises Active Directory that is migrating to Microsoft 365. They want users to use their existing corporate credentials to sign into Office 365. The question would then present several options: do nothing, implement Azure AD Connect with Password Hash Sync, implement a federation service, or create new cloud-only accounts. The correct answer is to implement Azure AD Connect with Password Hash Sync (or appropriate method) to achieve hybrid identity.
Another common question pattern involves disaster recovery and high availability. The exam might ask how to design for failover of the identity system. For instance, if a company uses Active Directory Federation Services (AD FS) and its on-premises data center goes offline, how can users still sign into cloud apps? The answer might involve deploying a federation proxy in Azure or configuring password hash sync as a backup authentication method.
Configuration questions are less common but still appear. You might be asked to choose the correct version of Azure AD Connect to use or how to configure a staging server. Troubleshooting questions ask why a user cannot sign into a cloud app despite being synced from on-premises. The answer could involve checking for a mismatched UPN suffix or a synchronization error in the Azure AD Connect health dashboard.
Architecture questions are the most common. You might be asked to design a hybrid identity solution for a multinational corporation with strict data residency requirements. You would need to recommend multiple synchronization instances or a custom domain setup. These questions test your ability to apply the design principles to complex, real-world scenarios, not just memorize facts.
Example Scenario
Scenario: A mid-sized company called 'GreenLeaf Books' has 500 employees. They have been using an on-premises Windows Server Active Directory for 15 years to manage user accounts and access to the file servers and printers. The company is now moving to a cloud-first strategy. They have purchased Microsoft 365 Business Premium licenses and want everyone to use Microsoft Teams and Exchange Online. The CEO wants a seamless transition. He does not want employees to have to remember a new password. The IT manager wants to keep managing users from the existing Active Directory because third-party HR software connects to it.
How Hybrid Identity Design applies: The IT team decides to implement Azure AD Connect to synchronize the on-premises Active Directory with Microsoft Entra ID (the cloud directory behind Microsoft 365). They choose Password Hash Sync as the authentication method because it is simple and reliable. They also enable Seamless Single Sign-On. After the sync runs, every employee who has an account in the on-premises Active Directory automatically has an account in the cloud. When an employee logs into their office PC, they are automatically signed into Microsoft Teams and Outlook without typing a password again. When a new employee is hired, the HR system creates their account in the on-premises AD. The sync automatically creates their cloud account. When an employee is terminated, the IT desk disables the on-premises account. The sync propagates the disabled status to the cloud, and the employee loses access to their email and Teams instantly. This scenario perfectly illustrates the practical use of Hybrid Identity Design.
Common Mistakes
Thinking that once you sync users to the cloud, you can manage them from the cloud as your primary directory.
Azure AD Connect is designed to make the on-premises Active Directory the authoritative source. If you try to change a user's details in the cloud, the next sync cycle will overwrite your change with the on-premises value. You must manage users from the on-premises directory.
Always remember the principle of authoritative source. The server running Azure AD Connect syncs from on-premises to cloud. Changes must be made on-premises.
Believing that Hybrid Identity Design requires you to move all your on-premises servers to the cloud.
Hybrid means a mix. You keep your on-premises Active Directory servers running. The design simply connects them to the cloud. You can continue to use on-premises file servers and printers while also using cloud apps.
Understand that hybrid is about connection, not replacement. On-premises resources and cloud resources coexist. The identity system acts as a bridge.
Assuming that implementing Azure AD Connect automatically gives users access to all cloud resources.
Syncing a user account only creates the identity in the cloud. The user still needs to be assigned a license for a cloud service like Exchange Online or SharePoint. They also need to be added to cloud security groups that grant access to specific resources.
Remember the difference between identity synchronization and licensing. Sync creates the user. Licensing and permissions are separate steps that you must also manage, often through group-based licensing.
Thinking that Seamless SSO means you never need a password for cloud sign-ins from outside the office network.
Seamless SSO only works when the device is domain-joined and connected to the corporate internal network. If a user is at home or in a coffee shop, they must type their password. Seamless SSO does not replace the need for a password in all scenarios.
Know the limitation of Seamless SSO: it works only from inside the corporate network on domain-joined devices. For external access, users authenticate normally.
Confusing Azure AD Connect with Azure AD Domain Services.
Azure AD Connect is a synchronization tool that replicates objects from on-premises AD to Entra ID. Azure AD Domain Services is a managed domain service that provides legacy authentication protocols like LDAP and Kerberos to cloud-only VMs. They serve completely different purposes.
Use Azure AD Connect for user sync. Use Azure AD Domain Services for lifting and shifting legacy apps that need domain services in the cloud.
Exam Trap — Don't Get Fooled
The exam presents a question where a company has an existing on-premises Active Directory and wants to use Microsoft 365. The scenario says the company has a slow or unreliable WAN connection to the internet. The trap option is to recommend using Pass-through Authentication because it is 'more secure'.
The correct answer is Password Hash Sync, not Pass-through Authentication. Remember that Pass-through Authentication requires constant connectivity between the cloud authentication servers and the on-premises agents. If the internet connection is slow or unreliable, authentication will fail.
Password Hash Sync, conversely, allows users to authenticate against the password hashes already synced to the cloud even if the on-premises connection is down. Choose authentication methods based on reliability and business requirements, not just on a perceived security benefit. The exam wants you to consider the real-world operational constraints.
Commonly Confused With
Cloud-only identity creates all user accounts directly in the cloud directory, like Microsoft Entra ID, without any connection to an on-premises directory. Hybrid Identity Design requires an existing on-premises directory that is synchronized to the cloud. Cloud-only is simpler but requires you to migrate all user management to the cloud.
A brand new startup with no office IT infrastructure uses cloud-only identity. A 20-year-old company with an existing Active Directory uses Hybrid Identity Design to connect to the cloud.
Identity Federation is a specific authentication method within Hybrid Identity Design. Hybrid Identity is the overall architecture, while Federation (using AD FS or a third-party IdP) is one of several ways to authenticate cloud users against on-premises systems. Not all hybrid designs use federation; many use Password Hash Sync.
Hybrid Identity is the bridge between two cities. Federation is a specific type of toll booth on that bridge that checks your ID against the city database every time you cross. Other toll booths (like PHS) just check if your car matches a list that was copied earlier.
SSO is a feature that allows a user to sign in once and access multiple applications without re-entering credentials. Hybrid Identity Design enables SSO across on-premises and cloud apps, but SSO can also exist in a cloud-only environment. Hybrid Identity is the larger design; SSO is a benefit it provides.
Hybrid Identity is the infrastructure that connects your office badge reader to the cloud building access system. SSO is the result where you swipe your badge once at the front door and can enter any floor without showing it again.
Step-by-Step Breakdown
Requirements Analysis
Before designing, you collect business and technical requirements. This includes understanding the number of users, current authentication methods, security policies, compliance needs, and whether the company needs to support legacy applications. This step determines the scope of the hybrid design.
Authentication Method Selection
You choose between Password Hash Sync (PHS), Pass-through Authentication (PTA), or Federation. This decision depends on factors like security requirements, availability needs, and whether the company requires real-time policy enforcement for user accounts.
Select Synchronization Tool
You choose the appropriate synchronization software. Azure AD Connect is the mature tool for most scenarios. Microsoft Entra Cloud Sync is a lightweight option for simpler environments or when merging multiple forests. This step determines how objects flow from on-premises to cloud.
Directory Preparation
You prepare the on-premises Active Directory for synchronization. This includes cleaning up duplicate accounts, standardizing attributes like UPN suffixes, and setting up an organizational unit structure that can be filtered during sync. Proper preparation prevents synchronization errors.
Installation and Configuration
You install the chosen sync tool on a dedicated server. You configure synchronization rules, select which OUs to sync, and enable optional features like password write-back or device write-back. You also configure the authentication method (e.g., enable PHS or install PTA agents).
Security Integration
You integrate security features like Seamless SSO and enable the security defaults. You also configure Conditional Access policies in Entra ID that apply to hybrid users. This step ensures that the synchronized identities are protected by modern security controls.
Testing and Validation
You test the synchronization by creating a test user on-premises and verifying they appear in Entra ID. You test authentication from inside and outside the network. You also validate that password changes sync correctly. This step catches errors before users are impacted.
Monitoring and Maintenance
You set up monitoring using Azure AD Connect Health to track sync cycles, errors, and performance. You schedule regular reviews of the synchronization configuration and plan for software updates. This ongoing step ensures the hybrid identity environment remains healthy and secure.
Practical Mini-Lesson
Hybrid Identity Design is not just about clicking a button to run Azure AD Connect. In practice, a professional must deeply understand the existing on-premises environment to design a successful hybrid identity. The first real task is often an identity audit. You need to know the state of your Active Directory: are there stale accounts, are user principal names consistent, and are there multiple forests that need to be merged for sync? If your on-premises AD is a mess, the sync will propagate that mess into the cloud.
Once the directory is clean, you decide on the authentication method. In most modern environments, Password Hash Sync plus Seamless SSO is the recommended path. It is simple to implement, does not require additional server infrastructure for federation, and allows for self-service password reset in the cloud. However, if the organization has strict security policies requiring that password validation never leaves the on-premises network, then Pass-through Authentication is the correct choice. Federation is only necessary if you need to integrate with third-party identity systems or have complex claims-based requirements.
Configuring Azure AD Connect is a straightforward wizard, but the decisions made during the wizard have long-term implications. For example, the 'staging mode' feature is critical. You should always run the first sync in staging mode to preview what will be synchronized before actual changes are made. This prevents accidentally creating duplicate cloud objects or modifying existing ones.
What can go wrong? The most common issues are synchronization errors. An attribute like the user's email address might be missing or invalid, causing the sync to fail for that user. These errors appear in the Azure AD Connect Health console, and the administrator must fix the source data in on-premises AD and then run a delta sync. Another common problem is failing to sync a particular OU because the sync scope was not configured correctly.
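The identity audit described in the Directory Preparation step and in the paragraph above, as an added example that is not part of the original page: it takes a constructed export of on-premises user objects and reports the defects that would surface as sync errors or sign-in failures. Attribute names follow AD (userPrincipalName, mail, lastLogonTimestamp); the verified-domain set, the audit date and the sample users are assumed values built around the GreenLeaf Books scenario.

```python
"""Pre-sync identity audit of an on-premises AD export (added example, not
page code). Flags non-verified UPN suffixes, missing/invalid/duplicate mail
attributes and stale enabled accounts. Assumes users are dicts keyed by AD
attribute name (as in an LDAP export) and known verified tenant domains."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed values: verified tenant domains, audit date, staleness threshold.
VERIFIED_DOMAINS = {"greenleafbooks.com"}
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)
# Simplified syntax rules for the local part of a UPN and for a mail value.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9._'-]+$")
MAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

@dataclass(frozen=True)
class Finding:
    sam: str       # sAMAccountName of the object
    severity: str  # "error": object fails at sync; "warning": needs review
    message: str

def audit_users(users, verified_domains=VERIFIED_DOMAINS, now=AUDIT_DATE):
    """Return a Finding for every defect found in the exported user objects."""
    findings = []
    # UPN and mail must be unique tenant-wide, so count them case-insensitively.
    upn_counts = Counter((u.get("userPrincipalName") or "").lower() for u in users)
    mail_counts = Counter((u.get("mail") or "").lower() for u in users)
    for u in users:
        sam = u["sAMAccountName"]
        upn = u.get("userPrincipalName") or ""
        mail = u.get("mail") or ""
        # 1. The UPN suffix must be a verified domain: a non-routable suffix such
        #    as .local is the "mismatched UPN suffix" that blocks cloud sign-in.
        if "@" not in upn:
            findings.append(Finding(sam, "error", "missing or malformed userPrincipalName"))
        else:
            local, suffix = upn.rsplit("@", 1)
            if suffix.lower() not in verified_domains:
                findings.append(Finding(sam, "error", f"UPN suffix '{suffix}' is not a verified domain"))
            if not LOCAL_PART_RE.match(local):
                findings.append(Finding(sam, "error", "UPN local part contains unsupported characters"))
            if upn_counts[upn.lower()] > 1:
                findings.append(Finding(sam, "error", "duplicate userPrincipalName"))
        # 2. mail must be present, well-formed and unique, otherwise the object
        #    produces a sync error instead of a usable cloud account.
        if not mail:
            findings.append(Finding(sam, "error", "mail attribute is missing"))
        elif not MAIL_RE.match(mail):
            findings.append(Finding(sam, "error", f"mail '{mail}' is not a valid address"))
        elif mail_counts[mail.lower()] > 1:
            findings.append(Finding(sam, "error", f"mail '{mail}' is shared with another object"))
        # 3. Enabled accounts nobody has used recently are stale; syncing them
        #    only carries that exposure into the cloud.
        last = u.get("lastLogonTimestamp")
        if u.get("enabled") and last is not None and now - last > STALE_AFTER:
            findings.append(Finding(sam, "warning", f"enabled but no logon for {(now - last).days} days"))
    return findings

def blocked_accounts(users, **kw):
    """sAMAccountNames that must be fixed on-premises before entering sync scope."""
    return sorted({f.sam for f in audit_users(users, **kw) if f.severity == "error"})

def _user(sam, upn, mail, days_since_logon):
    """Build one constructed user record in the shape of an AD export."""
    return {"sAMAccountName": sam, "userPrincipalName": upn, "mail": mail, "enabled": True,
            "lastLogonTimestamp": AUDIT_DATE - timedelta(days=days_since_logon)}

# Constructed sample export for the GreenLeaf Books scenario.
SAMPLE_USERS = [
    _user("alice", "alice@greenleafbooks.com", "alice@greenleafbooks.com", 2),
    _user("bob", "bob@greenleaf.local", "bob@greenleafbooks.com", 5),          # non-routable UPN suffix
    _user("carol", "carol@greenleafbooks.com", "", 1),                        # mail attribute missing
    _user("dave", "dave@greenleafbooks.com", "Alice@greenleafbooks.com", 3),   # duplicates alice's mail
    _user("erin", "erin@greenleafbooks.com", "erin@greenleafbooks.com", 200),  # stale account
]
```

Running `audit_users(SAMPLE_USERS)` reports alice and dave for the shared mail value, bob for the .local suffix, carol for the missing mail attribute, and erin as a stale-account warning; `blocked_accounts` lists the four objects to repair on-premises before they are placed in sync scope.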
Hybrid Identity Design connects directly to broader IT concepts like Identity as the new security perimeter. Because the identity is the key to both on-premises and cloud resources, protecting it with multi-factor authentication and Conditional Access is paramount. A professional must also understand networking: the Azure AD Connect server needs outbound internet access to connect to Entra ID, and for PTA, specific firewall rules are required. In summary, implementing hybrid identity requires a blend of directory skills, security knowledge, and troubleshooting ability.
Memory Tip
Think 'Sync, Sign, Secure' for the three pillars of Hybrid Identity Design: Sync your identities, provide Single Sign-On, and Secure access with Conditional Access.
Covered in These Exams
AZ-305
Frequently Asked Questions
What is the difference between Azure AD Connect and Entra Cloud Sync?
Azure AD Connect is the older, more feature-rich tool that supports complex synchronization scenarios, multiple forests, and things like device write-back. Entra Cloud Sync is a lighter, agent-based tool designed for simpler environments or when you need to sync from multiple disconnected sources. For most AZ-305 scenarios, Azure AD Connect is the default choice.
Can I use Hybrid Identity Design if I don't have an on-premises Active Directory?
No. Hybrid Identity Design specifically refers to connecting an existing on-premises directory to the cloud. If you have no on-premises directory, you simply use cloud-only identity. You would create all users directly in Microsoft Entra ID.
Is Hybrid Identity Design the same as Active Directory Federation Services (AD FS)?
No. AD FS is one possible component within a Hybrid Identity Design. It provides federation authentication. Hybrid Identity Design is the overall architecture that may or may not include AD FS. Many hybrid designs use Password Hash Sync instead of federation.
What happens if my Azure AD Connect server goes offline?
Synchronization will stop. Existing synced user accounts in the cloud will still work because their identities are already present. However, new users created on-premises will not appear in the cloud, and changes to existing users will not be replicated until the sync server is back online.
Can I sync multiple on-premises Active Directory forests to one Azure tenant?
Yes. Azure AD Connect supports multi-forest synchronization. You can configure it to sync users from multiple forests, as long as each forest has a unique identifier. This is a common design for large enterprises with acquired companies.
Does Hybrid Identity Design support password changes from the cloud?
Yes, if you enable the password write-back feature during the Azure AD Connect configuration. This allows users who reset their passwords in the cloud (using self-service password reset) to have that change written back to their on-premises Active Directory account.
Is Hybrid Identity Design a required design for all Azure migrations?
It is not strictly required, but it is highly recommended for organizations that already have an on-premises Active Directory. It simplifies management, reduces security risks from orphaned accounts, and provides a better user experience. Cloud-only identity is only simpler if you are starting from scratch.
Summary
Hybrid Identity Design is the architectural practice of connecting an organization's existing on-premises directory, typically Active Directory, to a cloud-based identity provider like Microsoft Entra ID. This design allows users to have a single identity that works across both local and cloud resources, eliminating the need for multiple passwords and separate account management. For IT professionals preparing for the AZ-305 exam, understanding the components of this design is critical.
You must know the differences between authentication methods (PHS, PTA, Federation), the role of synchronization tools (Azure AD Connect, Entra Cloud Sync), and how to plan for security using Seamless SSO and Conditional Access. The key takeaway is that hybrid identity is about unification and security: unifying identity management in a single source of truth while securing access across all environments. In the real world, this design reduces administrative overhead, improves security posture, and enhances user productivity.
For your exam, focus on scenario-based decision-making around which authentication method and sync tool to use based on business requirements.