MS-900 | Chapter 80 of 104 | Objective 1.2

Hybrid Microsoft 365 Deployment Models

This chapter covers hybrid Microsoft 365 deployment models, a key topic in the Cloud Concepts domain (Objective 1.2) of the MS-900 exam. Hybrid models allow organizations to integrate their on-premises infrastructure with Microsoft 365 cloud services, enabling a unified identity, data, and application experience. Expect 10-15% of exam questions to touch on hybrid scenarios, focusing on identity synchronization, authentication options, and migration paths. Mastering this content is critical for understanding how enterprises transition to the cloud without abandoning existing investments.

25 min read
Intermediate
Updated May 31, 2026

Hybrid City with Commuter Bridge

Imagine a company with two offices: a downtown headquarters (on-premises) and a suburban satellite (cloud). Employees need to collaborate seamlessly—sharing files, attending meetings, and accessing apps—as if they were in one building. The solution is a dedicated commuter bridge (Azure AD Connect) that synchronizes employee badges (user identities) between both locations. When someone is hired at HQ, the bridge copies their badge to the satellite, so they can badge in at either location. Changes like a name change or department transfer are updated across both sides within 30 minutes (sync interval). If the bridge breaks, each location works independently but badges become stale. For secure access, there's a single sign-on turnstile (SSO) that lets employees pass between offices without showing ID again. The bridge also handles password changes: if an employee resets their password at HQ, the bridge carries the new hash to the satellite, so they can log in there too. This commuter bridge is the essence of hybrid identity—it keeps two directories in sync to provide a unified experience.

How It Actually Works

What Is a Hybrid Microsoft 365 Deployment?

A hybrid Microsoft 365 deployment combines on-premises infrastructure (such as Windows Server Active Directory, Exchange Server, or SharePoint Server) with Microsoft 365 cloud services. The goal is a seamless experience in which users, data, and applications exist in both environments but appear unified. The most critical component is identity synchronization, typically achieved with Azure AD Connect, which syncs user objects, groups, and (optionally) password hashes from on-premises AD to Azure Active Directory (Azure AD). Microsoft has since renamed Azure AD to Microsoft Entra ID and the tool to Microsoft Entra Connect; the functionality is unchanged, and this chapter keeps the older names that still appear in exam material. Without hybrid identity, users would have separate accounts and passwords for on-premises and cloud resources, leading to management overhead and a poor user experience.

Why Hybrid Exists

Organizations adopt hybrid deployments for several reasons:

- Gradual Migration: Moving all workloads to the cloud at once is risky and disruptive. Hybrid allows phased migration, keeping some workloads on-premises while others move to the cloud.
- Regulatory Compliance: Some data must remain on-premises due to legal or industry regulations. Hybrid lets sensitive data stay local while cloud services handle non-sensitive workloads.
- Existing Investments: Many organizations have invested heavily in on-premises infrastructure such as Exchange Server or SharePoint Server. Hybrid extends those investments while adding cloud capabilities.
- Identity Management: On-premises AD is usually the authoritative identity source. Hybrid identity synchronizes it to Azure AD, enabling single sign-on (SSO) and consistent access policies in both environments.

How Hybrid Identity Works — The Mechanism

Azure AD Connect is the primary tool for hybrid identity. It runs on a domain-joined Windows server; the lighter alternative, Azure AD Connect cloud sync, uses a small provisioning agent on-premises with the configuration held in the cloud. The core mechanism is directory synchronization:

1.

Installation and Configuration: An administrator installs Azure AD Connect on a server that can communicate with both on-premises AD and Azure AD. During setup, they choose synchronization options, such as password hash synchronization (PHS), pass-through authentication (PTA), or federation with AD FS.

2.

Initial Sync: Azure AD Connect performs a full synchronization of all in-scope user, group, and contact objects from on-premises AD to Azure AD. Each object is linked to its cloud counterpart by the sourceAnchor attribute, which Azure AD exposes as the immutable ID. Older installations use objectGUID; since version 1.1.524.0 the wizard defaults to ms-DS-ConsistencyGuid and populates it from objectGUID, because objectGUID is not preserved when an object is moved between forests while a writable attribute can be carried across. Whichever attribute is chosen, it must never change after the first sync, or the link between the two objects breaks.

3.

Delta Sync: After the initial sync, Azure AD Connect runs delta syncs every 30 minutes by default (the scheduler can lengthen the interval, but the service imposes a 30-minute floor). It detects changes in on-premises AD (new users, attribute updates, deletions) and replicates them to Azure AD. The sync engine stages each connected directory's objects in a connector space, joins them in the metaverse, and exports only the resulting differences.

4.

Password Synchronization: If PHS is enabled, Azure AD Connect synchronizes password hashes from on-premises AD to Azure AD on its own schedule, roughly every two minutes, independent of the 30-minute object sync. The actual password is never transmitted, and neither is the raw NT hash: the agent takes the NT (MD4) hash from AD, adds a per-user 10-byte salt, runs the result through PBKDF2-HMAC-SHA256 for 1,000 iterations, and sends only that derived value. Users keep one password for on-premises and cloud resources. Because the derived value is not the NT hash, it cannot be replayed against on-premises AD. PHS is also what lets Azure AD Identity Protection report leaked credentials, and it can be kept enabled alongside PTA or federation as a backup sign-in method (switching to it is a manual change, not automatic failover).

5.

Writeback: Azure AD Connect can also write a limited set of changes back to on-premises AD: passwords (password writeback), group membership (group writeback), and device objects (device writeback). Password writeback is what lets a self-service password reset (SSPR) performed in the cloud land in on-premises AD, so the user's new password works everywhere.

Key Components and Defaults

Azure AD Connect: The synchronization tool. Default sync interval: 30 minutes. Minimum supported Windows Server version: 2016. Requires .NET Framework 4.7.2 or later.

SourceAnchor: Immutable identifier for each object, surfaced in Azure AD as the immutable ID. Older installations use objectGUID; new installations default to ms-DS-ConsistencyGuid, populated from objectGUID (the exam treats objectGUID as the default). Changing it after sync requires re-matching every object.

Password Hash Synchronization: Enabled when chosen in the wizard. Not a copy of the NT hash: the agent salts the NT (MD4) hash with a per-user 10-byte salt and runs PBKDF2-HMAC-SHA256 for 1,000 iterations, and only that derived value is stored in Azure AD. Synchronized hashes are used only for cloud authentication, never for on-premises authentication, and the derived value cannot be replayed against AD. Hashes sync roughly every two minutes, on a separate channel from the 30-minute object sync.
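The transform above is easier to reason about when you can run it. The following PowerShell is an added illustration written for this chapter, not Microsoft's agent code and not taken from the page; it reproduces the published steps (hex-expand the NT hash to UTF-16, add a 10-byte salt, PBKDF2-HMAC-SHA256 for 1,000 iterations, 32-byte output) so you can see what actually leaves the network. Assumptions, marked in the code: the expanded hash is lower-case hex (the documentation does not state the case), the salt is fixed so the output is repeatable, and the sample NT hash is a constructed value, not from any real account.

```powershell
# Added illustration of the documented PHS transform. Not Microsoft's code.
# ASSUMPTIONS: lower-case hex for the expanded hash (case is undocumented) and a fixed
# salt for repeatability. The real agent draws a random 10-byte salt per user.
function ConvertTo-PhsSyncedHash {
    param(
        [Parameter(Mandatory)][string]$NtHashHex,   # 32 hex chars: the MD4 hash AD stores
        [Parameter(Mandatory)][byte[]]$Salt         # 10 bytes, one salt per user
    )
    if ($NtHashHex.Length -ne 32) { throw "NT hash must be 16 bytes (32 hex chars)" }
    if ($Salt.Length -ne 10)      { throw "Salt must be 10 bytes" }

    # 1. Expand: 16-byte hash -> 32-char hex string -> UTF-16LE bytes (64 bytes).
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($NtHashHex.ToLowerInvariant())

    # 2. Key-stretch: PBKDF2 with HMAC-SHA256, 1,000 iterations, 32-byte output.
    #    This Rfc2898DeriveBytes overload (with HashAlgorithmName) needs .NET 4.7.2 or later.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $expanded, $Salt, 1000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try     { $derived = $kdf.GetBytes(32) }
    finally { $kdf.Dispose() }

    # 3. The salt plus this derived value is what is sent; the NT hash never leaves AD.
    return [System.BitConverter]::ToString($derived).Replace('-', '').ToLowerInvariant()
}

# CONSTRUCTED sample NT hash, not derived from any real account.
$sampleNtHash = '00112233445566778899aabbccddeeff'
$saltA = [byte[]](1..10)
$saltB = [byte[]](11..20)

$a = ConvertTo-PhsSyncedHash -NtHashHex $sampleNtHash -Salt $saltA
$b = ConvertTo-PhsSyncedHash -NtHashHex $sampleNtHash -Salt $saltB

"Derived value, salt A : $a"
"Derived value, salt B : $b"
"Same NT hash, different salt, different synced value: $($a -ne $b)"
# The 32-byte output is not an NT hash, so it is useless for pass-the-hash against AD,
# and the per-user salt means two users with the same password sync different values.
```

The point for a defender: compromising the Azure AD side yields salted, stretched values that must be brute-forced per user, whereas compromising the Connect server itself yields the right to read the raw NT hashes from AD, which is why that server is the asset to protect.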

Pass-Through Authentication: Cloud sign-ins are validated against on-premises AD by lightweight Authentication Agents that hold only outbound connections to Azure AD (no inbound ports, no load balancer). No password hashes are stored in the cloud. At least two agents are needed for high availability; Microsoft recommends three.

Federation (AD FS): Uses Active Directory Federation Services to authenticate users. The cloud redirects authentication to on-premises AD FS. Requires AD FS farm and Web Application Proxy.

Azure AD Connect Health: A monitoring tool that provides insights into sync performance, errors, and authentication health. Can be installed on the Connect server.

Configuration and Verification Commands

While MS-900 does not require deep command-line knowledge, understanding the tools is helpful:

- Azure AD Connect Configuration Wizard: GUI-based tool for initial setup and modifications. It can be rerun to change settings.
- PowerShell: the ADSync module, present on the Connect server, scripts the same operations. Force a delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

- Force a full sync (full import plus full synchronization, slower and more disruptive than a delta):

Start-ADSyncSyncCycle -PolicyType Initial

Check Sync Status: Use the Synchronization Service Manager (miisclient.exe) to view connector space objects, pending exports, and errors.

Verify Sync in Azure AD: In Azure portal, go to Azure Active Directory > Users. Check that synced users have "Source" = "Windows Server AD".
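The two one-liners above are what you type by hand. The script below is an added example for this chapter (not from the page and not Microsoft's code) that does what an operator actually wants on the active Connect server: read the scheduler state, refuse to run on a staging server, wait for any cycle already in progress instead of colliding with it, force a delta cycle, and then confirm password hash sync is enabled on every on-premises connector. It assumes only the ADSync module that ships with Azure AD Connect; connector names are read from the tool rather than hard-coded, and the AAD connector is recognised by its standard "<tenant>.onmicrosoft.com - AAD" name.

```powershell
# Added example: inspect the scheduler, force a delta cycle safely, and check PHS state.
# Run in an elevated PowerShell session on the active Azure AD Connect server.
Import-Module ADSync

$sched = Get-ADSyncScheduler
"Sync cycle enabled       : $($sched.SyncCycleEnabled)"
"Staging mode             : $($sched.StagingModeEnabled)"
"Allowed minimum interval : $($sched.AllowedSyncCycleInterval)"       # 00:30:00, set by the service
"Customized interval      : $($sched.CustomizedSyncCycleInterval)"    # empty unless you raised it
"Effective interval       : $($sched.CurrentlyEffectiveSyncCycleInterval)"
"Next cycle (UTC)         : $($sched.NextSyncCycleStartTimeInUTC) [$($sched.NextSyncCyclePolicyType)]"

if ($sched.StagingModeEnabled) {
    Write-Warning "This server is in staging mode: it imports and syncs but never exports. Run this on the active server."
    return
}
if (-not $sched.SyncCycleEnabled) {
    Write-Warning "Scheduler is disabled; re-enable with: Set-ADSyncScheduler -SyncCycleEnabled `$true"
}

# Starting a cycle while one is running fails with 'already running', so poll first.
function Wait-ADSyncIdle {
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }
}

Wait-ADSyncIdle
Start-ADSyncSyncCycle -PolicyType Delta    # Initial = full import + full sync, much slower
Wait-ADSyncIdle
"Delta cycle finished at $((Get-Date).ToUniversalTime().ToString('u'))"

# Password hash sync state per on-premises connector. The AAD connector is excluded by
# its standard '<tenant>.onmicrosoft.com - AAD' name; everything else is an AD forest.
Get-ADSyncConnector |
    Where-Object { $_.Name -notlike '* - AAD' } |
    ForEach-Object {
        "Password hash sync configuration for connector '$($_.Name)':"
        Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $_.Name
    }

# For PHS latency, heartbeat and per-object troubleshooting use the built-in diagnostics:
# Invoke-ADSyncDiagnostics -PasswordSync
```

To lengthen the interval (you cannot shorten it below the service's 30-minute floor), use Set-ADSyncScheduler -CustomizedSyncCycleInterval 01:00:00 and re-read Get-ADSyncScheduler to confirm CurrentlyEffectiveSyncCycleInterval changed.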

Interaction with Related Technologies

Hybrid identity is the foundation for other hybrid workloads:

- Hybrid Exchange: Requires directory synchronization, plus the Exchange Hybrid Configuration Wizard to connect on-premises Exchange with Exchange Online. Enables free/busy sharing, secure mail flow between the two environments, and mailbox migration.
- Hybrid SharePoint: Uses hybrid features such as hybrid search, hybrid sites, and OneDrive for Business redirection. Requires Azure AD Connect and specific configuration on the SharePoint farm.
- Hybrid Teams: For Teams Phone, on-premises PSTN connectivity is provided by Direct Routing, which connects your own certified session border controller to Teams. Calling Plans is PSTN service provided by Microsoft, so it is a cloud-only option rather than a hybrid one.
- Microsoft 365 Apps: Hybrid Azure AD join lets domain-joined devices access cloud resources seamlessly, and Conditional Access policies can then require MFA or device compliance.

Authentication Options Comparison

Password Hash Sync (PHS): Simplest to deploy. Passwords are validated in the cloud against the synced hash. Works with Identity Protection leaked-credential detection. No on-premises dependency at sign-in time: if AD, the network link, or the Connect server is down, cloud sign-in still works.

Pass-Through Authentication (PTA): Validates passwords on-premises. No password hashes in cloud. Requires agents. Useful for organizations that cannot sync password hashes due to policy.

Federation (AD FS): Most complex. Provides rich claims-based authentication and supports third-party MFA. Requires significant on-premises infrastructure. Often used by large enterprises with existing AD FS deployments.

Migration Paths

Hybrid is often a stepping stone to full cloud migration. Common paths:

- Staged Migration: Move users in batches. For Exchange, use remote move migration. For SharePoint, use hybrid search first, then gradually move content.
- Cutover Migration: Move all users at once. Typically for small organizations with few mailboxes.
- Hybrid Configuration Wizard: For Exchange, runs on-premises and configures the hybrid settings automatically.

Troubleshooting Common Issues

Sync Errors: Duplicate proxyAddresses, mail values, or UPNs across objects are the most common cause. Azure AD's duplicate attribute resiliency lets the object sync anyway but quarantines the conflicting value and reports a sync error; the fix is to remove or correct the duplicate in on-premises AD so the next delta cycle clears it. Run Microsoft's IdFix tool or a script over AD before the first sync to catch these early.
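The following script is an added example for this chapter (not from the page, not Microsoft's IdFix) that finds the collisions described above before they reach Azure AD: every SMTP proxy address, mail value, and UPN in the directory is mapped to the objects that claim it, and any identifier with more than one owner is reported. It also flags users whose UPN suffix is not a verified tenant domain, which Azure AD silently rewrites to the onmicrosoft.com domain. It assumes the ActiveDirectory RSAT module; the verified domain list is a placeholder you replace with your tenant's own.

```powershell
# Added example: find proxyAddresses / mail / UPN collisions and non-routable UPN suffixes
# in on-premises AD before Azure AD's duplicate attribute resiliency quarantines them.
Import-Module ActiveDirectory

$verifiedDomains = @('contoso.com')   # ASSUMPTION: replace with your tenant's verified domains

$objects = Get-ADObject -LDAPFilter '(|(proxyAddresses=*)(mail=*)(userPrincipalName=*))' `
    -Properties proxyAddresses, mail, userPrincipalName, objectClass

# identifier (lower-cased; Azure AD compares case-insensitively) -> list of owning DNs.
# Users, groups and contacts all count, because they all land in the same tenant namespace.
$owners = @{}
function Add-Owner([string]$Key, [string]$Dn) {
    $k = $Key.ToLowerInvariant()
    if (-not $owners.ContainsKey($k)) { $owners[$k] = New-Object System.Collections.Generic.List[string] }
    if (-not $owners[$k].Contains($Dn)) { $owners[$k].Add($Dn) }   # an object's own mail = own UPN is fine
}

foreach ($o in $objects) {
    foreach ($pa in @($o.proxyAddresses)) {
        # entries look like 'SMTP:alice@contoso.com' (primary) or 'smtp:alias@contoso.com';
        # -match is case-insensitive, so both prefixes are caught. X500/SIP entries are skipped.
        if ($pa -match '^smtp:(.+)$') { Add-Owner -Key $Matches[1] -Dn $o.DistinguishedName }
    }
    if ($o.mail)              { Add-Owner -Key $o.mail              -Dn $o.DistinguishedName }
    if ($o.userPrincipalName) { Add-Owner -Key $o.userPrincipalName -Dn $o.DistinguishedName }
}

$conflicts = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
"Identifiers claimed by more than one object: $(@($conflicts).Count)"
foreach ($c in $conflicts) {
    Write-Warning "'$($c.Key)' is claimed by $($c.Value.Count) objects:"
    $c.Value | ForEach-Object { "    $_" }
}

# UPN suffixes not verified in the tenant become <tenant>.onmicrosoft.com after sync,
# which users experience as 'my email address does not work as a sign-in'.
$badSuffix = $objects | Where-Object {
    $_.objectClass -eq 'user' -and $_.userPrincipalName -and
    ($verifiedDomains -notcontains $_.userPrincipalName.Split('@')[-1])
}
"Users with an unverified UPN suffix: $(@($badSuffix).Count)"
$badSuffix | Select-Object -First 10 userPrincipalName, DistinguishedName
```

Get-ADObject searches the current domain by default; in a multi-domain forest point it at a global catalog with -Server "dc01.contoso.com:3268" so that collisions between domains are seen too, since the tenant does not care which domain an address came from.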

Authentication Failures: If PHS sign-ins fail, confirm that password hash sync is enabled and healthy (Invoke-ADSyncDiagnostics -PasswordSync on the Connect server) and that users sign in with their UPN (user@domain.com), not the DOMAIN\user form. A UPN suffix that is not a verified domain in the tenant is rewritten to the tenant's onmicrosoft.com domain, which looks like a wrong-password problem to the user.

Writeback Issues: Password writeback needs specific permissions for the Azure AD Connect AD connector account on user objects: Reset password, write access to lockoutTime and pwdLastSet, and the Unexpire Password extended right on the domain root. The AdSyncConfig PowerShell module shipped with Connect includes a Set-ADSyncPasswordWritebackPermissions function that grants them; a permission-issue error in the Operations tab is the usual symptom when they are missing.

Latency: Default sync interval is 30 minutes. For urgent changes, force a delta sync via PowerShell.

Walk-Through

1

Prepare On-Premises Environment

Before deploying Azure AD Connect, ensure the on-premises Active Directory forest meets requirements: functional level of Windows Server 2008 or later (Windows Server 2012 R2+ recommended). The server running Azure AD Connect must be domain-joined and have access to the internet. Verify that UPN suffixes are routable and match the verified domain in Microsoft 365. Clean up duplicate or invalid objects in AD to prevent sync errors. Install necessary prerequisites: .NET Framework 4.7.2+, PowerShell 5.0+, and optionally Microsoft Visual C++ Redistributable.

2

Install Azure AD Connect

Download the latest version of Azure AD Connect from the Microsoft Download Center. Run the installation wizard. Choose the appropriate installation type: Express (for single-forest, PHS) or Custom (for multiple forests, PTA, or federation). During Express installation, the wizard prompts for on-premises AD Enterprise Admin credentials and for an Azure AD account holding the Global Administrator or Hybrid Identity Administrator role. The Enterprise Admin credential is used once, to create the restricted AD connector account (named MSOL_ followed by a random suffix) that the service runs with afterwards; it is not stored. The wizard then configures sync with default options. For Custom, you can enable features like password writeback, group writeback, or device writeback.

3

Configure Synchronization Settings

After installation, the Synchronization Service Manager is available for inspecting the sync engine. By default, delta sync runs every 30 minutes. You can lengthen the schedule via PowerShell (Set-ADSyncScheduler), but not shorten it below the 30-minute floor. Choose which attributes to sync (the default set covers the common ones). Configure filtering to sync only specific OUs or domains. Enable the sign-in method you chose: password hash sync, pass-through authentication, or federation. For PTA, install the Authentication Agent on at least two servers for high availability; Microsoft recommends three.

4

Verify Initial Synchronization

After configuration, a full sync runs automatically. Monitor progress in the Synchronization Service Manager. Check for errors in the Operations tab. Verify that users appear in Azure AD under Azure Active Directory > Users. Confirm that the source is 'Windows Server AD' and that attributes like UPN, display name, and email are populated. Test login with a synced user account using their on-premises credentials.

5

Enable Hybrid Features

With sync working, enable additional hybrid features. Hybrid Azure AD join for Windows 10/11 devices: run the "Configure device options" task in the Connect wizard, which creates the service connection point in AD, and make sure the computer objects are in sync scope (device writeback is a separate feature, used when on-premises applications need to see cloud device state). Seamless SSO: enable it on the wizard's User sign-in page, which creates the AZUREADSSOACC computer account in each forest, then push the Azure AD SSO URL into the browsers' intranet zone via Group Policy. Set up password writeback for SSPR. For Exchange hybrid, run the Hybrid Configuration Wizard. For SharePoint, configure hybrid search and OneDrive. For Teams, ensure user objects have proper SIP addresses and enable Direct Routing if on-premises PSTN is required.
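Step 5 enables Seamless SSO but the walk-through stops before the part that matters for security: the AZUREADSSOACC account's Kerberos key is what Azure AD uses to decrypt users' tickets, so anyone who obtains it can mint tickets for any synced user, and Microsoft's guidance is to roll it over at least every 30 days. The script below is an added example for this chapter (not from the page; it uses the AzureADSSO module that Azure AD Connect installs) that performs the rollover and then checks the account's key age and delegation flags. It assumes the default Connect installation path and that you hold Global Administrator for the tenant and Domain Administrator in the forest.

```powershell
# Added example: roll over the Seamless SSO Kerberos decryption key and audit the account.
# ASSUMPTIONS: default install path; Global Administrator and Domain Administrator rights.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"

# 1. Authenticate to the tenant (interactive sign-in as a Global Administrator).
New-AzureADSSOAuthenticationContext

# 2. Which forests have Seamless SSO enabled? The status comes back as JSON.
$status = Get-AzureADSSOStatus | ConvertFrom-Json
$status.Domains | Format-List

# 3. Roll the key for this forest. One call resets the AZUREADSSOACC password in AD and
#    uploads the new key to Azure AD, so there is no window where the two disagree.
$onPrem = Get-Credential -Message "Domain Administrator for the forest, as DOMAIN\user"
Update-AzureADSSOForest -OnPremCredentials $onPrem

# 4. Audit the account: key age must be under 30 days and it must not be delegatable.
Import-Module ActiveDirectory
Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet, TrustedForDelegation, AccountNotDelegated |
    Select-Object Name, PasswordLastSet, TrustedForDelegation, AccountNotDelegated,
        @{ n = 'KeyAgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } }
```

Schedule step 3 (with a stored credential handled by your secrets tooling, not a plain text file) and alert on step 4 when KeyAgeDays exceeds 30; a stale key is the same exposure as a never-rotated service account password.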

What This Looks Like on the Job

Enterprise Scenario 1: Large Financial Institution with Regulatory Constraints

A global bank with 50,000 employees must keep customer financial data on-premises due to regulations in multiple countries. They adopt a hybrid model: Exchange Online for internal email (no sensitive data), but on-premises Exchange for customer-facing communications. Azure AD Connect with PTA is chosen because password hashes cannot leave the on-premises network under their compliance rules. Three PTA agents are deployed on separate servers; no load balancer is involved, since each agent holds only outbound connections to Azure AD and the service distributes sign-in requests among whichever agents are connected. The sync interval is raised to 60 minutes to reduce load on AD. AD FS was considered first, but the certificate and federation-trust management proved too heavy, so they chose PTA. Misconfigured agents (one left on a server that lost line of sight to the domain controllers, another never updated) caused intermittent authentication failures, resolved by monitoring agent status in the Pass-through authentication blade of the Azure AD Connect page in the portal and retiring the unhealthy agents.

Enterprise Scenario 2: Mid-Sized Manufacturing Company Migrating to Cloud

A manufacturer with 5,000 users wants to move all workloads to Microsoft 365 over 18 months. They start with hybrid identity using PHS and seamless SSO. They deploy Azure AD Connect on a dedicated VM with 4 vCPUs and 8 GB RAM. During the first month they notice delta cycles running long because the HR system churns group membership constantly. They trim the scope by filtering out OUs that do not need to sync; the interval itself cannot be lowered below the 30-minute floor the service imposes, so for urgent changes they trigger a delta sync from the HR batch job instead. Password writeback for SSPR cuts help desk calls by 30%. The biggest challenge was duplicate proxyAddresses left behind by a legacy email system: Azure AD's duplicate attribute resiliency quarantined the conflicting addresses instead of blocking the objects, and the sync error report told them exactly which objects to clean up in AD.

Enterprise Scenario 3: Government Agency with Air-Gapped Network

A government agency has a classified network that is not connected to the internet. They cannot use Azure AD Connect directly. Instead, they use Azure AD Connect cloud sync (a lightweight agent) installed on a server that has outbound internet access but is in a separate DMZ. The agent syncs only non-sensitive attributes (e.g., username, email) from a read-only replica of AD. They use federation with AD FS for authentication, but the AD FS servers are in a different network segment. The complexity of managing multiple security zones and certificate renewal caused frequent outages. They eventually moved to PHS with a dedicated sync server that has strict firewall rules. The lesson: for high-security environments, minimize on-premises dependencies and use PHS with cloud-only authentication.

How MS-900 Actually Tests This

MS-900 Exam Coverage

Objective 1.2: Describe cloud concepts for Microsoft 365. Specifically, the sub-objective 'Describe hybrid deployment models' is tested. Questions focus on:

Understanding the three main authentication options: PHS, PTA, and federation.

Knowing the default sync interval (30 minutes) and the tool used (Azure AD Connect).

Recognizing scenarios where hybrid is appropriate (gradual migration, compliance, existing infrastructure).

Identifying the correct tool for identity synchronization: Azure AD Connect (not Azure AD Connect Health, which is monitoring).

Common Wrong Answers and Traps

1.

"Password Hash Synchronization stores actual passwords in the cloud." This is false. Only a hash of the password hash is stored. The actual password never leaves on-premises. Candidates often confuse 'hash' with 'password.'

2.

"Azure AD Connect Health is used for synchronization." No, Health is a monitoring tool. The sync tool is Azure AD Connect itself.

3.

"Federation is required for hybrid identity." False. PHS and PTA are simpler alternatives that do not require federation infrastructure.

4.

"The sync interval is 15 minutes." The default is 30 minutes. It can be changed, but 30 is the default tested on the exam.

5.

"Hybrid deployments require Exchange Server." No, hybrid identity works independently of Exchange. Hybrid Exchange is optional.

Specific Numbers and Terms to Memorize

Azure AD Connect: The tool for hybrid identity.

30 minutes: Default sync interval.

Password Hash Sync (PHS): Most common authentication method.

Pass-Through Authentication (PTA): Uses on-premises agents.

Federation: Uses AD FS.

Seamless SSO: Feature that automatically signs in users on domain-joined devices.

Writeback: Allows cloud changes to be written back to on-premises AD (password writeback, device writeback).

Edge Cases Tested

What happens if Azure AD Connect is down? Sign-in continues. With PHS the hashes already in Azure AD are used and on-premises is not consulted at all; with PTA the Authentication Agents, not the Connect server, answer sign-ins; with federation AD FS does. What stops is synchronization: new users, attribute changes, and on-premises password changes do not reach the cloud until Connect is restored.

Can you have multiple Azure AD Connect servers? Only one active sync server per tenant is supported (except for staging mode).

What is the immutable ID? It's the sourceAnchor (objectGUID on older installations, ms-DS-ConsistencyGuid by default on newer ones; the exam treats objectGUID as the default) that ties the on-premises object to the cloud object. Changing it breaks the link.

How to Eliminate Wrong Answers

If a question mentions 'monitoring,' eliminate Azure AD Connect and look for Azure AD Connect Health.

If a question says 'no password hashes in the cloud,' the answer is PTA or federation.

If a question says 'simplest deployment,' choose PHS.

If a question mentions 'claims-based authentication,' choose federation.

Key Takeaways

Azure AD Connect is the primary tool for hybrid identity synchronization.

Default sync interval is 30 minutes.

Three authentication options: PHS, PTA, and Federation (AD FS).

PHS is the simplest; federation is the most complex.

Password writeback enables SSPR in hybrid environments.

Seamless SSO is a feature that works with PHS or PTA to auto-sign in users on domain-joined devices.

Hybrid identity is the foundation for hybrid Exchange, SharePoint, and Teams.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Password Hash Sync (PHS)

Simplest to deploy and manage

Password hashes stored in Azure AD (hashed, not plaintext)

Supports hybrid Azure AD join and Identity Protection

No on-premises agents required

Cloud sign-in never touches on-premises AD, so if AD, the network link, or the Connect server is unreachable, users still authenticate against the synced hashes

Pass-Through Authentication (PTA)

Requires on-premises Authentication Agents (at least two for HA; Microsoft recommends three)

No password hashes stored in the cloud

Validates passwords directly against on-premises AD

Supports real-time password validation policies

If all agents are down, cloud authentication fails

Watch Out for These

Mistake

Azure AD Connect must be installed on a domain controller.

Correct

Azure AD Connect can be installed on any domain-joined member server; it does not need to be a domain controller, and Microsoft recommends against a DC. Either way, treat the Connect server as a Tier 0 asset: with PHS its connector account holds directory replication rights that can read every password hash in the forest, and with writeback it can reset passwords, so whoever controls that server controls both directories.

Mistake

Password Hash Synchronization sends the actual user password to the cloud.

Correct

Only a hash of the hash (salted and iterated) is sent. The original password never leaves on-premises.

Mistake

Hybrid identity requires federation with AD FS.

Correct

Federation is optional. PHS and PTA are simpler alternatives that do not require AD FS.

Mistake

You can use multiple Azure AD Connect servers in active/active mode.

Correct

Only one active sync server is allowed per tenant. Additional servers can be in staging mode for disaster recovery.

Mistake

The default sync interval is 15 minutes.

Correct

The default sync interval is 30 minutes. It can be changed via PowerShell but 30 is the default.


Frequently Asked Questions

What is the difference between Azure AD Connect and Azure AD Connect Health?

Azure AD Connect is the synchronization tool that syncs objects from on-premises AD to Azure AD. Azure AD Connect Health is a monitoring tool that provides insights into the health of your sync infrastructure, including sync errors, performance, and authentication activity. They are separate components: Connect does the sync, Health monitors it.

Can I use hybrid identity without syncing passwords?

Yes, you can use Pass-Through Authentication (PTA) or federation (AD FS) without storing password hashes in the cloud. PTA validates passwords on-premises via agents. AD FS uses claims-based authentication. PHS is the only option that stores password hashes in Azure AD; note that it can also be enabled alongside PTA or federation as a backup sign-in method, in which case hashes are in the cloud even though they are not the primary sign-in path.

What happens if Azure AD Connect fails to sync?

Users keep signing in: with PHS the hashes already in Azure AD are used, and with PTA or federation the agents or AD FS handle sign-in without involving the Connect server. New users and changes (attribute updates, on-premises password changes, deletions) are not reflected until sync resumes. The sync engine retries automatically. You can monitor errors via Synchronization Service Manager or Azure AD Connect Health.

How do I force an immediate sync?

Use the PowerShell command: Start-ADSyncSyncCycle -PolicyType Delta. You can also run a full sync with -PolicyType Initial. Alternatively, you can trigger a sync from the Azure AD Connect wizard by selecting 'Customize synchronization options' and then 'Synchronize now'.

What is Seamless SSO and how does it work?

Seamless SSO automatically signs users in when they are on domain-joined devices connected to the corporate network. It works with PHS or PTA, not with federation (AD FS provides its own integrated Windows authentication). Enabling it creates a computer account, AZUREADSSOACC, in on-premises AD, and Azure AD holds that account's Kerberos decryption key. When a browser reaches the Azure AD sign-in page it is redirected to the SSO endpoint (autologon.microsoftazuread-sso.com), which must be in the browser's intranet zone; the client obtains a Kerberos ticket for AZUREADSSOACC from a domain controller and presents it, and Azure AD decrypts the ticket to identify the user. No password prompt is shown. The decryption key should be rolled over at least every 30 days, because anyone who obtains it can forge tickets for any synced user. It is enabled via the Azure AD Connect wizard or the AzureADSSO PowerShell module.

Can I sync multiple Active Directory forests?

Yes, Azure AD Connect supports synchronizing multiple forests into a single tenant. No forest trust is required; the Connect server needs network line of sight to a domain controller in each forest and an account with read (and, for writeback, write) permissions in each. During Custom setup you add each forest and choose how users are matched across forests (for example by mail attribute or by ObjectSID and msExchMasterAccountSid for account/resource forest layouts) and which attribute serves as the source anchor.

What is the immutable ID in Azure AD Connect?

The immutable ID (sourceAnchor) is an attribute that uniquely identifies an object and links the on-premises AD object to its cloud counterpart. Older installations use the on-premises objectGUID; since version 1.1.524.0 the default is ms-DS-ConsistencyGuid, populated from objectGUID, because objectGUID does not survive a cross-forest move while a writable attribute can be carried over. It is set during initial sync and cannot be changed without re-matching the object.

