Hybrid Identity with Microsoft Entra
Hybrid Identity with Microsoft Entra is a solution that bridges on-premises Active Directory environments with cloud-based Microsoft Entra ID (formerly Azure Active Directory), creating a unified identity experience for users across both environments. At its core, hybrid identity allows organizations to maintain a single user identity that can access both on-premises and cloud resources seamlessly. This is critical for enterprises transitioning to the cloud while still relying on existing on-premises infrastructure.

Microsoft Entra supports hybrid identity through three primary authentication methods:

1. **Password Hash Synchronization (PHS):** This is the simplest method. Microsoft Entra Connect synchronizes a hash of users' on-premises password hashes to Microsoft Entra ID, so users can sign into cloud services with the same credentials they use on-premises. It also enables leaked credential detection for enhanced security.
2. **Pass-through Authentication (PTA):** This method validates users' passwords directly against the on-premises Active Directory without storing password hashes in the cloud. Authentication requests are forwarded to on-premises servers, making it ideal for organizations with strict security policies about password storage.
3. **Federation (AD FS):** This approach delegates the authentication process to a separate trusted identity system, typically Active Directory Federation Services. It provides the most advanced capabilities, including smart card authentication and third-party MFA, but is the most complex to deploy and manage.

**Microsoft Entra Connect** (and its newer counterparts, Microsoft Entra Connect Sync and Cloud Sync) is the essential tool that synchronizes on-premises directory objects, including users, groups, and contacts, to Microsoft Entra ID. Key benefits of hybrid identity include:

- Single sign-on (SSO) experience for users across environments
- Centralized identity management
- Consistent security policies and conditional access
- Simplified user provisioning and deprovisioning
- Support for self-service password reset that writes back to on-premises AD

Hybrid identity is foundational for organizations pursuing digital transformation while maintaining operational continuity with their existing infrastructure.
Hybrid Identity with Microsoft Entra: A Complete Guide for SC-900
Why Is Hybrid Identity Important?
In today's enterprise landscape, most organizations do not operate entirely in the cloud. They maintain on-premises Active Directory Domain Services (AD DS) environments while simultaneously adopting cloud services like Microsoft 365, Azure, and SaaS applications. Hybrid identity bridges this gap by enabling a single user identity that can authenticate and access resources both on-premises and in the cloud. Without hybrid identity, users would need separate credentials for on-premises and cloud resources, leading to poor user experience, increased helpdesk costs, and security vulnerabilities.
For the SC-900 exam, understanding hybrid identity is critical because it falls under the broader topic of capabilities of Microsoft Entra and demonstrates how Microsoft approaches identity as the primary security perimeter in a Zero Trust architecture.
What Is Hybrid Identity with Microsoft Entra?
Hybrid identity is the process of connecting your on-premises Active Directory with Microsoft Entra ID (formerly Azure Active Directory) so that users have a single, consistent identity across both environments. This unified identity allows users to sign in once and access both on-premises applications and cloud services seamlessly.
The key component that enables hybrid identity is Microsoft Entra Connect (formerly Azure AD Connect) and its newer version, Microsoft Entra Connect Sync. These tools synchronize user accounts, groups, and other objects from on-premises AD DS to Microsoft Entra ID.
How Does Hybrid Identity Work?
There are three primary authentication methods available in a hybrid identity setup. Understanding all three is essential for the SC-900 exam:
1. Password Hash Synchronization (PHS)
- This is the simplest method of hybrid authentication.
- Microsoft Entra Connect takes a hash of the user's on-premises password hash and synchronizes it to Microsoft Entra ID.
- When a user signs into a cloud service, Microsoft Entra ID validates the password against the synchronized hash.
- The actual password never leaves the on-premises environment; only a hash of the hash is synchronized.
- PHS also enables leaked credential detection, where Microsoft can compare synchronized hashes against known compromised credentials on the dark web.
- This method provides the least on-premises infrastructure dependency because authentication happens entirely in the cloud.
2. Pass-Through Authentication (PTA)
- With PTA, when a user signs into a cloud service, the authentication request is forwarded to the on-premises environment.
- A lightweight agent installed on one or more on-premises servers validates the user's credentials directly against on-premises Active Directory.
- The password is never stored in the cloud in any form.
- This method is preferred by organizations with security policies that require passwords to be validated on-premises.
- PTA requires that on-premises infrastructure be available for authentication to succeed.
3. Federation (with AD FS or third-party providers)
- Federation is the most complex method but provides the most control.
- Microsoft Entra ID redirects the authentication request to a federated identity provider, such as Active Directory Federation Services (AD FS).
- The federated identity provider handles all authentication, and a security token is passed back to Microsoft Entra ID.
- Federation supports advanced scenarios like smartcard-based authentication, third-party MFA solutions, and complex on-premises authentication policies.
- This method requires significant on-premises infrastructure (AD FS servers, Web Application Proxy servers).
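To make the three flows concrete, here is an added Python model of PHS, PTA and Federation. It is example code written for this guide, not code from the page, from Microsoft, or from any Entra component. It also illustrates two points made later in the guide: why PHS is recommended as a backup when on-premises infrastructure is down, and that only PHS leaves password-derived material in the cloud. Assumptions: SHA-256 stands in for the MD4-based hash that AD DS actually stores (MD4 is often unavailable in modern OpenSSL builds); the 10-byte salt and 1000 PBKDF2 iterations, the test user, password and AD FS issuer URL are all constructed for the demo.

```python
"""Toy model of hybrid authentication: PHS, PTA and Federation (example code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def onprem_password_hash(password: str) -> bytes:
    """Stand-in for the first-level hash AD DS stores on-premises.

    Real AD DS stores an MD4 hash of the UTF-16LE password; this toy uses SHA-256
    over the same encoding (assumption). Nothing below depends on the primitive.
    """
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class OnPremAD:
    """On-premises Active Directory: the only place the first-level hash lives."""

    def __init__(self) -> None:
        self.hashes: Dict[str, bytes] = {}
        self.online = True  # set to False to simulate an on-premises outage

    def add_user(self, upn: str, password: str) -> None:
        self.hashes[upn] = onprem_password_hash(password)

    def validate(self, upn: str, password: str) -> bool:
        if not self.online:
            raise ConnectionError("on-premises AD DS unreachable")
        stored = self.hashes.get(upn)
        return stored is not None and hmac.compare_digest(stored, onprem_password_hash(password))


def phs_record(onprem_hash: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What Entra Connect would synchronise under PHS: a salted, iterated hash of the
    on-premises hash (the 'hash of the hash'), never the password itself.
    Salt length and iteration count are this toy's assumptions, not values from the page."""
    salt = salt if salt is not None else os.urandom(10)
    return salt, hashlib.pbkdf2_hmac("sha256", onprem_hash, salt, 1000)


def adfs_issue_token(onprem: OnPremAD, upn: str, password: str) -> Optional[dict]:
    """Toy federated IdP (AD FS): authenticate on-premises, then issue a claims token."""
    if onprem.validate(upn, password):
        return {"iss": "https://adfs.example.invalid", "upn": upn}  # constructed issuer
    return None


class EntraIDModel:
    """Cloud identity provider configured for exactly one of PHS, PTA or Federation."""

    def __init__(self, onprem: OnPremAD, method: str) -> None:
        assert method in ("PHS", "PTA", "Federation")
        self.onprem = onprem
        self.method = method
        self.phs_store: Dict[str, Tuple[bytes, bytes]] = {}

    def run_entra_connect_sync(self) -> None:
        """Only a PHS deployment copies password-derived material to the cloud."""
        if self.method == "PHS":
            for upn, h in self.onprem.hashes.items():
                self.phs_store[upn] = phs_record(h)

    def cloud_holds_password_material(self) -> bool:
        return bool(self.phs_store)

    def sign_in(self, upn: str, password: str) -> str:
        """Returns 'success', 'denied' or 'unavailable' (on-premises dependency down)."""
        try:
            if self.method == "PHS":
                # Validation happens entirely in the cloud: recompute the hash of the hash.
                if upn not in self.phs_store:
                    return "denied"
                salt, expected = self.phs_store[upn]
                _, actual = phs_record(onprem_password_hash(password), salt)
                ok = hmac.compare_digest(expected, actual)
            elif self.method == "PTA":
                # The PTA agent forwards the credential check to on-premises AD DS.
                ok = self.onprem.validate(upn, password)
            else:
                # Federation: Entra ID redirects to AD FS, which authenticates against
                # AD DS and hands back a token; Entra ID never sees the password.
                ok = adfs_issue_token(self.onprem, upn, password) is not None
        except ConnectionError:
            return "unavailable"
        return "success" if ok else "denied"


def outage_comparison() -> Dict[str, str]:
    """Sign-in result per method while on-premises AD DS is unreachable."""
    results = {}
    for method in ("PHS", "PTA", "Federation"):
        ad = OnPremAD()
        ad.add_user("alice@contoso.example", "Correct-Horse-9")  # constructed test user
        idp = EntraIDModel(ad, method)
        idp.run_entra_connect_sync()
        ad.online = False
        results[method] = idp.sign_in("alice@contoso.example", "Correct-Horse-9")
    return results


if __name__ == "__main__":
    print(outage_comparison())
```

Run it and `outage_comparison()` reports PHS succeeding while PTA and Federation return `unavailable`, which is exactly why Microsoft's guidance in this guide is to keep PHS enabled as a backup. Inspecting `cloud_holds_password_material()` on each model shows that only the PHS deployment holds anything password-derived in the cloud, and even that is a salted second-level hash rather than the on-premises hash itself.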
Microsoft Entra Connect and Microsoft Entra Connect Cloud Sync
There are two synchronization tools to be aware of:
Microsoft Entra Connect (formerly Azure AD Connect):
- Installed on an on-premises server.
- Handles synchronization of identities between on-premises AD DS and Microsoft Entra ID.
- Supports PHS, PTA, and Federation configurations.
- Provides features like password writeback, device writeback, and group writeback.
Microsoft Entra Cloud Sync (formerly Azure AD Connect Cloud Sync):
- Uses a lightweight provisioning agent on-premises.
- The synchronization engine runs in the cloud rather than on-premises.
- Designed for simpler scenarios and multi-forest environments.
- Supports PHS as the authentication method.
- Easier to deploy and manage compared to the full Microsoft Entra Connect.
Key Concepts for the SC-900 Exam
Seamless Single Sign-On (Seamless SSO):
- Can be enabled alongside PHS or PTA.
- Automatically signs users in when they are on corporate devices connected to the corporate network.
- Users do not need to type their passwords to sign into Microsoft Entra ID and cloud apps.
Password Writeback:
- Allows password changes or resets made in the cloud (via Microsoft Entra Self-Service Password Reset) to be written back to the on-premises Active Directory.
- Ensures password consistency across environments.
Common Scenarios and Considerations:
- PHS is recommended as a backup authentication method even when PTA or Federation is the primary method, ensuring users can still authenticate if on-premises infrastructure goes down.
- PHS enables Microsoft Entra ID Protection's leaked credentials report.
- Federation is typically chosen only when there are specific requirements that PHS and PTA cannot meet.
Exam Tips: Answering Questions on Hybrid Identity with Microsoft Entra
Tip 1: Know the three authentication methods and their differences.
The SC-900 exam frequently tests your understanding of PHS, PTA, and Federation. Remember: PHS is the simplest and most resilient; PTA validates credentials on-premises without storing password data in the cloud; Federation offers the most control but is the most complex.
Tip 2: Understand which method stores password data in the cloud.
Only PHS stores any form of password information in the cloud (a hash of the hash). PTA and Federation do not store passwords in the cloud at all. Exam questions may test this distinction.
Tip 3: Remember that PHS enables leaked credential detection.
If a question asks about detecting compromised credentials, the answer likely involves PHS, because Microsoft compares the synchronized hashes against known compromised credentials.
Tip 4: Know the role of Microsoft Entra Connect vs. Cloud Sync.
Exam questions may ask about the differences. Microsoft Entra Connect is the full-featured synchronization tool, while Cloud Sync is a lighter, cloud-managed alternative. Cloud Sync runs the sync engine in the cloud; Entra Connect runs it on-premises.
Tip 5: Seamless SSO is a companion feature, not a standalone authentication method.
Seamless SSO works with PHS or PTA. It is not a separate authentication method. If a question presents it as a standalone option for hybrid identity authentication, it is likely a distractor.
Tip 6: Federation is for specific, advanced requirements.
If an exam scenario describes a need for smartcard authentication, third-party MFA at the identity provider level, or complex claims-based rules, the answer is likely Federation with AD FS.
Tip 7: Password writeback requires Microsoft Entra Connect.
If a question mentions self-service password reset writing changes back to on-premises AD, the answer involves password writeback configured through Microsoft Entra Connect.
Tip 8: PHS is recommended as a disaster recovery backup.
Microsoft recommends enabling PHS as a backup even when using PTA or Federation. If an exam question asks about ensuring authentication availability during on-premises outages, PHS as a backup is the correct answer.
Tip 9: Focus on the concept, not deep technical configuration.
SC-900 is a fundamentals exam. You need to understand what hybrid identity is, why it matters, and which method to choose in a given scenario. You will not be asked to configure Microsoft Entra Connect step by step.
Tip 10: Link hybrid identity to Zero Trust.
Microsoft frames identity as the new security perimeter. Hybrid identity ensures consistent policy enforcement, conditional access, and MFA across all resources. If a question connects hybrid identity to broader security strategy, think Zero Trust and identity-centric security.
Summary Table for Quick Review:
| Component | Key points |
| --- | --- |
| PHS | Simplest, most resilient, enables leaked credential detection, password hash stored in cloud |
| PTA | Validates on-premises, no password data in cloud, requires on-premises agents to be available |
| Federation | Most complex, most control, requires AD FS or third-party IdP infrastructure |
| Seamless SSO | Works with PHS or PTA, automatic sign-in on corporate network |
| Microsoft Entra Connect | Full sync tool, installed on-premises |
| Microsoft Entra Cloud Sync | Lightweight agent, sync engine in cloud, simpler scenarios |
By understanding these concepts and their relationships, you will be well-prepared to answer any SC-900 exam question on hybrid identity with Microsoft Entra.