From AD to Azure AD – Your Hybrid Identity Journey

April 16, 2020 Troy Micka

For the last twenty years, if you ran a Windows network then you generally used Active Directory to handle your authentication and authorization for users and computers. Historically, this design model has worked well in the four walls of the business and when networks were managed and controlled by the organization’s IT department. As the demands for businesses to go faster, do more and reduce costs have driven businesses to adopt mobile-first and cloud-first mentalities, the design model for Active Directory falls short of where business needs are headed. If Active Directory alone cannot solve this problem what solution should you use?

Identity is the new control plane!

What is Hybrid Identity?

Hybrid Identity represents an identity solution that spans both on-premise systems and cloud-based systems to weave together a common user and system identity for authentication and authorization of resources regardless of location. For Microsoft environments, this solution is Azure Active Directory (Azure AD, AAD) together with Azure AD Connect. Azure AD Connect is Microsoft’s directory integration engine to allow your on-premise Active Directory to communicate with Azure AD.

Why should I choose Hybrid Identity?

You might be thinking, “If I’m moving everything to the cloud, then why do I need hybrid identity?” This question often comes up when we don’t remember all the infrastructure that supports our on-premises systems and networks. Those components are all tied back to our Active Directory infrastructure and have been the beating heart of your enterprise identity solution for years.

When we go to the cloud and begin to leverage Azure AD to create and connect new applications and experiences for our users, we should be careful to avoid creating another silo for identity. A different login for every application leads to headaches at the help desk from an abundance of password resets. One login for multiple applications provides a better user experience. This rotation and lack of uniformity leads to increased help desk calls for password resets because users lock themselves out of systems. At the end of the day humans are not good at managing strong, complex, and separate passwords for different systems.

But what if we could just use our existing Active Directory identity system and extend it into the cloud in a secure and reliable way. This is where Hybrid Identity solutions come into the picture to help ease this transition and ensure your business stays secure.

Choosing a path to Hybrid Identity

Determining which path to take to start your hybrid identity journey can often seem daunting. There are several paths that you can take for starting your hybrid identity journey. As your business grows and changes over time you may find that you move from one path to another. That is ok. No one path is a go-to for all companies and each has their strengths.

Pass-through Sign On

Azure Active Directory Pass-through authentication is a relatively new option to the hybrid identity paths offered by Azure AD that went Generally Available at Ignite in 2017. Pass-through authentication is a good fit for organizations wanting to enforce their on-premises Active Directory security and password policies for authentication while also being able to leverage Azure AD. In this model, users that access applications connected with Azure AD will have their authentication request passed through to their on-premises Active Directory for validation via Azure AD Connect and then have their validated session passed back to Azure AD to continue the logon flow. Pass-through sign on allows you to maintain the control you have on your on-premises Active Directory without requiring you to do as much setup as Federation and without requiring you to sync your password hashes to the cloud.


Federation with Azure AD allows organizations with complex authentication scenarios or with applications that are not supported for authentication with Azure AD directly to be able to integrate their identities across both their on-premises Active Directory and their cloud-based Azure AD tenant. The most common and straight forward setup for Federation with Azure AD is by setting up Active Directory Federation Services (ADFS) using the Azure AD Connect wizard through its guided step-by-step process. Federation gives you the most control over your authentication process. but comes with the complexity of managing a federation infrastructure.

Password Hash Sync

Password hash synchronization is one of the easiest setup options for hybrid identity when your requirements for authentication and authorization are low. Azure AD Connect synchronizes a hash, of the hash, of a user’s password from your on-premises Active Directory instance to your cloud-based Azure AD instance. Password hash synchronization helps by reducing the number of passwords, your users need to maintain to just one. When a user initiates a logon flow with Azure AD their login information will be validated in Azure AD without having to contact your on-premise Active Directory. Password Hash Sync has the lowest bar of entry to getting started with hybrid identity but also has the least customization options available.

Want to get started on your Identity journey today? Click here to get the conversation started.

At New Signature, we’re huge believers in helping companies create more business value through Azure and DevOps. I also believe that to be an effective and high-performing organization, having a strong identity foundation is key to accelerating cloud adoption. From figuring out where to start your Hybrid Identity Journey to initial implementation and beyond, we would love to partner with you along your journey. We’ll set you in the right direction and work with you along the way to ensure a successful transition.

Previous Article
Virgin Atlantic Airways Case Study
Virgin Atlantic Airways Case Study

New Signature takes Virgin Atlantic Airways’ data reporting and analytics into the cloud with Microsoft Azure.

Next Article
This Request Has Been Denied by the Firewall: Configuring Exceptions on Azure Front Door
This Request Has Been Denied by the Firewall: Configuring Exceptions on Azure Front Door

I was recently involved with setting up a website for a not-for-profit. It’s not often I get hands on keybo...