Hybrid identity strategy for Microsoft 365

How to plan the hybrid-identity journey from on-premises AD to Entra ID-only — staged, with the right choices at each stage.

Most organisations with existing on-premises Active Directory can't migrate to Entra ID-only overnight. Hybrid identity — AD and Entra synchronised — is the multi-year transition state most enterprises live in. Designing it well makes the journey tractable; designing it badly creates years of operational debt.

The hybrid identity stack

The components, simplified:

  • On-premises AD DS — the legacy directory. Authenticates Windows endpoints, network resources, line-of-business apps.
  • Microsoft Entra Connect or Cloud Sync — synchronises users, groups, and (optionally) devices from AD to Entra ID.
  • Microsoft Entra ID — the cloud identity provider for Microsoft 365 and SaaS apps.
  • Authentication method — Password Hash Sync, Pass-Through Authentication, or Federation (AD FS).

The strategic choices

Sync engine: Entra Connect or Cloud Sync

  • Entra Connect — mature, supports the complex scenarios (multiple forests, custom sync rules, Exchange hybrid writeback). Heavyweight: one active sync server, with a staging-mode server as a manual failover rather than a second active node.
  • Entra Cloud Sync — lightweight provisioning agents managed from the cloud, several agents run active-active, simpler to operate. Not every Connect scenario is covered yet (some Exchange hybrid writeback needs among them), so check the current feature comparison before committing.

For new deployments, start with Cloud Sync unless a known feature gap forces Connect. For existing Entra Connect, migrate once the scenarios that still need it (typically Exchange hybrid) are decommissioned.

Authentication: PHS, PTA, or Federation

  • Password Hash Sync (PHS) — synchronise a salted, iterated hash of each user's password hash to Entra (the cleartext password never leaves AD); authentication happens in the cloud, so it keeps working when the on-prem environment is down. Simple, and the only method that lets Identity Protection's leaked-credential detection compare against your users' passwords. Microsoft's recommended default.
  • Pass-Through Authentication (PTA) — Entra forwards the password to on-prem agents, which validate it against AD. Needed only if policy says password hashes can't leave on-prem. Adds an agent dependency: run at least three agents on separate hosts, because if they are all unreachable nobody signs in.
  • Federation (AD FS) — sign-in redirects to your AD FS farm. Heavyweight, harder to operate, and the farm's token-signing key is a high-value target: whoever holds it can mint tokens for any user. The historical legacy option; migrate off it unless you have specific requirements.

For new deployments, PHS by default. PTA only if regulatory policy requires it, and enable PHS alongside it as a fallback. Federation: actively migrate away, using staged rollout to move groups of users to PHS before converting the domain, and keep PHS enabled in the meantime so you have an authentication path if AD FS fails.

Device join: Entra-joined, Hybrid-joined, Domain-joined

  • Entra-joined — Windows devices joined to Entra ID, with no on-prem AD dependency. The modern default; supports Intune enrolment, Conditional Access compliance checks, and simpler operation.
  • Entra Hybrid-joined — joined to on-prem AD and registered with Entra ID. A bridge state during migration; the device keeps Kerberos access to on-prem resources while gaining an Entra device identity for cloud management and Conditional Access.
  • Domain-joined only — legacy state. The device has no identity in Entra, so Conditional Access cannot evaluate its state and cloud management is unavailable.

For new deployments, Entra-joined. For existing fleets, migrate to Entra-joined over time.
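A read-only inventory of where a tenant sits on the two choices above, authentication type per domain and join type per Windows device, as an added example using the Microsoft Graph PowerShell SDK. It is not code from the original page. It assumes the Microsoft.Graph modules are installed and that the signed-in account can consent to the read-only scopes listed; it changes nothing in the tenant. Graph only reports Managed versus Federated for a domain, so whether a Managed domain uses PHS or PTA is left as a manual check.

```powershell
# Added example: read-only hybrid identity posture report via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph modules installed; the account can consent to the scopes below.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Organization.Read.All', 'Domain.Read.All', 'Device.Read.All' -NoWelcome

# --- Sync engine: is directory synchronisation on, and is it still running? ---
$org = Get-MgOrganization -Property OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
[pscustomobject]@{
    SyncEnabled = [bool]$org.OnPremisesSyncEnabled
    LastSyncUtc = $org.OnPremisesLastSyncDateTime
    # A sync that has not run for hours usually means a broken or stopped sync server.
    StaleSync   = $org.OnPremisesSyncEnabled -and
                  ($org.OnPremisesLastSyncDateTime -lt (Get-Date).ToUniversalTime().AddHours(-3))
} | Format-List

# --- Authentication: Managed (PHS or PTA) vs Federated, per verified domain ---
# Graph does not say whether a Managed domain uses PHS or PTA; check that on the
# Entra Connect server or in the Entra admin center.
$authReport = foreach ($d in (Get-MgDomain -All | Where-Object IsVerified)) {
    $fed = $null
    if ($d.AuthenticationType -eq 'Federated') {
        $fed = Get-MgDomainFederationConfiguration -DomainId $d.Id
    }
    [pscustomobject]@{
        Domain       = $d.Id
        AuthType     = $d.AuthenticationType
        IssuerUri    = $fed.IssuerUri              # populated only for federated domains
        SignInUri    = $fed.PassiveSignInUri
        MfaBehaviour = $fed.FederatedIdpMfaBehavior
    }
}
$authReport | Format-Table -AutoSize

# --- Device join: how far along the Entra-joined migration is ---
# TrustType values: AzureAd = Entra joined, ServerAd = Entra hybrid joined,
# Workplace = Entra registered (BYOD). Domain-joined-only devices have no Entra
# object at all, so they never appear here; count those in AD instead.
$trustLabel = @{ AzureAd = 'Entra joined'; ServerAd = 'Hybrid joined'; Workplace = 'Registered' }
$windows = Get-MgDevice -All -Property Id, DisplayName, TrustType, OperatingSystem, IsCompliant |
           Where-Object { $_.OperatingSystem -like 'Windows*' }

$deviceReport = $windows | Group-Object TrustType | ForEach-Object {
    [pscustomobject]@{
        JoinType     = $trustLabel[$_.Name]
        Devices      = $_.Count
        Compliant    = ($_.Group | Where-Object IsCompliant).Count
        PercentOfAll = [math]::Round(100 * $_.Count / [math]::Max(1, $windows.Count), 1)
    }
}
$deviceReport | Sort-Object Devices -Descending | Format-Table -AutoSize
```

Run it at the start of each planning cycle and keep the output: the federated-domain count going to zero and the "Entra joined" share rising are the two numbers that show the journey is actually moving.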

The journey

A realistic multi-year journey:

  1. Stand up Entra Connect or Cloud Sync with PHS enabled, even if PTA or federation remains the sign-in method for now. Users have one identity.
  2. Move devices to Entra-joined, or Hybrid-joined as the bridge, and adopt Intune so devices report compliance.
  3. Enable Conditional Access on compliance signals, in report-only mode first, then enforce once the sign-in logs show what it would block.
  4. If you're on federation, move users to PHS in staged-rollout groups, convert the domains to managed, then decommission AD FS.
  5. Reduce on-prem AD scope: migrate line-of-business apps to Entra SSO, retire AD-dependent services.
  6. Cloud-only end state: eventually AD keeps only the residual roles it can't escape (file servers, some legacy apps).
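Step 3 in working form, as an added example that is not from the original page: a Conditional Access policy that requires either an Intune-compliant device or an Entra hybrid joined device for all users and all cloud apps on Windows, created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced. It assumes the Microsoft Graph PowerShell SDK, the scopes listed in the script, and a hypothetical break-glass group ID placeholder that you replace with your own emergency-access group.

```powershell
# Added example: Conditional Access policy for the "compliance signals" step, via Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed; $breakGlassGroupId is a placeholder you must replace.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All' -NoWelcome

$policyName        = 'CA-Device-RequireCompliantOrHybridJoined'
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group

# Refuse to create a duplicate; policies are matched by display name here.
if (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'") {
    throw "Policy '$policyName' already exists; edit it instead of creating a second copy."
}

$policy = @{
    displayName = $policyName
    # Report-only: evaluated and logged in sign-in logs, but blocks nobody.
    # Change to 'enabled' only after reviewing what it would have blocked.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency access
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        platforms      = @{ includePlatforms = @('windows') }  # the fleet being migrated in step 2
    }
    grantControls = @{
        operator        = 'OR'
        # compliantDevice    = Intune-enrolled and compliant (Entra joined or hybrid joined)
        # domainJoinedDevice = Entra hybrid joined, which keeps the bridge state working
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created $($created.DisplayName) ($($created.Id)) in state $($created.State)"
```

Once the Entra-joined migration is complete, drop domainJoinedDevice from the grant controls so hybrid join stops being an accepted signal; that is the point at which the policy reflects the destination rather than the bridge.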

Each step takes months. The destination is cloud-only identity with no production AD, but the residual roles in step 6 are the hardest to retire; many organisations 5–10 years into the journey still run AD for them.

What to do today

If you're at the start: aim for Cloud Sync + PHS + Entra-joined as the destination. Migrate progressively. Resist adding new on-prem AD dependencies — anything new should be designed cloud-first.

The hybrid period isn't a bug; it's a feature of being a real organisation with legacy assets. Manage it deliberately, with a clear destination, and the journey gets shorter year by year.