Despite the industry's relentless push toward cloud-only infrastructure, the reality for most Australian organisations is far more nuanced. According to Microsoft's own data, over 90% of enterprise customers maintain some form of on-premises Active Directory alongside Microsoft Entra ID (formerly Azure AD). Whether due to legacy applications, regulatory requirements, or the practical realities of phased cloud migration, hybrid identity is not a transitional state for most businesses -- it is the operating model for years to come.
Managing hybrid identity poorly leads to security gaps, user frustration, and compliance failures. Managing it well provides a seamless, secure experience where users authenticate once and access both on-premises and cloud resources without friction. This guide covers the practical considerations for syncing Entra ID with on-premises Active Directory, the authentication options available, and the path toward an eventual cloud-only future.
Key Takeaway
Hybrid identity is not a compromise -- it is a pragmatic approach that acknowledges business reality. The goal is not to rush to cloud-only identity, but to ensure your hybrid environment is secure, well-governed, and provides a seamless experience for users.
Why Hybrid Identity Is Still Necessary
The pressure to move "everything to the cloud" often overlooks genuine technical and business constraints:
- Legacy applications -- Many line-of-business applications, particularly in healthcare, manufacturing, and government, require Windows Integrated Authentication (Kerberos/NTLM) against an on-premises AD domain. These cannot simply be pointed at Entra ID.
- Network-dependent services -- Print servers, file shares, RADIUS authentication for Wi-Fi, and network policy servers often depend on on-premises AD.
- Regulatory requirements -- Some industries require certain systems to remain on-premises or within specific network boundaries. APRA-regulated financial institutions, for example, may have specific requirements around identity infrastructure.
- Phased migration -- Cloud migration is rarely a "big bang" event. Most organisations migrate workloads progressively over 12-36 months, requiring hybrid identity throughout the transition.
- Acquired businesses -- Mergers and acquisitions often bring additional AD forests that must be integrated before consolidation to cloud-only is feasible.
Entra Connect Sync vs Cloud Sync
Microsoft provides two synchronisation tools for connecting on-premises AD with Entra ID. Understanding their differences is essential for choosing the right approach.
| Capability | Entra Connect Sync | Entra Cloud Sync |
|---|---|---|
| Architecture | On-premises agent (heavyweight) | Lightweight cloud-provisioning agent |
| Multi-forest support | Yes (single server per topology) | Yes (multiple agents supported) |
| Password Hash Sync | Yes | Yes |
| Pass-Through Authentication | Yes | No |
| Federation (AD FS) | Yes | No |
| Group writeback | Yes | Limited |
| Device writeback | Yes | No |
| Exchange hybrid | Full support | Limited |
| Filtering (OU/attribute) | Extensive | OU-based scoping |
| High availability | Staging server (manual failover) | Multiple agents (automatic failover) |
| Management | On-premises Sync Manager | Cloud-managed via Entra portal |
Entra Connect Sync remains the choice for organisations with complex topologies, Exchange hybrid deployments, or requirements for pass-through authentication and device writeback. Entra Cloud Sync is better suited to simpler environments, multi-forest scenarios requiring lightweight deployment, and organisations that want cloud-managed synchronisation.
Key Takeaway
Microsoft is investing heavily in Entra Cloud Sync as the future synchronisation platform. For new deployments or organisations planning to simplify their hybrid topology, Cloud Sync should be the default consideration. Entra Connect Sync remains necessary for complex, feature-rich scenarios.
Authentication Options: PHS, PTA, and Federation
How users authenticate in a hybrid environment is one of the most consequential design decisions. Microsoft supports three authentication models:
Password Hash Synchronisation (PHS)
PHS synchronises a salted, re-hashed form of the on-premises password hash to Entra ID; the clear-text password itself is never sent. Authentication happens entirely in the cloud, meaning it works even if your on-premises infrastructure is offline. Microsoft recommends PHS as the primary authentication method for most organisations because it is the simplest to deploy, requires no on-premises infrastructure for authentication, and enables Entra ID Protection features such as leaked credential detection.
Pass-Through Authentication (PTA)
PTA validates passwords against on-premises AD in real time via lightweight agents. Authentication decisions are made on-premises, meaning password policies, account lockout, and logon hours are enforced by the on-premises domain controller. PTA is suitable for organisations with regulatory requirements that passwords (or their hashes) must not be stored outside their network boundary, though it introduces a dependency on on-premises availability for cloud authentication.
Federation (AD FS)
Federation delegates authentication entirely to an on-premises AD FS farm. This was historically the only option for hybrid authentication but has largely been superseded by PHS and PTA. Federation remains relevant for organisations that require smart card authentication, third-party MFA integration, or advanced claims-based access rules. However, AD FS infrastructure is complex, expensive to maintain, and represents a single point of failure if not properly architected.
Seamless Single Sign-On (SSO)
Regardless of the authentication method chosen, Seamless SSO provides domain-joined users with automatic sign-in to cloud resources without prompting for credentials. When a user on a domain-joined device accesses a cloud application, Seamless SSO uses Kerberos tickets to authenticate silently with Entra ID.
Seamless SSO works with both PHS and PTA (it is not needed with federation, which provides its own SSO). It requires no additional infrastructure -- just a computer account object in on-premises AD and configuration in Entra Connect. For end users, the experience is seamless: they sign in to their Windows device once and access both on-premises and cloud applications without additional prompts.
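The "computer account object" that Seamless SSO relies on is a shared Kerberos secret between your forest and Entra ID, so it needs the same periodic rotation discipline as any other long-lived key. The following is an added example, not code from the original article or from Microsoft's documentation verbatim: it rolls over that key using the AzureADSSO module that ships with Entra Connect. It assumes the default Entra Connect install path, the default AZUREADSSOACC account name, and that you run it on the Entra Connect server with on-premises Domain Admin rights.

```powershell
# Added example: roll over the Seamless SSO Kerberos decryption key.
# Run on the Entra Connect server. Module path assumes the default install location.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"

# Sign in to Entra ID; prompts for a Hybrid Identity Administrator account.
New-AzureADSSOAuthenticationContext

# Show which forests currently have Seamless SSO enabled (status is returned as JSON).
$ssoStatus = Get-AzureADSSOStatus | ConvertFrom-Json
$ssoStatus.Domains

# On-premises Domain Admin credentials must be in SAM account name form (DOMAIN\username).
$onPremCred = Get-Credential -Message "On-premises Domain Admin (DOMAIN\username)"

# Roll over the key: resets the AZUREADSSOACC password in AD and pushes the new key to Entra ID.
Update-AzureADSSOForest -OnPremCredentials $onPremCred

# Verify locally that the computer account's password was just reset.
Get-ADComputer -Identity "AZUREADSSOACC" -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

Schedule this as a recurring task (Microsoft's guidance is at least every 30 days) and alert if `PasswordLastSet` on the AZUREADSSOACC object falls outside that window; a stale key is a silent configuration drift that no user-facing symptom will reveal.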
Conditional Access in Hybrid Environments
Conditional Access is the policy engine that governs who can access what, from where, on which devices, and under what conditions. In hybrid environments, Conditional Access extends cloud-grade security controls to scenarios involving on-premises resources.
Key Conditional Access considerations for hybrid environments:
- Hybrid Azure AD-joined devices -- Require device compliance or hybrid join as a grant control, ensuring only managed devices access sensitive resources
- Named locations -- Define your office networks as trusted locations and apply stricter controls (MFA, device compliance) for access from unknown locations
- Risk-based policies -- Leverage Entra ID Protection to detect risky sign-ins (impossible travel, anonymous proxies, leaked credentials) and automatically require MFA or block access
- Application-specific policies -- Apply different controls based on application sensitivity. Access to email may require MFA; access to HR or finance systems may additionally require a compliant device.
- Session controls -- Enforce limited session durations, prevent download of sensitive data on unmanaged devices, or require re-authentication for privileged operations
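The named-location and MFA considerations above translate directly into a policy object. As an added example (not from the original article), the script below creates a Conditional Access policy with Microsoft Graph PowerShell that requires MFA for all users and all applications except when the sign-in originates from a trusted named location. It starts in report-only mode, and it excludes a break-glass account whose object ID is a placeholder you must replace. The `AllTrusted` alias refers to every named location you have marked as trusted.

```powershell
# Added example: report-only Conditional Access policy, "MFA outside trusted locations".
# Requires the Microsoft.Graph PowerShell SDK. Replace the placeholder object ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassObjectId = "<object-id-of-break-glass-account>"   # placeholder, always exclude

$policy = @{
    displayName = "CA01 - Require MFA outside trusted locations"
    # Report-only: evaluate and log, but do not enforce, until sign-in logs confirm the scope is right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # built-in alias for all trusted named locations
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

To express the "application-specific" tier described above (for example, HR or finance systems requiring a compliant device as well as MFA), clone the object, set `includeApplications` to those app IDs, and use `operator = "AND"` with `builtInControls = @("mfa", "compliantDevice")`. Review the report-only results in the sign-in logs before switching `state` to `"enabled"`.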
For a deeper exploration of zero trust principles that underpin Conditional Access, see our guide on Zero Trust Architecture Implementation for SMBs.
Migration Path to Cloud-Only Identity
While hybrid identity is the present for most organisations, cloud-only identity is the strategic destination. Planning the migration path now -- even if full execution is years away -- ensures each decision moves you in the right direction.
The typical migration path follows these stages:
- Stage 1: Hybrid with PHS -- Synchronise identities, enable PHS for cloud authentication, deploy Conditional Access and MFA. This is where most organisations should start.
- Stage 2: Application modernisation -- Migrate legacy applications from Kerberos/NTLM authentication to modern protocols (SAML, OIDC, OAuth). Replace on-premises file shares with SharePoint Online or Azure Files with Entra ID authentication.
- Stage 3: Infrastructure migration -- Migrate domain-joined servers to cloud-managed alternatives. Replace on-premises print servers with Universal Print. Move RADIUS authentication to cloud-based alternatives.
- Stage 4: AD decommission -- Once all dependencies are removed, decommission on-premises domain controllers. Entra ID becomes the sole identity provider.
Common Pitfalls in Hybrid Identity
Based on our experience managing hybrid identity for hundreds of Australian organisations, these are the most common mistakes:
- Not enabling PHS alongside PTA or federation -- Even if PTA or federation is your primary authentication method, enabling PHS as a backup ensures users can authenticate if on-premises infrastructure fails. It also enables leaked credential detection.
- Ignoring Entra Connect server maintenance -- The Entra Connect server requires regular patching, monitoring, and version updates. Neglecting it can result in synchronisation failures, security vulnerabilities, or incompatibility with new Entra ID features.
- Over-syncing objects -- Synchronise only the users, groups, and contacts that need cloud access. Syncing test accounts, disabled accounts, or service accounts unnecessarily increases your cloud attack surface and licence costs.
- Not implementing Privileged Identity Management (PIM) -- In hybrid environments, privileged accounts are high-value targets. PIM provides just-in-time elevation, approval workflows, and time-limited access for administrative roles.
- Delaying MFA deployment -- Some organisations defer MFA until their hybrid environment is "stable." This is a critical mistake. MFA should be the first control deployed, not the last.
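The first three pitfalls (no PHS fallback, an unmaintained Entra Connect server, and over-syncing) are all detectable with a short audit. The following is an added example and not code from the original article: part 1 runs on the Entra Connect server with the ADSync module and checks scheduler health and whether PHS is enabled; part 2 runs anywhere with Microsoft Graph PowerShell and lists synced accounts that are disabled on-premises yet still exist in Entra ID, grouped by source OU so you can see where OU filtering would cut the most. The connector name is a placeholder taken from `Get-ADSyncConnector` output.

```powershell
# Added example, part 1: sync health and PHS status (run on the Entra Connect server).
Import-Module ADSync

# Scheduler state: is sync enabled, is a cycle stuck, is this box in staging mode?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, SyncCycleInProgress, StagingModeEnabled,
                  NextSyncCycleStartTimeInUTC, CurrentlyEffectiveSyncCycleInterval

# Connectors with a run currently in progress (empty output means the engine is idle).
Get-ADSyncConnectorRunStatus

# Recent run history; look for any run whose result is not "success".
Get-ADSyncRunProfileResult -NumberRequested 10 | Format-List

# Connector names differ per tenant; list them and set the AD connector name below.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName
$adConnector = "contoso.local"   # placeholder: the on-premises AD connector name

# Is password hash sync enabled from this forest? Should be $true even when PTA or
# federation is the primary method, so PHS can act as the fallback described above.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector

# Added example, part 2: over-sync audit via Microsoft Graph (run from any admin workstation).
Connect-MgGraph -Scopes "User.Read.All"

$syncedDisabled = Get-MgUser -All `
    -Filter "onPremisesSyncEnabled eq true and accountEnabled eq false" `
    -Property UserPrincipalName, AccountEnabled, OnPremisesDistinguishedName, AssignedLicenses

# Per-account view: disabled on-premises but still present (and possibly licensed) in the cloud.
$syncedDisabled |
    Select-Object UserPrincipalName, OnPremisesDistinguishedName,
                  @{ n = "Licensed"; e = { $_.AssignedLicenses.Count -gt 0 } } |
    Format-Table -AutoSize

# Per-OU view: which containers contribute the most disabled synced objects?
$syncedDisabled |
    Group-Object { ($_.OnPremisesDistinguishedName -split ',', 2)[1] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Disabled accounts that are still synced and licensed are the cheapest win: moving them to an OU excluded from the sync scope removes both the licence cost and the cloud-side object. Run part 1 on a schedule and alert on `SyncCycleEnabled` being `$false` or `SyncCycleInProgress` staying `$true` across several intervals, which are the usual signs of a stalled or neglected Entra Connect server.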
How Precision IT Manages Hybrid Identity
As a Microsoft Solutions Partner with deep expertise in Entra ID and Active Directory, Precision IT manages hybrid identity environments for organisations across Australia. Our services include:
- Identity assessment and roadmap -- Evaluate your current identity architecture, identify gaps, and create a phased plan toward your target state
- Entra Connect deployment and migration -- Design, deploy, or migrate synchronisation infrastructure with minimal disruption
- Conditional Access implementation -- Design and deploy risk-based access policies that balance security with user experience
- Privileged Identity Management -- Implement PIM for just-in-time access to privileged roles, reducing standing administrative privileges
- 24/7 identity monitoring -- Continuous monitoring of synchronisation health, risky sign-ins, and identity-based threats through Microsoft Sentinel
- Cloud migration planning -- Guide your organisation along the path from hybrid to cloud-only identity at the right pace for your business
Need help securing your hybrid identity environment? Explore our managed IT services, or book a consultation with our identity and access management specialists.