What is hybrid identity?

Today, businesses and corporations are increasingly running a mixture of on-premises and cloud applications. Users require access to those applications both on-premises and in the cloud, and meeting that requirement has become a challenging scenario.

Microsoft’s identity solutions span on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.

To achieve hybrid identity, one of three authentication methods can be used, depending on your scenarios. The three methods are password hash synchronization (PHS), pass-through authentication (PTA), and federated single sign-on with AD FS.

These authentication methods also provide single sign-on capabilities. Single sign-on automatically signs your users in when they are on their corporate devices, connected to your corporate network.

For additional information, see Choose the right authentication method for your Azure Active Directory hybrid identity solution.

Common scenarios and recommendations

Here are some common hybrid identity and access management scenarios with recommendations as to which hybrid identity option (or options) might be appropriate for each.

| I need to: | PHS and SSO¹ | PTA and SSO² | AD FS³ |
|:-----|:-----|:-----|:-----|
| Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically. | Recommended | Recommended | Recommended |
| Set up my tenant for Office 365 hybrid scenarios | Recommended | Recommended | Recommended |
| Enable my users to sign in and access cloud services using their on-premises password | Recommended | Recommended | Recommended |
| Implement single sign-on using corporate credentials | Recommended | Recommended | Recommended |
| Ensure no password hashes are stored in the cloud | | Recommended | Recommended |
| Enable cloud multi-factor authentication solutions | Recommended | Recommended | |
| Enable on-premises multi-factor authentication solutions | | | Recommended |
| Support smartcard authentication for my users⁴ | | | Recommended |
| Display password expiry notifications in the Office Portal and on the Windows 10 desktop | | | Recommended |

¹ Password hash synchronization with single sign-on.

² Pass-through authentication and single sign-on.

³ Federated single sign-on with AD FS.

⁴ AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be soft certificates deployed via trusted provisioning channels such as MDM or GPO, smartcard certificates (including PIV/CAC cards), or Windows Hello for Business (cert-trust). For more information about smartcard authentication support, see this blog.

Next Steps