As the move to the cloud gathers steam, corporations are finding themselves supporting a mixture of on-prem and cloud applications. Users obviously are finding themselves requiring access to those applications as well. This, of course, becomes a challenge to implement. The identity solutions we previously discussed are solutions that span on-prem and cloud-based capabilities. Leveraging these solutions allows an organization to create a common user identity for authentication and authorization to all resources, regardless of whether they are on-prem or in the cloud. This concept is called hybrid identity. Achieving hybrid identity requires the development of one of three authentication methods. The authentication method that is deployed is dependent on the specific scenario being addressed. The three authentication methods include Password Hash Synchronization, Pass-Through Authentication, and Federation. Password Hash Synchronization is also referred to as PHS, while Pass-Through Authentication is referred to as PTA. Federation is referred to as, well, Federation. Password hash synchronization is a sign-in method used as part of a hybrid identity solution. This is accomplished with Azure AD Connect by synchronizing a hash, of the hash, of a user's on-prem AD password to a cloud-based Azure AD instance. This feature is useful for signing in to Azure AD services like Office 365 with the same password as an on-prem AD account, which reduces end-user impact. The password hash synchronization strategy reduces, to just one, the number of passwords that an organization's users need to maintain. As such, password hash synchronization can improve user productivity and reduce helpdesk costs. Password hash synchronization, which is the most common hybrid identity solution, requires an organization to install Azure AD Connect. 

Once Azure AD Connect is installed, directory synchronization between the on-prem Active Directory instance and the Azure Active Directory instance is configured. As part of the synchronization configuration, password hash synchronization is enabled. Azure AD Pass-through Authentication, or PTA, much like Password Hash Synchronization, allows users to sign in to both on-prem and cloud-based apps with the same password. And much like password hash synchronization, this option offers a better end user experience. However, pass-through authentication validates user passwords directly against the on-prem Active Directory, instead of using a synced password hash. A key benefit of pass-through authentication over password hash synchronization is that it affords organizations the ability to enforce their on-prem AD security and password policies, since pass-through authentication is actually leveraging the on-prem credentials. By combining Pass-through Authentication with Seamless Single Sign-On, organizations can allow users to access applications on corporate machines inside the network without the need to type in their passwords again. Azure AD Pass-through Authentication provides an improved end-user experience because it offers end users the ability to complete self-service password management tasks in the cloud. Deployment and administration are easy because Pass-Through Authentication only requires a lightweight agent to be installed on-prem. Since the agent automatically receives updates, there is no management overhead. Pass-Through Authentication offers improved security over Password Hash Synchronization because on-prem passwords are never stored in the cloud. 

Because it works with Azure AD Conditional Access policies, including MFA, Pass-Through Authentication offers additional account protection. Another benefit of Pass-Through Authentication is the fact that the agent only makes outbound connections from the network, removing all requirements for a DMZ as part of a solution. Communication between the on-prem agent and Azure AD is secured via cert-based authentication, which adds another layer of security. Further, the certificates that are used are automatically renewed every few months by Azure AD, removing the requirement to manually maintain them. In addition to high security, Azure AD Pass-Through Authentication offers high availability by allowing the installation of additional agents on multiple on-prem servers. Federation is a bit different from the other two solutions. It is a collection of domains with an established trust, which typically includes authentication, and almost always includes authorization. In a common configuration, a federation might include multiple organizations that have established trust for shared access to a specific set of resources. Federating an on-prem environment with Azure AD allows and organization to use the federation for authentication and authorization. Federation ensures that all user authentication happens on-prem and it provides administrators with the ability to implement more rigorous levels of access control. Federation with ADFS and PingFederate is available. To protect against a failure of the ADFS infrastructure when using federation with ADFS, organizations can set up password hash synchronization, or PHS, as a backup. Doing so allows authentication to continue, despite an ADFS infrastructure failure. All three of these authentication methods including PHS, PTA, and Federation provide single-sign on capabilities, which automatically signs users in when they are on their corporate devices inside the corporate network.