Hybrid Identities
Start course
1h 41m

This Designing for Azure Identity Management course will guide you through the theory and practice of recognizing, implementing, and deploying the services on offer within your enterprise. Learn how to better the protection of your organization by designing advanced identity management solutions. Recommended for those who already have some experience with the subject, this course is comprised of 24 lectures, including demos, and expertly instructed by one of our MS Azure subject matter experts.

Learning Objectives

  • Study and understand what Azure AD Domain Services do and what they can offer
  • Learn to create and manage hybrid identities via Azure AD Connect 
  • Understand the principles of Azure MFA and SSO, and how to enable them
  • Recognize and deploy the key principles of Azure AD B2B and B2C 
  • Learn and utilize Privileged Identity Management

Intended Audience

This course is intended for:

  • IT professionals who are interested in getting certified with MS Azure
  • Those looking to become Azure architects and/or tasked with designing identity management solutions


  • A mid-range knowledge of MS Azure is recommended before starting this course
  • An understanding of identity management concepts

Related Training Content

For more courses related to MS Azure, visit our dedicated Content Training Library.





As the move to the cloud gathers steam, corporations are finding themselves supporting a mixture of on-prem and cloud applications. Users obviously are finding themselves requiring access to those applications as well. This, of course, becomes a challenge to implement. The identity solutions we previously discussed are solutions that span on-prem and cloud-based capabilities. Leveraging these solutions allows an organization to create a common user identity for authentication and authorization to all resources, regardless of whether they are on-prem or in the cloud. This concept is called hybrid identity. Achieving hybrid identity requires the development of one of three authentication methods. The authentication method that is deployed is dependent on the specific scenario being addressed. The three authentication methods include Password Hash Synchronization, Pass-Through Authentication, and Federation. Password Hash Synchronization is also referred to as PHS, while Pass-Through Authentication is referred to as PTA. Federation is referred to as, well, Federation. Password hash synchronization is a sign-in method used as part of a hybrid identity solution. This is accomplished with Azure AD Connect by synchronizing a hash, of the hash, of a user's on-prem AD password to a cloud-based Azure AD instance. This feature is useful for signing in to Azure AD services like Office 365 with the same password as an on-prem AD account, which reduces end-user impact. The password hash synchronization strategy reduces, to just one, the number of passwords that an organization's users need to maintain. As such, password hash synchronization can improve user productivity and reduce helpdesk costs. Password hash synchronization, which is the most common hybrid identity solution, requires an organization to install Azure AD Connect. 

Once Azure AD Connect is installed, directory synchronization between the on-prem Active Directory instance and the Azure Active Directory instance is configured. As part of the synchronization configuration, password hash synchronization is enabled. Azure AD Pass-through Authentication, or PTA, much like Password Hash Synchronization, allows users to sign in to both on-prem and cloud-based apps with the same password. And much like password hash synchronization, this option offers a better end user experience. However, pass-through authentication validates user passwords directly against the on-prem Active Directory, instead of using a synced password hash. A key benefit of pass-through authentication over password hash synchronization is that it affords organizations the ability to enforce their on-prem AD security and password policies, since pass-through authentication is actually leveraging the on-prem credentials. By combining Pass-through Authentication with Seamless Single Sign-On, organizations can allow users to access applications on corporate machines inside the network without the need to type in their passwords again. Azure AD Pass-through Authentication provides an improved end-user experience because it offers end users the ability to complete self-service password management tasks in the cloud. Deployment and administration are easy because Pass-Through Authentication only requires a lightweight agent to be installed on-prem. Since the agent automatically receives updates, there is no management overhead. Pass-Through Authentication offers improved security over Password Hash Synchronization because on-prem passwords are never stored in the cloud. 

Because it works with Azure AD Conditional Access policies, including MFA, Pass-Through Authentication offers additional account protection. Another benefit of Pass-Through Authentication is the fact that the agent only makes outbound connections from the network, removing all requirements for a DMZ as part of a solution. Communication between the on-prem agent and Azure AD is secured via cert-based authentication, which adds another layer of security. Further, the certificates that are used are automatically renewed every few months by Azure AD, removing the requirement to manually maintain them. In addition to high security, Azure AD Pass-Through Authentication offers high availability by allowing the installation of additional agents on multiple on-prem servers. Federation is a bit different from the other two solutions. It is a collection of domains with an established trust, which typically includes authentication, and almost always includes authorization. In a common configuration, a federation might include multiple organizations that have established trust for shared access to a specific set of resources. Federating an on-prem environment with Azure AD allows and organization to use the federation for authentication and authorization. Federation ensures that all user authentication happens on-prem and it provides administrators with the ability to implement more rigorous levels of access control. Federation with ADFS and PingFederate is available. To protect against a failure of the ADFS infrastructure when using federation with ADFS, organizations can set up password hash synchronization, or PHS, as a backup. Doing so allows authentication to continue, despite an ADFS infrastructure failure. All three of these authentication methods including PHS, PTA, and Federation provide single-sign on capabilities, which automatically signs users in when they are on their corporate devices inside the corporate network.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.