Design Considerations

If your organization uses Active Directory (AD) for its identity management, and you would like to use those identities in Azure or Microsoft 365, then you will need to implement Azure Active Directory Connect.

This course is divided into three sections. The first section is on designing an identity strategy: we'll look at our AD identities and consider what work needs to be done and what we need to think about ahead of time. The second section is on implementing identity synchronization using AD Connect, where we will consider what needs to be synced and what authentication options are available. In the last section, we'll look at managing identity synchronization using Azure AD Connect: what it takes to manage the sync and to reconfigure options after AD Connect has been initially configured.

Learning Objectives

  • Design a hybrid identity solution
  • Implement Azure Active Directory Connect
  • Manage synchronized identities

Intended Audience

  • Azure administrators
  • Microsoft 365 administrators

Prerequisites
  • Basic understanding of Active Directory and Office 365
  • To do the examples yourself, you will need an on-premises Active Directory structure and an Azure subscription

When designing our directory synchronization, it's important to understand the different authentication methods we can have with Azure AD Connect. The first method is cloud-only authentication. This is where Azure AD Connect synchronizes the user account between the on-premises and cloud directories, but the password is not synchronized, so it remains separate. The user then has to authenticate separately on-premises and in the cloud. This is a very simple setup, but it does mean they have separate usernames and passwords.

The second method is password hash sync. This is where the hash of the on-premises password is synchronized up to Azure AD, so the password matches both on-premises and in the cloud. The password hash is synced every two minutes, so as soon as a user changes their password on-premises, they will be able to log in to the cloud within a couple of minutes, giving them a single sign-on experience with the same password wherever they sign in.

The third authentication method is pass-through authentication. This requires a small agent to be installed on the AD Connect server, which acts as a pass-through, or bridge, agent for the authentication requests that come in. The agent makes an outbound call from the on-premises server up to Azure AD and picks up any authentication requests that are queued for it there. We can have multiple agents to make this highly available, and, interestingly, no updating is required because the management agents will auto-update themselves.

And the final, and probably the most complicated of the four authentication methods, is ADFS, or Active Directory Federation Services. This is where authentication is passed off to our on-premises domain controllers through a set of federation servers configured on-premises. In this method, no passwords are stored in the cloud; it is all done on-premises. It relies heavily on those on-premises servers for authentication, and therefore requires a considerable amount of resources to make the ADFS service resilient, because we are now relying on those servers in order to authenticate. Without them, we will not be able to authenticate to the cloud.
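As an added example that is not part of the course, the following PowerShell audit reports which of the four sign-in methods a domain is actually using and, for pass-through authentication, how many agents are active, so that a single-agent deployment is flagged. It assumes it runs on the AD Connect server with the ADSync module available, that the Microsoft.Graph SDK is installed and already connected with the scopes named in the comments, and that the Graph beta agentGroups endpoint used for the agent count is available; the domain name is a placeholder.

```powershell
# Added example, not from the course. Assumptions: run on the Azure AD Connect
# server (ADSync module present); Microsoft.Graph SDK installed and connected via
#   Connect-MgGraph -Scopes 'Domain.Read.All','OnPremisesPublishingProfiles.Read.All'
# The beta agentGroups endpoint below is an assumed Graph endpoint.
Import-Module ADSync
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-HybridSignInMethod {
    param([Parameter(Mandatory)][string]$DomainName)

    # Method 4 (ADFS): a federated domain hands every sign-in to the on-premises
    # federation servers, so their availability decides whether anyone can log in.
    $domain = Get-MgDomain -DomainId $DomainName
    if ($domain.AuthenticationType -eq 'Federated') {
        return [pscustomobject]@{ Domain = $DomainName; Method = 'ADFS'; ActiveAgents = $null }
    }

    # Method 3 (pass-through): agents register with the tenant; count the ones
    # currently reporting 'active'. Assumed beta endpoint, single-quoted so that
    # $expand is sent literally rather than expanded by PowerShell.
    $uri = 'https://graph.microsoft.com/beta/onPremisesPublishingProfiles/authentication/agentGroups?$expand=agents'
    $groups = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    $active = @($groups | ForEach-Object { $_.agents } | Where-Object { $_.status -eq 'active' })
    if ($active.Count -gt 0) {
        if ($active.Count -lt 2) {
            Write-Warning "Only one active pass-through agent: no high availability for sign-in."
        }
        return [pscustomobject]@{ Domain = $DomainName; Method = 'PassThrough'; ActiveAgents = $active.Count }
    }

    # Method 2 (password hash sync): a tenant-level feature switched on by AD Connect.
    $features = Get-ADSyncAADCompanyFeature
    if ($features.PasswordHashSync) {
        return [pscustomobject]@{ Domain = $DomainName; Method = 'PasswordHashSync'; ActiveAgents = $null }
    }

    # Method 1 (cloud-only authentication): accounts sync, passwords stay separate.
    return [pscustomobject]@{ Domain = $DomainName; Method = 'CloudOnly'; ActiveAgents = $null }
}

# Placeholder domain name; replace with a verified domain in your tenant.
Get-HybridSignInMethod -DomainName 'contoso.example' | Format-List
```

The order of the checks matters: a federated domain is reported as ADFS even if password hash sync is also enabled as a backup, and an active pass-through agent takes precedence over the hash sync flag for the same reason.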

About the Author

Matt is a freelance system administrator with over 20 years of experience in IT. His current focus is on the great features of Microsoft Azure and Office 365. He’s always had a fascination for anything techie and loves learning and sharing that knowledge.