Identity - Cloud and Hybrid Identities
1h 10m

Microsoft 365 represents a combination of Office 365, Windows 10 and Enterprise Mobility offerings – providing the most complete set of SaaS technologies that Microsoft has to offer. With Microsoft 365, organizations can deploy a complete solution encompassing both devices and applications, along with applying security and compliance policies to protect the entire suite.

This course will help you as you plan your migration of users and data to Microsoft 365, including planning your identity and authentication solution, and the on-premises infrastructure needed to support your migration. We’ll also help you understand and identify your business requirements and use cases, to help drive your decision-making process when planning to transition your infrastructure to the Microsoft cloud. We’ll spend some time focusing on networking and discuss some of the networking decisions that need to be made to ensure an optimal migration experience, as well as the best experience for your users after migration.

This course will also help you to identify which data needs to be migrated to the cloud, and what the best migration method will be based on your scenario – we’re also going to cover the different types of user identities, how your users will authenticate, and how that’s going to affect your migration planning.

In addition to talking about these different components, we’re also going to run through a few demos – showing you some of the practical steps involved, along with some tips and tricks we’ve picked up along the way. 

Learning Objectives

By the end of this course, you should be able to:

  • Plan a Microsoft 365 Implementation, including the supporting infrastructure
  • Plan your identity and authentication solution, both on-premises and in the cloud
  • Identify your users, data, and mailboxes to be migrated to Microsoft 365
  • Plan the migration of your groups and user data to Microsoft 365

Intended Audience

This course is intended for people who:

  • Want to become a Microsoft 365 administrator
  • Are preparing to take Microsoft’s MS-100 exam


To get the most from this course, you should have a general understanding of networking & server administration as well as IT fundamentals such as DNS, Active Directory and PowerShell.


The next item on our list is identity. We've talked already about the different identity types and how they integrate to Office 365 services. Let's now look at some of the steps you need to take to ensure that you're planning your identity solution properly. 

If you're creating a net new tenant without any kind of on-premises integration, say if you're migrating your email and data from another service provider, you'll need to start out by creating a list of all the users, security groups, distribution groups, contacts, service accounts, and admin accounts in your existing environment. Once you have this list created, you can use it to recreate all these objects in Office 365, including creating your groups and populating them correctly. 

Know that there are some scenarios where you'll have an existing Active Directory with all your users and groups in it, but you might not be planning to integrate this AD with Office 365. This often happens during a divestiture, where you might need to take a subset of users within a company and separate their identities into a unique Office 365 tenant. In this case, these users might still maintain access to your on-premises infrastructure throughout the migration, but their ultimate identity in Office 365 is going to be a cloud identity. Here, the same principle applies. 

Take the time to perform a proper discovery of the user and group objects that will need to be created in Office 365. The best way to go about this is to use PowerShell to export the various identities and attributes that you need to recreate in Office 365. Cloud identities have no specific on-premises infrastructure requirements: no servers are required to synchronize or manage identities. Be aware, however, that you'll always need to manage these identities in the Azure AD or Office 365 admin portal. Any on-premises identity will not be linked to the cloud identity, and users might need to maintain separate usernames and passwords. However, if you plan to configure hybrid identities, where your users are synchronized from your local Active Directory into Office 365, you'll need to plan a little differently. Hybrid identities, whether using managed or federated authentication (AAD Connect or ADFS), still need to be synchronized from your existing Active Directory into Azure Active Directory. This means that the source of authority for identity creation and changes is your on-premises directory. It also means that you won't need to create your users or groups in Office 365. Instead, the AAD Connect server creates copies of your identities in your Office 365 directory and keeps them in sync afterwards. 
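The discovery export described above, as an added example that is not part of the course. It uses the RSAT ActiveDirectory module (Get-ADUser, Get-ADGroup, Get-ADGroupMember, Get-ADObject) to dump users, groups, group memberships and mail-enabled contacts to CSV, and flags the admin and service accounts the course asks you to inventory so they can be planned separately (for instance as cloud-only admin accounts). The output folder C:\Discovery and the 90-day staleness threshold are placeholders chosen for the example.

```powershell
# Added example (not course material): pre-migration discovery export of an on-premises AD.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$OutDir = 'C:\Discovery'   # placeholder path; change to suit your environment
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Members of these groups are flagged as admin accounts. Recursive membership is resolved
# once up front so the user export can look it up by SID.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$PrivilegedSids = @{}
foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $PrivilegedSids[$_.SID.Value] = $g }
    } catch {
        Write-Warning "Could not enumerate members of ${g}: $_"
    }
}

# 1. Users: identity and mail-routing attributes needed to recreate each account, plus
#    heuristic flags for admin accounts, likely service accounts and stale accounts.
$UserProps = 'DisplayName', 'GivenName', 'Surname', 'UserPrincipalName', 'mail', 'proxyAddresses',
             'Enabled', 'PasswordNeverExpires', 'LastLogonDate', 'ServicePrincipalNames', 'Description'
$Cutoff = (Get-Date).AddDays(-90)   # placeholder staleness threshold
Get-ADUser -Filter * -Properties $UserProps |
    Select-Object SamAccountName, DisplayName, GivenName, Surname, UserPrincipalName, mail,
        @{n = 'SmtpAddresses'; e = { ($_.proxyAddresses | Where-Object { $_ -like 'smtp:*' }) -join ';' } },
        Enabled, LastLogonDate, Description,
        @{n = 'IsAdmin';              e = { $PrivilegedSids.ContainsKey($_.SID.Value) } },
        @{n = 'PrivilegedGroup';      e = { $PrivilegedSids[$_.SID.Value] } },
        @{n = 'LikelyServiceAccount'; e = { $_.PasswordNeverExpires -or ($_.ServicePrincipalNames.Count -gt 0) } },
        @{n = 'Stale';                e = { ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $Cutoff) } } |
    Export-Csv -Path (Join-Path $OutDir 'users.csv') -NoTypeInformation -Encoding UTF8

# 2. Groups: category (security vs distribution), scope and mail address, so each group can
#    be recreated with the right type in Office 365.
Get-ADGroup -Filter * -Properties mail, Description, ManagedBy |
    Select-Object Name, SamAccountName, GroupCategory, GroupScope, mail, Description, ManagedBy |
    Export-Csv -Path (Join-Path $OutDir 'groups.csv') -NoTypeInformation -Encoding UTF8

# 3. Memberships flattened to Group,Member,ObjectClass rows. Direct members only, so nested
#    groups appear as rows and the nesting can be rebuilt rather than lost.
Get-ADGroup -Filter * | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Group       = $group.SamAccountName
            Member      = $_.SamAccountName
            ObjectClass = $_.objectClass
        }
    }
} | Export-Csv -Path (Join-Path $OutDir 'group-members.csv') -NoTypeInformation -Encoding UTF8

# 4. Mail-enabled contacts are not user objects, so Get-ADUser never returns them.
Get-ADObject -Filter 'objectClass -eq "contact"' -Properties DisplayName, mail, proxyAddresses |
    Select-Object Name, DisplayName, mail,
        @{n = 'ProxyAddresses'; e = { $_.proxyAddresses -join ';' } } |
    Export-Csv -Path (Join-Path $OutDir 'contacts.csv') -NoTypeInformation -Encoding UTF8

Write-Host "Discovery exports written to $OutDir"
```

Run it from a workstation or member server with RSAT as an account that can read the directory; it only reads, never writes, so it is safe to repeat until the lists are final. The IsAdmin and LikelyServiceAccount columns are heuristics to drive review, not a verdict: check the flagged rows before deciding which accounts become cloud-only admin identities and which service accounts need a different approach after migration. Get-ADGroupMember fails by default on groups with more than 5,000 members, so very large groups may need to be exported separately.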

So, you don't have to start out by making a list of all your identity objects that need to be created, although you will still need a list of active users that you might want to migrate in order to plan out your migration batches later. Hybrid identities require, at a minimum, an AAD Connect server installed on-premises to manage synchronization of your identities to Azure AD. This server is meant to be treated like an appliance. It can be installed on a domain controller or a dedicated member server and needs to be maintained correctly to ensure that it is able to maintain synchronization indefinitely. Synchronized identities with AAD Connect are probably the most common identity type used in Office 365. As Microsoft continues to add features to the AAD Connect server, including things like pass-through authentication and seamless single sign-on, AAD Connect is fast replacing ADFS as the authentication mechanism of choice, as well. 

Since ADFS requires installing four additional servers in the on-premises environment, more and more companies are choosing the far simpler management and authentication experience provided by AAD Connect.

About the Author

Jeremy Dahl is a Senior Technology Consultant who has spent the last 8 years focusing on Microsoft 365 technologies and has been an Office 365 MVP for the last 6 years. Jeremy is a self-proclaimed cloud addict who architects technology solutions that combine cloud technologies with on-premises solutions, allowing organizations to make the most of their existing infrastructure while still taking full advantage of the agility and scalability of what the cloud has to offer.

Jeremy can be found blogging about Microsoft 365 technologies on his website and evangelizing the Microsoft cloud on Twitter.