Is That You, Fish?


Who wants to achieve Hybrid Identity with Azure Active Directory? This girl! And I hope you do too.

Let’s make it happen with some good ole fashioned Cloud Computing learning below:

To achieve Hybrid Identity with Azure AD, one of the following three authentication methods can be used:

  1. Password Hash Synchronization (PHS)
  • PHS synchronizes a hash of a user's on-premises password to Azure AD
  • With AD Connect, PHS can be configured so all cloud user authentication occurs in Azure AD
  • PHS can optionally be configured as a backup for ADFS

Note: AD Connect express install defaults to deploying PHS


  • Sync users, contacts, and group accounts between the on-premises network and Azure AD
  • Supports Office 365 Hybrid Identity


  • PHS offers the least features
  • MFA is only possible with Azure AD MFA
  • Some organizations restrict passwords being stored in the cloud.
  2. Pass-through Authentication (PTA)
  • Same SSO experience as PHS but with additional security features


  • Sync of users, contacts and group accounts between on-prem and Azure AD
  • Supports Office 365 hybrid identity
  • Users can sign in and access cloud-based services/apps using on-prem credentials
  • No password hashes stored in the cloud.
  • Only outbound connectivity from on-prem authentication agents required
  • All on-prem account policies are enforced when users sign in (e.g., expiry, hours, etc.)


  • On-Prem MFA is not supported
  • Not integrated with AD Connect Health
  • Leaked credentials detection is not available
  • Seamless SSO
  3. Federated

Note: A federated identity management system provides single access to multiple systems across different enterprises.

Federation is a collection of domains that have established trust (e.g., an on-premises domain connected to Azure AD).

  • Provides Authentication
  • Provides Authorization
  • All user authentication occurs on-premise.


  • Supports an array of third-party MFA solutions
  • Supports Smart Card (CAC) Authentication
  • Allows display of password expiry notifications in the Office Portal and on the Windows 10 desktop
  • Supports all on-prem account policies


  • Requires more infrastructure
  • More complex to configure and maintain
  • Does not support Seamless SSO
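
As an added example that is not part of the original post: a PowerShell check, assuming the Microsoft.Graph module and read permission on domains and the organization object, that reports which of the three methods a tenant appears to be using. Federated domains and the password hash sync timestamp are read directly from Graph; telling PTA apart from PHS is an inference and is labelled as such in the code.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph
# PowerShell module is installed and the signed-in account can read
# domains and organization settings.
Connect-MgGraph -Scopes 'Domain.Read.All', 'Organization.Read.All'

function Get-HybridAuthMethod {
    $org     = Get-MgOrganization | Select-Object -First 1
    $domains = Get-MgDomain

    # Federated domains hand authentication to the on-prem STS (e.g. ADFS),
    # so MFA, lockout and password policy must be reviewed there, not in Azure AD.
    $federated = @($domains | Where-Object { $_.AuthenticationType -eq 'Federated' })

    # PHS stamps OnPremisesLastPasswordSyncDateTime; PTA leaves it empty.
    # A tenant can run PHS as a backup next to PTA or federation, so report both facts.
    $lastPwdSync = $org.OnPremisesLastPasswordSyncDateTime
    $phsActive   = $null -ne $lastPwdSync

    if ($federated.Count -gt 0) {
        $method = 'Federated'
    } elseif (-not $org.OnPremisesSyncEnabled) {
        $method = 'Cloud-only (no AD Connect sync)'
    } elseif ($phsActive) {
        $method = 'PHS'
    } else {
        # Heuristic, not a Graph fact: synced tenant with no password sync is usually PTA.
        $method = 'PTA (inferred: sync enabled, no password hash sync)'
    }

    # A stale password sync means new on-prem passwords are not reaching the cloud.
    $syncAgeHours = if ($phsActive) { [math]::Round(((Get-Date) - $lastPwdSync).TotalHours, 1) } else { $null }

    [pscustomobject]@{
        Method               = $method
        FederatedDomains     = ($federated.Id -join ', ')
        PasswordHashSync     = $phsActive
        PasswordSyncAgeHours = $syncAgeHours
        LastDirectorySync    = $org.OnPremisesLastSyncDateTime
    }
}

Get-HybridAuthMethod | Format-List
```

For a PHS tenant, a PasswordSyncAgeHours well above the usual sync interval is worth an alert, since it means password changes and disables made on-prem are no longer reaching Azure AD.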

Extra Info:

Multi-Factor Authentication – logging into a resource using more than one type of authentication

  • Provides additional security
  • Made up of something you are, something you have, or something you know.
  • Delivers strong authentication

Note: MFA can be bypassed depending on the configuration of the product.

Types of MFA:

  • Azure Cloud MFA
  • MFA Server (On-Prem to Azure MFA)
  • RADIUS Integration: RDS server and VPNs
  • Global Administration

Note: All MFA needs to be licensed!

That’s it for today my fellow Devs. Stay tuned, I have a new IPPSec write-up just around the corner.