Bridging On-Premises AD and the Cloud
Hybrid identity describes an architecture where an organization keeps its on-premises Active Directory as the authoritative source of user accounts while also enabling those same identities to sign into Microsoft 365, Entra ID-integrated SaaS apps, and Azure resources in the cloud. Microsoft Entra Connect (the successor to Azure AD Connect) is the synchronization engine that runs on a Windows Server, reading user, group, and contact objects from on-premises AD DS and writing corresponding objects into Microsoft Entra ID on a recurring cycle, by default every 30 minutes.
Cricket analogy: Like a national cricket board keeping its official player registry at home while also mirroring player profiles to the ICC's global database every 30 minutes so international rankings stay current.
Choosing an Authentication Method
Entra Connect supports three main authentication methods for hybrid users: Password Hash Synchronization (PHS), which securely syncs a hash of the password hash to Entra ID so the cloud can authenticate independently even if on-premises is down; Pass-Through Authentication (PTA), where Entra ID forwards the actual sign-in validation back to lightweight agents that check the password against on-premises AD in real time; and federation, where an external IdP like AD FS issues the token instead of Entra ID doing the password check at all. PHS is Microsoft's recommended default for most organizations because it's the simplest to operate and still allows leaked-credential detection to work against on-premises passwords.
Cricket analogy: Like the DRS having three fallback methods to confirm an lbw call — ball tracking, snickometer, and umpire's call — where the simplest, most reliable method is used by default but others exist as backups.
Sync Architecture: Connector Spaces and the Metaverse
Under the hood, Entra Connect uses a metaverse — a central staging database that reconciles data pulled in through separate connector spaces, one per connected directory (on-premises AD, Entra ID, and optionally other sources) — applying inbound and outbound synchronization rules that decide which attributes flow where and how conflicts are resolved. Administrators scope exactly which OUs and objects participate in sync using organizational unit filtering in the Entra Connect wizard, which is important for excluding service accounts, disabled test users, or an entire OU of contractor accounts that should never appear in the cloud tenant.
Cricket analogy: Like a tournament's central stats engine pulling ball-by-ball feeds from multiple stadium systems into one staging database, then applying rules to decide which numbers (runs, wickets) actually publish to the live scoreboard.
# Force an immediate delta sync cycle instead of waiting for the 30-minute schedule
Start-ADSyncSyncCycle -PolicyType Delta
# Check overall sync scheduler status and last run result
Get-ADSyncScheduler
# Inspect which OUs are currently included in synchronization
Get-ADSyncConnector | Select-Object Name
Get-ADSyncConnectorPartition -Connector 'contoso.com'Entra Connect can also enable Seamless Single Sign-On, which silently authenticates domain-joined, on-network users to Entra ID-backed apps using their existing Kerberos session, without a visible sign-in prompt or requiring Active Directory Federation Services at all.
Attribute Matching and High Availability
Each synchronized object is matched to its cloud counterpart using the immutableID, typically derived from the on-premises objectGUID, and Entra Connect performs 'hard match' when a value already correlates two accounts, or 'soft match' based on matching UPN or proxy addresses when a cloud object was created independently (for example, through a trial Microsoft 365 signup) before hybrid sync was configured — a mismatch here is one of the most common causes of duplicate or orphaned cloud accounts. Because a single Entra Connect server is, by default, a single point of failure for the sync pipeline, Microsoft recommends deploying a staging-mode secondary server that can be promoted to active if the primary fails, and administrators should never run password writeback or device writeback from more than one active server simultaneously.
Cricket analogy: Like matching a player across two different tournament databases by their unique BCCI registration number rather than just their name, since two players can share a name but never that ID, avoiding duplicate profiles.
Running Entra Connect on a single server creates a single point of failure for the sync pipeline. Microsoft recommends deploying a second server in staging mode that is fully configured but not actively exporting; if the primary fails, it can be promoted. Never run two servers in active (non-staging) mode simultaneously with password writeback or device writeback enabled, since conflicting writes can corrupt objects on both sides.
- Entra Connect (formerly Azure AD Connect) synchronizes on-premises AD objects to Entra ID on a default 30-minute cycle.
- Password Hash Synchronization is Microsoft's recommended default authentication method for most organizations.
- Pass-Through Authentication validates sign-ins against on-premises AD in real time via lightweight agents.
- The metaverse reconciles data from separate connector spaces (one per connected directory) before exporting to Entra ID.
- OU filtering in the Entra Connect wizard controls exactly which objects participate in synchronization.
- immutableID-based hard match and UPN/proxy-address-based soft match determine how cloud and on-premises objects correlate.
- A staging-mode secondary server protects against the sync server becoming a single point of failure.
Practice what you learned
1. What is Microsoft's recommended default authentication method for most hybrid organizations?
2. What does Entra Connect's metaverse do?
3. What identifies whether a cloud object should hard-match to an on-premises object?
4. Why does Microsoft recommend a staging-mode secondary Entra Connect server?
5. Which cmdlet forces an immediate synchronization cycle instead of waiting for the schedule?
Was this page helpful?
You May Also Like
Securing Privileged Accounts (Tiered Admin Model)
How Microsoft's tiered administration model, Privileged Access Workstations, and LAPS together prevent a single compromised low-trust machine from escalating into full domain compromise.
AD FS and Federation Basics
How Active Directory Federation Services issues claims-based security tokens to enable single sign-on with partner organizations and claims-aware applications.
Kerberos Authentication
How Active Directory's ticket-based Kerberos protocol authenticates users and services without repeatedly transmitting passwords, and how to diagnose its most common failures.
Related Reading
Related Study Notes in Microsoft Technologies
Browse all study notesWindows 10 / UWP Development Study Notes
.NET · 30 topics
Microsoft TechnologiesWindows Batch Scripting Study Notes
Batch · 30 topics
Microsoft TechnologiesMFC (Microsoft Foundation Classes) Study Notes
C++ · 30 topics
Microsoft TechnologiesSilverlight Study Notes
.NET · 30 topics
Microsoft TechnologiesXAML Study Notes
.NET · 30 topics
Microsoft TechnologiesWPF (Windows Presentation Foundation) Study Notes
.NET · 30 topics