AzureToZ

Hybrid

The Hybrid Identity Puzzle: Entra ID Meets On-Prem AD


Identity is where hybrid projects quietly succeed or fall apart. Get it right and nobody notices. Get it wrong and every other workstream stalls behind it.

The options, plainly

  • Password hash sync (PHS) — the pragmatic default. Entra Connect reads the NT hash from AD, salts it and re-hashes it with PBKDF2-HMAC-SHA256 before sending it to Entra, so neither the cleartext password nor the raw AD hash leaves the domain. Simple, resilient, keeps cloud sign-in working through an on-prem outage, and it is what enables leaked-credential detection in the tenant. The cost is that the Connect server and its sync account hold directory replication rights over AD: treat that box as Tier 0.
  • Pass-through authentication (PTA) — the password is validated against on-prem AD in real time by lightweight agents, and no password material is stored in the cloud. Choose it when policy forbids any password material leaving the premises. Run at least three agents for availability: if every agent is unreachable, cloud sign-in stops for those users, and each agent host handles the cleartext password during validation, so it is Tier 0 as well.
  • Federation (AD FS) — maximum control (custom claims rules, smart-card and third-party MFA, certificate-based sign-in), maximum operational burden: a farm, a proxy layer, certificates to rotate, and a token-signing key that, if stolen, mints valid tokens for every federated user. Reach for it only when you genuinely need it.

My default recommendation

Start with password hash sync plus seamless SSO. If a hard requirement pushes you to PTA or federation, keep PHS enabled alongside it as a fallback, so an agent or farm outage does not become an identity outage. Add complexity only when a hard requirement forces you to.

Most organisations that run AD FS are carrying it for a reason that expired years ago. The migration off it is one of the highest-leverage things I do on a hybrid engagement — fewer moving parts, fewer 3am pages, and a cleaner path to Conditional Access doing the heavy lifting.
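Before deciding which of the three options to keep, or whether a tenant is ready to drop AD FS for PHS plus seamless SSO, it helps to inventory what is actually configured rather than what the wiki says. The PowerShell below is an added example, not code from the original post. It assumes the Microsoft.Graph and ActiveDirectory modules are installed, that it runs as a domain user with read access to AD and consent for the two Graph scopes it requests, and that the final PTA check is run on the host where an agent is suspected to live (the service is local to each agent machine). The AZUREADSSOACC and MSOL_ account names are the defaults Entra Connect creates; the 30-day rollover figure is Microsoft's published recommendation.

```powershell
# Added example, not part of the original post. Inventory the hybrid identity
# configuration of a tenant: sync state, federated domains, seamless SSO
# account, the Entra Connect sync account, and the PTA agent service.
# Assumes: Microsoft.Graph and ActiveDirectory modules installed, run as a
# domain user with read access, and Graph consent for the scopes below.

Connect-MgGraph -Scopes 'Organization.Read.All', 'Domain.Read.All' -NoWelcome

# 1. Directory sync state. LastPasswordSync only advances while PHS is active,
#    so an empty or stale value means PHS is off (PTA or federation only).
$org = Get-MgOrganization
[pscustomobject]@{
    SyncEnabled      = $org.OnPremisesSyncEnabled
    LastSync         = $org.OnPremisesLastSyncDateTime
    LastPasswordSync = $org.OnPremisesLastPasswordSyncDateTime
} | Format-List

# 2. Every verified domain still marked Federated is an AD FS dependency.
#    For those, show where Entra sends users so the farm behind it is visible.
$domains = Get-MgDomain | Where-Object { $_.IsVerified }
$domains | Select-Object Id, AuthenticationType, IsDefault | Format-Table -AutoSize

foreach ($d in ($domains | Where-Object { $_.AuthenticationType -eq 'Federated' })) {
    $fed = Get-MgDomainFederationConfiguration -DomainId $d.Id
    [pscustomobject]@{
        Domain        = $d.Id
        IssuerUri     = $fed.IssuerUri
        PassiveSignIn = $fed.PassiveSignInUri
    } | Format-List
}

# 3. Seamless SSO relies on the AZUREADSSOACC computer account in AD. Entra
#    trusts Kerberos tickets for this account, so its key is a secret worth
#    rolling; Microsoft recommends at least every 30 days.
$sso = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet
if ($sso) {
    $keyAgeDays = [int]((Get-Date) - $sso.PasswordLastSet).TotalDays
    "Seamless SSO account present, key age: $keyAgeDays days" +
        $(if ($keyAgeDays -gt 30) { ' (overdue for rollover)' } else { '' })
} else {
    'Seamless SSO account not found; seamless SSO is not enabled in this forest'
}

# 4. The Entra Connect sync account (MSOL_<hex> by default) holds directory
#    replication rights, which is what lets it read password hashes to sync.
#    Anything that can use its credentials can replicate every hash in the
#    domain, so the Connect server is Tier 0 whichever sign-in option you pick.
Get-ADUser -Filter "Name -like 'MSOL_*'" -Properties Description, LastLogonDate |
    Select-Object Name, Enabled, LastLogonDate, Description | Format-Table -AutoSize

# 5. PTA leaves a Windows service on each agent host. Run this part on each
#    suspected agent or Connect server; absent everywhere means PTA is not in use.
$pta = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
if ($pta) { "PTA agent service: $($pta.Status)" } else { 'No PTA agent service on this host' }
```

Read the output top to bottom: a non-empty LastPasswordSync with no Federated domains and a present AZUREADSSOACC account is the boring configuration the post recommends. Any Federated domain in step 2 is a farm you still own, and steps 3 and 4 are the two AD objects whose secrets deserve the same handling as a domain controller's.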

The identity layer rewards boring choices. Make them deliberately.

Thanks for reading. — Dennis