Hybrid Identity

Active Directory and Entra ID: Managing Identity in a Hybrid Environment

Most organizations do not live entirely in the cloud. This guide explains how Active Directory and Entra ID work together, where the sync seams are, and how to govern identity access across both systems.

Last updated: January 2026 · 12 min read

What is a hybrid identity environment?

A hybrid identity environment is one where an organization maintains both on-premises Active Directory Domain Services (AD DS) and Microsoft Entra ID (formerly Azure AD) simultaneously. The two directories coexist, with user identities typically originating in on-premises AD and synchronized to Entra ID.

This architecture reflects the reality for most mid-market and enterprise organizations. Windows Server infrastructure, legacy line-of-business applications, on-premises file servers, and print services all authenticate against AD. Cloud services — Microsoft 365, Azure, third-party SaaS applications — authenticate against Entra ID. The hybrid model bridges these two worlds.

On-premises AD

Manages authentication for Windows servers, domain-joined devices, legacy apps, file shares, print infrastructure, and on-premises Exchange.

Entra Connect

Synchronizes users, groups, and credential hashes from on-premises AD to Entra ID. The bridge between the two directories.

Microsoft Entra ID

Manages authentication for Microsoft 365, Azure services, and connected SaaS applications. The cloud identity layer.

How synchronization works

Synchronization in a hybrid environment means that changes made in on-premises AD — creating a new user, changing a display name, disabling an account — are automatically reflected in Entra ID. The reverse is not true in most configurations: Entra ID is a read replica of the on-premises directory, not an independent master.

What gets synchronized depends on your configuration, but typically includes:

  • User accounts (UPN, display name, email address, department, manager, etc.)
  • Security groups and distribution lists
  • Password hashes (with password hash synchronization) or the pass-through authentication configuration
  • Device objects (for Hybrid Entra ID Join scenarios)

The sync cycle runs every 30 minutes by default. Changes made in AD will appear in Entra ID within that window. For urgent changes — like disabling a terminated employee's account — you can trigger a manual delta sync from the Entra Connect server.

The 30-minute gap matters for leavers

If your leaver process disables the account in on-premises AD, the account remains active in Entra ID (and therefore in Microsoft 365 and all connected SaaS apps) until the next sync cycle completes. For security-sensitive terminations, trigger a manual sync immediately after account disable.

Entra Connect vs Entra Cloud Sync

Microsoft offers two synchronization tools for hybrid environments. Choosing the right one matters — migrating between them later has a cost.

Microsoft Entra Connect

The original sync tool, installed as a Windows service on a server in your domain. Entra Connect is the most feature-complete option and supports complex scenarios:

  • Multi-forest AD environments
  • Complex filtering rules (sync only specific OUs or groups)
  • Attribute-level customization and transformation
  • Write-back (syncing some changes from Entra ID back to AD — useful for password reset and group management)
  • Exchange hybrid configurations

The downside: it requires a dedicated Windows server (or VM), manual patching, and your IT team is responsible for its availability. If the Entra Connect server goes down, sync stops.

Microsoft Entra Cloud Sync

A lighter-weight agent released in 2020. Instead of a full sync engine running on-premises, Cloud Sync uses a small agent that defers processing to the Microsoft cloud. Benefits:

  • No dedicated server required — the agent can run on any domain member
  • Multiple agents provide high availability without complex configuration
  • Managed and updated by Microsoft — less operational burden
  • Simpler setup for straightforward single-forest scenarios

Limitations: Cloud Sync does not support all the advanced scenarios Entra Connect handles. Multi-forest environments with complex trust configurations, Exchange hybrid, and certain write-back scenarios still require Entra Connect. Check the Microsoft comparison matrix before committing to Cloud Sync.

Governance challenges in hybrid environments

Hybrid environments create governance challenges that cloud-only organizations do not face. The root issue is that access exists in two places, and it is not always clear which system is the source of truth.

Access lives in two directories

A user may have AD group memberships that grant access to on-premises resources AND Entra ID role assignments that grant access to cloud services. Certifying "all access" requires reviewing both simultaneously.
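One way to build that combined view for a single user, as an added example that is not part of the original article: it lists transitive AD group membership from AD, then pulls the user's transitive Entra ID groups and directory roles and keeps only those an AD-only review would never see. It assumes the RSAT ActiveDirectory module, the Microsoft Graph PowerShell SDK v2 cmdlets named below, and an open Graph session with the listed scopes.

```powershell
# Added example, not from the original article. Single access picture for one user across
# both directories, with the Entra-only entries flagged as the governance blind spot.
# Assumes RSAT ActiveDirectory, Graph SDK v2, and a session opened with
# Connect-MgGraph -Scopes "User.Read.All","GroupMember.Read.All","RoleManagement.Read.Directory"
param([Parameter(Mandatory)][string]$SamAccountName)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$adUser = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName

# AD side: transitive (nested) group membership via LDAP_MATCHING_RULE_IN_CHAIN.
# The DN is assumed to contain no LDAP filter metacharacters; escape it otherwise.
$adGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($adUser.DistinguishedName))"

# Entra side: transitive groups plus directory roles for the synced user object
$mgUser   = Get-MgUser -UserId $adUser.UserPrincipalName -Property Id
$mgGroups = Get-MgUserTransitiveMemberOfAsGroup -UserId $mgUser.Id -All
$mgRoles  = Get-MgUserTransitiveMemberOfAsDirectoryRole -UserId $mgUser.Id -All

$report = @()
$report += $adGroups | ForEach-Object {
    [pscustomobject]@{ Source = 'AD'; Type = 'Group'; Name = $_.Name }
}
# Groups synced up from AD are already covered above; cloud-only groups are what an
# AD-centric certification misses
$report += $mgGroups | Where-Object { -not $_.OnPremisesSyncEnabled } | ForEach-Object {
    [pscustomobject]@{ Source = 'Entra ID only'; Type = 'Group'; Name = $_.DisplayName }
}
# Entra directory roles (Global Administrator etc.) have no AD counterpart at all
$report += $mgRoles | ForEach-Object {
    [pscustomobject]@{ Source = 'Entra ID only'; Type = 'Directory role'; Name = $_.DisplayName }
}

$report | Sort-Object Source, Type, Name | Format-Table -AutoSize
```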

Write-back creates sync loops

If you enable group write-back (syncing Entra ID groups back to AD), changes made in Entra ID can overwrite manual AD group changes — and vice versa. This needs careful governance to avoid access creep or unexpected removals.

Shadow IT in Entra ID

Because Entra ID is easier to self-service, IT teams sometimes create Entra ID-only groups and app registrations that never sync to AD. These can become invisible to governance tools that only look at on-premises AD.

Orphaned accounts multiply

In a hybrid environment, disabling an account in AD does not immediately disable it in Entra ID (due to sync latency). If someone manually re-enables the Entra ID account, it becomes orphaned — active in the cloud even though disabled on-premises.
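A detection for exactly this state, as an added example that is not part of the original article: it joins AD-disabled users to Entra ID users that are synced yet still enabled, and uses AD replication metadata on userAccountControl to separate plain sync lag from a cloud-side re-enable. It assumes the RSAT ActiveDirectory module, Graph SDK v2 with a "User.Read.All" session, and the default Entra Connect source anchor (mS-DS-ConsistencyGuid seeded from objectGUID), so onPremisesImmutableId is the base64 form of that GUID's bytes.

```powershell
# Added example, not from the original article. Finds synced users that are disabled in AD but
# still enabled in Entra ID, and tells sync lag apart from someone re-enabling them in the cloud.
# Assumptions: RSAT ActiveDirectory; Graph SDK v2 after Connect-MgGraph -Scopes "User.Read.All";
# default source anchor (mS-DS-ConsistencyGuid seeded from objectGUID) so that Entra's
# onPremisesImmutableId equals base64(GUID bytes).
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

$dc = (Get-ADDomain).PDCEmulator

# Index disabled AD users by the immutable ID Entra Connect would have exported for them
$disabledByAnchor = @{}
Get-ADUser -Filter 'Enabled -eq $false' -Properties 'mS-DS-ConsistencyGuid' | ForEach-Object {
    $anchor = if ($_.'mS-DS-ConsistencyGuid') { $_.'mS-DS-ConsistencyGuid' } else { $_.ObjectGUID.ToByteArray() }
    $disabledByAnchor[[Convert]::ToBase64String([byte[]]$anchor)] = $_
}

# Only synced users that are still enabled in the cloud can be orphans
$cloudEnabled = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true and accountEnabled eq true' `
    -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesLastSyncDateTime

$findings = foreach ($u in $cloudEnabled) {
    if (-not $u.OnPremisesImmutableId -or -not $u.OnPremisesLastSyncDateTime) { continue }
    $ad = $disabledByAnchor[$u.OnPremisesImmutableId]
    if ($null -eq $ad) { continue }

    # The last originating change to userAccountControl is when the account was disabled on-prem
    $uacMeta    = Get-ADReplicationAttributeMetadata -Object $ad.DistinguishedName -Server $dc -Properties userAccountControl
    $disabledAt = $uacMeta.LastOriginatingChangeTime.ToUniversalTime()
    $lastSync   = $u.OnPremisesLastSyncDateTime.ToUniversalTime()

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisabledInADAt    = $disabledAt
        LastSyncedAt      = $lastSync
        # Exported before the disable happened: sync lag. Exported after it: the cloud object was re-enabled.
        Verdict           = if ($lastSync -lt $disabledAt) { 'Sync lag: disable not exported yet' }
                            else { 'ORPHAN: enabled in Entra ID after the disable was synced' }
    }
}
$findings | Sort-Object Verdict, UserPrincipalName | Format-Table -AutoSize
```

A delta sync only re-exports objects that changed in AD, so a cloud-side re-enable persists until the AD object is touched again; that is why the ORPHAN verdict is worth alerting on rather than waiting for the next cycle.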

Audit trail is split

AD audit events live in the Windows Security event log on the domain controllers; Entra ID events live in the Microsoft Entra audit logs. Correlating the full access history for a user across both systems requires aggregating from multiple sources.

Lifecycle management across both systems

Effective joiner-mover-leaver automation in a hybrid environment needs to address both directories. A process that only provisions in AD (relying on sync to reach Entra ID) will miss Entra ID-specific access. A process that only manages Entra ID assignments will leave AD groups unmanaged.

Joiners

For most hybrid organizations, the right approach is to create the account in on-premises AD (which then syncs to Entra ID), then assign Entra ID-specific access — like Microsoft 365 licenses, app role assignments, and Conditional Access-relevant group memberships — separately. This requires tooling that understands both systems.

Movers

Role changes are the hardest lifecycle event in hybrid environments. Moving someone from one department to another may require: updating their AD OU membership, changing AD group memberships, updating Entra ID group memberships, reassigning application role assignments, and updating HR attributes that drive dynamic group rules. Each of these can live in a different system.

Leavers

The leaver process should: disable the AD account (the disable reaches Entra ID on the next sync cycle), immediately trigger a forced sync so the Entra ID disable lands now, revoke all active Entra ID sessions (via the Revoke Sessions action — this is separate from disabling the account), remove license assignments, and then begin the scheduled cleanup of group memberships. AD group memberships can usually be preserved for a short window for recovery purposes; Entra ID access should be revoked immediately.

  1. Disable AD account
  2. Trigger manual Entra Connect delta sync
  3. Revoke active Entra ID sessions (independent action)
  4. Remove Microsoft 365 license assignment
  5. Remove Entra ID role assignments and app assignments
  6. Optionally preserve AD group memberships for recovery window
  7. Remove AD group memberships after retention period
  8. Archive or delete AD account per data retention policy
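Steps 1 through 5 of that sequence as one script, added here as an example and not code from the original article (steps 6 to 8 are the retention job and are left out). It assumes the RSAT ActiveDirectory module, the ADSync module on the Entra Connect server reachable over PowerShell remoting, Graph SDK v2 with the listed scopes, and a placeholder hostname for the Connect server.

```powershell
# Added example, not from the original article: leaver steps 1-5 in order, with the forced
# delta sync verified before any cloud-side revocation runs.
# Assumptions: RSAT ActiveDirectory; ADSync module on the Entra Connect host (remoting enabled);
# Graph SDK v2 after Connect-MgGraph -Scopes "User.ReadWrite.All","AppRoleAssignment.ReadWrite.All";
# the $ConnectServer default is a placeholder hostname.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$ConnectServer = 'ENTRACONNECT01'
)
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Applications

$adUser = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$upn    = $adUser.UserPrincipalName

# Step 1: AD is the source of truth; Entra ID only learns of the disable when a sync exports it
Disable-ADAccount -Identity $adUser

# Step 2: do not wait for the 30-minute cycle. Start-ADSyncSyncCycle errors if a cycle is
# already running, so retry until the engine accepts the request.
$triggered = $false
for ($i = 0; $i -lt 6 -and -not $triggered; $i++) {
    try {
        Invoke-Command -ComputerName $ConnectServer -ErrorAction Stop -ScriptBlock {
            Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        }
        $triggered = $true
    } catch { Start-Sleep -Seconds 20 }
}
if (-not $triggered) { throw "Could not start a delta sync on $ConnectServer" }

# Confirm the disable actually reached Entra ID before touching anything cloud-side
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $mgUser = Get-MgUser -UserId $upn -Property Id,AccountEnabled
} while ($mgUser.AccountEnabled -and (Get-Date) -lt $deadline)
if ($mgUser.AccountEnabled) { throw "$upn still enabled in Entra ID after forced sync" }

# Step 3: a disabled account does not end existing sessions; invalidate refresh tokens explicitly
Revoke-MgUserSignInSession -UserId $mgUser.Id | Out-Null

# Step 4: remove directly assigned licenses (group-based licenses go away with the group instead)
$skuIds = (Get-MgUserLicenseDetail -UserId $mgUser.Id).SkuId
if ($skuIds) { Set-MgUserLicense -UserId $mgUser.Id -AddLicenses @() -RemoveLicenses $skuIds | Out-Null }

# Step 5: remove app role assignments; Entra directory roles held via PIM need their own process
Get-MgUserAppRoleAssignment -UserId $mgUser.Id -All | ForEach-Object {
    Remove-MgUserAppRoleAssignment -UserId $mgUser.Id -AppRoleAssignmentId $_.Id
}
```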

Compliance in hybrid environments

Compliance frameworks like SOC 2, ISO 27001, and NIS2 do not distinguish between on-premises and cloud access — they expect you to control all of it. This is where hybrid environments create significant compliance overhead.

Access certification

Access certification campaigns must cover both AD group memberships and Entra ID assignments. If your certification tool only queries Entra ID, you will miss all on-premises access — which auditors will find when they ask you to demonstrate control over privileged server access or shared folder permissions.

Audit trails

Windows AD audit logs are not retained indefinitely by default. To meet the 12-month retention requirement common in SOC 2 and ISO 27001, you need to forward Windows Security Event Log to a SIEM or log retention service. Entra ID audit logs are available in the portal for 30 days; longer retention requires Microsoft Entra ID P1/P2 and Log Analytics.

Privileged access

Active Directory holds some of the most sensitive privileged access in any Windows-based organization — Domain Admin, Enterprise Admin, Schema Admin. These accounts are typically not surfaced in Entra ID Privileged Identity Management (PIM), because PIM manages Entra ID roles, not AD roles. You need a separate process to govern AD privileged accounts.

What auditors ask about hybrid environments

  • Can you show all access (AD and Entra ID) for a specific user?
  • How long after termination does cloud access remain active?
  • Who are your Domain Admins and when was their access last certified?
  • How do you detect AD group changes that bypass your IGA tool?
  • What is your AD privileged account monitoring strategy?

The path toward cloud-only identity

Microsoft's long-term direction is clear: Entra ID is the future, and Active Directory is a legacy dependency to eventually remove. For most organizations, full migration is a 3–10 year project, and some may never complete it. That is fine — hybrid is a supported, stable architecture.

If you want to reduce AD dependency over time, the typical migration sequence is:

  • Move workloads to cloud-native as they are refreshed. When you replace an on-premises application, choose a SaaS or cloud-hosted version that authenticates against Entra ID, not AD.
  • Migrate Windows Server workloads to Azure using Microsoft Entra Domain Services (AADDS) for Kerberos/NTLM needs, rather than running your own AD domain controllers.
  • Move file storage to SharePoint or OneDrive. This removes one of the largest dependencies on AD (file share ACLs based on AD groups).
  • Replace on-premises Exchange with Exchange Online. Hybrid Exchange is one of the more complex reasons to maintain Entra Connect write-back.
  • Adopt Entra ID-joined devices (Entra Join) rather than domain-joined (AD Join) for new device deployments.

Realistically, most organizations should plan to run hybrid for the foreseeable future and focus on good governance across both systems rather than trying to eliminate one prematurely.

Common questions

What is a hybrid Active Directory and Entra ID environment?

A hybrid identity environment is one where an organization runs both on-premises Active Directory Domain Services (AD DS) and Microsoft Entra ID (formerly Azure AD) simultaneously. Users and groups are typically mastered in on-premises AD and synchronized to Entra ID via Microsoft Entra Connect (formerly Azure AD Connect). This lets users sign in with the same credentials to both on-premises resources and cloud services.

What is Entra Connect and do I need it?

Microsoft Entra Connect is the synchronization tool that bridges on-premises Active Directory and Entra ID. If you have any on-premises Windows servers, applications, or file shares that authenticate against AD, you almost certainly need it. Entra Connect syncs user accounts, groups, and password hashes (or enables pass-through authentication) so that your cloud identity in Entra ID reflects your on-premises directory.

What is the difference between Entra Connect and Entra Cloud Sync?

Entra Connect is the traditional on-premises sync agent that runs on a Windows server in your domain. Entra Cloud Sync is a lighter-weight, cloud-managed agent introduced in 2020. Cloud Sync works well for straightforward single-forest scenarios; Entra Connect is still preferred for complex multi-forest environments or when you need granular sync filtering.

How do you govern access in a hybrid environment?

Effective hybrid governance requires tools that understand both AD group memberships and Entra ID role assignments. Most identity governance tools were designed for either on-premises or cloud — few handle both natively. A proper hybrid IGA solution should be able to provision and deprovision access in both AD and Entra ID from a single workflow, with a unified audit trail.

Should we migrate from Active Directory to Entra ID only?

For most organizations, a full migration to Entra ID-only (removing on-premises AD entirely) is a multi-year project and not always practical. Legacy applications, file servers, and print infrastructure often have hard dependencies on Kerberos/NTLM authentication that cannot be easily replaced. The realistic path for most organizations is hybrid for the foreseeable future, with gradual migration of workloads to cloud-native as they are refreshed.

Govern identity across AD and Entra ID

Adcyma handles lifecycle automation for both on-premises Active Directory and Entra ID from a single platform — no spreadsheets, no manual steps, no sync gaps.