3.3 Hybrid Identity and Entra Connect Concepts

Key Takeaways

  • Hybrid identity gives users one identity across on-premises Active Directory and Microsoft Entra ID, synced by Microsoft Entra Connect (formerly Azure AD Connect).
  • Synchronization copies identity objects to the cloud; authentication can stay cloud-managed (PHS or PTA) or be handed off on-premises (federation).
  • Password Hash Sync (PHS) syncs a hash-of-a-hash to Entra ID so authentication happens fully in the cloud — Microsoft's recommended default.
  • Pass-through Authentication (PTA) validates the password against on-premises AD in real time via lightweight agents, with no password stored in the cloud.
  • Federation (e.g., AD FS) hands authentication entirely to a separate on-premises trust system — the most complex option, used for specialized requirements.
Last updated: June 2026

What hybrid identity solves

Most organizations already run on-premises Active Directory Domain Services (AD DS) before adopting the cloud. Hybrid identity lets them give users one identity and one set of credentials that works both on-premises and in Microsoft Entra ID, instead of two separate accounts. Users sign in with the same username and password whether they open an internal app or a Microsoft 365 service.

The tool that makes this happen is Microsoft Entra Connect (formerly Azure AD Connect) — an on-premises agent that synchronizes identity objects from AD DS up to the Entra ID tenant. There is also a lighter-weight option, Microsoft Entra Connect cloud sync, which uses a small provisioning agent and pushes configuration to the cloud (useful for multi-forest and disconnected-forest scenarios).

Key split to remember: synchronization (copying the objects) and authentication (where the password is actually checked) are separate decisions. Connect always syncs the objects; you then choose how sign-in is validated.

The three sign-in (authentication) methods

When configuring hybrid identity, an organization picks one of three authentication methods. This is one of the most commonly tested comparisons in the Entra domain.

Method                              | Where the password is verified | On-premises footprint            | Notes
------------------------------------+--------------------------------+----------------------------------+-----------------------------------------------------------------------------------------
Password Hash Synchronization (PHS) | In the cloud (Entra ID)        | Smallest: just Entra Connect     | A non-reversible hash of the AD password hash is synced to the cloud; recommended default
Pass-through Authentication (PTA)   | On-premises AD, in real time   | Medium: lightweight PTA agents   | Password is never stored in the cloud; on-prem account policies enforced at sign-in
Federation (e.g., AD FS)            | On-premises federation service | Largest: AD FS farm plus infra   | Entra ID hands off authentication to a separate trusted system

Microsoft recommends PHS for most organizations because it is simplest, removes dependence on highly available on-premises infrastructure, and still enables cloud features like leaked-credential detection in Identity Protection.

Password Hash Sync, Pass-through Auth, and Federation in depth

Password Hash Synchronization (PHS). Entra Connect computes a hash of the existing AD password hash and syncs that value to Entra ID. The original password is never transmitted, and the synced value cannot be reversed back into the password or used against the on-premises directory. Because authentication then happens entirely in the cloud, sign-in keeps working even if the on-premises servers or network are down.

Pass-through Authentication (PTA). Sign-in requests are validated directly against on-premises AD by one or more lightweight agents, so the password is never present in Entra ID in any form. PTA enforces on-premises account state at sign-in time — a disabled, locked-out, or expired account, or sign-in outside permitted hours, is rejected immediately. This suits organizations with strict security/compliance requirements that want on-prem to remain authoritative.

Federation. Entra ID delegates authentication to a separate trusted system such as AD FS (Active Directory Federation Services) or a third-party IdP. It supports advanced needs (smart cards, certain third-party MFA, specific compliance rules) but carries the largest footprint and most complexity, so Microsoft is steering most customers from federation toward cloud authentication (PHS/PTA).
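The split described above (Connect syncs the objects; PHS checks the credential in the cloud, PTA checks it against on-prem AD in real time) as a small Python model, added here for illustration and not Microsoft's or Entra Connect's code. It assumes SHA-256 as a stand-in for AD's MD4 (NT) hash, models PHS as the documented per-user salt plus PBKDF2-HMAC-SHA256 with 1000 iterations, and leaves federation out.

```python
import hashlib
import os


class HybridIdentityModel:
    """Toy model of Entra Connect sync plus PHS and PTA sign-in (illustrative only)."""

    def __init__(self):
        self.ad = {}                 # on-prem AD: user -> {"nt": hash, "enabled": bool}
        self.cloud_objects = set()   # identity objects synced to Entra ID by Connect
        self.cloud_phs = {}          # PHS only: user -> (salt, derived hash-of-a-hash)
        self.onprem_reachable = True

    @staticmethod
    def nt_hash(password):
        # AD stores MD4(UTF-16LE(password)). MD4 is often missing from hashlib, so
        # this model substitutes SHA-256 (assumption); only the structure matters.
        return hashlib.sha256(password.encode("utf-16-le")).digest()

    @staticmethod
    def phs_derive(nthash, salt):
        # PHS re-hashes the AD hash with a per-user salt (PBKDF2-HMAC-SHA256,
        # 1000 iterations), so the cloud holds neither the password nor the AD hash.
        return hashlib.pbkdf2_hmac("sha256", nthash, salt, 1000, 32)

    def create_user(self, user, password):
        self.ad[user] = {"nt": self.nt_hash(password), "enabled": True}

    def sync(self, method):
        """One Connect cycle: objects always sync; a credential syncs only under PHS."""
        self.cloud_objects = set(self.ad)
        if method == "PHS":
            for user, rec in self.ad.items():
                salt = os.urandom(10)
                self.cloud_phs[user] = (salt, self.phs_derive(rec["nt"], salt))

    def onprem_validate(self, user, password):
        """What a PTA agent asks AD in real time, account state included."""
        if not self.onprem_reachable:
            raise ConnectionError("on-prem AD unreachable")
        rec = self.ad.get(user)
        return bool(rec and rec["enabled"] and rec["nt"] == self.nt_hash(password))

    def cloud_sign_in(self, user, password, method):
        if user not in self.cloud_objects:
            return False                       # object never synced: no cloud identity
        if method == "PHS":
            entry = self.cloud_phs.get(user)
            return bool(entry and self.phs_derive(self.nt_hash(password), entry[0]) == entry[1])
        if method == "PTA":
            try:
                return self.onprem_validate(user, password)
            except ConnectionError:
                return False                   # no agent reachable: PTA sign-in fails
        raise ValueError("federation is out of scope for this model")
```

Disabling the on-prem account reaches the cloud copy only at the next sync cycle in this model, which is why PTA rejects it immediately while PHS does not.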

Choosing a method — and exam cues

Use the scenario wording to pick the method:

  • Simplest, least infrastructure, cloud handles sign-in, keeps working if on-prem is down → Password Hash Sync (PHS).
  • Password must NOT be stored in the cloud / validate against on-prem in real time / enforce on-prem account policy at sign-in → Pass-through Authentication (PTA).
  • Use an existing AD FS / third-party identity system, advanced or specialized authentication requirements → Federation.

Common traps: PHS does not send the plaintext password (it sends a non-reversible hash), so "PHS exposes passwords" is wrong. PTA needs agents but no full federation farm. And remember the layered distinction — synchronizing objects with Entra Connect is separate from choosing PHS/PTA/Federation for authentication. For SC-900, you need the purpose and trade-offs of each, not the deployment steps.

Seamless SSO, staged rollout, and the cloud-first direction

Two supporting concepts round out hybrid sign-in. Seamless single sign-on (Seamless SSO) automatically signs corporate users in when they are on a domain-joined device on the corporate network, so they aren't re-prompted for the Microsoft cloud — it can be added to PHS or PTA (federation has its own SSO). Staged rollout lets an organization migrate a subset of users from federation to cloud authentication (PHS/PTA) for testing before switching the whole tenant.

The broader trend the exam reflects is cloud-first: Microsoft now steers most customers away from federation toward PHS or PTA, because keeping authentication in the cloud is simpler, more resilient, and unlocks cloud-native protections like leaked-credential detection in Identity Protection (which depends on the password hash being present in the cloud, i.e., PHS).

  • Seamless SSO removes extra prompts for users on the corporate network.
  • Staged rollout migrates pilot users off federation before a full cutover.
  • PHS is required for cloud leaked-credential detection.
  • The recommended modern default is cloud authentication (PHS, then PTA) over federation.

Knowing this direction helps you eliminate "federation" as the answer whenever a scenario stresses simplicity, resilience, or built-in cloud protection.

Test Your Knowledge

Which tool synchronizes on-premises Active Directory identities to Microsoft Entra ID for hybrid identity?


An organization wants the simplest hybrid sign-in option where authentication is handled in the cloud and continues working even if on-premises servers are offline. Which method fits best?


A company has strict policy that user passwords must never be stored in the cloud and that on-premises account state (lockout, disabled, sign-in hours) must be enforced at sign-in. Which method should it choose?


Which hybrid authentication method hands off the sign-in process to a separate trusted on-premises system such as AD FS?
