Key Design Decisions for Hybrid Identity
Successfully implementing a hybrid identity solution requires careful planning and consideration of various design choices. This document outlines the critical decisions you need to make to ensure your hybrid identity strategy aligns with your organization's needs and security requirements.
1. Identity Synchronization Strategy
The first major decision is how identities will be synchronized between your on-premises Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD, now Microsoft Entra ID), and where the user's credential is actually verified. You have several options:
- Password Hash Synchronization (PHS): Azure AD Connect takes the password hash stored in AD DS, re-hashes it with a salt and key-stretching, and synchronizes that derived value to Azure AD; neither the cleartext password nor the raw AD DS hash leaves the domain. Authentication then happens entirely in Azure AD, so cloud sign-in keeps working during an on-premises outage. This is the simplest and most common method, and it is also the recommended fallback when PTA or federation is the primary method.
- Pass-through Authentication (PTA): Azure AD forwards the credential to a lightweight on-premises agent that validates it against a domain controller. No password hashes are stored in the cloud, but cloud sign-in now depends on the agents being up and having outbound connectivity, so they must be deployed redundantly.
- Federation (e.g., with AD FS): Azure AD redirects the user to an on-premises federation service that authenticates them and issues a token. This gives the most control (custom claims, smart-card or third-party MFA) at the highest cost and complexity, and the federation farm becomes a single point of failure for every cloud sign-in.
Your choice will impact user experience, complexity, and infrastructure requirements.
Synchronization Method Decision:
Consider: User experience, security posture, network latency, existing infrastructure, and administrative overhead.
Example: For organizations prioritizing simplicity and strong security with multi-factor authentication managed by Azure AD, PHS is often preferred.
2. User Principal Name (UPN) Strategy
The UPN is the primary identifier for users in Azure AD. It's crucial to have a consistent UPN strategy:
- On-premises UPN matches Azure AD UPN: The ideal scenario, ensuring seamless user experience.
- Transform on-premises UPN to Azure AD UPN: If your on-premises UPNs are not routable (e.g., using internal domains like .local), you'll need to transform them.
UPN Matching Decision:
Consider: How users will log in to Azure AD resources. Mismatched UPNs can lead to duplicate accounts and user confusion.
Example: If your on-premises domain is ad.local, you might transform user UPNs to user@yourcompany.com for Azure AD.
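The transformation above, as an added example that is not part of the original page: it rewrites every on-premises UPN ending in ad.local to the verified public suffix yourcompany.com, after first checking that the new suffix is registered on the forest and that no two accounts would collapse onto the same UPN. The suffix names, the server it is run on, and the availability of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module, a non-routable suffix of ad.local, and yourcompany.com as the suffix
# that is verified in the Azure AD tenant.
Import-Module ActiveDirectory

$OldSuffix = 'ad.local'
$NewSuffix = 'yourcompany.com'

# 1. The new suffix must be a registered UPN suffix on the forest; otherwise
#    Set-ADUser accepts it silently and the GUI tools will not offer it.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Enumerate the users still carrying the non-routable suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -Properties UserPrincipalName

# 3. Plan the new UPNs and detect collisions before touching anything. Two
#    accounts mapping to the same UPN, or a planned UPN that an existing account
#    already owns, would surface in Azure AD Connect as a duplicate-attribute error.
$existing = @(Get-ADUser -Filter "UserPrincipalName -like '*@$NewSuffix'").UserPrincipalName
$planned = foreach ($u in $users) {
    [pscustomobject]@{
        Sam    = $u.SamAccountName
        OldUpn = $u.UserPrincipalName
        NewUpn = ($u.UserPrincipalName -split '@')[0] + "@$NewSuffix"
    }
}
$collisions = $planned |
    Where-Object { $existing -contains $_.NewUpn } |
    ForEach-Object { "$($_.Sam) -> $($_.NewUpn) already exists" }
$collisions += $planned | Group-Object NewUpn | Where-Object Count -gt 1 |
    ForEach-Object { "$($_.Name) shared by $($_.Group.Sam -join ', ')" }
if ($collisions) {
    $collisions | ForEach-Object { Write-Warning $_ }
    throw 'Resolve UPN collisions before continuing.'
}

# 4. Apply. -WhatIf prints the plan; remove it once the plan looks right.
foreach ($p in $planned) {
    Set-ADUser -Identity $p.Sam -UserPrincipalName $p.NewUpn -WhatIf
}
```

Verify the target domain in the Azure AD tenant before running this; a UPN with an unverified suffix is synchronized as user@tenant.onmicrosoft.com instead. For accounts that are already synchronized, Azure AD Connect propagates the new UPN on the next delta cycle, and the user's existing cloud sessions keep working under the old name until they re-authenticate.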
3. Device Management Strategy
How will you manage devices that access corporate resources?
- Azure AD Joined: Devices are joined directly to Azure AD with no on-premises domain membership; users sign in with their Azure AD account and the device is typically managed by an MDM such as Intune.
- Hybrid Azure AD Joined: Devices are joined to on-premises AD DS and also registered in Azure AD (the computer objects are synchronized by Azure AD Connect), so existing Group Policy keeps working while Conditional Access can still evaluate the device.
- Azure AD Registered: Personal or BYOD devices that are registered with Azure AD, not joined; the user signs in to the device with a local or personal account and adds a work account on top.
Device Management Decision:
Consider: Device ownership (corporate vs. personal), security policies, and the need for seamless single sign-on (SSO) from managed devices.
Example: For corporate-owned devices, Hybrid Azure AD Join or Azure AD Join are typically recommended.
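A practitioner's check for which of the three states a given Windows device is actually in, added here and not code from the original page: it parses the output of the built-in dsregcmd /status tool and classifies the device. It assumes a Windows 10 or 11 machine where dsregcmd.exe is present, and that the command is run in the signed-in user's context (the user-state and PRT lines are only populated there).

```powershell
# Added example (not from the original page). Assumes Windows 10/11 with
# dsregcmd.exe, run as the interactive user so the SSO state is reported.
function Get-DeviceJoinState {
    $raw = dsregcmd /status

    # dsregcmd prints "    Key : Value" lines; fold them into a hashtable.
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined = $state['AzureAdJoined']   -eq 'YES'
    $domJoined = $state['DomainJoined']    -eq 'YES'
    $wpJoined  = $state['WorkplaceJoined'] -eq 'YES'

    # Hybrid join means both flags are YES; a domain-joined device with
    # AzureAdJoined NO has not completed hybrid join and will fail device-based
    # Conditional Access.
    $kind = if ($aadJoined -and $domJoined) { 'Hybrid Azure AD joined' }
            elseif ($aadJoined)             { 'Azure AD joined' }
            elseif ($wpJoined)              { 'Azure AD registered' }
            elseif ($domJoined)             { 'Domain joined only (hybrid join incomplete)' }
            else                            { 'Not joined' }

    [pscustomobject]@{
        JoinType   = $kind
        TenantName = $state['TenantName']
        DeviceId   = $state['DeviceId']
        # A Primary Refresh Token is what gives seamless SSO to cloud apps;
        # a joined device without one will prompt for credentials.
        PrtPresent = $state['AzureAdPrt'] -eq 'YES'
    }
}

Get-DeviceJoinState
```

Run it across a sample of corporate devices before rolling out device-based Conditional Access; every device that reports "Domain joined only" or PrtPresent False will be blocked or prompted once the policy is enforced.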
4. Application Integration and Access
How will you grant users access to your applications, both on-premises and in the cloud?
- Single Sign-On (SSO): Leverage Azure AD as the identity provider for cloud applications (SAML, OpenID Connect) so users authenticate once and applications never see a password.
- Conditional Access Policies: Define granular access controls based on user, device state, location, client app, and sign-in risk, and require controls such as MFA or a compliant device before a token is issued.
- Application Proxy: Publish on-premises web applications through Azure AD so remote access goes through Azure AD authentication and Conditional Access rather than a VPN or an exposed endpoint.
Application Access Decision:
Consider: Application types (SaaS, legacy on-premises), security requirements, and the need for consistent access controls.
Example: Use Conditional Access to enforce multi-factor authentication for all users accessing cloud-based CRM applications.
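The policy in that example, written out as an added example (not code from the original page) with the Microsoft Graph PowerShell SDK. The CRM application's client ID and the break-glass group ID are placeholders; the policy is created in report-only mode first so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original page). Assumes the Microsoft.Graph
# PowerShell module; the two GUIDs below are placeholders to replace.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$crmAppId          = '00000000-0000-0000-0000-000000000000'   # placeholder: appId of the CRM enterprise app
$breakGlassGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder: group holding emergency-access accounts

$policy = @{
    displayName = 'CA-CRM-RequireMFA'
    # Report-only evaluates the policy and logs the outcome without enforcing it.
    # Switch to 'enabled' once the sign-in log shows no unexpected blocks.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            # Always exclude break-glass accounts so a misconfigured policy
            # cannot lock administrators out of the tenant.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @($crmAppId)
        }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Refuse to create a second copy if the policy already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
if ($existing) {
    Write-Warning "Policy '$($policy.displayName)' already exists with id $($existing.Id)"
} else {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    $created | Select-Object Id, DisplayName, State
}
```

Legacy authentication clients (exchangeActiveSync, other) are deliberately not included in clientAppTypes here because they cannot satisfy an MFA grant; they should be blocked by a separate policy rather than silently left outside this one.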
5. Identity Lifecycle Management
How will you manage the creation, update, and deletion of user identities?
- Automated Provisioning/Deprovisioning: Use Azure AD Connect to flow account creation, attribute changes, and disablement from AD DS to Azure AD, and SCIM-based provisioning from Azure AD to SaaS applications, so that a single change on-premises propagates everywhere without manual steps.
- Role-Based Access Control (RBAC): Implement RBAC for efficient permission management.
Lifecycle Management Decision:
Consider: The rate of user churn, the need for timely access revocation, and administrative efficiency.
Example: Automatically create Azure AD accounts when a new user is added to on-premises AD DS, and disable them upon departure. Note that disabling the on-premises account only reaches Azure AD on the next sync cycle, and tokens the user already holds remain valid until they expire or are revoked.
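An offboarding routine covering that gap, added here as an example and not code from the original page: it disables the on-premises account, triggers a delta sync instead of waiting for the scheduler, and revokes the user's refresh tokens in Azure AD. It assumes it runs on the Azure AD Connect server (ADSync module), with the RSAT ActiveDirectory and Microsoft.Graph modules installed; the user names at the bottom are placeholders.

```powershell
# Added example (not from the original page). Assumes the ADSync,
# ActiveDirectory and Microsoft.Graph modules; account names are placeholders.
Import-Module ActiveDirectory
Import-Module ADSync
Connect-MgGraph -Scopes 'User.ReadWrite.All'

function Disable-HybridUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # 1. Disable on-premises. Azure AD Connect flows userAccountControl to
    #    accountEnabled, so this is the authoritative change.
    Disable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName `
        -Description "Disabled $(Get-Date -Format s) by offboarding"

    # 2. Do not wait for the scheduler (30-minute default); run a delta cycle now.
    #    The call is rejected if a cycle is already in progress; retry in that case.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # 3. accountEnabled=false does not invalidate tokens already issued; access
    #    tokens stay valid until expiry. Revoking sessions invalidates refresh
    #    tokens so every client has to re-authenticate, which now fails.
    $cloudUser = Get-MgUser -UserId $UserPrincipalName -Property Id, AccountEnabled
    $revoked = Revoke-MgUserSignInSession -UserId $cloudUser.Id

    [pscustomobject]@{
        User            = $UserPrincipalName
        OnPremEnabled   = (Get-ADUser -Identity $SamAccountName).Enabled
        # May still read True for a few minutes until the delta export completes.
        CloudEnabled    = (Get-MgUser -UserId $cloudUser.Id -Property AccountEnabled).AccountEnabled
        SessionsRevoked = [bool]$revoked
    }
}

Disable-HybridUser -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@yourcompany.com'
```

The order matters: revoking sessions before the account is disabled only buys a few minutes, because the user can simply sign in again. Disable first, push the change, then revoke.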
6. Disaster Recovery and High Availability
Ensure your hybrid identity solution remains available in the event of an outage.
- Redundant Synchronization Servers: Deploy a second Azure AD Connect server in staging mode. Only one server may actively export to a tenant; the staging server imports and synchronizes the same data but does not export, so it can be promoted quickly if the active server is lost.
- Multiple PTA Agents: For Pass-through Authentication, deploy at least three agents, spread across sites or data centers, since every cloud sign-in fails if no agent is reachable.
Resilience Decision:
Consider: Business continuity requirements and the impact of identity service downtime.
Example: Run at least two Azure AD Connect servers, one active and at least one in staging mode, and verify that exactly one is active; two servers exporting to the same tenant conflict, and none exporting means nothing is synchronizing.
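A check for that invariant, added here as an example and not code from the original page: it queries the scheduler on each Azure AD Connect server over PowerShell Remoting and warns unless exactly one server is outside staging mode. The server names are placeholders, and it assumes the ADSync module is present on each server and that remoting is enabled.

```powershell
# Added example (not from the original page). Server names are placeholders;
# assumes PowerShell Remoting and the ADSync module on each server.
$servers = 'aadc01.ad.local', 'aadc02.ad.local'

function Get-AadConnectTopology {
    param([string[]] $ComputerName)

    $report = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module ADSync
        $s = Get-ADSyncScheduler
        [pscustomobject]@{
            Server           = $env:COMPUTERNAME
            StagingMode      = $s.StagingModeEnabled
            SyncCycleEnabled = $s.SyncCycleEnabled
            CycleInProgress  = $s.SyncCycleInProgress
            NextCycleUtc     = $s.NextSyncCycleStartTimeInUTC
        }
    } -ErrorAction Continue

    # Servers that did not answer are also a finding: a dead staging server is no failover.
    $missing = $ComputerName | Where-Object {
        $host = ($_ -split '\.')[0]
        $report.Server -notcontains $host
    }
    foreach ($m in $missing) { Write-Warning "No response from $m" }

    $active = @($report | Where-Object { -not $_.StagingMode })
    if ($active.Count -ne 1) {
        Write-Warning ("Expected exactly one active server, found {0}: {1}" -f
            $active.Count, ($active.Server -join ', '))
    }
    foreach ($srv in $report | Where-Object { -not $_.SyncCycleEnabled }) {
        Write-Warning "Scheduler disabled on $($srv.Server); it will not pick up changes"
    }

    $report
}

Get-AadConnectTopology -ComputerName $servers |
    Format-Table Server, StagingMode, SyncCycleEnabled, CycleInProgress, NextCycleUtc
```

Switching a server out of staging mode is done through the Azure AD Connect wizard (Configure, then Configure staging mode), and the old active server must be taken out of service or put into staging mode first; run this check again afterwards to confirm the count is still one.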