Cyber Intelligence
Implement Identities in Entra ID · 25-30% of exam

L4. Hybrid Identity: Entra Connect and Cloud Sync


Understand hybrid identity synchronization for the SC-300: comparing Entra Connect Sync and Entra Cloud Sync, configuring password hash sync vs pass-through authentication vs federation, and managing the source of authority for hybrid users.

Why Hybrid Identity?

Most enterprises operate both on-premises Active Directory and Entra ID. Hybrid identity synchronization bridges these two directories so users can authenticate to both cloud and on-premises resources with a single set of credentials.

The SC-300 exam expects you to know when to use each synchronization tool and which authentication method fits a given scenario.

Entra Connect Sync vs Cloud Sync

Feature                  Entra Connect Sync                Entra Cloud Sync
Architecture             Dedicated on-premises server      Lightweight provisioning agent, managed from the cloud
Multi-forest support     Yes                               Yes, including disconnected forests (simpler config)
Filtering                OU, domain, attribute value       OU and group scoping only
Sign-in methods          PHS, PTA, federation              PHS or federation (no PTA)
Password writeback       Yes                               Yes
Device writeback         Yes                               No (Cloud Sync does not sync device objects)
Exchange hybrid          Full support                      Limited
Group writeback          Yes                               Limited
Exam tip: Entra Cloud Sync uses a lightweight provisioning agent and is managed entirely from the cloud. Entra Connect Sync requires a dedicated on-premises server and is configured locally. For simple sync scenarios, Cloud Sync is the recommended modern approach.

Authentication Methods

When a synced user signs in to a cloud resource, their credentials must be validated. Three methods are available:

Password Hash Sync (PHS)

Entra Connect reads the NT password hash from Active Directory, salts it and runs it through PBKDF2 with HMAC-SHA256 (1,000 iterations), and syncs only that derived value to Entra ID; the original hash is never stored in the cloud and the synced value cannot be replayed against on-premises AD. Authentication then happens entirely in the cloud. PHS is the simplest method and has the highest availability because sign-in has no dependency on on-premises infrastructure. Password hashes are synced roughly every two minutes, independently of the 30-minute object sync cycle, and PHS is also what enables the leaked-credential detections in Entra ID Protection.

Pass-Through Authentication (PTA)

Entra ID encrypts the entered password with the PTA agent's public key and places the request on a queue; an on-premises PTA agent picks it up, decrypts it, validates the credentials against a domain controller in real time, and returns only the result. Passwords never leave the on-premises network in usable form. At least one PTA agent with line of sight to a domain controller is required, Microsoft recommends three or more for high availability, and the agents need only outbound HTTPS (no inbound ports). PTA is available only with Entra Connect Sync, not with Cloud Sync.

Federation (AD FS or third-party)

All authentication for a federated domain is redirected to an on-premises federation service (typically AD FS, or a third-party identity provider). Federation offers the most flexibility (custom claim rules, smart cards, third-party MFA) but carries the highest operational overhead and the lowest availability, because every sign-in depends on the federation infrastructure.

Exam tip: Microsoft recommends PHS as the primary authentication method for its simplicity and resilience. Even when using PTA or federation, enabling PHS alongside it is a best practice: if the PTA agents or AD FS go down, you can fail over to PHS. The failover is not automatic; the sign-in method is changed in the Entra Connect wizard (for federation, by converting the domain from federated to managed), so plan and test the procedure before you need it.
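As an added example (not part of the original lesson), the following Microsoft Graph PowerShell script reports the sign-in method of every verified domain and whether password hash sync is enabled, so a tenant using PTA or federation can confirm it actually has the PHS fallback the tip recommends. It assumes the Microsoft.Graph SDK is installed and that the signed-in account can consent to the Domain.Read.All and OnPremDirectorySynchronization.Read.All scopes; the property names follow the Graph `domain` and `onPremisesDirectorySynchronization` resources.

```powershell
# Added example: audit sign-in method per domain and confirm PHS is available as a fallback.
# Assumes the Microsoft.Graph PowerShell SDK and an account that can consent to the two scopes below.
Connect-MgGraph -Scopes 'Domain.Read.All', 'OnPremDirectorySynchronization.Read.All' -NoWelcome

# A verified domain is either Managed (PHS and/or PTA) or Federated (AD FS / third-party IdP).
$domains = Get-MgDomain -All |
    Where-Object { $_.IsVerified } |
    Select-Object Id, AuthenticationType, IsDefault

# Tenant-wide directory sync settings; Features.PasswordSyncEnabled is the PHS feature flag.
# Same data is available raw at GET /v1.0/directory/onPremisesSynchronization.
$sync       = Get-MgDirectoryOnPremiseSynchronization
$phsEnabled = [bool]($sync.Features.PasswordSyncEnabled)

$domains | Format-Table -AutoSize

$federated = @($domains | Where-Object { $_.AuthenticationType -eq 'Federated' })
if ($federated.Count -gt 0 -and -not $phsEnabled) {
    Write-Warning ("Federated domain(s) {0} with password hash sync disabled: no PHS fallback " +
                   "if the federation service becomes unavailable." -f ($federated.Id -join ', '))
} elseif (-not $phsEnabled) {
    Write-Warning 'Password hash sync is disabled: a PTA outage (all agents offline) has no fallback.'
} else {
    Write-Host 'Password hash sync is enabled: PHS can take over as the sign-in method if needed.'
}
```

Graph cannot tell a PHS-only tenant from a PTA tenant (both domains report Managed); PTA agent health is visible in the Entra admin center under Entra Connect, and the script's point is the PHS flag, which must be on for either fallback scenario to work.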

Source of Authority

For synced (hybrid) users, the on-premises Active Directory is the source of authority (such objects report onPremisesSyncEnabled = true in Microsoft Graph). This means:

  • User attributes such as name, department and phone are managed on-premises and flow to the cloud on each sync cycle (every 30 minutes by default)
  • Those attributes are read-only for synced objects in the Entra admin center, and Graph rejects direct writes to them; any cloud-side value that did differ would be overwritten at the next sync cycle
  • Attributes that exist only in the cloud (licences, cloud-only extension attributes, sign-in settings) are still managed in Entra ID; the writeback features (password, device, group) are the deliberate exceptions where a cloud change flows back to AD
Exam tip: If a question describes changing a synced user's department in the Entra admin center and asks why it reverts, the answer is source of authority. The on-premises directory wins for synced attributes, so the fix is to edit the attribute in Active Directory and let the next sync cycle carry it up.
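The following script is an added example (not from the original lesson) that applies the source-of-authority rule in practice: given a UPN and a new department, it checks whether the user is hybrid, verifies that the cloud object is anchored to the on-premises account it is about to edit, and then writes the attribute in Active Directory (triggering a delta sync) or in Entra ID accordingly. It assumes the Microsoft.Graph and ActiveDirectory modules, PowerShell remoting to the active Entra Connect server, and that the server name CONNECT01 is a placeholder for your own.

```powershell
# Added example: change a user's department where the object is mastered.
# Assumes Microsoft.Graph + ActiveDirectory modules, User.ReadWrite.All, and remoting to the
# active Entra Connect server (CONNECT01 is a placeholder name).
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $Department,
    [string] $ConnectServer = 'CONNECT01'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# onPremisesSyncEnabled is $true for hybrid users and null/false for cloud-only users.
$user = Get-MgUser -UserId $UserPrincipalName -Property 'id','userPrincipalName','department',
    'onPremisesSyncEnabled','onPremisesSamAccountName','onPremisesImmutableId','onPremisesLastSyncDateTime'

if ($user.OnPremisesSyncEnabled) {
    # The cloud anchor (onPremisesImmutableId) is the base64 form of mS-DS-ConsistencyGuid, or of
    # objectGUID on older setups. Check it before writing so we never edit the wrong AD account.
    $adUser = Get-ADUser -Identity $user.OnPremisesSamAccountName -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    $anchorBytes = if ($adUser.'mS-DS-ConsistencyGuid') { [byte[]]$adUser.'mS-DS-ConsistencyGuid' }
                   else { $adUser.ObjectGUID.ToByteArray() }
    if ([Convert]::ToBase64String($anchorBytes) -ne $user.OnPremisesImmutableId) {
        throw "Anchor mismatch: $UserPrincipalName is not linked to AD account $($adUser.SamAccountName)."
    }

    # AD is the source of authority. Update-MgUser -Department here would fail with
    # "Unable to update the specified properties for on-premises mastered Directory Sync objects".
    Set-ADUser -Identity $adUser -Department $Department
    Invoke-Command -ComputerName $ConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
    Write-Host "Updated in AD (last cloud sync: $($user.OnPremisesLastSyncDateTime)); delta sync requested."
} else {
    # Cloud-only user: Entra ID is authoritative, so Graph is the right place to write.
    Update-MgUser -UserId $user.Id -Department $Department
    Write-Host "Updated cloud-only user $UserPrincipalName in Entra ID."
}
```

Run it as a .ps1, for example `.\Set-HybridDepartment.ps1 -UserPrincipalName alice@contoso.com -Department Finance`; the anchor check is the part worth keeping even if you script nothing else, because a soft-matched account with a stale ImmutableId is the classic way an edit lands on the wrong object.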

Seamless SSO

Entra Seamless SSO works with PHS and PTA (not federation, which supplies its own SSO) to sign in users automatically on domain-joined Windows devices connected to the corporate network. It is enabled from the Entra Connect wizard, which creates a computer account named AZUREADSSOACC in each on-premises forest; the browser obtains a Kerberos ticket for that account from a domain controller and presents it to Entra ID, which validates it with the shared key, so users see no password prompt. Two caveats a practitioner needs: the AZUREADSSOACC Kerberos decryption key should be rolled over at least every 30 days, and Entra hybrid joined Windows 10 and later devices sign in with the Primary Refresh Token instead, so Seamless SSO matters mainly for domain-joined devices that are not hybrid joined.
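As an added example (not part of the original lesson), this script checks how old the Seamless SSO Kerberos decryption key is, using the AZUREADSSOACC computer account's password age, and rolls it over when it exceeds the 30-day guidance. It assumes it runs on the Entra Connect server with the AzureADSSO module at its default install path, plus a Global Administrator account and a Domain Administrator credential; the 30-day threshold is the documented recommendation, not a setting the tool enforces.

```powershell
# Added example: audit and roll over the Seamless SSO Kerberos decryption key.
# Assumes execution on the Entra Connect server (default install path) with GA and Domain Admin creds.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module ActiveDirectory

$maxAgeDays = 30   # Microsoft's guidance: roll the key at least every 30 days

# The key is the password of the AZUREADSSOACC computer account, so PasswordLastSet is its age.
$acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet, DistinguishedName
$age = (Get-Date) - $acc.PasswordLastSet
'{0}: key last rolled {1:yyyy-MM-dd} ({2:N0} days ago)' -f $acc.DistinguishedName, $acc.PasswordLastSet, $age.TotalDays

if ($age.TotalDays -gt $maxAgeDays) {
    # Sign in to Entra ID (prompts for a Global Administrator), then roll the key for this forest.
    # Existing Kerberos tickets keep working; users do not need to sign in again.
    New-AzureADSSOAuthenticationContext
    $onPrem = Get-Credential -Message 'Domain Administrator (DOMAIN\user)'
    Update-AzureADSSOForest -OnPremCredentials $onPrem

    # Confirm the feature is still enabled for the forest after the rollover.
    Get-AzureADSSOStatus | ConvertFrom-Json
} else {
    "Key is within the $maxAgeDays-day policy; no rollover needed."
}
```

Schedule the check rather than the rollover: a rollover that runs unattended needs stored Domain Admin credentials, which is a worse trade than a reminder that fires when the key is due.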

Staging Mode

Entra Connect can be deployed in staging mode: the server imports from AD and Entra ID and synchronizes into its own metaverse, but does not export changes to Entra ID (password hash sync and password writeback are also inactive while in staging mode). Use it for disaster recovery, as a warm standby that already holds a current copy of the data and can take over by leaving staging mode, or for testing sync rule changes and reviewing the pending exports before applying them in production. Only one Entra Connect server per tenant may be active (not in staging mode) at a time.
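The following added example (not from the original lesson) performs a controlled switch from the active Entra Connect server to the staging-mode standby using the ADSync cmdlets, with guard rails so that there is never a moment with two exporting servers and no switch happens mid-cycle. It assumes PowerShell remoting to both servers and that CONNECT01 and CONNECT02 are placeholders for your own server names; Microsoft's wizard does the same thing interactively.

```powershell
# Added example: inspect staging mode on both Entra Connect servers and switch the active one.
# Assumes PowerShell remoting; CONNECT01/CONNECT02 are placeholder names.
$active  = 'CONNECT01'   # currently exporting to Entra ID
$standby = 'CONNECT02'   # currently in staging mode

function Get-ConnectState([string] $Server) {
    Invoke-Command -ComputerName $Server -ScriptBlock {
        $s = Get-ADSyncScheduler
        [pscustomobject]@{
            Server      = $env:COMPUTERNAME
            Staging     = $s.StagingModeEnabled
            SyncEnabled = $s.SyncCycleEnabled
            InProgress  = $s.SyncCycleInProgress
            Interval    = $s.CurrentlyEffectiveSyncCycleInterval
        }
    }
}

$before = @($active, $standby) | ForEach-Object { Get-ConnectState $_ }
$before | Format-Table Server, Staging, SyncEnabled, InProgress, Interval -AutoSize

# Guard rails: exactly one server may be exporting, and never switch while a cycle is running.
if (@($before | Where-Object { -not $_.Staging }).Count -ne 1) { throw 'Expected exactly one active server.' }
if (@($before | Where-Object { $_.InProgress }).Count -gt 0)   { throw 'A sync cycle is in progress; wait for it to finish.' }

# 1. Put the active server into staging first, so two servers never export at the same time.
Invoke-Command -ComputerName $active -ScriptBlock { Set-ADSyncScheduler -StagingModeEnabled $true }

# 2. Take the standby out of staging. Its metaverse is already current, so a delta cycle is enough.
Invoke-Command -ComputerName $standby -ScriptBlock {
    Set-ADSyncScheduler -StagingModeEnabled $false
    Start-ADSyncSyncCycle -PolicyType Delta
}

@($active, $standby) | ForEach-Object { Get-ConnectState $_ } |
    Format-Table Server, Staging, SyncEnabled, InProgress, Interval -AutoSize
```

Before step 2 on a real switchover, review the standby's pending exports (Synchronization Service Manager, or the Verify step in the wizard): a standby with a different filtering configuration will happily export the resulting deletes the moment it leaves staging mode.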

Exam Focus Points
  • Password hash sync (PHS) is the simplest and most resilient authentication method: recommended even as a backup for PTA or federation
  • Entra Cloud Sync uses lightweight agents managed from the cloud; Entra Connect Sync requires a dedicated on-premises server
  • For synced users, on-premises AD is the source of authority: cloud-side attribute edits will be overwritten at next sync
  • Pass-through authentication validates credentials in real-time against on-premises AD: passwords never leave on-prem
  • Staging mode lets you deploy a standby Entra Connect server that syncs data without exporting changes to Entra ID
Knowledge Check

1. A company wants the simplest authentication method with the highest cloud availability. Which should they choose?

2. An admin changes a synced user department attribute in the Entra admin center. At the next sync cycle, the change reverts. Why?

3. What is the purpose of deploying Entra Connect in staging mode?