Most organisations adopting Microsoft 365 already have an on-premises Active Directory environment. Rather than replacing it, Entra ID Connect (formerly Azure AD Connect) synchronises the on-premises directory to Entra ID, creating a hybrid identity model where users have a single identity that works for both on-premises resources (file shares, on-prem apps, legacy systems) and cloud services (M365, Azure, SaaS apps).

The authentication method you choose — Password Hash Synchronisation, Pass-Through Authentication, or Federation — fundamentally changes the architecture's availability, security, and operational profile.

The Three Authentication Methods

Password Hash Synchronisation (PHS)

PHS synchronises a one-way hash of the password hash (not the password itself) from on-premises AD to Entra ID. When a user signs in to a cloud resource, Entra ID authenticates them directly using the synchronised hash.

  • Advantages: Simplest to deploy and operate; cloud authentication survives on-premises AD outages; enables Entra ID Identity Protection (leaked credential detection, sign-in risk).
  • Security note: If Entra ID is compromised, the hash could theoretically be used offline. In practice, the stored value is a salted PBKDF2 hash of the NTLM hash — not directly usable. Microsoft recommends PHS for most organisations.
  • Best for: Most organisations, especially those prioritising availability and simplicity.

Pass-Through Authentication (PTA)

PTA authenticates users against on-premises AD in real-time. When a user signs in to a cloud resource, the authentication request is forwarded to an on-premises PTA agent (a lightweight process running on AD-connected servers) which validates the credentials against Active Directory and returns the result.

  • Advantages: Password never leaves the on-premises network; immediately honours on-premises account status (disabled, locked, expired).
  • Disadvantages: Cloud authentication depends on on-premises infrastructure; at least two PTA agents required for HA; does not support Entra ID Protection leaked credential detection.
  • Best for: Organisations with compliance requirements prohibiting password material from leaving on-premises, and with robust on-premises HA.

Federation (AD FS)

Federation externalises authentication to an on-premises Security Token Service (typically AD FS). Entra ID trusts claims issued by the federation server and grants access based on the token.

  • Advantages: Maximum control over authentication logic; supports smart card and certificate-based authentication; can integrate with non-AD identity stores.
  • Disadvantages: Significantly more complex to deploy and operate; AD FS farm requires HA infrastructure (WAP servers, load balancers); cloud access fails if AD FS is unavailable; Microsoft is actively moving organisations away from federation towards PHS/PTA.
  • Best for: Organisations with specific smart-card/certificate authentication requirements, or existing AD FS investments. Not recommended for new deployments.

Entra ID Connect Sync Architecture

Entra ID Connect runs on a domain-joined Windows Server and performs delta synchronisation every 30 minutes (configurable down to 2 minutes via PowerShell). A staging server should always be deployed in a warm standby configuration — it runs the full sync cycle but does not export changes, allowing rapid promotion if the active connector fails.

Key scoping decisions:

  • OU filtering — synchronise only the OUs that contain objects that need cloud access. Do not sync service accounts, built-in accounts, or decommissioned OUs.
  • Attribute filtering — the default attribute set is broad. For GDPR compliance, consider excluding attributes like telephoneNumber, streetAddress, or other personal data fields that aren't needed in Entra ID.
  • UPN suffix — the on-premises UPN suffix used for cloud sign-in must be a verified custom domain in Entra ID. Plan UPN suffix changes in AD before enabling sync if the default domain (contoso.local) is non-routable.

Entra ID Connect Cloud Sync vs Connect Sync

Entra ID Connect Cloud Sync is a lighter-weight alternative to the full Connect Sync tool. It uses provisioning agents (installed on domain controllers or member servers) rather than a dedicated sync server. It's designed for scenarios with disconnected forests, lightweight sync requirements, or organisations that want Microsoft to manage the sync infrastructure. Limitations include no device writeback, no Exchange hybrid, and no staging server equivalent.

Writeback Features: Bringing Cloud Changes Back On-Premises

  • Password writeback — when a user resets their password via Entra ID SSPR (Self-Service Password Reset) or admin reset, the new password is written back to on-premises AD immediately. Essential for hybrid environments where users authenticate to on-prem systems with their AD password.
  • Group writeback — M365 Groups and Security Groups created in Entra ID can be written back as on-premises distribution groups, making them visible to on-prem Exchange.
  • Device writeback — Entra ID-joined and registered devices are written back to AD as computer objects. Required for some Conditional Access scenarios that target on-prem resources.
"Hybrid identity is where cloud and on-premises meet — and where most enterprise M365 problems originate. Getting the sync architecture right eliminates an entire class of support issues."

Sripadatech designs and implements hybrid identity architectures for organisations migrating to M365. Get in touch to discuss your identity architecture.