Active Directory Hybrid Deployment: How to Combine Your On-Prem AD & Entra ID

Many organizations use Microsoft’s cloud-based directory service Entra ID alongside an on-premise Active Directory domain. There are several ways to implement such a hybrid identity use case, ranging from sync utilities to domain controllers replicated in cloud VMs.

Entra Connect Sync

Entra Connect Sync is a utility that lets you sync data from your local AD to Entra ID. You install the application on a domain-joined server, and it automatically synchronizes users, groups, devices and account attributes to Entra ID.

Connect Sync allows you to extend your existing Active Directory domain to Entra ID without having to manage accounts for both services independently. Thanks to pass-through authentication, your users can even use the same password for their shared cloud and on-prem account.

Entra Connect Sync supports different topologies, including linking a single forest to a single Entra tenant, linking multiple forests to one tenant, or linking one forest to multiple tenants. However, there are some restrictions: for example, only one tenant can write back to your local AD (with the exception of password writeback). Microsoft provides further documentation on how to set up Entra Connect.
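Once Connect Sync is in place, the thing most worth monitoring is that it keeps running: if the scheduler stops, accounts disabled on-prem stay enabled in Entra ID until someone notices. The following PowerShell health check is an added example and is not code from the original article, from tenfold or from Microsoft. It assumes it runs on the Connect Sync server (where the ADSync module is installed) with the Microsoft.Graph PowerShell SDK available, and the MaxSyncAgeMinutes threshold is an assumed value, not a Microsoft default.

```powershell
# Added example: health check for an Entra Connect Sync deployment.
# Assumptions: run on the Connect Sync server (ADSync module present),
# Microsoft.Graph SDK installed, and MaxSyncAgeMinutes chosen by you.
param(
    [int]$MaxSyncAgeMinutes = 60   # assumed threshold, adjust to your sync interval
)

$findings = @()

# --- Server side: scheduler state from the ADSync module ---
Import-Module ADSync -ErrorAction Stop
$sched = Get-ADSyncScheduler

if (-not $sched.SyncCycleEnabled) {
    $findings += "Sync cycle is disabled: on-prem account changes (including disables) are not reaching Entra ID."
}
if ($sched.StagingModeEnabled) {
    $findings += "Server is in staging mode: it imports but does not export. Confirm another server is the active one."
}
if ($sched.SchedulerSuspended) {
    $findings += "Scheduler is suspended (often left over from an upgrade or a manual Set-ADSyncScheduler call)."
}

# List the configured connectors; an unexpected extra forest or tenant is worth a look.
Get-ADSyncConnector | ForEach-Object {
    Write-Host ("Connector: {0}" -f $_.Name)
}

# --- Tenant side: last successful sync as recorded by Entra ID ---
Connect-MgGraph -Scopes "Organization.Read.All" | Out-Null
$org = Get-MgOrganization

if (-not $org.OnPremisesSyncEnabled) {
    $findings += "Tenant reports OnPremisesSyncEnabled = false."
}
elseif ($org.OnPremisesLastSyncDateTime) {
    $age = (Get-Date).ToUniversalTime() - $org.OnPremisesLastSyncDateTime.ToUniversalTime()
    if ($age.TotalMinutes -gt $MaxSyncAgeMinutes) {
        $findings += ("Last sync was {0:N0} minutes ago (threshold {1})." -f $age.TotalMinutes, $MaxSyncAgeMinutes)
    }
}

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Host "Connect Sync health: OK"
}
else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Connect-MgGraph prompts for an interactive sign-in as written; for a scheduled run you would replace it with a certificate-based app sign-in. The non-zero exit code is there so the script can sit behind a monitoring job that alerts when sync silently stops.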

Entra Cloud Sync

Like Entra Connect Sync, Entra Cloud Sync allows you to synchronize data between Active Directory and Entra ID. However, instead of a locally installed application, Cloud Sync uses Entra’s cloud provisioning agent. This makes Cloud Sync easier to deploy and reduces hardware use on your end.

In addition, Entra Cloud Sync covers additional use cases that are not supported by Connect Sync. For example, Cloud Sync can synchronize data from multiple disconnected forests to a single Entra tenant. This can be useful for organizations that share a Microsoft 365 environment, but have not integrated their on-premise infrastructure.

According to Microsoft, Cloud Sync will replace Connect Sync once it has achieved functional parity. So it’s worth migrating to Cloud Sync as soon as possible.

Active Directory Domain in Azure VM

If you want to extend your Active Directory to the cloud, another option is to host an AD domain in an Azure VM and add this domain to your on-premise forest. For an example of this, please see the reference architecture provided by Microsoft.

Like both Sync options, this approach allows you to share the same identity information between your on-prem domain and cloud environment. It has the additional benefit of allowing you to apply group policy objects to the domain hosted in Azure. However, it does mean you need to deploy and maintain your own cloud VM and domain controller.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.