
Microsoft Entra Hybrid Identity — Connect, Cloud Sync & the Right Auth Method

Most orgs have users in on-premises Active Directory and Microsoft 365 at the same time. This lesson shows you how Entra Connect and Cloud Sync bridge that gap, which of the three authentication methods suits each environment, how seamless SSO removes password prompts, and how staged rollout lets you migrate without a cutover weekend.

📅 2026-06-20 · ⏱ 18 min · 4 figures · 10-question assessment

⚡ Quick Answer

Master Microsoft Entra hybrid identity in 2026: Entra Connect vs Cloud Sync, Password Hash Sync vs Pass-Through Auth vs Federation, seamless SSO, attribute writeback, and staged rollout explained clearly.

🎯 By the end you will be able to

1. Sync engines: compare Entra Connect Sync and Entra Cloud Sync (agents, rules, scope).
2. Auth methods: map the trade-offs between PHS, PTA and Federation.
3. Seamless SSO: explain how the Kerberos ticket removes the password prompt.
4. Writeback & staged rollout: push attributes back to AD and migrate groups safely.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can users sign in to Microsoft 365 with their on-premises AD password by default? (Answered in Sync engines.)
2. Which auth method sends a hash of the password hash to Entra ID? (Answered in Auth methods.)
3. What allows domain-joined devices to sign into Microsoft 365 without a password prompt? (Answered in Seamless SSO.)

Most engineers think…

Most people assume hybrid identity is just 'install a tool and it syncs'. They then hit a late-night cutover that goes wrong when changing federation to cloud auth — because they never understood which knobs actually control sign-in behaviour.

Hybrid identity is a stack of three decisions: which sync engine (Entra Connect Sync or the newer Cloud Sync), which authentication method (Password Hash Sync, Pass-Through Authentication or Federation with ADFS / third-party IdP), and what optional features layer on top (Seamless SSO, writeback, staged rollout). Getting these three decisions right before you deploy — not during — is what separates a clean migration from a 2 a.m. call.

① Sync engines — Entra Connect Sync vs Entra Cloud Sync

Every hybrid identity deployment needs a sync engine to copy user, group and contact objects from on-premises Active Directory into Microsoft Entra ID. Microsoft offers two: Entra Connect Sync (the mature, server-installed engine) and Entra Cloud Sync (the newer, lightweight agent model where the sync logic lives in the cloud portal, not on your server).

Entra Connect Sync is best when you need deep customisation — complex attribute-flow rules, device writeback, Exchange hybrid writeback, or multi-forest topologies with a single sync server holding the full picture. Entra Cloud Sync suits most new deployments, multi-forest AD environments, and orgs that want Microsoft to manage the sync configuration in the cloud without a dedicated sync server.

Key difference to state in an interview

Entra Connect Sync runs the entire engine on-premises; Entra Cloud Sync runs the engine in Microsoft's cloud and uses a lightweight on-premises agent only to read from AD and write back. Microsoft now recommends Cloud Sync for new deployments where its feature set is sufficient.

Figure 1 — Hybrid identity sync — on-prem AD to Entra ID
Both sync engines follow the same high-level pipeline; only where the engine runs differs.
[Pipeline: On-prem AD (source of truth) → Sync engine (Connect or Cloud Sync) → Staging / filter (scoping & rules) → Entra ID (cloud directory) → M365 / apps (sign-in & access)]
Quick check · Q1 of 10 · Understand

What is the main architectural difference between Entra Connect Sync and Entra Cloud Sync?

Correct: b. The core difference is where the sync engine runs. Entra Connect Sync installs and runs the full engine on-premises. Entra Cloud Sync places the configuration and engine in the cloud; only a lightweight agent runs locally to read from AD.
👉 So far: Entra Connect Sync = full engine on-premises, deep customisation; Entra Cloud Sync = engine in the cloud, lightweight agent on-prem, preferred for new deployments.

② Authentication methods — PHS, PTA and Federation

Syncing identities is separate from deciding how users authenticate. After sync, you choose one of three methods. Password Hash Sync (PHS) stores a salted hash of the on-premises password hash in Entra ID. Sign-in happens entirely in the Microsoft cloud — no on-premises call at runtime, so it works even if your data centre is down. It also enables leaked-credential detection (Identity Protection correlates the hash against known breach lists).

Pass-Through Authentication (PTA) keeps the password hash on-premises. When a user signs in to the cloud, Entra ID forwards the credential to a lightweight PTA agent on-premises that validates it against AD in real time. No hash leaves the boundary — good for compliance mandates, but sign-in depends on the agent being reachable. Federation delegates the entire authentication to an external IdP such as ADFS or Okta; the cloud trusts whatever token the IdP issues. Federation gives you smart-card, certificate-based and complex conditional logic, but at the cost of ADFS servers, certificates, and a single point of failure if the IdP is down.

The exam line: PHS = simplest, most resilient; PTA = password stays on-prem; Federation = most control, most infrastructure. All three can coexist with Seamless SSO, and you can migrate from Federation to PHS/PTA using staged rollout without a big-bang cutover.

Figure 2 — PHS vs PTA vs Federation — at a glance
Choose based on resilience needs, compliance boundaries, and existing infrastructure.
[PHS & PTA: PHS keeps the hash in the cloud; PTA validates on-prem in real time; no ADFS servers required; Entra Identity Protection works; easiest to migrate from Federation.]
[Federation (ADFS): auth fully delegated to on-prem; smart card & cert-based auth; ADFS servers and WAP needed; down if the IdP is unreachable; most customisation for legacy apps.]
Password Hash Sync
Syncs a salted hash of the on-prem password hash to Entra ID. Authentication is cloud-only at runtime — works even when on-premises AD is down. Enables leaked-credential detection via Identity Protection.

Pass-Through Auth
Password hash stays on-premises. A PTA agent validates credentials against AD in real time when users sign in. Meets compliance mandates that forbid cloud-side password storage, but sign-in depends on agent availability.

Federation (ADFS)
Authentication is fully delegated to an on-premises or third-party IdP. Supports smart cards, certificates, and complex claim rules. Requires ADFS servers and Web Application Proxy; down if the IdP is unreachable.

Seamless SSO
Uses a Kerberos ticket for the AZUREADSSOACC computer account. Domain-joined browsers silently exchange the ticket for a cloud token — no extra password prompt needed on Windows 7/8.1/10/11.

Enable PHS even when using PTA or Federation

Microsoft strongly recommends enabling Password Hash Sync as a backup even if your primary method is PTA or Federation. If the on-prem IdP or PTA agents go down, you can switch Entra ID's sign-in method to PHS in minutes with no user impact — your disaster recovery strategy costs nothing extra.
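The recommendation above is easy to state and easy to forget to verify. The following PowerShell is an added example written for this lesson (it is not the lesson's own code and not a Microsoft sample): it reports which verified domains are federated versus managed, whether Password Hash Sync is switched on in the sync engine, and whether a PTA agent is running on the host, then gives a resilience verdict. It assumes the Microsoft.Graph module with Connect-MgGraph already run (Domain.Read.All), that the ADSync steps run on the Entra Connect Sync server, and that the display-name wildcard used to find the PTA agent service matches your installation (treat that as an assumption to confirm).

```powershell
# Added example for this lesson; not the lesson's or Microsoft's own code.
# Assumptions: Connect-MgGraph already run with Domain.Read.All; ADSync module
# present (Entra Connect Sync server); PTA agent service display name contains
# "Authentication Agent" (assumption, confirm on your agent hosts).

function Get-HybridAuthPosture {
    # 1. Verified domains by authentication type: Federated = the IdP decides
    #    sign-in, Managed = cloud authentication (PHS or PTA).
    $domains   = Get-MgDomain -All | Where-Object { $_.IsVerified }
    $federated = @($domains | Where-Object { $_.AuthenticationType -eq 'Federated' })
    $managed   = @($domains | Where-Object { $_.AuthenticationType -eq 'Managed' })

    # 2. Is Password Hash Sync enabled in the sync engine?
    #    Get-ADSyncAADCompanyFeature reports the tenant features Connect turned on.
    Import-Module ADSync -ErrorAction Stop
    $phsOn = [bool](Get-ADSyncAADCompanyFeature).PasswordHashSync

    # 3. Is a PTA agent installed on this host, and is it running?
    $ptaAgent  = Get-Service | Where-Object { $_.DisplayName -like '*Authentication Agent*' }
    $ptaStatus = 'not installed on this host'
    if ($ptaAgent) { $ptaStatus = [string]$ptaAgent.Status }

    [pscustomobject]@{
        FederatedDomains = $federated.Id
        ManagedDomains   = $managed.Id
        PasswordHashSync = $phsOn
        PtaAgentService  = $ptaStatus
    }
}

$posture = Get-HybridAuthPosture
$posture | Format-List

# 4. Resilience verdict: with PHS off there is no cloud-side fallback when the
#    IdP or the PTA agents are unreachable.
if (-not $posture.PasswordHashSync) {
    if ($posture.FederatedDomains) {
        Write-Warning 'Federated domains present and PHS is OFF: no fallback if the IdP fails.'
    } else {
        Write-Warning 'PHS is OFF: if the PTA agents are unreachable there is nothing to switch to.'
    }
} else {
    Write-Host 'PHS is ON: the sign-in method can be switched to PHS in the admin centre if PTA or federation fails.'
}
```

Run it from the Entra Connect server so both the Graph view (domain authentication type) and the sync-engine view (PHS feature flag) come from one place; a federated domain with PHS off is the configuration that turns an IdP outage into a tenant-wide sign-in outage.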

Quick check · Q2 of 10 · Apply

A financial regulator forbids storing any password hash outside the organisation's data centre. Which auth method must you choose?

Correct: c. Pass-Through Authentication validates credentials against on-premises AD in real time and never stores a password hash in Entra ID. PHS stores a hash of the hash in the cloud, which may violate the mandate.
👉 So far: PHS = simplest, most resilient, hash in cloud; PTA = password stays on-prem, agent validates live; Federation = full IdP delegation, most infrastructure. Enable PHS as a backup for all three.

③ Seamless SSO — no password prompt on domain-joined devices

Seamless SSO is an optional feature that layers on top of PHS or PTA (not needed with full federation, which handles SSO itself). When enabled, Entra Connect creates a computer account named AZUREADSSOACC in every synced AD domain and sets a Kerberos service key on it. When a domain-joined Windows device authenticates to a Microsoft 365 resource, the browser silently fetches a Kerberos service ticket for AZUREADSSOACC from the on-premises KDC and sends it to Entra ID's token endpoint, which validates it and issues a cloud token — no password prompt required.

Seamless SSO supports Windows 7, 8.1 and 10/11 domain-joined machines. For Windows 10 and later, Microsoft recommends Primary Refresh Token (PRT) via Hybrid Entra Join or Entra Join as the preferred SSO mechanism — but Seamless SSO is still widely used for down-level clients. Note: starting July 2026 Windows Server will default Kerberos encryption to AES-256 (from RC4), so organisations must ensure the AZUREADSSOACC account key is updated to avoid Seamless SSO failures.
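Because Seamless SSO hinges on one computer account and its Kerberos key, the two things worth checking before and after the encryption-default change described above are the age of that key and which encryption types the account advertises. The script below is an added example for this lesson (not the lesson's own code and not a Microsoft sample): it reads AZUREADSSOACC, decodes the msDS-SupportedEncryptionTypes bitmask using the standard Kerberos flag values (RC4 = 0x4, AES128 = 0x8, AES256 = 0x10), flags the account when the key is older than 30 days (Microsoft's key-rollover guidance) or lacks AES-256, and then rolls the key with Update-AzureADSSOForest, the cmdlet this lesson names in Q8. It assumes the RSAT ActiveDirectory module on the checking host and that the rollover runs on the Entra Connect server, where AzureADSSO.psd1 is installed.

```powershell
# Added example for this lesson; not the lesson's or Microsoft's own code.
# Assumptions: RSAT ActiveDirectory module for the check; rollover runs on the
# Entra Connect server (AzureADSSO.psd1 ships there); 30-day threshold follows
# Microsoft's key-rollover guidance; bit values are the standard
# msDS-SupportedEncryptionTypes flags.
Import-Module ActiveDirectory

function Test-SeamlessSsoAccount {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $Domain `
                -Properties PasswordLastSet, 'msDS-SupportedEncryptionTypes'

    # Decode the encryption-type bitmask. An unset attribute means the DC's
    # default applies, so "unset" is treated as "not explicitly AES".
    $mask = 0
    if ($null -ne $acct.'msDS-SupportedEncryptionTypes') {
        $mask = [int]$acct.'msDS-SupportedEncryptionTypes'
    }
    $rc4    = ($mask -band 0x4)  -ne 0
    $aes128 = ($mask -band 0x8)  -ne 0
    $aes256 = ($mask -band 0x10) -ne 0

    # Key age: Update-AzureADSSOForest resets the account password, so
    # PasswordLastSet is when the Kerberos key was last rolled.
    $keyAgeDays = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days

    [pscustomobject]@{
        Domain        = $Domain
        Enabled       = $acct.Enabled
        KeyAgeDays    = $keyAgeDays
        RC4           = $rc4
        AES128        = $aes128
        AES256        = $aes256
        NeedsRollover = ($keyAgeDays -gt 30) -or (-not $aes256)
    }
}

$status = Test-SeamlessSsoAccount
$status | Format-List

if ($status.NeedsRollover) {
    # Roll the key from the Entra Connect server. New-AzureADSSOAuthenticationContext
    # prompts for a Global Administrator sign-in; -OnPremCredentials must be a
    # Domain Administrator of this forest. Re-run Test-SeamlessSsoAccount afterwards
    # to confirm KeyAgeDays reset and AES256 is advertised.
    Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
    New-AzureADSSOAuthenticationContext
    $onPrem = Get-Credential -Message 'Domain Admin credentials for the on-prem forest'
    Update-AzureADSSOForest -OnPremCredentials $onPrem -PreserveCustomPermissionsOnDesktopSsoAccount
}
```

Run the check against every synced domain (pass -Domain for each), since Entra Connect creates one AZUREADSSOACC per domain; a stale or RC4-only key in any one of them surfaces as the interactive-prompt symptom in Q8 for that domain's users only.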

Figure 3 — Seamless SSO — Kerberos ticket flow
A domain-joined browser silently obtains a Kerberos ticket and exchanges it for a cloud token.
[Flow: User logs on (domain-joined PC) → Browser request (access M365 app) → KDC ticket (for AZUREADSSOACC) → Entra ID validates (Kerberos token) → Cloud token issued (no password prompt)]
'Seamless SSO replaces ADFS' — it does not

Seamless SSO only removes the password prompt on domain-joined Windows devices using PHS or PTA. It cannot issue SAML tokens, handle smart-card auth, or replace ADFS claim rules. If you still need SAML federation for on-prem apps, ADFS (or a third-party IdP) remains required even with Seamless SSO enabled.

Walkthrough — a Password Hash Sync sign-in end to end

How Priya's browser authenticates to Microsoft 365 via PHS + Seamless SSO (the healthy path):

① User sign-in: Priya opens Outlook Web App. The browser is redirected to login.microsoftonline.com.
② PHS lookup: Entra ID finds Priya's synced account and compares the submitted credential against the stored password hash — no on-prem call needed.
③ Seamless SSO: On a domain-joined PC, the browser automatically sends a Kerberos ticket for AZUREADSSOACC — Priya sees no password prompt at all.
④ Token issued: Entra ID issues an access token and refresh token. Priya lands in Outlook with no friction.
Quick check · Q3 of 10 · Remember

Which Active Directory computer account does Entra Connect create to enable Seamless SSO?

Correct: d. Entra Connect creates the AZUREADSSOACC computer account in every synced AD domain and derives a shared Kerberos service key from it. The browser fetches a Kerberos service ticket for this account to enable silent cloud sign-in.
👉 So far: Seamless SSO creates AZUREADSSOACC in AD; the Kerberos ticket for that account gives domain-joined browsers a silent cloud token. Update to AES-256 Kerberos key after July 2026 Windows Server update.

④ Attribute writeback & staged rollout

Attribute writeback is the reverse direction of sync: data flows from Entra ID back to on-premises AD. The key scenarios are: Group writeback (Microsoft 365 Groups and security groups pushed to AD so on-prem apps can see them), Device writeback (Entra-registered device objects written to AD for ADFS conditional access), and Password writeback (SSPR writes a changed cloud password back to on-premises AD immediately, keeping both directories in sync). Exchange Hybrid writeback copies Exchange Online mailbox attributes to the on-premises AD so the on-prem Exchange sees full mailbox routing data. Writeback requires Entra Connect Sync or the relevant Cloud Sync feature to be licensed and turned on.

Staged rollout — migrate without a cutover

Staged rollout lets you move a pilot security group from federation to PHS or PTA without converting the entire federated domain at once. You add a group to the staged-rollout feature flag in Entra ID; those users authenticate via PHS/PTA + Seamless SSO while the rest of the domain stays federated. You can test, validate MFA, confirm Conditional Access policies, and then convert the domain only when ready. Limitation: password writeback via SSPR is not supported while a group is in staged rollout, and the maximum number of groups per feature is ten.
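Staged rollout is configured as a "feature rollout policy" in Entra ID, one per feature, with security groups attached to it. The PowerShell below is an added example for this lesson (not the lesson's own code and not a Microsoft sample) that works against the Microsoft Graph v1.0 endpoint for those policies: it inventories every rollout policy and its groups, warns when a feature is at the ten-group limit mentioned above, and wraps policy creation and group assignment in two small functions. It assumes Connect-MgGraph has been run with Policy.ReadWrite.FeatureRollout and Directory.Read.All; the group id in the usage lines is a constructed placeholder.

```powershell
# Added example for this lesson; not the lesson's or Microsoft's own code.
# Assumptions: Microsoft.Graph.Authentication installed; Connect-MgGraph run with
# Policy.ReadWrite.FeatureRollout and Directory.Read.All; the group id below is a
# constructed placeholder.

$base = 'https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies'

function Get-StagedRolloutInventory {
    # $expand=appliesTo returns the directory objects (groups) each policy targets.
    $uri      = $base + '?$expand=appliesTo'
    $policies = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    foreach ($p in $policies) {
        $groups = @($p.appliesTo)
        if ($groups.Count -ge 10) {
            Write-Warning "$($p.feature): at the 10-group limit, no more pilot groups can be added."
        }
        [pscustomobject]@{
            Id         = $p.id
            Feature    = $p.feature   # passwordHashSync | passthroughAuthentication | seamlessSso | emailAsAlternateId
            Enabled    = $p.isEnabled
            GroupCount = $groups.Count
            Groups     = ($groups | ForEach-Object { $_.displayName }) -join ', '
            Headroom   = 10 - $groups.Count
        }
    }
}

function New-StagedRolloutPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('passwordHashSync', 'passthroughAuthentication', 'seamlessSso')]
        [string]$Feature,
        [string]$DisplayName = "Staged rollout - $Feature"
    )
    # One policy per feature; isAppliedToOrganization stays false so only the
    # attached groups move to cloud auth while the domain remains federated.
    $body = @{
        displayName             = $DisplayName
        feature                 = $Feature
        isEnabled               = $true
        isAppliedToOrganization = $false
    }
    Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType 'application/json'
}

function Add-StagedRolloutGroup {
    param(
        [Parameter(Mandatory)][string]$PolicyId,
        [Parameter(Mandatory)][string]$GroupId
    )
    # Groups are attached by reference. Nested and dynamic groups are not
    # supported for staged rollout, so pass a plain security group.
    $body = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$GroupId" }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$PolicyId/appliesTo/`$ref" `
        -Body $body -ContentType 'application/json'
}

# Usage: inventory first, then create a PHS rollout policy and attach a pilot group.
Get-StagedRolloutInventory | Format-Table -AutoSize
# $phs = New-StagedRolloutPolicy -Feature passwordHashSync
# Add-StagedRolloutGroup -PolicyId $phs.id -GroupId '00000000-0000-0000-0000-000000000000'  # placeholder id
```

Run the inventory before each pilot expansion: the Headroom column shows how many of the ten slots remain per feature, and the Enabled column confirms the policy is actually live, which is the first thing to check when a pilot user still lands on the ADFS sign-in page.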

Figure 4 — Entra hybrid features — one sync, many capabilities
Entra Connect or Cloud Sync sits at the centre; optional features layer on top.
[Hub: Entra Connect / Cloud Sync. Spokes: Password Hash Sync, Pass-Through Auth, Seamless SSO, Password Writeback, Group Writeback, Staged Rollout]

Priya at a Mumbai financial services firm faces this

After enabling SSPR (self-service password reset) in Entra ID, users reset their cloud password successfully — but their on-premises AD password is unchanged, locking them out of VPN and on-prem systems an hour later.

Likely cause

Password writeback was not enabled in Entra Connect Sync, so reset passwords are only updated in Entra ID, not written back to on-premises AD.

Diagnosis

Check Entra admin centre ▸ Password reset ▸ On-premises integration — the 'Write back passwords to your on-premises directory' toggle shows Off.

Fix

Enable password writeback in Entra Connect Sync wizard (optional features) and turn on the toggle in the portal. Writeback is near-real-time; after the next sync cycle, SSPR resets will propagate to on-prem AD.

Verify

Test SSPR for a pilot user — VPN login with the new password succeeds within one sync cycle (default 30 min delta sync, or trigger an immediate sync with Start-ADSyncSyncCycle -PolicyType Delta).

Check sync health before and after any writeback change

Run Get-ADSyncConnectorRunStatus in the Entra Connect shell or check the Entra admin centre ▸ Entra Connect ▸ Health dashboard. Connector errors after enabling writeback almost always mean insufficient on-prem AD permissions for the MSOL_ sync account on the writeback target OUs.
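The diagnose / fix / verify loop for Priya's scenario, together with the sync-health check above, as one PowerShell script. This is an added example for this lesson (not the lesson's own code and not a Microsoft sample): it snapshots the scheduler and connector state with the ADSync cmdlets the lesson names, records a pilot user's on-prem PasswordLastSet before the SSPR reset, triggers a delta sync, confirms the reset reached AD, and, if it did not, lists the MSOL_ sync account's permissions on the writeback target OU. It assumes the ADSync module on the Entra Connect Sync server and the RSAT ActiveDirectory module; 'priya.s' and the OU path are constructed sample values, and the writeback toggle itself is still set in the Connect wizard and the admin centre, not by this script.

```powershell
# Added example for this lesson; not the lesson's or Microsoft's own code.
# Assumptions: ADSync module (Entra Connect Sync server) and RSAT ActiveDirectory
# module available; 'priya.s' and the OU path are constructed sample values; the
# writeback toggle is enabled in the Connect wizard / admin centre beforehand.
Import-Module ADSync
Import-Module ActiveDirectory

function Get-SyncHealthSnapshot {
    # Scheduler state: is the cycle enabled, how often does it run, when is the
    # next one, and is a connector run in progress right now?
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncCycleEnabled = $s.SyncCycleEnabled
        Interval         = $s.CurrentlyEffectiveSyncCycleInterval
        NextCycleUtc     = $s.NextSyncCycleStartTimeInUTC
        RunInProgress    = [bool](Get-ADSyncConnectorRunStatus)
    }
}

function Test-PasswordWriteback {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$WaitSeconds = 120
    )
    # Record PasswordLastSet before the user performs the SSPR reset.
    $before = (Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet).PasswordLastSet
    Read-Host "PasswordLastSet is $before. Have the user reset via SSPR now, then press Enter" | Out-Null

    # Writeback itself is near-real-time; a delta sync is still triggered so the
    # connector run is exercised and any other pending changes land.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds $WaitSeconds

    # Verify: PasswordLastSet in on-prem AD must have moved forward.
    $after = (Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet).PasswordLastSet
    [pscustomobject]@{
        User        = $SamAccountName
        Before      = $before
        After       = $after
        WrittenBack = ($after -gt $before)
    }
}

function Get-WritebackPermissions {
    param([Parameter(Mandatory)][string]$TargetOu)
    # The MSOL_ sync account needs Reset Password plus write access to pwdLastSet
    # and lockoutTime on the target OU; connector errors after enabling writeback
    # usually trace back to one of these being missing.
    $msol = Get-ADUser -Filter "SamAccountName -like 'MSOL_*'" | Select-Object -First 1
    (Get-Acl -Path "AD:\$TargetOu").Access |
        Where-Object { $_.IdentityReference -like "*\$($msol.SamAccountName)" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
}

# Usage (constructed sample values)
Get-SyncHealthSnapshot | Format-List
$result = Test-PasswordWriteback -SamAccountName 'priya.s'
if (-not $result.WrittenBack) {
    Write-Warning 'Reset did not reach AD: check the On-premises integration toggle and the permissions below.'
    Get-WritebackPermissions -TargetOu 'OU=Users,DC=contoso,DC=com' | Format-Table -AutoSize
}
```

Take the health snapshot once before enabling writeback and once after the verification run; a change from RunInProgress false to a connector stuck in a run, or a scheduler that reports SyncCycleEnabled false, explains most "the reset worked in the cloud but not on-prem" tickets before the ACL on the OU ever needs inspecting.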

Quick check · Q4 of 10 · Analyze

You want to move 500 pilot users from ADFS federation to Password Hash Sync without converting the whole domain. What is the correct approach?

Correct: c. Staged rollout targets specific security groups with a feature flag so those users authenticate via PHS while the federated domain stays intact for everyone else. This avoids a risky big-bang domain conversion.
👉 So far: Password writeback needs to be explicitly enabled; staged rollout moves pilot groups from federation to cloud auth without converting the whole domain. Max 10 groups per feature; SSPR writeback is blocked during staged rollout.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Which sync engine runs the synchronisation logic entirely in Microsoft's cloud?

Correct: b. Entra Cloud Sync places all sync configuration and the engine in the Entra portal (Microsoft's cloud); only a lightweight provisioning agent runs on-premises. Entra Connect Sync runs the full engine on a local Windows Server.
Q6 · Understand

Why does Microsoft recommend enabling Password Hash Sync even when your primary method is Pass-Through Authentication?

Correct: a. PHS is a resilience safety net. If PTA agents are unreachable, an admin can switch the sign-in method to PHS in the Entra portal in minutes with no user-visible password change required.
Q7 · Apply

A user resets her Entra ID password via SSPR but cannot log on to VPN two hours later. What is the most likely cause?

Correct: c. Without password writeback, SSPR updates only the cloud password. The on-premises AD password is unchanged, so on-prem resources (VPN, on-prem apps) still use the old password. Enabling writeback in Entra Connect propagates the reset to AD.
Q8 · Analyze

After a Windows Server update, domain-joined users start seeing a password prompt in the browser when accessing Microsoft 365. Seamless SSO is still enabled. What is the most likely root cause?

Correct: d. From July 2026 Windows Server updates the default Kerberos encryption to AES-256. If the AZUREADSSOACC key is still RC4, the KDC refuses to issue a service ticket and Seamless SSO falls back to an interactive prompt. Rolling over the key with Update-AzureADSSOForest fixes it.
Q9 · Evaluate

An organisation wants to pilot a move from ADFS to PHS for 200 employees without risking the other 10,000. What is the correct approach?

Correct: a. Staged rollout is the designed solution for incremental federation-to-cloud-auth migration. The 200 users authenticate via PHS while ADFS remains active for everyone else — no domain conversion needed until validation is complete.
Q10 · Evaluate

A compliance officer says no password hash or derivative may leave the corporate boundary. Which configuration satisfies this?

Correct: b. Only PTA (with PHS disabled) guarantees that no password hash ever leaves the on-premises boundary. PHS by definition sends a hash of the hash to Entra ID. Enabling PHS as a backup alongside PTA would violate the mandate.

🧠 In your own words

In one or two sentences: what three decisions define a Microsoft Entra hybrid identity deployment? Then compare with the expert version.

Expert version: The three decisions are: (1) which sync engine — Entra Connect Sync (on-premises engine, deep customisation) or Entra Cloud Sync (cloud engine, lightweight agent); (2) which authentication method — Password Hash Sync (simplest, cloud validates), Pass-Through Authentication (on-prem validates live) or Federation (IdP does everything); and (3) which optional features to layer on — Seamless SSO for no-prompt sign-in on domain-joined devices, writeback for SSPR and group/device sync back to AD, and staged rollout for safe federation-to-cloud migrations.


📖 Glossary

Entra Connect Sync
The original Azure AD Connect, now renamed. Runs the full synchronisation engine on a Windows Server with deep attribute-flow customisation and advanced writeback support.
Entra Cloud Sync
A newer provisioning model where sync configuration lives in the Entra portal and only a lightweight agent runs on-premises. Preferred for new deployments.
Password Hash Sync (PHS)
An authentication method that stores a salted hash of the on-premises AD password hash in Entra ID, enabling fully cloud-side validation and leaked-credential detection.
Pass-Through Authentication (PTA)
An authentication method where a lightweight on-prem agent validates credentials against AD in real time; no password hash leaves the corporate boundary.
Federation
An authentication model where Entra ID delegates sign-in to an external IdP (e.g. ADFS) and trusts the token it issues. Supports smart cards and complex claim rules.
Seamless SSO
A feature that uses a Kerberos service ticket for the AZUREADSSOACC computer account to silently authenticate domain-joined devices to Entra ID without a password prompt.
Password Writeback
An Entra Connect feature that propagates SSPR password changes from Entra ID back to on-premises Active Directory in near-real time.
Staged Rollout
A migration feature that moves specific security groups from federation to cloud authentication (PHS or PTA) without converting the entire federated domain at once.


What's next?

Got the hybrid identity plumbing? Next, go deep on Entra ID Conditional Access — how to gate every sign-in on device compliance, location, risk level and session controls.