Hybrid Identity & Azure AD Connect
Azure AD Connect bridges on-premises AD and Entra ID, synchronizing identities across both worlds -- but each sync method introduces a unique attack surface that adversaries are eager to exploit.
Most organizations do not move to the cloud overnight. They run on-premises Active Directory and Entra ID side by side -- this is called hybrid identity. Azure AD Connect (now branded Microsoft Entra Connect) is the tool that synchronizes user accounts, groups, and credentials between the two. It supports three sign-in methods. Password Hash Synchronization (PHS) sends a salted, re-hashed copy of each user's NT hash to Entra ID so the cloud can verify logins directly. Pass-through Authentication (PTA) keeps passwords on-premises: Entra ID hands the cloud login request to an on-premises agent, which validates it against a domain controller. Federation uses Active Directory Federation Services (ADFS) to authenticate the user on-premises and issue a signed SAML token that Entra ID trusts. PHS is the simplest and the method Microsoft recommends, because sign-in keeps working even if the on-premises environment is down; Microsoft also recommends enabling PHS as a fallback when PTA or federation is the primary method, which means the hashes are in the cloud in those deployments too.
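Before assessing the attack surface you need to know which of the three methods the tenant actually uses, and whether hashes are being synced as a fallback. The PowerShell below is an added example (not code from the original page or from Microsoft): `Get-MgDomain`, `Get-ADSyncAADCompanyFeature` and `Get-AdfsCertificate` are the vendor's cmdlets, while the function name and the PTA agent service name are my own assumptions to verify on your hosts.

```powershell
# Added example, not from the original page. Run on the Entra Connect server
# with the Microsoft.Graph PowerShell SDK installed; the ADFS section only
# works on the ADFS server itself. Function name is mine.

function Get-HybridSignInPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Entra side: a Federated domain means ADFS (or another IdP) issues the
    #    tokens; Managed means Entra ID validates sign-ins itself (PHS or PTA).
    Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null
    $domains = Get-MgDomain | Where-Object { $_.IsVerified }
    $result.FederatedDomains = @($domains | Where-Object { $_.AuthenticationType -eq 'Federated' } | ForEach-Object { $_.Id })
    $result.ManagedDomains   = @($domains | Where-Object { $_.AuthenticationType -eq 'Managed' }   | ForEach-Object { $_.Id })

    # 2. PHS: the ADSync module exposes the tenant feature flag. If it is on,
    #    password hashes leave the forest even when PTA or federation is the
    #    primary method (the fallback configuration Microsoft recommends).
    $phs = $false
    if (Get-Command Get-ADSyncAADCompanyFeature -ErrorAction SilentlyContinue) {
        $phs = [bool](Get-ADSyncAADCompanyFeature).PasswordHashSync
    }
    $result.PasswordHashSyncEnabled = $phs

    # 3. PTA: the authentication agent runs as a Windows service on one or more
    #    on-prem servers. The service name below is an assumption; confirm it
    #    with Get-Service on a known PTA agent host before relying on it.
    $pta = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
    $result.PtaAgentPresentOnThisHost = [bool]$pta

    # 4. Federation: inventory the token-signing certificate, the key whose
    #    theft enables Golden SAML. Know its thumbprint and expiry so a swap
    #    or a second "primary" certificate stands out.
    if ($result.FederatedDomains.Count -gt 0 -and (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
        $result.TokenSigningCerts = Get-AdfsCertificate -CertificateType Token-Signing |
            Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
    }

    [pscustomobject]$result
}

Get-HybridSignInPosture | Format-List
```

A tenant with `ManagedDomains` populated, `PasswordHashSyncEnabled` false and a PTA agent present is PTA-only; if `PasswordHashSyncEnabled` is true alongside federated domains, treat the environment as exposed to both the Golden SAML path and the hash-sync path.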
Imagine two countries that want their citizens to move freely between them. They build an embassy bridge with three possible designs: a simple photocopy system that duplicates passports (Password Hash Sync), a checkpoint where every traveler is verified in real time by their home country (Pass-through Authentication), or a full diplomatic agreement where a trusted embassy handles all identity checks (Federation with ADFS). Each design has different security trade-offs. The bridge itself -- Azure AD Connect -- becomes a high-value target because it has a foot in both countries.
Key Takeaways
- Azure AD Connect is a Tier 0 asset: its on-prem sync account (MSOL_<id> in an Express install) holds Replicating Directory Changes All on the domain, the same right DCSync abuses -- protect the server like a domain controller.
- PHS copies (re-hashed) password hashes to the cloud; PTA validates on-prem in real time through an agent; Federation has ADFS issue signed SAML tokens.
- Compromising the Azure AD Connect server yields both sides: the on-prem sync account can replicate every hash in the domain, and the cloud sync account holds the Directory Synchronization Accounts role.
- The ADFS token-signing certificate is the crown jewel in federated environments -- with it an attacker can forge SAML tokens for any user (Golden SAML) without touching a DC.
- Microsoft recommends PHS as the primary sign-in method for its resilience and simplicity, and as a fallback even when PTA or federation is primary.
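The Tier 0 claim is checkable: list who holds the replication extended rights on the domain naming context and flag anything that is neither a default holder nor the sync account. The script is an added example, not from the original page; it uses RSAT's `ActiveDirectory` module, and the baseline allow-list and function name are my own assumptions to tune for your forest.

```powershell
# Added example, not from the original page. Run on a domain-joined host with
# the RSAT ActiveDirectory module. Allow-list and function name are mine.

Import-Module ActiveDirectory

# Extended-right GUIDs for DS-Replication-Get-Changes and -Get-Changes-All.
# Holding both on the domain NC is what makes DCSync possible.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$NullGuid = '00000000-0000-0000-0000-000000000000'

# Principals that hold these rights out of the box (assumed baseline).
$ExpectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    '*\Domain Controllers',
    '*\Enterprise Read-only Domain Controllers'
)

function Get-DcSyncRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString()

        # Either an explicit replication extended right, or GenericAll with an
        # empty ObjectType, which implicitly grants every extended right.
        $isExtended   = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $isGenericAll = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        if ($isExtended -and $ReplicationRights.ContainsKey($guid)) {
            $right = $ReplicationRights[$guid]
        } elseif ($isGenericAll -and $guid -eq $NullGuid) {
            $right = 'GenericAll (implies all extended rights)'
        } else { continue }

        $id = $ace.IdentityReference.Value
        $class =
            if ($ExpectedHolders | Where-Object { $id -like $_ }) { 'expected-default' }
            elseif ($id -like '*\MSOL_*')                         { 'entra-connect-sync-account (Tier 0)' }
            else                                                  { 'REVIEW: unexpected holder' }

        [pscustomobject]@{ Identity = $id; Right = $right; Class = $class }
    }
}

Get-DcSyncRightHolders | Sort-Object Identity | Format-Table -AutoSize
```

Custom installs may name the sync account something other than MSOL_*, so an unknown principal in the REVIEW class is the first thing to reconcile against the Connect server's configured AD connector account. Anything else there is a DCSync-capable principal that is not a domain controller.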
Azure AD Connect is the bridge between your on-prem and cloud identity. It holds the keys to both kingdoms, yet many organizations treat it as just another server. Attackers like APT29 specifically target hybrid identity infrastructure; the 2020 SolarWinds intrusion attributed to that group used stolen ADFS token-signing keys to forge SAML tokens into victims' cloud tenants.