Az-500: Quick notes on AAD hybrid identity

Recently I got a question from a friend regarding Azure Active Directory hybrid identity option. The question was part of his exam in Az-500 Microsoft Azure Security Technologies.

In this article, I’d like to provide a bit about the AAD hybrid identity as well as to clarify something about it.


Your network contains an Active Directory forest named The forest contains a single domain. You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.

You need to recommend an integration solution that meets the following requirements:

  • Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant
  • Minimizes the number of servers required for the solution.

Which authentication method should you include in the recommendation?

  • A. Federated identity with Active Directory Federation Services (AD FS)
  • B. Password hash synchronization with seamless single sign-on (SSO)
  • C. Pass-through authentication with seamless single sign-on (SSO)


As long as you work with hybrid identity in Azure you have been familiar with Hybrid identity option and decision tree provided by Microsoft here. At first, Option C sounds like a correct answer because with Password-through authentication (PTA) it help enforces the on-premises account policy at the time of sign-in. For example, access is denied when an on-premises user’s account state is disabled, locked out, or their password expires or the logon attempt falls outside the hours when the user is allowed to sign in.

However, the question is not really asking user-level/account policy. It is asking you password policy and user logon restriction. Moreover, the requirement is to minimize the number of servers. With PTA you need lightweight agent which is recommended to deploy in a dedicated server/virtual machine, while the Password-hash synchronization (PHS) requires the least effort regarding deployment, maintenance, and infrastructure.

With PHS, you do have options to enforce password policy as well as user logon restriction:

So the correct answer should be B – Password hash synchronization with seamless single sign-on (SSO)

Here are a few good references which supports you to answer hybrid identity question:

If you think the answer shouldn’t be B please feel free to leave a comment. Your explanation and comment would be greatly appreciated.

This entry was posted in Identity & Access Control and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.