Hybrid identities - Describe security, compliance, privacy, and trust in Microsoft 365
It is important to understand that Azure Active Directory (Azure AD, now Microsoft Entra ID) is not intended to replace Active Directory Domain Services (AD DS), nor are the two interchangeable. An organization that has internal servers and an on-premises AD DS implementation should not expect to migrate its user identities from AD DS to Entra ID and then decommission its AD DS domain controllers. It is equally important to understand that Microsoft 365 requires Entra ID: AD DS identities cannot be used to authenticate and authorize users for Microsoft 365 applications and services. The converse is also true: Entra ID identities cannot be used to provide authentication and authorization services for on-premises resources.
It is, however, possible to use Entra ID and AD DS together, creating what are known as hybrid identities. A hybrid identity is a user account that exists in both the Entra ID and AD DS directories with the same set of attributes. The usual scenario for hybrid identities is an organization that already has an AD DS infrastructure and is considering expanding into the cloud with Software as a Service (SaaS) products such as Microsoft 365. The organization might have hundreds or thousands of on-premises identities, and the prospect of re-creating them in Entra ID and then maintaining two identities for each user could be the deciding factor against adopting cloud services at all.
Hybrid identities are the solution to this problem. Because the AD DS identities already exist, creating hybrid identities is a matter of synchronizing them from AD DS to Entra ID. To do this, administrators install Azure AD Connect (now Microsoft Entra Connect) on the on-premises network; it reads the AD DS directory on a domain controller and replicates all the user accounts it finds to Entra ID, along with their password hashes and other attributes.
Note: First synchronization
When Azure AD Connect synchronizes on-premises AD DS identities to Entra ID for the first time, new cloud identities are created for the users, but product licenses are not automatically assigned to them. Therefore, in a new Microsoft 365 hybrid identity deployment, administrators must add Microsoft 365 licenses to the Entra ID users after the first synchronization completes, using the Microsoft 365 admin center or another tool. Administrators can add licenses to Entra ID users individually, but the process can also be automated by assigning the licenses to a group, so that group membership determines which users receive them (group-based licensing).
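The post-synchronization licensing step described in the note, as an added PowerShell example using the Microsoft Graph PowerShell SDK (this is not code from the study guide or from Microsoft). It confirms that synchronized users have appeared in Entra ID, sets the usage location that licensing requires, and then shows both the per-user and the group-based assignment paths. The SKU part number, usage location, group name and mail nickname are assumptions for illustration.

```powershell
# Added example: license hybrid identities after the first Azure AD Connect sync.
# Assumed values (not from the page): SKU part number, usage location, group name.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Organization.Read.All"

$SkuPartNumber = "SPE_E3"                 # assumption: the Microsoft 365 SKU owned by this tenant
$UsageLocation = "US"                     # assumption: ISO 3166-1 code; licensing fails without one
$GroupName     = "LIC-M365-SyncedUsers"   # assumption: name of the licensing group

# 1. Confirm that the synchronization produced cloud identities for on-premises users.
$syncedUsers = Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
    -Property "id,userPrincipalName,usageLocation,assignedLicenses"
Write-Host ("{0} synchronized users found in Entra ID" -f $syncedUsers.Count)

# 2. Resolve the SKU from its part number and check how many seats remain.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant" }
$available  = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
$unlicensed = @($syncedUsers | Where-Object { $_.AssignedLicenses.Count -eq 0 })
Write-Host ("{0} unlicensed synchronized users; {1} seats available" -f $unlicensed.Count, $available)
if ($unlicensed.Count -gt $available) {
    Write-Warning "Not enough seats for every synchronized user; some assignments will fail"
}

# 3. A license cannot be assigned to a user with no usage location, so fill it in
#    where it is missing. (In production this attribute is normally synchronized
#    from AD DS rather than set in the cloud.)
foreach ($u in $unlicensed | Where-Object { -not $_.UsageLocation }) {
    Update-MgUser -UserId $u.Id -UsageLocation $UsageLocation
}

# 4a. Individual assignment: one call per user. Shown for the first unlicensed user.
if ($unlicensed.Count -gt 0) {
    Set-MgUserLicense -UserId $unlicensed[0].Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
}

# 4b. Group-based assignment: a dynamic security group whose rule matches every
#     directory-synchronized user, with the license attached to the group itself.
#     Users that are synchronized later join the group and are licensed automatically.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false `
        -MailNickname "licm365synced" -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule "(user.dirSyncEnabled -eq true)" `
        -MembershipRuleProcessingState "On"
}
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
```

Two caveats worth checking before running something like this in a tenant: dynamic group membership requires an Entra ID P1 license, and group-based licensing only reports per-user failures (such as a missing usage location or exhausted seats) on the group's licensing blade, so step 2 and step 3 are there to catch the common failure modes before the assignment is attempted.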