
Active Directory and Entra ID: Managing Identities Across Both

You've got on-premises Active Directory. You've also got Microsoft Entra ID (the thing they used to call Azure AD before the rebrand confused everyone). Some of your apps run locally, some are in the cloud, and your user accounts exist in both places.

10 March 2026, 6 min read


Welcome to hybrid identity. It's the reality for most companies that didn't start as cloud-native, which is to say, most companies.

Managing identities in one system is straightforward. Managing them across two systems that need to stay in sync? That's where the headaches start.

How most companies end up in hybrid mode

The story usually goes something like this. Your company has been running on-prem Active Directory for years. It handles authentication for your file servers, printers, internal applications, and network access. Everything works, more or less.

Then you adopt Microsoft 365. Or you move workloads to Azure. Suddenly you need Entra ID for cloud authentication. Rather than migrating everything at once (which is terrifying and expensive), you set up Entra Connect to sync your on-prem AD with Entra ID.

Now you have users in both places. On-prem AD is the "source of truth" for most attributes, and Entra Connect pushes those attributes up to the cloud. Users can sign into both on-prem resources and cloud services with the same credentials.

It works. It's also where the complexity starts compounding.

The three real problems with hybrid identity

Problem 1: Where do you make changes?

With Entra Connect syncing from on-prem AD to Entra ID, most attributes flow in one direction. If you change someone's department in on-prem AD, it syncs to Entra ID. Great.

But what about cloud-only attributes? Things like assigned licenses, Entra ID group memberships, and app assignments only exist in the cloud. So now your IT team is managing some things in on-prem AD (via Active Directory Users and Computers or PowerShell) and other things in the Entra ID portal.

Two management surfaces. Two sets of tools. Twice the chances of something getting out of sync.

Problem 2: Group management becomes confusing.

In a hybrid setup, you typically have three types of groups:

  • Groups that exist in on-prem AD and sync to Entra ID
  • Groups that exist only in Entra ID (cloud-only groups)
  • Microsoft 365 groups that have their own lifecycle

Each type behaves differently. Synced groups can only be managed from on-prem. Cloud-only groups can only be managed in Entra. Microsoft 365 groups have their own set of rules.

When you're trying to answer "why can't this person access the SharePoint site?" you might be looking in three different places before you find the answer.

Problem 3: Offboarding is terrifying.

When someone leaves and you have a hybrid setup, you need to handle both sides. Disable in on-prem AD (which syncs the disabled state to Entra ID), but also handle the cloud-specific cleanup: revoke active sessions, remove cloud-only group memberships, pull licenses, manage the mailbox.

If your offboarding process only touches one side, you've got gaps. And gaps in offboarding are security incidents waiting to happen.

Entra Connect: the glue that holds it together (mostly)

Entra Connect (formerly Azure AD Connect) is the synchronization engine that bridges your on-prem AD and Entra ID. It handles:

  • User and group sync from on-prem to cloud
  • Password hash sync or pass-through authentication
  • Device sync (for hybrid Entra ID join)
  • Writeback of certain attributes from cloud to on-prem

For most hybrid environments, Entra Connect is essential and generally reliable. But it has some limitations you should know about.

Sync cycles run every 30 minutes by default. That means when you disable an account on-prem, it could take up to 30 minutes before Entra ID reflects the change. For offboarding, that's a 30-minute window where the user might still have cloud access.

Filtering and scoping rules are powerful but finicky. If you only want to sync certain OUs or specific user types, you need to configure filtering rules correctly. Get them wrong and you either sync too much or too little.

Upgrades require planning. Entra Connect runs as a service on a Windows server in your environment. Major version upgrades can require careful migration, especially if you've customized sync rules.

The move to cloud sync (Microsoft Entra Cloud Sync). Microsoft is pushing toward a cloud-managed sync solution. It's simpler to set up and manage, but currently has fewer features than the full Entra Connect Sync. Knowing which one to use (and when to migrate) is a whole separate conversation.

Practical tips for surviving hybrid identity

Decide on a management strategy. Are you going to manage users primarily from on-prem AD, or are you shifting toward cloud-first? Having a clear direction prevents the "some things are managed here, some there" chaos.

Document your attribute flow. Write down which attributes come from where. Department from on-prem AD. Licenses from Entra ID. Groups from both. When something goes wrong, this document will save you hours of troubleshooting.

Automate across both systems. Manual processes that only address one side of the hybrid equation leave gaps. When you onboard someone, the automation should handle both the on-prem account creation (if needed) and the cloud-side configuration. Same for offboarding.
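What a two-sided offboarding run looks like in practice, covering Problem 3, the 30-minute sync window and the automation tip above. This is an added example, not code from the post or from Adcyma; it assumes the ActiveDirectory and Microsoft Graph PowerShell modules on the admin workstation, the ADSync module on the Entra Connect server, and placeholder values for the UPN, the sAMAccountName and the server name.

```powershell
param(
    [Parameter(Mandatory)] [string]$Upn,              # placeholder, e.g. 'jdoe@contoso.example'
    [Parameter(Mandatory)] [string]$SamAccountName,   # placeholder on-prem identity, e.g. 'jdoe'
    [string]$SyncServer = 'ENTRACONNECT01'            # placeholder hostname of the Entra Connect server
)
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All' -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id,OnPremisesSyncEnabled,LicenseAssignmentStates

# 1. Disable where the attribute is authoritative: on-prem AD for synced users (a cloud-side
#    change would be overwritten by the next sync), Entra ID directly for cloud-only users.
if ($user.OnPremisesSyncEnabled) {
    Disable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName -Description "Offboarded $(Get-Date -Format s)"
} else {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
}

# 2. Do not wait for sync: the disabled state takes up to one cycle (30 min by default)
#    to reach the cloud, but revoking sessions invalidates refresh tokens immediately.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Remove cloud-only group memberships. Synced and dynamic groups are skipped:
#    the former are owned by on-prem AD, the latter compute membership themselves.
$groupIds = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    Select-Object -ExpandProperty Id
foreach ($gid in $groupIds) {
    $g = Get-MgGroup -GroupId $gid -Property Id,OnPremisesSyncEnabled,GroupTypes
    if ($g.OnPremisesSyncEnabled -or ($g.GroupTypes -contains 'DynamicMembership')) { continue }
    Remove-MgGroupMemberByRef -GroupId $gid -DirectoryObjectId $user.Id
}

# 4. Pull directly assigned licenses. Group-based licenses cannot be removed per user;
#    they fall away when the membership above is removed.
[string[]]$direct = $user.LicenseAssignmentStates |
    Where-Object { -not $_.AssignedByGroup } |
    Select-Object -ExpandProperty SkuId -Unique
if ($direct) { Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $direct | Out-Null }

# 5. Close the remaining window for synced users: trigger a delta sync now instead of
#    waiting for the scheduler.
if ($user.OnPremisesSyncEnabled) {
    Invoke-Command -ComputerName $SyncServer -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta
    }
}
```

Mailbox handling is left out on purpose: retention and conversion to a shared mailbox are Exchange Online decisions, not directory ones.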

Plan for cloud migration. Most companies are moving toward cloud-only identity over time. Even if you're not ready to ditch on-prem AD today, make decisions that move you in that direction. Create new groups in the cloud. Use Entra ID for new application integrations. Reduce your on-prem footprint gradually.

Monitor sync health. Entra Connect can fail silently if you're not watching. Set up alerts for sync errors and check the sync status regularly. A broken sync means your cloud and on-prem directories are drifting apart, and you might not notice until someone can't log in.
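A check for the silent-failure case described above, written as an added example rather than anything from the post or from Adcyma. It compares what the Entra Connect scheduler says it is doing with what the tenant has actually received, and assumes the ADSync module on the Connect server, the Microsoft Graph PowerShell module locally, a placeholder server name, and a tolerance of two missed cycles that is my choice, not a Microsoft default.

```powershell
function Test-HybridSyncHealth {
    param([string]$SyncServer = 'ENTRACONNECT01', [int]$MissedCyclesAllowed = 2)

    # What the active Entra Connect server thinks it is doing (a staging-mode server never exports).
    $sched = Invoke-Command -ComputerName $SyncServer -ScriptBlock {
        Import-Module ADSync
        Get-ADSyncScheduler
    }

    # What the tenant has actually received: the last successful sync timestamp.
    Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome
    $org = Get-MgOrganization -Property OnPremisesSyncEnabled,OnPremisesLastSyncDateTime |
        Select-Object -First 1

    $interval = $sched.CurrentlyEffectiveSyncCycleInterval   # TimeSpan, 00:30:00 by default
    $age = (Get-Date).ToUniversalTime() - $org.OnPremisesLastSyncDateTime.ToUniversalTime()
    $stale = $age -gt [TimeSpan]::FromTicks($interval.Ticks * $MissedCyclesAllowed)

    [pscustomobject]@{
        SchedulerEnabled = $sched.SyncCycleEnabled
        StagingMode      = $sched.StagingModeEnabled
        TenantSyncOn     = $org.OnPremisesSyncEnabled
        LastSyncUtc      = $org.OnPremisesLastSyncDateTime
        SyncAge          = $age
        Healthy          = $sched.SyncCycleEnabled -and -not $sched.StagingModeEnabled -and -not $stale
    }
}

$health = Test-HybridSyncHealth
if (-not $health.Healthy) {
    # Wire this into the alerting you already have; Write-Warning is only the placeholder.
    Write-Warning "Entra Connect sync unhealthy: $($health | ConvertTo-Json -Compress)"
}
```

Run it on a schedule shorter than the sync interval, so a stalled scheduler is noticed before users start failing to sign in.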

The bigger picture

Hybrid identity is a transitional state for most organizations. The long-term direction is cloud identity, with Entra ID as the primary platform. But the transition takes time, and during that transition, you need to manage both worlds effectively.

The organizations that handle this well are the ones that have clear processes, good automation, and a single tool that understands both environments. Trying to manage hybrid identity with two separate sets of manual processes is a recipe for inconsistencies, security gaps, and frustrated IT teams.

If this sounds like your situation, Adcyma is free for up to 25 users. For larger teams, you can start a free 14-day trial. No credit card, no consultants.

Try Adcyma for free, no credit card needed

Set up identity governance for your Entra ID or Active Directory environment in less than a day.