
Hybrid Identity

  • Hybrid identity refers to an identity model that integrates traditional on-premises Active Directory with Azure AD.
  • Azure AD Connect is the service that integrates on-premises AD with Azure AD.
  • Keep in mind the difference between authentication (proving who you are) and authorization (what you are allowed to do).
  • Azure AD registered: lets users use their personal (BYOD) devices to access organization (Azure AD controlled) apps and data. The user signs in to the device with a local or personal account; a work account is used only to register the device with Azure AD and is not required to sign in to the device. This was formerly called "Workplace Join".
  • Azure AD joined: the device itself is joined to Azure AD and users sign in to it with organization (Azure AD) credentials rather than personal ones.
  • Hybrid Azure AD joined: devices are joined to your on-premises Active Directory and registered with Azure AD.
Azure Active Directory Seamless single sign-on (Azure AD Seamless SSO) automatically signs users in when they are on corporate (domain-joined) devices connected to your corporate network. It works with password hash synchronization and pass-through authentication; federated environments get SSO from AD FS itself instead.
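To check which of these states a particular Windows device is in, run dsregcmd /status on it and read the AzureAdJoined, DomainJoined and WorkplaceJoined flags (AzureAdPrt under SSO State tells you whether the signed-in user holds a Primary Refresh Token, which is what Seamless SSO and device-based Conditional Access rely on). The classifier below is an added example, not code from the original page or from Microsoft: the field names and YES/NO values are the ones dsregcmd prints, but the sample output is constructed for this example, and the "dual state" branch (domain joined and also Azure AD registered by the user) is the combination Microsoft recommends cleaning up before hybrid join.

```python
"""Classify a Windows device's Azure AD join state from `dsregcmd /status` output.

Added example, not from the original page. Field names and YES/NO values are
those printed by dsregcmd.exe on Windows 10/11; SAMPLE_STATUS is constructed
for this example (tenant and device details omitted).
"""
import re
from typing import Dict

# Constructed sample: a domain-joined PC that has also been registered with
# Azure AD by Azure AD Connect (hybrid join) and whose user already has a PRT.
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
"""

_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text: str) -> Dict[str, str]:
    """Return a {field: value} map from dsregcmd /status text; banner lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("+") or line.startswith("|"):
            continue
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def _flag(fields: Dict[str, str], name: str) -> bool:
    # dsregcmd prints YES/NO; a missing field is treated as NO.
    return fields.get(name, "NO").upper() == "YES"


def classify_join_state(fields: Dict[str, str]) -> str:
    """Map the three join flags to the device state names used on this page."""
    aad = _flag(fields, "AzureAdJoined")
    dom = _flag(fields, "DomainJoined")
    wpj = _flag(fields, "WorkplaceJoined")
    if aad and dom:
        return "hybrid Azure AD joined"
    if aad:
        return "Azure AD joined"
    if dom and wpj:
        # Dual state: the user registered a domain-joined PC with Azure AD.
        # Remove the registration (dsregcmd /leave as the user) before hybrid join.
        return "domain joined + Azure AD registered (dual state)"
    if wpj:
        return "Azure AD registered"
    if dom:
        return "on-premises domain joined only"
    return "not joined"


def has_prt(fields: Dict[str, str]) -> bool:
    """True when the signed-in user holds an Azure AD Primary Refresh Token."""
    return _flag(fields, "AzureAdPrt")


if __name__ == "__main__":
    f = parse_dsregcmd(SAMPLE_STATUS)
    print(classify_join_state(f), "| user has PRT:", has_prt(f))
```

Feed it the real output with `dsregcmd /status > status.txt` on the device and open that file instead of SAMPLE_STATUS; a device that reports hybrid joined but has no PRT for the user will still fail device-based Conditional Access, which is the usual reason Seamless SSO "does not work".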

Hybrid Azure AD Use Cases

  • You support down-level devices such as Windows 8.1 (or Windows 7) that cannot be Azure AD joined directly.
  • You want to continue to use Group Policy to manage device configuration.
  • You want to continue to use existing imaging solutions to deploy and configure devices.
  • You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.

Azure AD Connect authentication methods and features

  • Password hash synchronization (PHS). A sign-in method that synchronizes a hash of a user's on-premises AD password to Azure AD. Azure AD Connect is installed on an on-premises server and syncs on-premises AD users and password hashes to Azure AD. The NT hash is not sent as-is: it is salted per user and run through PBKDF2-HMAC-SHA256 before it leaves on-premises, so neither the plaintext password nor the raw NT hash is stored in Azure AD. Because Azure AD validates the password itself, on-premises changes take effect only after the next sync (password hashes sync about every 2 minutes, other attributes such as the account-disabled state on the regular 30-minute cycle), not immediately.
  • Pass-through authentication (PTA). A sign-in method that lets users use the same password on-premises and in the cloud without the additional infrastructure of a federated environment.
    • Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method, because the password is validated by an on-premises domain controller at sign-in time.
    • When a user authenticates against Azure AD, Azure AD queues the request; the on-premises authentication agent picks it up, validates the credentials against AD, and returns the result to complete the authentication.
    • PTA uses a lightweight on-premises agent that makes only outbound connections to Azure AD (no inbound firewall rules). Deploy at least three agents so that one server being down does not block sign-ins.
  • Federation integration. Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
    • You can set up password hash synchronization as well, as a fallback in case AD FS goes down.
    • One use case is to take advantage of additional advanced authentication requirements, like smartcard-based authentication or third-party multifactor authentication at the identity provider.
  • Synchronization. Responsible for creating users, groups, and other objects in Azure AD and for keeping identity information for your on-premises users and groups consistent with the cloud. When PHS is enabled this synchronization also includes password hashes.
  • Health monitoring. Azure AD Connect Health provides monitoring of the sync servers (and of AD FS and AD DS) and a central location in the Azure portal to view this activity.
  • Password writeback is an option with Azure AD that syncs password changes made in Azure AD back to on-premises AD.
    • It does not require any inbound firewall rules; it works over an Azure Service Bus relay on the outbound port 443 connection of the Azure AD Connect server.
    • Self-service password reset (SSPR) is the feature that lets users reset their own Azure AD password; with writeback enabled the new password is written back to on-premises AD. Password writeback requires Azure AD Premium P1 or above.
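The transformation described under password hash synchronization is worth seeing concretely, because it is the reason a dump of Azure AD's synced values is not a pass-the-hash kit for on-premises AD. The code below is an added example, not code from the original page or from Azure AD Connect. It follows the steps Microsoft documents for PHS: take the NT hash (MD4 over the UTF-16LE password), expand it to 64 bytes by taking its 32-character hex form and re-encoding that string as UTF-16LE, add a per-user 10-byte salt, and run PBKDF2-HMAC-SHA256 for 1000 iterations to get a 32-byte value. Assumptions: the hex string is lowercase (the documentation does not state the case), and MD4 is implemented inline because hashlib often lacks it on OpenSSL 3 builds.

```python
"""How Azure AD Connect password hash synchronization (PHS) transforms a password
before it leaves on-premises AD.

Added example, not code from the original page or from Azure AD Connect.
Assumption: the intermediate hex string is lowercase; MD4 is inlined because
hashlib.new("md4") is unavailable on many OpenSSL 3 builds.
"""
import hashlib
import os
import struct
from typing import Optional, Tuple


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the primitive behind the NT hash."""
    mask = 0xFFFFFFFF

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                   # round 1
            a = rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                   # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                   # round 3: words 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in AD (unicodePwd): MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


PHS_ITERATIONS = 1000   # documented PBKDF2 iteration count
PHS_SALT_LEN = 10       # documented per-user salt length
PHS_OUTPUT_LEN = 32     # documented output length


def phs_sync_value(nt: bytes, salt: bytes) -> bytes:
    """The value Azure AD Connect sends to Azure AD for one user's password."""
    if len(nt) != 16 or len(salt) != PHS_SALT_LEN:
        raise ValueError("expected a 16-byte NT hash and a 10-byte salt")
    # 16-byte hash -> 32 hex chars -> 64 bytes of UTF-16LE (lowercase: assumption).
    expanded = nt.hex().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, PHS_ITERATIONS, PHS_OUTPUT_LEN)


def sync_user(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, synced value); a fresh random salt is drawn per sync when none is given."""
    salt = salt if salt is not None else os.urandom(PHS_SALT_LEN)
    return salt, phs_sync_value(nt_hash(password), salt)


if __name__ == "__main__":
    s, v = sync_user("password")
    print("NT hash   :", nt_hash("password").hex())
    print("salt      :", s.hex())
    print("synced    :", v.hex())
```

The NT hash of "password" (8846f7eaee8fb117ad06bdd830b7586c) is what an attacker with DCSync rights over on-premises AD obtains and can replay; the 32-byte synced value is a salted, iterated derivation of it that cannot be used on-premises and cannot be reversed to the NT hash without a guessing attack, which is why Microsoft describes PHS as not exposing the on-premises hash.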

Choosing an authentication method

  1. Do you need on-premises Active Directory integration? If No, use cloud-only authentication.
  2. If Yes, and your authentication requirements (cloud authentication, password protection, MFA, Conditional Access) are natively supported by Azure AD, and you do not need on-premises user-level security policies enforced the instant they change, use Password Hash Sync + Seamless SSO.
  3. If Yes, and your authentication requirements are natively supported by Azure AD, but you do need to immediately enforce on-premises user account states, password policies and sign-in hours at sign-in time, use Pass-through Authentication + Seamless SSO.
  4. If Yes, you have an existing federation provider (for example AD FS) and your authentication requirements are NOT natively supported by Azure AD (smartcard or third-party MFA at the identity provider), use federated authentication. With PTA or federation it is still recommended to enable password hash sync as a fallback; leaked-credential detection in Identity Protection also depends on it.

Azure AD Join

  • Azure AD Join allows a Windows 10/11 device to be joined to Azure AD for the purposes of controlling access to resources and enforcing requirements on devices.
  • Mobile BYOD devices are Azure AD registered rather than joined, but the same idea applies: an Azure AD registered phone can be Intune managed, and a Conditional Access policy can require the device to be compliant (for example, not rooted or jailbroken) before it can access company resources.

AD Connect

  • Accounts and permissions needed for Azure AD Connect:
    • Three accounts are needed to install it: an Azure AD Global Administrator account, an on-premises Enterprise Admin account (or, for a custom install, an AD account with the specific permissions the chosen features need), and optionally a SQL account when a full SQL Server is used instead of the built-in LocalDB.
    • Three other accounts are used to run it and synchronize Windows AD to Azure AD: the AD DS Connector account (reads on-premises AD; with password hash sync enabled it holds the Replicating Directory Changes and Replicating Directory Changes All rights, i.e. DCSync), the ADSync service account (runs the sync service), and the Azure AD Connector account (Sync_<server>_<id>@<tenant>, a member of the Directory Synchronization Accounts role). Because the connector account can replicate every password hash in the domain, treat the Azure AD Connect server and these accounts as Tier 0 assets: restrict logon, patch promptly, and alert on DCSync activity from any other principal.
  • Azure AD Connect uses a local SQL Server Express LocalDB as its datastore (SQL Server 2012 Express in the 1.x releases, SQL Server 2019 Express LocalDB since V2.0). LocalDB is limited to 10 GB, so environments with roughly 100,000 or more objects need a full SQL Server instance.

Last modified: 2023/03/03 20:29 by mmuze