A single identity for On-Premises and the Cloud.
Hybrid means a lot of different things in different contexts. To avoid confusion, we are aligning our use of the term hybrid to Microsoft’s definition of “Hybrid Identity”. For Yubico, supporting the Microsoft (Azure) ecosystem, Hybrid Identity means using the same user identity to access both On-Premises and Azure AD resources.
The defining feature of hybrid identity is that user identities are synchronized between an On-Premises directory and Azure AD, and the tool most commonly used to achieve that is Azure AD Connect.
Using Microsoft’s definition of hybrid identity, we can split the uses of the Microsoft ecosystem into three major buckets: Azure Active Directory Cloud Only, Hybrid Identity, and On-Premises Active Directory Only.
The most straightforward example is an Azure-AD Only deployment - this is the sort of deployment you would find at a “cloud first” organization. Azure AD is the only centralized directory service, and all organizational users authenticate directly to Azure AD for access to resources. Local workstation logon is accomplished via Azure AD joined Windows or local device logons are simply not centrally managed. Applications primarily authenticate users via a modern authentication protocol like SAML or OAuth2 & OpenID Connect using Azure AD as the identity provider. Whenever your users see an authentication page or dialog, a Microsoft Azure AD server is on the other end, giving an authoritative response. When on-premises resources need to be utilized, they are accessed via separate credentials or integrated directly with Azure so that they can accept cloud only credentials. For edge-case applications that can’t support Azure AD, a gateway or other appliance that translates between the Azure AD directory and the application’s native user database or directory can be utilized. These non-cloud-ready applications should be relatively rare in a “cloud first” organization, because the increased complexity and infrastructure burden is typically highly undesirable.
For many organizations, Azure AD cloud only is the desired end goal - it greatly reduces the administrative overhead of maintaining the directory infrastructure itself, and allows the organization to focus on what matters most, managing the identities themselves. Azure AD Cloud-Only organizations will likely be the best positioned to adopt the newest advances in authentication as they’re made available from Microsoft.
In a Hybrid Identity scenario, the user identities are synchronized between an On-Premises Active Directory, and Azure AD. Nearly all systems are joined to an On-Premises Active Directory domain, and all centrally managed accounts are managed in that domain. Organizations have three strategies they can use to unify authentication and enable single sign-on (SSO) with their Hybrid Identity solution: Password Hash Sync (PHS), Pass-Through Authentication (PTA), and Active Directory Federation Services (AD FS).
For mature organizations that already have strong centralized authentication, AD FS is very popular. Access to cloud resources is accomplished through federation. In this scenario, when a user sees an authentication dialog, the server that performs the primary authentication (typically a password or smart card) is owned by the organization. These organizations may leverage a 3rd party on-premises or cloud provider for MFA, but if the organization’s federation servers go offline, external users will be unable to authenticate to cloud services. Single Sign-On can still be achieved to access cloud resources after logging in to an On-Premises AD account, but many of the advanced security tools for Azure are unavailable because the authentication decisions are being made by an On-Premises identity provider, not Azure.
Pass-through Authentication (PTA) is used by organizations that don’t want or need to configure AD FS, but also don’t want to synchronize password hashes with Azure AD. Cloud based 3rd party MFA providers are still supported, but there’s no support for on-premises MFA. Cloud services are still unavailable if the on-premises systems go offline.
Password Hash Sync (PHS) is used by organizations where the extra availability afforded by synchronizing password hashes is desirable. 3rd party cloud based MFA providers are still supported, but outages affecting the on-premises infrastructure won’t stop authentication from succeeding in Azure.
Azure features like Staged Rollout can help organizations gradually transition from authentication to an on-premises system to doing all of their authentication in the cloud - and eventually possibly moving out of a hybrid identity model and into a Azure AD cloud-only model.
Other features like Azure AD Hybrid joining of devices can help support organizations in their transitional hybrid architecture
The common thread in all of the hybrid identity scenarios is that the user’s identity is synchronized, and they are able to access resources both in the cloud through a single sign on experience. The mixture of on-premises and Azure AD identity can contribute to complexity, but will ultimately offer the most flexibility in terms of ensuring that all applications (modern or legacy) are protected with the most appropriate authentication method.
Organizations with this type of deployment may have specific regulatory or compliance reasons to remain out of the cloud, or may have confidentiality or availability concerns with cloud-based authentication, or simply haven’t evaluated how to move into the cloud. These organizations are only using on-premises Active Directory to authenticate, and may still use AD FS for federated authentication to other resources or organizations. In this scenario, both on-premises and cloud-based 3rd party MFA providers are available. These environments are some of the most challenging to integrate with phishing resistant or passwordless authentication, because there is a high likelihood of legacy systems that simply don’t support the newer authentication protocols.