To begin, first investigate what use cases you need to fulfill. Here is a small list of examples.
- Will users mainly be working from central locations or are they geographically dispersed?
- Do you have (or plan to implement) a standard onboarding process with supplied hardware and credentials or are users encouraged to bring their own devices?
- Will you be solely focused on application logon or will you need to include device sign-in as well?
- Do the applications have local clients, or are they accessed via a browser? Do you have a SSO solution in front of any of them already?
Hybrid infrastructures can be configured to authenticate against Azure CBA that allows a cleaner authentication process without the need for AD FS. While Azure AD is still not acting as the IDP, it is still a good step towards the Microsoft recommended optimal configuration.
📄 Use-Case Guide - Transitional state hybrid architecture with on-premises Active Directory + Azure AD
As hinted at above, this configuration should be thought of as transitional, with the eventual goal to target full adoption of Azure CBA for authentication. This further simplifies the authentication process, offers the best amount of flexibility and allows deployment of strong, phishing resistant authentication processes across the broadest range of endpoints and systems.