Hybrid & External Identities
Most organisations live in two worlds — on-prem and cloud. Learn how hybrid identity bridges them, and how external identities let you collaborate safely with partners and customers.
Why hybrid identity?
Imagine you have a house key and an office key. Wouldn’t it be easier if one key opened both?
Most organisations have been using Active Directory on their own servers for years. All their user accounts, groups, and passwords live there. Now they also want to use Microsoft 365 and Azure — which live in the cloud and use Entra ID.
Hybrid identity connects these two worlds. Your on-prem accounts get synced to the cloud, so employees use one username and one password to access everything — the office file server AND Teams, Outlook, and SharePoint Online.
How identities get to the cloud
Microsoft provides two tools to synchronise on-prem identities to Entra ID:
| Tool | What It Does |
|---|---|
| Microsoft Entra Connect | Installed on a server in your environment. Syncs users, groups, and password hashes from AD DS to Entra ID. The original and most widely deployed sync tool. |
| Microsoft Entra Cloud Sync | A lightweight agent — simpler to deploy, supports multi-forest scenarios. Uses the cloud provisioning service. Best for organisations wanting a less complex setup. |
Both tools copy identity information from on-prem to the cloud. The on-prem AD remains the “source of truth” — changes made there flow up to Entra ID.
Three authentication methods for hybrid identity
Once identities are synced, the next question is: where does password verification happen? There are three approaches, and the exam tests all three:
| Feature | Password Hash Sync (PHS) | Pass-Through Auth (PTA) | Federation (AD FS) |
|---|---|---|---|
| How it works | A hash of the password hash is synced to Entra ID | Entra ID forwards the auth request to an on-prem agent in real time | A federation server (AD FS) handles all authentication on-prem |
| Where password is verified | In the cloud (Entra ID) | On-premises (AD DS) | On-premises (AD FS) |
| Requires on-prem infra for auth | No — works even if on-prem is offline | Yes — agent must be reachable | Yes — AD FS servers must be available |
| Complexity | Lowest | Medium | Highest |
| Best for | Most organisations — simple, resilient | Orgs that need on-prem password policy enforcement | Orgs with existing AD FS or advanced requirements |
| Microsoft recommendation | Primary recommendation | Alternative to PHS | Only if PHS or PTA don't meet requirements |
Key exam concept: Microsoft recommends password hash sync as the primary method for most organisations. It’s the simplest, most resilient option — and it enables advanced features like leaked credential detection in Identity Protection.
Exam tip: 'passwords are synced to the cloud' — true or false?
This is a common exam trap. With password hash sync, your actual password is never synced to the cloud. What gets synced is a hash of a hash — a one-way mathematical transformation. Even if someone intercepted the synced data, they couldn’t reverse-engineer your password from it.
If an exam question says “PHS sends passwords to the cloud” — that option is wrong.
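As an added illustration (not the page's or Microsoft's code) of the "hash of a hash" idea, here is a simplified Python model of PHS: the on-prem side re-hashes the stored password hash with a per-user salt (PBKDF2-HMAC-SHA256, 1,000 iterations, the scheme Microsoft documents for Entra Connect) and only that derived value is synced; the cloud side verifies a sign-in by recomputing the same chain, with no password and no on-prem agent involved. One assumption: SHA-256 stands in for AD's MD4-based NT hash, because MD4 is absent from many Python builds.

```python
# Simplified model of password hash sync (PHS). Not Microsoft's code.
# Assumptions: SHA-256 models the on-prem NT hash (AD really uses MD4);
# the re-hash is PBKDF2-HMAC-SHA256 with a 10-byte per-user salt and
# 1,000 iterations, as documented for Entra Connect.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 1000


def nt_hash(password: str) -> bytes:
    """On-prem side: AD stores a one-way hash, never the password itself."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


@dataclass(frozen=True)
class SyncedCredential:
    """What actually travels to Entra ID: the per-user salt and the hash-of-hash."""
    salt: bytes
    derived: bytes


def build_synced_credential(password: str, salt: Optional[bytes] = None) -> SyncedCredential:
    """On-prem side: re-hash the stored hash with a fresh per-user salt before syncing."""
    salt = salt if salt is not None else os.urandom(10)
    derived = hashlib.pbkdf2_hmac("sha256", nt_hash(password), salt, ITERATIONS)
    return SyncedCredential(salt, derived)


def cloud_verify(cred: SyncedCredential, attempt: str) -> bool:
    """Cloud side: Entra ID recomputes the chain from the sign-in attempt.
    Nothing on-prem is contacted, which is why PHS still works when the
    campus network is down."""
    candidate = hashlib.pbkdf2_hmac("sha256", nt_hash(attempt), cred.salt, ITERATIONS)
    return hmac.compare_digest(candidate, cred.derived)


def synced_data_contains_password(cred: SyncedCredential, password: str) -> bool:
    """Exam-trap check: neither the password nor its plain on-prem hash
    appears anywhere in the synced data."""
    blob = cred.salt + cred.derived
    return password.encode("utf-16-le") in blob or nt_hash(password) in blob
```

Because the salt is random per user, two users with the same password sync different values, so the synced data cannot be matched across accounts either.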
Scenario: Raj decides on hybrid auth for Lakewood University
Lakewood University has 5,000 user accounts in on-premises Active Directory. They just bought Microsoft 365 E3. Raj needs to connect the two.
Decision 1: Raj installs Microsoft Entra Connect to sync all 5,000 identities to Entra ID.
Decision 2: He enables password hash sync. Why?
- Staff and students sign in from home, coffee shops, and campus — cloud-based auth works everywhere
- If the campus network goes down, cloud authentication still works
- It’s the simplest to maintain — Raj is a team of one
Professor Chen doesn’t need to know or care. He signs in the same way he always has. Behind the scenes, his identity now works in both worlds.
External identities
Not everyone who needs access to your resources is an employee. Partners, vendors, contractors, and customers need access too — but they shouldn’t need a full account in your directory.
Microsoft Entra External ID handles two distinct scenarios:
B2B collaboration (business-to-business)
B2B lets you invite external users as guests in your tenant. They sign in with their own identity — their company’s Entra ID, a Google account, or even a one-time email passcode.
How it works:
- Raj sends a guest invitation to a researcher at a partner university
- The researcher accepts and signs in with their own university credentials
- Entra ID creates a guest user object in Lakewood’s directory
- Raj controls exactly which resources the guest can access
- When the project ends, Raj removes the guest
The guest never gets a Lakewood password. Their own organisation manages their credentials.
B2C (business-to-customer)
B2C is for customer-facing applications. It’s a separate Entra ID service that lets customers create accounts and sign in using their social identities (Google, Facebook, Apple) or a local email account.
Think of it as the sign-in experience you see on retail websites: “Sign in with Google” or “Create an account.”
| Feature | B2B Collaboration | B2C (Customer Identity) |
|---|---|---|
| Who uses it | External partners, vendors, contractors | End customers, public users |
| How they sign in | With their own corporate or personal identity | With social accounts (Google, Apple) or local sign-up |
| Where the identity lives | Guest object in your Entra ID tenant | Separate Entra External ID (B2C) tenant |
| Use case | Partner accessing your SharePoint or Teams | Customer logging into your web app or store |
| Who manages the identity | The guest's own organisation | You control the sign-up and sign-in experience |
Scenario: Sam uses B2B and B2C at BrightStar
B2B use: BrightStar Retail works with a distribution company. Sam invites the distributor’s account manager as a B2B guest so they can view the shared inventory spreadsheet in SharePoint — nothing else.
B2C use: Sam is building an online loyalty programme for customers. Shoppers create an account using their Google login or email address. This uses Entra External ID (B2C) — completely separate from BrightStar’s internal directory.
The distributor’s account manager and the loyalty programme shopper are both external identities — but they use different mechanisms for very different purposes.
When to use each approach
| Scenario | Solution |
|---|---|
| Employees need one identity for on-prem and cloud | Hybrid identity with Entra Connect + password hash sync |
| On-prem password policies must be enforced during cloud sign-in | Hybrid identity with pass-through authentication |
| Organisation has existing AD FS investment and complex auth rules | Federation with AD FS |
| External partner needs access to your Teams or SharePoint | B2B collaboration (guest invitation) |
| Customers need to sign in to your public web application | B2C with Entra External ID |
Hybrid and External Identities — SC-900 Domain 2
Knowledge Check
Lakewood University's campus network goes down due to a power outage. Students still need to access Microsoft 365 from home. Which hybrid authentication method will continue to work?
Sam needs to give a distribution partner's account manager view access to a single SharePoint folder. The partner already has their own Microsoft 365 tenant. What should Sam use?
Which statement about Microsoft Entra Connect is correct?