Microsoft Entra ID Hybrid Identity for Berlin SMBs: Connecting Active Directory to the Cloud
Cloud-only identity is the right starting point for new companies. But Berlin SMBs that have been operating for more than five years almost always have on-premises Active Directory, domain-joined workstations, and line-of-business applications that authenticate against a local domain controller. Ripping all of that out and moving to cloud-only is a significant project with real risk. Hybrid identity via Microsoft Entra Connect Sync is the pragmatic path: keep what works on-premises, extend identity to the cloud, and give users a single set of credentials that works everywhere.
What Hybrid Identity Means in Practice
In a hybrid identity deployment, user accounts are mastered in on-premises Active Directory. Microsoft Entra Connect Sync (formerly Azure AD Connect) runs on a Windows Server and continuously synchronises those accounts to Entra ID (formerly Azure Active Directory) in the cloud. The result: one identity that works for logging into Windows, Microsoft 365 applications, SharePoint, Teams, and any application that federates with Entra ID over SAML or OpenID Connect/OAuth 2.0.
From the user perspective, they log into their laptop with their domain credentials and, once Seamless SSO or Microsoft Entra hybrid join is in place, are authenticated to cloud services without entering a password again. From the administrator perspective, user lifecycle management stays in Active Directory Users and Computers, the tool IT has used for years, and changes propagate to the cloud within the sync cycle (default: every 30 minutes; password hashes are synchronised on their own schedule, roughly every two minutes).
Entra ID Connect Sync: Architecture
Microsoft Entra Connect Sync is a Windows Server application that runs as a service, with a local SQL Server Express LocalDB instance holding its metaverse by default. It requires:
- A Windows Server 2016 or later (physical or virtual) with outbound internet connectivity
- An Entra ID account with the Hybrid Identity Administrator role (Global Administrator also works, but is more than the wizard needs) for initial configuration
- An on-premises AD account with Enterprise Admin rights for the initial installation with Express settings (a custom installation can instead use a pre-created connector account with delegated permissions)
- The server should not be a domain controller: deploy it on a dedicated, domain-joined member server
The synchronisation engine reads from AD, transforms attributes through sync rules, and writes to Entra ID. It is one-directional by default: AD is authoritative, Entra ID is the replica, and synchronised attributes are read-only in the Entra admin center. Writeback features (password writeback, group writeback, device writeback) exist but require explicit configuration and the appropriate licence tier (Entra ID P1, which Microsoft 365 Business Premium includes, for password writeback).
Authentication Method: Password Hash Sync vs Pass-Through Authentication
This is the decision that matters most for SMBs. You have two main options:
Password Hash Sync (PHS) synchronises a hash of the user's AD password hash to Entra ID: Entra Connect reads the NT hash, adds a per-user salt and runs it through PBKDF2-HMAC-SHA256 (1,000 iterations), so the value stored in the cloud cannot be used to recover the on-premises hash or replayed against the domain. Authentication against cloud services then happens in the cloud without contacting the on-premises domain controller. If the domain controller goes offline, users can still authenticate to Microsoft 365.
Pass-Through Authentication (PTA) validates passwords against on-premises AD in real time via a lightweight agent that makes only outbound connections. No password material leaves the premises, but if the agents or the domain controllers are unavailable, cloud authentication fails too; Microsoft recommends at least three agents on separate servers for that reason.
For most Berlin SMBs, Password Hash Sync is the correct choice. The resilience benefit (cloud auth works even when on-premises is down) outweighs the theoretical advantage of keeping passwords entirely on-premises. PHS also enables Entra ID Identity Protection's leaked credentials detection (an Entra ID P2 feature), which compares credential pairs Microsoft finds in breach dumps against your tenant's password hashes and flags the affected accounts; this detection is unavailable with PTA alone. Two caveats: PHS can be enabled alongside PTA, but switching to it is a manual fallback, not an automatic failover. And enabling PHS grants the AD DS connector account (MSOL_ followed by twelve hex characters when created by Express settings) the Replicating Directory Changes and Replicating Directory Changes All rights on the domain, the same permission set a DCSync attack abuses. Audit who holds those rights, and treat the sync server and its service accounts as tier-0 assets.
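Because PHS hands the connector account replication rights, the first thing to check after enabling it is who else holds those rights. The script below is an added example, not code from the original page or from IT Experts Berlin: it reads the ACL of the domain naming context with the ActiveDirectory module and lists every principal that can replicate directory changes (the DCSync permission set). The extended-right GUIDs are the well-known schema values; the function name, the list of expected holders and the MSOL_ naming pattern are this example's assumptions.

```powershell
# Added example (not code from the original page): list every principal that
# holds directory-replication rights on the domain naming context, i.e. every
# identity that can pull password hashes the way DCSync does. Enabling PHS
# grants these rights to the AD DS connector account (MSOL_xxxxxxxxxxxx with
# Express settings). Function name and expected-holders list are assumptions;
# extend the list for your environment.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs (controlAccessRight objects in the schema).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param(
        # Principals that hold replication rights in a default domain ACL.
        [string[]]$Expected = @(
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators'
        )
    )
    $domain  = Get-ADDomain
    $netbios = $domain.NetBIOSName
    $Expected += "$netbios\Domain Controllers"

    $acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the domain head itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        $objectType = $ace.ObjectType.ToString()
        $rights     = $ace.ActiveDirectoryRights.ToString()

        if ($rights -match 'ExtendedRight' -and $ReplicationRights.ContainsKey($objectType)) {
            $right = $ReplicationRights[$objectType]
        } elseif ($rights -match 'GenericAll' -or
                  ($rights -match 'ExtendedRight' -and $objectType -eq '00000000-0000-0000-0000-000000000000')) {
            # GenericAll, or ExtendedRight with an empty GUID, covers every extended right.
            $right = 'All extended rights (implies replication)'
        } else {
            continue
        }

        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Principal     = $id
            Right         = $right
            IsSyncAccount = $id -like "$netbios\MSOL_*"
            Unexpected    = ($Expected -notcontains $id) -and ($id -notlike "$netbios\MSOL_*")
        }
    }
}

# Anything with Unexpected = True deserves an explanation: a second MSOL_ account
# from an old install, or a leftover admin-tool account, is a standing DCSync path.
Get-ReplicationRightHolders | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run it as a domain user that can read the domain head's security descriptor (any authenticated user can, by default). The single expected MSOL_ entry is the price of PHS; every other unexpected row should be removed or justified in writing.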
Seamless Single Sign-On
Seamless SSO (also called Seamless Azure AD SSO) is a separate feature from the sync configuration but works alongside PHS or PTA. It allows domain-joined Windows devices to authenticate to Entra ID silently using Kerberos tickets, without prompting the user to enter their Microsoft 365 password. Windows 10 and 11 devices that are Entra hybrid joined already get silent sign-in through the Primary Refresh Token; Seamless SSO matters for domain-joined devices that are not hybrid joined and for browser sign-ins from shared or older machines.
Enabling it requires:
- Enabling Seamless SSO in the Microsoft Entra Connect Sync configuration wizard (under User sign-in), which creates a computer account named AZUREADSSOACC in each AD forest and registers the Kerberos SPN that Entra ID will request tickets for
- Rolling out a Group Policy (Site to Zone Assignment List) that adds https://autologon.microsoftazuread-sso.com to the Intranet zone on domain members, so that Windows and the browser are willing to send a Kerberos ticket to that Microsoft endpoint
- Verifying that the AZUREADSSOACC computer account was created in Active Directory, and rolling over its Kerberos decryption key at least every 30 days with Update-AzureADSSOForest from the AzureADSSO module on the sync server; that key is shared with Entra ID, and anyone who obtains it can forge tickets that Entra ID accepts for synced users, so treat the account like a krbtgt account
After this, users on domain-joined devices sign into Microsoft 365 without additional authentication prompts. Combined with Conditional Access policies in Entra ID, you get a clean experience where hybrid-joined, compliant devices get transparent access and unmanaged or non-compliant devices are challenged for MFA.
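To verify the three prerequisites above from a domain member, the following PowerShell function is an added example (not code from the original page or from IT Experts Berlin). It checks the Intranet-zone mapping written by the Site to Zone Assignment List policy and the manual per-user zone entry, confirms the AZUREADSSOACC account exists, and reports the age of its Kerberos key against the 30-day rollover recommendation. The registry paths are the standard zone-map locations; the function name, the 30-day parameter and the expected SPN string are this example's assumptions.

```powershell
# Added example (not code from the original page): verify the Seamless SSO
# prerequisites on a domain-joined machine and the age of the AZUREADSSOACC key.
# Function name, parameters and the expected SPN are this example's assumptions.
function Test-SeamlessSsoPrerequisites {
    param(
        [string]$SsoUrl = 'https://autologon.microsoftazuread-sso.com',
        [int]$MaxKeyAgeDays = 30    # Microsoft's recommended rollover interval
    )
    $result = [ordered]@{}

    # 1. Intranet-zone mapping via GPO. "Site to Zone Assignment List" writes
    #    HKLM\...\ZoneMapKey with the URL as value name and "1" (Intranet) as data.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $policyZone = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).$SsoUrl
    $result.IntranetZoneViaPolicy = ($policyZone -eq '1')

    # 2. Fallback: a manually added site lives in the per-user ZoneMap\Domains tree
    #    as ...\Domains\microsoftazuread-sso.com\autologon with DWORD https = 1.
    $userKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'
    $userZone = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).https
    $result.IntranetZoneViaUser = ($userZone -eq 1)

    # 3. The AZUREADSSOACC computer account. Its password is the Kerberos
    #    decryption key shared with Entra ID; PasswordLastSet tells you when
    #    it was last rolled with Update-AzureADSSOForest.
    Import-Module ActiveDirectory
    $acct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet, ServicePrincipalNames
    if ($acct) {
        $age = (Get-Date) - $acct.PasswordLastSet
        $result.AccountExists   = $true
        $result.KeyAgeDays      = [int]$age.TotalDays
        $result.KeyRolloverDue  = ($age.TotalDays -gt $MaxKeyAgeDays)
        # Assumed expected SPN; compare with what the wizard registered in your forest.
        $result.HasAutologonSpn = ($acct.ServicePrincipalNames -contains 'HTTP/autologon.microsoftazuread-sso.com')
    } else {
        $result.AccountExists = $false
    }
    [pscustomobject]$result
}

Test-SeamlessSsoPrerequisites | Format-List
```

If both zone checks come back False, Seamless SSO will still work for Windows sign-in paths that do not go through the browser zone model, but Edge and Chrome will prompt; if KeyRolloverDue is True, schedule the rollover from the sync server.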
Entra ID Application Proxy: Publishing On-Premises Apps
Many SMBs running hybrid identity also have internal web applications (an ERP, a project management tool, a legacy intranet) that are only reachable on-premises. Microsoft Entra application proxy lets you publish these applications to the internet behind Entra ID authentication, without opening inbound firewall ports or deploying your own reverse proxy.
The application proxy connector runs on a Windows Server inside the corporate network and establishes outbound HTTPS connections to the Entra service. Remote users authenticate to Entra ID (with MFA enforced via Conditional Access); the service then relays the request over the connector's outbound tunnel to the internal application. From the application's perspective, the request arrives from the connector's internal address, so any IP-based access rules in the application see the connector rather than the end user. No VPN is required for the end user.
For SMBs still running on-premises applications that remote workers need to access, application proxy is a simpler and more secure architecture than maintaining a VPN: what faces the internet is Entra ID's pre-authentication, not your own edge device. Single sign-on into applications that use Integrated Windows Authentication is done with Kerberos constrained delegation (KCD), not with Seamless SSO: the connector host's computer account is trusted to obtain a Kerberos ticket for the internal service on behalf of the user Entra ID has already authenticated, so the user does not enter credentials a second time. Seamless SSO only covers the sign-in to Entra ID itself.
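The KCD setup for a connector host, as an added example that is not code from the original page or from IT Experts Berlin: it grants the connector's computer account constrained delegation with protocol transition to one backend SPN. CONNECTOR01 and HTTP/erp.corp.example are hypothetical names; the function name is this example's own. The matching portal step (Single sign-on mode Integrated Windows Authentication, with the internal application SPN and the delegated login identity) is not scripted here.

```powershell
# Added example (not code from the original page): configure Kerberos constrained
# delegation so an application proxy connector host can request a Kerberos ticket
# for an internal IWA application on behalf of an Entra-authenticated user.
# CONNECTOR01 and HTTP/erp.corp.example are hypothetical names.
Import-Module ActiveDirectory

function Set-AppProxyConnectorKcd {
    param(
        [Parameter(Mandatory)][string]$ConnectorComputer,   # e.g. CONNECTOR01
        [Parameter(Mandatory)][string]$BackendSpn           # e.g. HTTP/erp.corp.example
    )
    # The SPN must already be registered on the account that runs the backend
    # (a service account or the web server's computer account); KCD to an
    # unregistered SPN silently fails at ticket-request time.
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$BackendSpn)"
    if (-not $owner) { throw "SPN $BackendSpn is not registered on any AD account" }

    $connector = Get-ADComputer -Identity $ConnectorComputer

    # "Trust this computer for delegation to specified services only" +
    # "Use any authentication protocol": msDS-AllowedToDelegateTo lists the
    # target SPNs, and TRUSTED_TO_AUTH_FOR_DELEGATION permits protocol
    # transition, which is required because the user authenticated to Entra ID
    # rather than with Kerberos. Never use -TrustedForDelegation (unconstrained).
    Set-ADComputer -Identity $connector -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }
    Set-ADAccountControl -Identity $connector -TrustedToAuthForDelegation $true

    # Return the resulting state so it can be verified and documented.
    Get-ADComputer -Identity $connector -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
        Select-Object Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
}

Set-AppProxyConnectorKcd -ConnectorComputer 'CONNECTOR01' -BackendSpn 'HTTP/erp.corp.example'
```

Keep the delegation list to exactly the SPNs the connector needs: a connector host trusted to delegate to many services is itself a high-value target, because anyone who controls it can obtain tickets to those services as any user.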
Common Configuration Mistakes
The mistakes we see most frequently in hybrid identity deployments at Berlin SMBs:
- Installing Entra Connect Sync on a domain controller. The software supports this, but Microsoft recommends against it. The connector account already holds replication rights over the whole domain once password hash sync is on, so its compromise is domain-wide wherever the server sits; putting the sync engine, its database and the credentials it stores on a domain controller additionally means that any foothold on the sync software is a foothold on the domain controller itself. Use a dedicated member server, and protect it like a domain controller.
- Not configuring password writeback. Without password writeback, Entra ID does not let synchronised users change or reset their password in the cloud at all: self-service password reset (SSPR) tells them to contact their administrator, and admins cannot reset a synced user's password from the Entra admin center either. The only place the password can be changed is on-premises, and the new hash reaches the cloud on the next password sync. Enable password writeback (Entra ID P1) before rolling out SSPR; the wizard grants the connector account the reset-password permission it needs on user objects.
- Not monitoring sync health. Entra Connect Sync has a health monitoring dashboard at entra.microsoft.com > Identity > Monitoring & health > Connect sync (Microsoft Entra Connect Health, which needs its agent on the sync server and an Entra ID P1 licence for alerting). Sync errors that are not caught mean users created in AD do not appear in Microsoft 365, which becomes a support ticket. A stalled scheduler or a server left in staging mode produces no error at all, it simply stops exporting, so check the server itself as well as the portal.
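A server-side check that covers the placement and the monitoring mistakes above, as an added example that is not code from the original page or from IT Experts Berlin: it uses the ADSync module that ships with Entra Connect to report scheduler state, staging mode, the features enabled for the tenant and the export deletion threshold, and counts recent errors in the Application log. The thresholds, the function name and the event-log provider name are this example's assumptions.

```powershell
# Added example (not code from the original page): read-only health and hardening
# checks to run on the Entra Connect Sync server itself. ADSync cmdlets ship with
# Entra Connect; the thresholds, function name and the event provider name
# 'Directory Synchronization' are this example's own assumptions.
Import-Module ADSync

function Get-EntraConnectHealthReport {
    param(
        [int]$MaxSilenceMinutes = 90,    # three missed 30-minute cycles
        [int]$ErrorLookbackHours = 24
    )
    $report = [ordered]@{}

    # 1. Placement: the sync engine must not run on a domain controller
    #    (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC).
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $report.RunsOnDomainController = ($role -ge 4)

    # 2. Scheduler: sync must be enabled, and the server must not be sitting in
    #    staging mode, which imports from AD but never exports to the tenant.
    $sched = Get-ADSyncScheduler
    $report.SyncCycleEnabled   = $sched.SyncCycleEnabled
    $report.StagingModeEnabled = $sched.StagingModeEnabled
    $report.CycleInterval      = $sched.CurrentlyEffectiveSyncCycleInterval
    $report.NextCycleUtc       = $sched.NextSyncCycleStartTimeInUTC
    $report.SyncInProgress     = $sched.SyncCycleInProgress
    # A next-cycle time well in the past means the scheduler has stopped firing.
    $cutoff = (Get-Date).ToUniversalTime().AddMinutes(-$MaxSilenceMinutes)
    $report.SchedulerStalled = (-not $sched.SyncCycleInProgress) -and ($sched.NextSyncCycleStartTimeInUTC -lt $cutoff)

    # 3. Tenant features this server has switched on.
    $features = Get-ADSyncAADCompanyFeature
    $report.PasswordHashSync = $features.PasswordHashSync
    $report.DeviceWriteback  = $features.DeviceWriteback

    # 4. Export deletion threshold: the brake that stops a mistaken OU filter
    #    from deleting hundreds of cloud accounts in a single export.
    $report.ExportDeletionThreshold = (Get-ADSyncExportDeletionThreshold | Out-String).Trim()

    # 5. Connectors currently executing a run profile (empty when idle).
    $report.RunningConnectors = @(Get-ADSyncConnectorRunStatus | ForEach-Object { $_.ConnectorName }) -join ', '

    # 6. Recent critical/error/warning events from the sync engine. If the
    #    provider name differs on your build, adjust it here.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Level        = 1, 2, 3
        StartTime    = (Get-Date).AddHours(-$ErrorLookbackHours)
    } -ErrorAction SilentlyContinue)
    $report.RecentSyncErrors   = $events.Count
    $report.LatestErrorMessage = if ($events -and $events[0].Message) { $events[0].Message.Split("`n")[0] } else { '' }

    [pscustomobject]$report
}

$health = Get-EntraConnectHealthReport
$health | Format-List
if ($health.RunsOnDomainController -or $health.StagingModeEnabled -or $health.SchedulerStalled -or -not $health.SyncCycleEnabled) {
    Write-Warning 'Sync server needs attention: placement, staging mode or scheduler state.'
}
```

Schedule this as a daily task that writes the object to your ticketing or monitoring system; StagingModeEnabled = True on the production server is the single most common reason a tenant quietly stops receiving new users.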
The Migration Path to Cloud-Only
Hybrid identity is a transition architecture for many organisations. The long-term direction for SMBs without legacy constraints is cloud-only identity with Entra ID, Intune-managed devices replacing domain-joined workstations, and cloud-native applications replacing on-premises line-of-business systems. Hybrid identity is the bridge that allows SMBs to get to Microsoft 365 without requiring a big-bang migration of every on-premises workload simultaneously.
The typical sequence for Berlin SMBs we work with: deploy hybrid identity and seamless SSO, onboard devices to Intune while keeping domain join for existing machines, migrate file servers to SharePoint, retire the VPN in favour of Application Proxy and Conditional Access, and decommission the domain controller when the last on-premises workload has been migrated. That process takes twelve to twenty-four months depending on the complexity of the existing environment.
What IT Experts Berlin Configures
Our hybrid identity engagement covers Microsoft Entra Connect Sync installation and configuration, password hash sync with Seamless SSO, optional application proxy for internal web application publishing, a Conditional Access policy baseline, and sync health monitoring setup. The deployment takes two to three days for a typical SMB environment. Reach out for a scoping call.
Related Articles