Entraneer - Microsoft Entra Engineering & Consulting

Hybrid Entra Environment Architecture

Specialist architecture and engineering for organisations operating across multiple Active Directories, Entra tenants, and disconnected identity systems.


Most Enterprise Identity Environments Are Not Simple

They are the result of years of organic growth, mergers, acquisitions, and pragmatic decisions made under time pressure. Multiple Active Directory forests, multiple Entra ID tenants, and disconnected line-of-business systems all need to coexist and interoperate. Entraneer specialises in bringing order to this complexity without demanding that everything be rebuilt from scratch.

Scenarios

Hybrid Scenarios We Address

We design identity architecture for the real-world complexity of Australian enterprise, government, and financial services environments.

Multi-AD Forests

Multiple AD forests from M&A, geographic distribution, or business unit autonomy

Multi-Tenant Entra

Regulatory separation, shared service models, or legacy of acquisitions

Disconnected Directories

LOB systems, industrial control, or air-gapped environments needing governance

Entra Cloud Sync

Lightweight provisioning agent for multi-forest synchronisation

Entra Connect Sync

Full-featured sync for Exchange hybrid, device writeback, and complex filtering

Staged Cloud Migration

Progressive shift of identity authority to the cloud while maintaining legacy services

Architecture

Microsoft Entra Connect Sync & Microsoft Entra Cloud Sync

Microsoft Entra Connect (formerly Azure AD Connect) is the foundation of hybrid identity synchronisation.

The choice between Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync, and the specific configuration of either, is one of the most consequential decisions in a hybrid identity architecture. Organisations that previously relied on Azure AD Connect will recognise these tools under their updated Microsoft Entra branding.

Microsoft Entra Connect Sync offers the broadest feature set, including support for device writeback, group writeback, hybrid Exchange configurations, and complex filtering rules. Microsoft Entra Cloud Sync is lighter weight, runs as a provisioning agent, and supports multi-forest scenarios with less infrastructure overhead.

Entraneer frequently designs hybrid synchronisation topologies where some forests use Connect Sync and others use Cloud Sync, depending on the complexity of the requirements. We configure attribute mapping, scoping filters, join rules, and transformation expressions with precision, and validate synchronisation behaviour in pre-production environments before cutover.

Attribute Mapping & Transformation

Precise configuration of how directory attributes flow between AD and Entra ID

Scoping & Filtering

OU-based, attribute-based, and group-based filtering to control what synchronises

Password Hash Sync & SSPR

Password hash synchronisation with self-service password reset writeback

Conflict Resolution

Join rules and precedence handling when the same identity exists across multiple sources

Migration

Incremental Cloud Migration

Very few organisations can execute a wholesale migration from on-premises Active Directory to Entra ID in a single phase. Entraneer designs incremental migration strategies that progressively shift identity authority to the cloud.

1. Endpoint Transition

Configure Entra hybrid join or Entra join for endpoints, establishing cloud-based device management alongside existing Group Policy infrastructure.

2. Application Migration

Migrate application authentication to Entra ID where possible, moving from Kerberos, NTLM, and LDAP dependencies to modern protocols while maintaining functionality.

3. Cloud-Authoritative Provisioning

Establish cloud-authoritative provisioning for new users and progressively migrate existing user authority, shifting the source of truth from on-premises AD to Entra ID.

4. DC Decommission

Decommission on-premises domain controllers on a site-by-site basis as dependencies are retired, with realistic timelines that account for the long tail of legacy requirements.

Challenges

Common Challenge Patterns

Recurring issues we identify and resolve in complex hybrid environments across Australian enterprise and government

UPN Mismatch & Authentication Failures

UPN mismatch between on-premises AD and Entra ID is one of the most common causes of authentication failures in hybrid environments. We assess UPN suffix configuration, identify accounts with non-routable UPNs, and design remediation plans that align UPNs across directories without disrupting active sessions.
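The assessment step described above can be automated. The following PowerShell is an added example written for this page, not Entraneer's tooling: it checks each on-premises UPN suffix against the tenant's verified domains, classifies the finding, and proposes (but does not apply) an aligned UPN derived from the user's primary mail domain. The user records and the verified domain list are constructed; in practice the records would come from Get-ADUser -Properties mail and the domain list from the tenant.

```powershell
# Added example, not Entraneer's tooling: assess on-premises UPNs against the
# tenant's verified domains and flag accounts whose UPN will not match Entra ID.
# Sample data is constructed; in production feed Get-ADUser output (same
# attribute names) and the tenant's verified domain list.

# Constructed: domains verified in a hypothetical tenant
$VerifiedDomains = @('contoso.com.au', 'contoso.com')

# Constructed: users shaped like Get-ADUser -Properties mail output
$Users = @(
    [pscustomobject]@{ SamAccountName = 'jsmith'; UserPrincipalName = 'jsmith@contoso.com.au'; mail = 'jsmith@contoso.com.au' },
    [pscustomobject]@{ SamAccountName = 'alee';   UserPrincipalName = 'alee@corp.local';        mail = 'alee@contoso.com.au' },
    [pscustomobject]@{ SamAccountName = 'svc01';  UserPrincipalName = $null;                    mail = $null },
    [pscustomobject]@{ SamAccountName = 'mkhan';  UserPrincipalName = 'mkhan@fabrikam.com';     mail = 'mkhan@contoso.com.au' }
)

function Test-UpnRoutable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object]   $User,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )

    $prefix = $null
    $result = [ordered]@{
        SamAccountName    = $User.SamAccountName
        UserPrincipalName = $User.UserPrincipalName
        Finding           = 'Ok'
        ProposedUpn       = $null
    }

    if ([string]::IsNullOrWhiteSpace($User.UserPrincipalName)) {
        # No UPN at all: Entra ID would synthesise one on the onmicrosoft.com domain
        $result.Finding = 'MissingUpn'
    }
    else {
        $prefix, $suffix = $User.UserPrincipalName.Split('@', 2)
        if ($VerifiedDomains -notcontains $suffix) {
            # .local and single-label suffixes can never be verified in a tenant;
            # anything else is simply not verified in this tenant
            $result.Finding = if ($suffix -match '\.local$' -or $suffix -notmatch '\.') { 'NonRoutableSuffix' } else { 'UnverifiedSuffix' }
        }
    }

    if ($result.Finding -ne 'Ok' -and $User.mail) {
        # Propose the mail domain when it is verified: aligning UPN with the primary
        # SMTP address keeps sign-in name and mail address consistent for the user
        $mailDomain = $User.mail.Split('@')[-1]
        if ($VerifiedDomains -contains $mailDomain) {
            $localPart = if ($prefix) { $prefix } else { $User.SamAccountName }
            $result.ProposedUpn = "$localPart@$mailDomain"
        }
    }
    [pscustomobject]$result
}

$report = $Users | ForEach-Object { Test-UpnRoutable -User $_ -VerifiedDomains $VerifiedDomains }
$report | Format-Table -AutoSize
```

The report is deliberately read-only: applying a proposed UPN (Set-ADUser -UserPrincipalName) changes the sign-in name that synchronises to Entra ID, so the change is scheduled with the affected users and validated in pre-production first rather than scripted blindly across the directory.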

Multi-Source Synchronisation Conflicts

When the same user exists in multiple source directories, synchronisation conflicts can produce duplicate accounts, merged attributes from the wrong source, or provisioning failures. We design join rules and precedence models that establish clear authority for each identity and resolve existing conflicts.

Orphaned Cloud-Only Accounts

Cloud-only accounts that bypass governance controls designed around synchronised identities are a common finding in hybrid environments. We identify these accounts, assess their legitimacy, and either bring them under governance or remediate them with appropriate lifecycle management.
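The join-rule and precedence model described under Multi-Source Synchronisation Conflicts, and the cloud-only account review described above, can both be prototyped against exported directory data before any sync rule is changed. The following PowerShell is an added example for this page, not Entraneer's tooling: Resolve-IdentityConflicts joins records from two forests on EmployeeId and takes each attribute from the highest-precedence source, and Find-CloudOnlyAccounts lists tenant accounts with no on-premises master that are not on an explicit allow-list. All records, the precedence order and the allow-list are constructed; in production the forest records would come from Get-ADUser against each forest and the tenant records from Get-MgUser -Property UserPrincipalName,EmployeeId,OnPremisesSyncEnabled.

```powershell
# Added example, not Entraneer's tooling: reconcile identities seen in two AD
# forests under an explicit precedence order, then list tenant accounts that
# have no on-premises source. All data below is constructed.

# Constructed policy: the earlier source wins attribute conflicts for a joined identity
$Precedence = @('ForestA', 'ForestB')

# Constructed: the same person (EmployeeId 1001) exists in both forests
$SourceUsers = @(
    [pscustomobject]@{ Source = 'ForestA'; EmployeeId = '1001'; Upn = 'jsmith@contoso.com.au';   DisplayName = 'Jane Smith'; Department = 'Finance' },
    [pscustomobject]@{ Source = 'ForestB'; EmployeeId = '1001'; Upn = 'jane.smith@fabrikam.com'; DisplayName = 'J. Smith';   Department = 'Finance (Fabrikam)' },
    [pscustomobject]@{ Source = 'ForestB'; EmployeeId = '2002'; Upn = 'alee@fabrikam.com';       DisplayName = 'Alex Lee';   Department = 'IT' }
)

# Constructed: tenant accounts; OnPremisesSyncEnabled is null or false for cloud-only objects
$CloudUsers = @(
    [pscustomobject]@{ Upn = 'jsmith@contoso.com.au';              EmployeeId = '1001'; OnPremisesSyncEnabled = $true },
    [pscustomobject]@{ Upn = 'alee@fabrikam.com';                  EmployeeId = '2002'; OnPremisesSyncEnabled = $true },
    [pscustomobject]@{ Upn = 'contractor7@contoso.com.au';         EmployeeId = $null;  OnPremisesSyncEnabled = $null },
    [pscustomobject]@{ Upn = 'breakglass@contoso.onmicrosoft.com'; EmployeeId = $null;  OnPremisesSyncEnabled = $null }
)

function Resolve-IdentityConflicts {
    param([object[]] $SourceUsers, [string[]] $Precedence)
    # Join on EmployeeId as the anchor; take attributes from the highest-precedence source
    $SourceUsers | Group-Object -Property EmployeeId | ForEach-Object {
        $candidates = @($_.Group | Sort-Object -Property { [array]::IndexOf($Precedence, $_.Source) })
        $winner = $candidates[0]
        [pscustomobject]@{
            EmployeeId          = $_.Name
            Sources             = ($candidates.Source -join ',')
            AuthoritativeSource = $winner.Source
            Upn                 = $winner.Upn
            DisplayName         = $winner.DisplayName
            Department          = $winner.Department
            HadConflict         = ($candidates.Count -gt 1)
        }
    }
}

function Find-CloudOnlyAccounts {
    param([object[]] $CloudUsers, [string[]] $ApprovedCloudOnly)
    # Anything not mastered on-premises bypasses AD-centred joiner/mover/leaver controls,
    # so every such account needs an owner and a lifecycle decision
    $CloudUsers | Where-Object { -not $_.OnPremisesSyncEnabled } | ForEach-Object {
        [pscustomobject]@{
            Upn    = $_.Upn
            Status = if ($ApprovedCloudOnly -contains $_.Upn) { 'Approved' } else { 'ReviewRequired' }
        }
    }
}

Resolve-IdentityConflicts -SourceUsers $SourceUsers -Precedence $Precedence | Format-Table -AutoSize

# Constructed allow-list: emergency access accounts are expected to be cloud-only
Find-CloudOnlyAccounts -CloudUsers $CloudUsers -ApprovedCloudOnly @('breakglass@contoso.onmicrosoft.com') | Format-Table -AutoSize
```

Running this against real exports shows, before any cutover, which identities would join, which source would win each attribute, and which cloud-only accounts have no documented reason to exist, so the precedence order and the allow-list can be agreed with the business rather than discovered after synchronisation.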

Inconsistent Group & Access Models

Inconsistent group naming conventions and access models across AD forests and Entra tenants make access management unreliable across organisational boundaries. We design standardised group taxonomies, naming conventions, and access models that work consistently across your entire hybrid environment.

Managed Services

Microsoft Entra Domain Services & Application Proxy

Formerly Azure AD Domain Services and Azure AD Application Proxy

Microsoft Entra Domain Services (formerly Azure AD Domain Services) provides managed domain services such as domain join, Group Policy, LDAP, and Kerberos/NTLM authentication without the need to deploy and manage on-premises domain controllers. This is essential for legacy applications that require traditional AD DS capabilities but need to operate in a cloud-managed environment. Existing Azure AD Domain Services deployments continue to work unchanged under the Entra name; the rebranding itself requires no migration.

Microsoft Entra Application Proxy enables secure remote access to on-premises web applications without requiring a VPN or opening inbound firewall ports. By publishing internal applications through Entra Application Proxy, organisations can extend conditional access and multi-factor authentication to legacy on-premises apps, bridging the gap between cloud-native security controls and traditional infrastructure. Entraneer designs and deploys both Domain Services and Application Proxy as part of a cohesive hybrid identity architecture.

Governance

Microsoft Entra Tenant Governance & Cross-Tenant Synchronization

Microsoft Entra Cross-Tenant Group Synchronization and Microsoft Entra Backup and Recovery

Governing multi-tenant Entra environments requires coordinated policies, consistent access controls, and reliable synchronisation across tenant boundaries. Microsoft Entra Tenant Governance provides the framework for managing identity lifecycle, access reviews, and entitlement management across multiple tenants operating under a single organisational umbrella.

Microsoft Entra Cross-Tenant Group Synchronization automates the provisioning of security groups and their memberships across tenants, ensuring that collaborative access models remain accurate as people join, move, and leave the organisation. Combined with Microsoft Entra Backup and Recovery capabilities, organisations can protect critical identity configurations and restore tenant state after accidental or malicious changes. Entraneer implements these governance controls as part of a unified multi-tenant management strategy tailored to Australian enterprise and government requirements.

Frequently Asked Questions

Can Entra Cloud Sync fully replace Entra Connect Sync?

Not in all scenarios. Entra Cloud Sync does not support device writeback, Exchange hybrid configurations with detailed attribute flow, or some advanced filtering and transformation capabilities available in Connect Sync. However, for straightforward user and group synchronisation from AD to Entra ID, Cloud Sync is simpler to deploy and manage. Entraneer assesses your specific requirements and recommends the right tool for each forest connection, often using both in the same environment.

How do you handle mergers and acquisitions from an identity perspective?

M&A identity integration typically involves establishing trust or synchronisation between the acquired organisation's AD forest and the acquiring organisation's Entra ID tenant. We design a phased approach: immediate B2B collaboration access, followed by directory synchronisation, then progressive application migration, and finally forest consolidation or decommission. The exact sequence depends on business urgency, regulatory requirements, and the technical state of the acquired environment.

What is cross-tenant synchronisation and when should we use it?

Cross-tenant synchronisation is an Entra ID feature that automatically provisions user representations from one Entra tenant into another, enabling seamless collaboration without requiring manual B2B invitation processes. It is appropriate when you have a stable multi-tenant architecture and need users in one tenant to access resources in another on an ongoing basis. Entraneer configures cross-tenant sync with appropriate scoping, attribute mapping, and lifecycle rules to keep the synchronised population accurate and current.

Can you help us reduce the number of Entra tenants we operate?

Yes, tenant consolidation is a common engagement for us. We assess the business and technical reasons each tenant exists, identify which tenants can be consolidated, and design a migration plan that moves users, applications, and configurations to the target tenant with minimal disruption. Tenant consolidation is complex, particularly when tenants contain production applications, conditional access policies, and governance configurations, so we approach it methodically with thorough pre-migration validation.

How do you handle disconnected systems that cannot integrate with Entra ID?

Some systems, particularly older line-of-business applications, industrial control systems, or air-gapped environments, cannot be directly integrated with Entra ID. For these systems, Entraneer designs governance wrappers that ensure account provisioning and deprovisioning are still controlled through your central identity processes, even if the technical integration is indirect. This may involve SCIM-based provisioning agents, scheduled PowerShell automation, or API-driven workflows that bridge the gap between Entra ID and the disconnected system.
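The scheduled-automation form of such a governance wrapper reduces to a reconciliation: compare who is entitled to the system according to Entra ID with the accounts the system actually holds, and emit provision, disable or no-change actions for the system's own administration interface. The following PowerShell is an added example for this page, not Entraneer's tooling: the entitled-user list, the system's account export and the username mapping rule are all constructed, and the function only produces the action list, leaving execution and logging to whatever connector the disconnected system supports.

```powershell
# Added example, not Entraneer's tooling: reconcile a disconnected system's
# local accounts against the users entitled to it in Entra ID. All data below
# is constructed.

# Constructed: users entitled to the system (e.g. members of an access group),
# with their current Entra account state
$EntitledUsers = @(
    [pscustomobject]@{ Upn = 'jsmith@contoso.com.au'; AccountEnabled = $true },
    [pscustomobject]@{ Upn = 'alee@contoso.com.au';   AccountEnabled = $false },
    [pscustomobject]@{ Upn = 'mkhan@contoso.com.au';  AccountEnabled = $true }
)

# Constructed: account export from the disconnected system, as the CSV it produces
$SystemCsv = @'
Username,Status,LastLogon
jsmith,Active,2024-05-01
alee,Active,2024-04-20
olduser,Active,2022-01-15
'@
$SystemAccounts = $SystemCsv | ConvertFrom-Csv

# Constructed mapping rule: the system uses the UPN local part as its username
$MapUsername = { param($User) $User.Upn.Split('@')[0] }

function Get-ReconciliationActions {
    param(
        [object[]]    $EntitledUsers,
        [object[]]    $SystemAccounts,
        [scriptblock] $MapUsername
    )
    # Index expected usernames so lookups are O(1); hashtable keys are case-insensitive
    $expected = @{}
    foreach ($u in $EntitledUsers) { $expected[(& $MapUsername $u)] = $u }

    $actions = @()
    foreach ($acct in $SystemAccounts) {
        $key = $acct.Username
        if (-not $expected.ContainsKey($key)) {
            # Account exists in the system but nobody in Entra is entitled to it
            $actions += [pscustomobject]@{ Username = $key; Action = 'Disable';  Reason = 'NoEntitlementInEntra' }
        }
        elseif (-not $expected[$key].AccountEnabled -and $acct.Status -eq 'Active') {
            # Leaver or suspended user: the central account is disabled, the local one is not
            $actions += [pscustomobject]@{ Username = $key; Action = 'Disable';  Reason = 'EntraAccountDisabled' }
        }
        else {
            $actions += [pscustomobject]@{ Username = $key; Action = 'NoChange'; Reason = 'InSync' }
        }
    }
    foreach ($key in $expected.Keys) {
        if ($expected[$key].AccountEnabled -and ($SystemAccounts.Username -notcontains $key)) {
            # Joiner or newly entitled user with no local account yet
            $actions += [pscustomobject]@{ Username = $key; Action = 'Provision'; Reason = 'EntitledButMissing' }
        }
    }
    $actions
}

Get-ReconciliationActions -EntitledUsers $EntitledUsers -SystemAccounts $SystemAccounts -MapUsername $MapUsername |
    Sort-Object Action, Username | Format-Table -AutoSize
```

With the constructed data this yields a Disable for olduser (no entitlement), a Disable for alee (central account disabled), a Provision for mkhan and NoChange for jsmith. Keeping the action list separate from its execution means the same function drives a dry-run report for review and the scheduled run that actually calls the system's connector, and the dry-run output is the audit record that the disconnected system is still governed from the central identity source.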

Ready to Get Started?

Book a free initial consultation to discuss how Entraneer can help your organisation with Hybrid Entra Environment Architecture.

