
Hybrid Identity Security Baseline – Deep Dive into Azure AD Connect and Entra ID Authentication (EID-EXP-009)

18 March 2026 by Jaspreet Singh


Hybrid identity is widely adopted in Microsoft 365 environments. Organizations maintain on-premises Active Directory while extending identities to the cloud with Azure AD Connect (now Microsoft Entra Connect).

Although deployment is straightforward, the security implications of hybrid identity are often overlooked. Enabling synchronization changes authentication behavior, alters visibility, and introduces new attack surfaces.

This article presents a technical analysis of the Hybrid Identity Security Baseline experiment (EID-EXP-009) conducted in the f11.ca lab, with a focus on authentication flow, sign-in telemetry, and baseline security gaps.


Hybrid Identity Architecture Overview

In a hybrid identity model, identities synchronize from on-premises Active Directory to Microsoft Entra ID. Password Hash Synchronization (PHS) is the most common authentication method in both SMB and enterprise environments. (What is password hash synchronization with Microsoft Entra ID?, 2024)

Authentication Flow (PHS)

  1. The user initiates a login to a cloud service (e.g., Microsoft 365).
  2. The request is handled by Microsoft Entra ID.
  3. The stored password hash in Entra ID is used for validation.
  4. Conditional Access policies are evaluated.
  5. MFA (if required) is triggered.
  6. The access token is issued.

As a result, authentication is validated in the cloud, even though the identity originates from on-premises Active Directory.

Lab Environment (f11.ca)

The experiment took place in a segmented hybrid lab designed to simulate a real-world enterprise deployment.

Core Components

  • HP Gen9 virtualization host (256 GB RAM)
  • Sophos XGS firewall (network segmentation)
  • Dell managed switches
  • Windows Server Active Directory (2 DCs)
  • Azure AD Connect server
  • Windows 11 hybrid-joined client

Identity Configuration

  • Hybrid identity enabled via Azure AD Connect
  • Password Hash Synchronization configured
  • Test users synchronized from on-prem AD to Entra ID

After synchronization, users could immediately authenticate to cloud services.

What Changes After Enabling Hybrid Identity

A key finding from EID-EXP-009 is:

Hybrid identity functions immediately, but security controls do not.

The moment Azure AD Connect is configured:

  • Users appear in Entra ID.
  • Authentication is enabled for cloud services.
  • Sign-in logs begin capturing activity.

However, security controls are not enforced by default.

Authentication Visibility in Entra ID

After enabling hybrid identity, all authentication activity becomes visible in:

Entra Admin Center → Sign-In Logs

Each sign-in event includes:

  • User identity (UPN)
  • Application accessed
  • IP address and location
  • Client app type
  • Authentication method (PHS, MFA)
  • Conditional Access evaluation

This offers strong visibility, but it also has limitations.

Key Limitation

Sign-in logs are event records, not security conclusions. They show:

  • What happened

But not always:

  • Whether it was risky

Example scenarios that may appear normal:

  • Same user signing in from different locations
  • Persistent sessions across applications
  • MFA marked as satisfied without context

Security Baseline Gaps Identified

The experiment highlighted several critical baseline gaps commonly found in hybrid environments.

1. Conditional Access Not Enforced

Without structured policies:

  • All users can authenticate freely.
  • No restrictions are applied based on device, location, or risk.

2. Legacy Authentication Still Enabled

Protocols such as:

  • IMAP
  • POP
  • SMTP AUTH

may still be active and can bypass modern authentication protections. (The_Exchange_Team, 2022)

3. MFA Not Universally Enforced

In many environments:

  • Admin accounts have MFA.
  • Standard users do not.

This significantly increases the attack surface. (Azure identity & access security best practices, 2026)

4. Monitoring Without Detection

Even though logs exist:

  • No alerts are triggered.
  • No anomalies are highlighted.

Administrators are required to interpret data manually.
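The two sections above (the sign-in log limitation and "monitoring without detection") describe the same problem: the log records every event but draws no conclusion. The following added example, which is not code from the article or the f11.ca lab, shows the kind of interpretation an administrator otherwise does by hand. It runs over constructed records shaped like Microsoft Graph signIn objects (the same fields the Entra Admin Center sign-in log displays) and flags legacy-protocol sign-ins, single-factor sign-ins, sign-ins where no Conditional Access policy applied, and one user appearing in two countries within a short window.

```python
from datetime import datetime, timedelta
# Client app types that the Entra sign-in log reports for legacy (basic) authentication.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

def rec(upn, app, client, ip, when, country, auth_req, ca_status="notApplied", error=0):
    """Build a record shaped like a Microsoft Graph signIn object (constructed sample)."""
    return {"userPrincipalName": upn, "appDisplayName": app, "clientAppUsed": client,
            "ipAddress": ip, "createdDateTime": when, "location": {"countryOrRegion": country},
            "authenticationRequirement": auth_req, "conditionalAccessStatus": ca_status,
            "status": {"errorCode": error}}

# Constructed sample sign-ins; not data captured in the EID-EXP-009 lab.
SAMPLE_SIGNINS = [
    rec("alice@lab.example", "Office 365 Exchange Online", "Browser", "203.0.113.10",
        "2026-03-18T09:00:00Z", "CA", "singleFactorAuthentication"),
    rec("alice@lab.example", "Office 365 SharePoint Online", "Browser", "198.51.100.7",
        "2026-03-18T09:40:00Z", "DE", "singleFactorAuthentication"),
    rec("bob@lab.example", "Office 365 Exchange Online", "IMAP4", "192.0.2.55",
        "2026-03-18T10:05:00Z", "CA", "singleFactorAuthentication"),
    rec("carol@lab.example", "Microsoft Teams", "Mobile Apps and Desktop clients", "203.0.113.20",
        "2026-03-18T10:30:00Z", "CA", "multiFactorAuthentication", ca_status="success"),
]

def _ts(s):
    return datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))

def triage(signins, travel_window=timedelta(hours=2)):
    """Return (upn, finding, detail) tuples for successful sign-ins that the raw log records
    but never flags: legacy protocol, single factor, no CA policy applied, two countries."""
    findings = []
    ok = sorted((s for s in signins if s["status"]["errorCode"] == 0), key=_ts)
    for s in ok:
        upn = s["userPrincipalName"]
        if s["clientAppUsed"] in LEGACY_CLIENTS:
            findings.append((upn, "legacy-auth", s["clientAppUsed"]))
        if s["authenticationRequirement"] == "singleFactorAuthentication":
            findings.append((upn, "no-mfa", s["appDisplayName"]))
        if s["conditionalAccessStatus"] == "notApplied":
            findings.append((upn, "ca-not-applied", s["appDisplayName"]))
    # Same user, different country, within the window: the log shows two normal-looking events.
    by_user = {}
    for s in ok:
        by_user.setdefault(s["userPrincipalName"], []).append(s)
    for upn, events in by_user.items():
        for a, b in zip(events, events[1:]):
            c1, c2 = a["location"]["countryOrRegion"], b["location"]["countryOrRegion"]
            if c1 != c2 and _ts(b) - _ts(a) <= travel_window:
                findings.append((upn, "multi-country", f"{c1}->{c2} within {_ts(b) - _ts(a)}"))
    return findings
```

Only carol's sign-in (MFA satisfied, Conditional Access applied) produces no finding; the others look identical to her in the raw log until a rule like this is applied.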

Secure Score – Guidance, Not Enforcement

Microsoft Secure Score provides recommendations such as:

  • Enable MFA for all users
  • Block legacy authentication
  • Configure Conditional Access
  • Reduce privileged roles (Microsoft Secure Score: What It Means and How to Improve It, 2023)

However:

Secure Score does not enforce security.

It serves as guidance only.

Organizations must convert recommendations into actionable controls.

Why This Matters Architecturally

Hybrid identity introduces a dual control plane:

  • On-premises identity (Active Directory)
  • Cloud identity (Entra ID) (What is hybrid identity with Microsoft Entra ID?, 2025)

Authentication decisions are now influenced by:

  • Cloud policies
  • Device state
  • Network location
  • User risk

This makes identity the primary security boundary.

Key Technical Takeaways

From EID-EXP-009:

  • Azure AD Connect enables identity and authentication immediately.
  • Authentication shifts to cloud validation (PHS).
  • Sign-in logs provide detailed telemetry but limited risk context.
  • Security controls must be explicitly configured.
  • Default configurations prioritize functionality rather than security.

What Should Be Implemented Immediately

After enabling hybrid identity, prioritize the following controls:

  • Conditional Access policy architecture
  • MFA enforcement for all users
  • Blocking legacy authentication protocols
  • Monitoring and alerting on sign-in activity
  • Reviewing Secure Score recommendations
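Gaps 1 to 3 in the baseline section and the first three controls in the list above are the same two checks seen from opposite sides: is legacy authentication blocked, and is MFA required for everyone. The following added example, not code from the article or the f11.ca lab, evaluates those checks against Conditional Access policies shaped like Microsoft Graph conditionalAccessPolicy objects. Both policy sets are constructed; the admin group object id is a placeholder. It treats report-only and disabled policies as not providing the control, which is the trap the Secure Score section describes: a recommendation that looks addressed but enforces nothing.

```python
# Values as they appear in Microsoft Graph conditionalAccessPolicy objects.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}
def policy(name, state, users, apps, client_types, controls):
    """Build a minimal conditionalAccessPolicy-shaped dict (constructed sample)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": users, "applications": {"includeApplications": apps},
                           "clientAppTypes": client_types},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

def _enforced(p):
    # "disabled" and report-only ("enabledForReportingButNotEnforced") policies only log.
    return p["state"] == "enabled"

def _all_users_all_apps(p):
    c = p["conditions"]
    return "All" in c["users"]["includeUsers"] and "All" in c["applications"]["includeApplications"]

def blocks_legacy_auth(p):
    # Enforced, tenant-wide, targets the legacy client app types, and blocks.
    return (_enforced(p) and _all_users_all_apps(p)
            and LEGACY_CLIENT_APP_TYPES <= set(p["conditions"]["clientAppTypes"])
            and "block" in p["grantControls"]["builtInControls"])

def requires_mfa_for_all(p):
    # Enforced, tenant-wide, covers all client app types, and grants only with MFA.
    return (_enforced(p) and _all_users_all_apps(p)
            and "all" in p["conditions"]["clientAppTypes"]
            and "mfa" in p["grantControls"]["builtInControls"])

def baseline_gaps(policies):
    """Name each baseline control that no enforced policy in the tenant provides."""
    gaps = []
    if not any(blocks_legacy_auth(p) for p in policies):
        gaps.append("legacy authentication not blocked")
    if not any(requires_mfa_for_all(p) for p in policies):
        gaps.append("MFA not required for all users")
    return gaps

ALL = {"includeUsers": ["All"], "includeGroups": []}
ADMINS = {"includeUsers": [], "includeGroups": ["<admin-group-object-id>"]}  # placeholder id
# Constructed sample: a report-only legacy block and MFA scoped to admins only.
AS_FOUND = [
    policy("Block legacy auth", "enabledForReportingButNotEnforced", ALL, ["All"],
           ["exchangeActiveSync", "other"], ["block"]),
    policy("MFA for admins", "enabled", ADMINS, ["All"], ["all"], ["mfa"]),
]
# The same two controls switched to enforced and scoped to every user.
REMEDIATED = [
    policy("Block legacy auth", "enabled", ALL, ["All"], ["exchangeActiveSync", "other"], ["block"]),
    policy("MFA for all users", "enabled", ALL, ["All"], ["all"], ["mfa"]),
]
```

In a live tenant the policy list would come from the Graph identity/conditionalAccess/policies endpoint; the checks themselves do not change.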

Final Thoughts

Hybrid identity is not merely a configuration step; it represents a security transformation.

The moment identities are synchronized to Microsoft Entra ID:

  • Authentication surface expands
  • Visibility increases
  • But so does risk.

EID-EXP-009 demonstrates that organizations should treat hybrid identity deployment as the beginning of identity security, not the conclusion.

This article is based on hands-on testing conducted in the f11.ca hybrid identity lab (Experiment ID: EID-EXP-009).

References

(2024). What is password hash synchronization with Microsoft Entra ID? Microsoft Entra ID. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs

The_Exchange_Team. (December 19, 2022). Basic Authentication Deprecation in Exchange Online – Time's Up. Microsoft Community Hub. https://techcommunity.microsoft.com/blog/exchange/basic-authentication-deprecation-in-exchange-online-%E2%80%93-time%E2%80%99s-up/3695312/replies/3722950

(2026). Azure identity & access security best practices. Microsoft Azure Documentation. https://docs.azure.cn/en-us/security/fundamentals/identity-management-best-practices

(2023). Microsoft Secure Score: What It Means and How to Improve It. AMVIA. https://amvia.co.uk/microsoft-365-security/microsoft-secure-score

(2025). What is hybrid identity with Microsoft Entra ID? Microsoft Entra ID | Microsoft Learn. https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/hybrid-identity
