Why hybrid identity is the long game, not a stepping stone to the cloud
Hybrid identity isn't a phase. For many organisations, it's the future.
Published July 7, 2026)
This is the second article in our Active Directory series. Start with Part 1: The Future of Active Directory.
Of all the ideas that IT professionals must get to grips with, the hybrid environment is one of the most ambiguous. On one level, it's simple enough: a hybrid network is one that combines a traditional on-premises datacenter footprint running Windows Server and Linux systems with third-party and private cloud platforms, knitting them together in as seamless a whole as possible.
The reality of securing them is more complex. On-premises networks and cloud platforms are built according to completely different concepts. On-premises environments based around Windows Active Directory reflect IT's past, a time when there was only one way to build a network. The cloud, by contrast, has reinvented many of these same systems and structures around new technologies that turn infrastructure and applications into a service.
For a long time, the prevailing assumption was that most IT would eventually turn into a cloud service in one form or another. This seemed logical; today's application, API, and AI-driven enterprises no longer have time to spend managing the increasingly complex technologies that underpin modern IT. From this point of view, the hybrid network was simply a transitional stage between two different eras, which would lead at some point to the cloud becoming the default.
That point was never defined on any meaningful timescale which is one reason why the concept of the hybrid network underwent an important shift in meaning. Instead of being a transition, the hybrid environment became the norm. This was pragmatic. Many organizations discovered they not only needed their on-premise network to run legacy systems but valued retaining control over some of their IT. Suddenly, the cloud was important but so was traditional datacenter network.
Rather than describing a temporary state on the road to full cloud adoption, "hybrid" came to define a long-term operating model in which both environments would co-exist and be managed as a single IT estate. Today, both meanings persist, which creates a seemingly paradoxical state where hybrid is a transitional state for some organizations while being indefinite or even permanent for many others.
Nowhere is this duality more evident than the dominant Windows platform, which has on-premises Active Directory (AD) on one side and Entra ID, formerly Azure Active Directory, on the other. Most cloud platforms, such as Amazon Web Services (AWS) or the Google Cloud Platform, emerged during the cloud era. Thanks to its operating system heritage, Microsoft is, uniquely, prominent in both on-premises and cloud. This has led to an uneasy tension between the need to serve two worlds, for customers and perhaps for Microsoft itself.
Active Directory is a mainstay of the entire computing era and Microsoft's dominance of it. Many big digital technologies have risen, fallen or evolved beyond recognition since it appeared in 2000 and yet Active Directory remains not only hugely popular but surprisingly unchanged. Inured to constant, disruptive change, the tech industry finds this kind of survival story hard to fathom. Staying the same goes against some kind of unwritten rule. Surely, there are better options than using a directory service whose underlying concepts pre-date the commercial Internet?
For a long time, it appeared that Microsoft took the same view. Active Directory was an old-fashioned directory service that was unable to match with the standards or convenience of modern cloud platforms such as Azure's Entra ID. Windows Server versions came and went but Active Directory added few if any new features and appeared to stand still.
Then in 2025, after years of what was starting to look like managed neglect, the IT world got a surprise nobody saw coming: preview builds of Windows Server 2025 unexpectedly jumped from the functional level 7 of Windows Server 2016 to Domain and Forest Functional Level (FFL) 10.
Functional level is an internal identifier that normally gets little attention but in the World of Active Directory it looms large because it has major implications for domain controller (DC) interoperability between different versions of Windows Server. This signaled something important: far from giving up on Active Directory, Microsoft was quietly extending its capabilities once again.
Active Directory was supposed to be a 'legacy' environment, something organizations would continue to support because this was necessary rather than ideal. Extending its feature set is a subtle but unmistakable change in approach. Clearly, for a company as careful as Microsoft, this wasn't done on a whim.
The new capabilities themselves look relatively minor at first sight but offer a revealing glimpse of Active Directory's positioning. For example, for years Active Directory has made do with an 8KB database page size, something which imposes limits the amount of data such as that can be associated with an object, for example, user information, and device identifiers such as certificates and authentication keys. If this isn't already a problem in Active Directory environment, it soon will be as the number of essential identity objects naturally expands over time. FFL 10 now increases this to an optional 32KB for admins that want to expand the size of directory objects beyond current limits.
Twenty years ago, a typical user object might have included data such as username, email address, a password hash, department ID, and a few group memberships. Today, it would encompass all this plus multiple types of authentication keys, cloud application memberships, compliance labels, application-based attributes, and possibly dozens of group memberships.
Some of the additional data can be explained by natural growth but, unmistakably, the largest part is being driven by the rise in hybrid cloud. Active Directory must therefore evolve because customers need new features. It is no longer always the center of the universe, but it remains important. Today, Microsoft's directory service and its users manage networks in a multi-polar world that takes in external clouds as well as Microsoft's own Entra ID. If organizations continue to use Active Directory as the primary database anchoring their identity management, that database needs to be able to cope with this new hybrid reality.
For most professionals, this will seem like an obvious point long since settled. Cloud systems aren't new. For many, the world has arguably been hybrid for some time, even if this wasn't always acknowledged by vendors. Officially, this has always been the case, but it hasn't always felt so. What Microsoft incrementing Active Directory FFL tells us is that Microsoft now accepts the new hybrid reality.
Despite the encouraging signs, hybrid environments today still face at least two closely-linked challenges when choosing Active Directory as the identity store: cloud integration and security. While the most basic integration task, synchronization, can be managed via an Active Directory Federation Services (AD FS) server, trying to knit together two environments from different computing eras inevitably creates the possibility of security gaps.
This is where hybrid networks become more challenging. Active Directory might have received a few interesting tweaks with the Windows Server 2025 update, but out of the box it remains an aging, vulnerable system with legacy weaknesses. The biggest of these is simply that in the decades since it first appeared identity has become the number one target for attackers, which in a hybrid context means Active Directory itself. This can happen in a variety of ways, including privilege elevation within Active Directory, the targeting of admin accounts, and using a compromised identity to spread an attack to the cloud.
While any identity system can become a systemic vulnerability, including those based in the cloud, Active Directory has well-known problems when it comes to resisting attacks. Out of the box, it lacks important security features such as multi-factor authentication (MFA), conditional access, account monitoring, or secure single sign-on (SSO). Meanwhile, from the other end, cloud systems were designed to be secure on their own terms without much consideration for the need to integrate with on-premise datacenters.
This is where solutions such as UserLock step in to extend the basic security policies set out in Active Directory Group Policy Objects (GPOs). This fills in gaps in Active Directory such as controlling concurrent sessions, RDS, terminal and VPN connections, and by adding a layer of real-time user monitoring. Importantly, where Active Directory can suffer from GPO sprawl, UserLock centralizes MFA, access controls, and session management in a single console.
If Active Directory were being released today, these are controls it would ship with by default. Nevertheless, by adding modern security to an incomplete platform, it becomes possible for organizations to continue using Active Directory as part of a hybrid setup without having to cede control to cloud identity platforms that might not suit their broader needs.
This reminds us that control, ultimately, is what lies at the heart of today's networks. Organizations could hand over their infrastructure to a third-party cloud platform, but many either can't or prefer not to. For years, they have been told this is a dead end way of looking at their environment. The datacenter and the cloud couldn't happily co-exist without major compromise in terms of identity management. But by pairing Active Directory and third-party tools such as UserLock, it is possible to build a hybrid network that is the best of all possible worlds.
)
)
)