Active Directory hybrid identity: Extend on-premise Active Directory identity to Entra ID

Managing hybrid identity is where most organizations find themselves: the middle ground between staying on-premises with Active Directory and migrating fully to Entra ID.

Updated July 16, 2026
How to develop a sound access management strategy in Azure Active Directory?

Windows sits between two approaches to identity and access management (IAM). Entra ID is the cloud-first future, where network infrastructure is hosted in third-party environments, beyond the traditional datacenter. At the same time, most organizations still run Active Directory networks on-premises, and they work perfectly well.

But organizations are often caught between their existing AD investment and the pull toward Entra ID. With UserLock, bringing modern access security to AD doesn't have to mean adding management overhead and complexity. UserLock bridges these two worlds, giving on-premises-first organizations simple hybrid identity management without compromising control.

Entra ID vs. on-premises Active Directory

Today’s Windows admins operate in an increasingly complex hybrid world. The networks they built careers on are based around Active Directory (AD) as the Windows IAM solution. But Microsoft’s focus on Entra ID (formerly Azure AD), it's hosted cloud directory service, creates the narrative that on-prem AD is the past. That organizations must choose one over the other. Here's how the two compare in real-world environments.

Entra ID centralizes infrastructure and management

  • Entra ID integrates the Microsoft 365 applications most organizations use into a single platform.

  • Microsoft handles service provision, freeing organizations from running complex infrastructure across multiple locations.

  • Applying security policies and controls, including single sign-on (SSO) and multi-factor authentication (MFA)., is straightforward, and MFA connectivity no longer depends on VPNs.

Active Directory offers greater control

  • Security teams retain full control over IAM in AD without relying on third-party infrastructure.

  • Organizations get certainty about data residency, which is important for strict regulatory requirements.

  • There's less dependence on online connectivity, and on-premise AD is compatible with many legacy applications that Entra ID doesn't support.

Hybrid organizations try to combine the best of both worlds

How do organizations decide which side of this divide they fall on? This depends on their long-term objectives, which fall into three groups.

1. Moving fully to the cloud

The goal is to transition wholesale to Entra ID over time while retreating from on-premises applications. 

Why would they take this route? Simplicity is usually cited as a big driver here, but it also suits organizations that must invest in new infrastructure on an ongoing basis, for example those with a heavy bias towards software development, services or ecommerce.

2. Going hybrid while retaining full IAM control

The motivation here is often to meet regulatory requirements (including data residency rules), and to support legacy applications that Entra ID can't accommodate.

For organizations in highly regulated sectors such as finance, critical infrastructure, and government, remaining in control of the AD directory service is non-negotiable. For these organizations, keeping the directory service on-premises is the baseline requirement. 

3. Staying on-premises while adopting selective cloud services

Many organizations want to extend the life of their current IAM setup, for operational or financial reasons, while standardizing on cloud applications such as Microsoft 365. MFA also becomes more convenient: it no longer depends on datacenter connectivity.

Most organizations fall into the last two groups, meaning that hybrid identity management is about weighing up pros and cons. What’s clear is that even organizations committed to on-premises will often still need to accommodate Entra ID within their setup.

Hybrid identity management creates new security risks

The two IAM systems, AD and Entra ID, share a common lineage and many underlying principles but are designed for very different environments. They're managed differently and they enforce security controls differently.

Most organizations end up with a hybrid identity approach, prioritizing elements of both on-premises AD and Entra ID to get the best of each. But this carries risks. Getting hybrid identity management wrong can create security gaps and management overhead.

Synchronizing AD and Entra ID using Microsoft tools

Organizations need tools that allow them to secure access to on-premises and SaaS resources without compromising either. This shouldn't be difficult. But Microsoft 365 applications assume Entra ID as the IAM and don't work directly with AD.

To bridge this gap, Microsoft provides three tools:

  • Active Directory Federated Services (AD FS) is the older option. It allows organizations to continue using their on-premises AD identity while federating and synchronizing with Entra ID and Microsoft 365 through a single SSO credential.

  • Entra Connect Sync (formerly Azure AD Connect) is an on-premises tool that synchronizes on-premises AD with Entra ID.

  • Entra Cloud Sync does much the same job, but runs from the cloud rather than on-premises.

All three can be complex to set up and manage, and each comes with meaningful limitations.

Is there a better way?

UserLock brings a clear advantage to on-premises and hybrid environments: the ability to keep things simple.

UserLock is built around the principle that on-premises networks should retain as much control as possible. That means IT keeps the centralization and control that matters in on-premises environments.

With UserLock, organizations keep using their existing on-premises AD identity while securely extending SSO access to Entra ID, Microsoft 365, and other SaaS applications.

UserLock combines SAML-based SSO with MFA and access controls to cover the main on-premises and hybrid networking use cases. No complex middleware, no hidden compromises.

Schedule a personalized demo

See how UserLock fits your needs and explore common use cases

How UserLock keeps Microsoft 365 SSO on-premises

With UserLock, authentication can be federated to UserLock SSO via Entra ID, giving employees secure MFA on Microsoft 365 access in a way that seamlessly integrates secure access to both on-premise and remote access environments.

UserLock-Entra-ID

When a user tries to access a Microsoft 365 application from home or work,this request contacts Entra ID for authentication. Because this is federated with UserLock SSO, Entra ID passes UserLock the request. UserLock SSO processes the request after checking the user’s credentials and authorization in the on-premise AD. With UserLock, you get the simplicity of only maintaining one identity, the on-premise identity, for access to all line of business apps.

How UserLock makes on-premise MFA more secure

When using SSO as described above, it is essential to enable MFA an extra security check. Once SSO has been configured, MFA can be turned on in UserLock for the enrolled user, group or organizational unit (OU). 

UserLock allows admins to set MFA by connection type, including by workstation, server, IIS application, VPN, and in the case of Microsoft 365, SaaS.

Granular control MFA

Admins can also apply MFA policies in a highly granular way which differentiates between, say internal and external/SaaS access.

Admins can also specify how often to prompt their end users for MFA, and offer up to two MFA methods (push notifications, authentication apps, or YubiKey/Token2 hardware tokens).

Multiple MFA methods

Setting up MFA and SSO is simple with the UserLock configuration wizard.

MFA in hybrid environments is often a complex problem. UserLock makes this as simple as possible while keeping the IAM handling authentication (on prem AD) onsite.

Hybrid network security doesn't have to mean an identity compromise

Every organization building a hybrid environment faces the same question: which IAM system takes the lead, on-prem AD or Entra ID? There's no universal right answer, but the choice has real implications for how security is managed day to day.

Each approach has its trade-offs, but there's no escaping that on-premises AD offers more control. In regulated industries and critical infrastructure, that control isn't optional.

With UserLock, admins can keep things simple. By keeping authentication in on-premises AD, even for SaaS access, UserLock gives organizations built around on-premises infrastructure the benefits of secure hybrid access, without identity sprawl.

XFacebookLinkedIn

Daniel Garcia Navarro

Engineering Director, IS Decisions

Daniel Garcia is Engineering Director at IS Decisions, where he leads the development of secure and scalable access management solutions. He holds a Master’s degree in Telecommunications Engineering and brings strong technical expertise to enterprise identity security.