Hybrid Identity Cloud Management Horror Stories & How to Prevent Them

Posted by: Sander Berkouwer March 16, 2020

Category: Topic: Cloud Technology

On Saturday, February 29th, 2020, I presented at Azure Saturday Belgrade on Hybrid Identity.

The First Session of Its Kind

I have presented and co-presented a lot of sessions telling and showing people how to set up and manage Hybrid Identity. In more recent years, you might have witnessed me present on the most common mistakes when implementing and managing Hybrid Identity. However, as my experience grew, so did the complexity of my implementations.
The news got around and I was called into a couple of horror stories regarding Hybrid Identity. My ‘six horror stories of Hybrid Identity mismanagement’ session showcases these stories. For me, this was the first time I presented this session and it resonated with the audience.

About Hybrid Identity

Hybrid Identity emerges when you extend the on-premises Active Directory to Azure Active Directory. The easiest way to achieve it is to deploy Azure AD Connect, Microsoft’s free synchronization solution. Objects and their attributes are automatically synchronized from AD to Azure AD. Azure AD knows how to authenticate these users and will act according to the sign-in method specified in Azure AD Connect.

Benefits of Hybrid Identity include:

•  Single sign-on to both cloud and on-premises resources
•  Conditional Access to cloud resources with the option to require multi-factor authentication

[Image: Single sign-on method; source: Microsoft Azure]

My Recommendations for Hybrid Identity Management

For those not able to attend my session, of course, I’ll share my conclusion below. It’s a simple three-point approach:
•  Keep current
•  Implement multi-factor authentication
•  Keep thinking

Keep Current

Organizations have grown used to implementing IT resources and writing them off in four or five years. That approach no longer works. Windows Server releases may still be every three years, but other Hybrid Identity components are updated much faster: Azure AD Connect has a new major release every 6 months. Azure AD appears to change daily.

These different release cycles require continuous attention to the on-premises side of Hybrid Identity, not a one-time project.

You can’t use many features of Hybrid Identity in the following scenarios:
• when your Domain Controllers still run Windows Server 2008
• when your Active Directory still operates at the Windows Server 2003 functional levels
• when your Azure AD Connect server runs Windows Server 2012

Your Hybrid Identity project wouldn’t be the first to go 300% over budget because of everything you need to do to get Active Directory in shape for Hybrid Identity…
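The three blocking scenarios above can be checked in a few minutes before a Hybrid Identity project starts. The script below is an added example, not code from the original post; it assumes a domain-joined machine with the RSAT Active Directory module, and the third check only makes sense when run on the Azure AD Connect server itself.

```powershell
# Added example: audit the "keep current" prerequisites named in the post.
# Assumes RSAT (ActiveDirectory module) is installed and the caller can read AD.
Import-Module ActiveDirectory

$findings = @()

# 1. Domain Controllers still running Windows Server 2008 / 2008 R2
$oldDcs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -match 'Windows Server 2008' }
foreach ($dc in $oldDcs) {
    $findings += "DC $($dc.HostName) runs $($dc.OperatingSystem)"
}

# 2. Forest or domain functional level still at Windows Server 2003
#    (the enum values are named like Windows2003Forest / Windows2003Domain)
$forest = Get-ADForest
$domain = Get-ADDomain
if ("$($forest.ForestMode)" -match '2003') {
    $findings += "Forest functional level is $($forest.ForestMode)"
}
if ("$($domain.DomainMode)" -match '2003') {
    $findings += "Domain functional level is $($domain.DomainMode)"
}

# 3. The local server (run this on the Azure AD Connect host) on Windows Server 2012
#    Note: the pattern also matches 2012 R2; adjust if that is acceptable for you.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -match 'Windows Server 2012') {
    $findings += "Azure AD Connect host runs $($os.Caption)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No blocking Hybrid Identity prerequisites found.'
} else {
    Write-Warning 'Hybrid Identity prerequisites not met:'
    $findings | ForEach-Object { Write-Warning "  - $_" }
}
```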

You have to keep within the boundaries of support. Microsoft intends to lay out these boundaries more sharply starting November 2020 with an 18-month support period by default for Azure AD Connect releases. You have been warned…

Implement Multi-factor Authentication

Multi-factor authentication (or MFA for short) is a method to allow additional verification when people authenticate with their combination of username and password. It extends beyond the things people know (and can convey or leak to an attacker) by requiring proof of something they own (a phone number, or an Authenticator App installation) or requiring proof of something they are (a fingerprint, a face scan, etc.).
Today, requiring multi-factor authentication is the best way to ensure information security. It’s not perfect, but it’s the best thing we’ve got.
Microsoft has been fumbling around in the MFA space the past couple of years but has now finally found its MFA mojo with Conditional Access and Azure AD Identity Protection.
If you’re using Azure MFA Server, then it’s time to say goodbye to it, because it’s being deprecated. You can’t perform new installs of MFA Server at the moment, so the deprecation is already in its final stages. Migrate MFA Server to Azure MFA using the built-in Azure MFA Adapter in AD FS on Windows Server 2016, or use the Azure MFA NPS Extension to integrate RADIUS-based resources.
Don’t hesitate because of the price. When you use the new Security Defaults feature in Azure AD, you can require multi-factor authentication for free, and your people can use the free Microsoft Authenticator App to authenticate themselves.
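Security Defaults are a single tenant-wide switch, so you can verify (and, if needed, flip) them from a script. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in administrator consents to the scope shown.

```powershell
# Added example: check whether Security Defaults are enabled for the tenant
# via Microsoft Graph, and enable them when they are off.
# Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$uri = 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri

if ($policy.isEnabled) {
    Write-Output 'Security Defaults already enabled: MFA registration is required for all users.'
} else {
    Write-Warning 'Security Defaults are off; enabling them now.'
    Invoke-MgGraphRequest -Method PATCH -Uri $uri `
        -Body @{ isEnabled = $true } -ContentType 'application/json'
}
```

Security Defaults and Conditional Access policies are mutually exclusive in a tenant, so in a tenant that already uses Conditional Access the PATCH is rejected and you enforce MFA through a Conditional Access policy instead.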

Keep Thinking

My last horror story focused on an organization that followed every information security manual from Microsoft and had a perfect Secure Score. Unfortunately, a fire burned down one of their central offices and they got locked out of their Azure tenant.

There’s a lot of good information out there and Microsoft’s own Docs pages are the best. However, as an admin, you still have to apply your own common sense. Think about your Identity Single Points of Failure (SPoFs), and mitigate them, before they snag your environment.


I hope you liked my session or at least find my recommendations useful. Until we meet again at an event near you, in a webinar of your interest, or on dirteam.com.

About the author – Sander Berkouwer

Sander Berkouwer is a Dutch IT Professional and has been a Microsoft Most Valuable Professional (MVP) in Directory Services for the past ten years.

He works as senior identity consultant at SCCT in the Netherlands, where he helps colleagues and customers make the most out of Microsoft products, strategies and technologies. Sander is blogging almost daily about Active Directory, his favourite Microsoft technology, on DirTeam.com. He regularly gets invited as a speaker for his enthusiastic approach, his in-depth real-world knowledge and of course as the author of the much-appraised Active Directory Cookbook.
