We're currently navigating a situation where we have a hybrid setup, with most users in a cloud-only environment via Entra, but one specific client still requires their on-premises Active Directory (AD) to manage local servers. They've also integrated Microsoft 365 Business Premium, but these systems are entirely segregated right now. It's been a while since I've handled a setup like this, and I'm eager to know the best practices in 2026 for streamlining operations, particularly regarding identity management. How can we ensure a unified experience with a single set of credentials and single sign-on (SSO) across PCs and Microsoft 365 services? Specifically, is using Entra Connect with password sync and seamless SSO still the recommended approach? I suspect we'll continue managing devices through Group Policy Objects (GPO), so my primary focus is on the identity management side. Any insights would be greatly appreciated!
2 Answers
We decided not to go hybrid. Instead, we're fully enrolled and manage everything through Intune and Azure AD. For users who absolutely need access to on-prem servers for specific applications, we set them up with local AD accounts to access those resources. We're aiming to phase out our on-prem applications in the near future, hence this setup.
Yes, Entra Connect with password hash sync and seamless SSO is still the go-to method. Many organizations still rely on on-premises AD as the primary identity source and sync that to Entra so users have one set of credentials across AD and M365. Device management through GPO is quite common in environments that are heavily based on AD. From my experience, managing identity is usually straightforward, but operational aspects like onboarding and access requests can get complicated. We pushed a lot of these requests through our service desk which helped streamline the process; we're currently testing Siit, which automates many internal requests and prevents important tasks from slipping through the cracks.
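
The checks below are an added example, not code from the original answers or from Microsoft. They show what a practitioner would verify on the Entra Connect server for the password hash sync (PHS) plus seamless SSO setup the answer recommends: that the sync scheduler is live, that PHS is enabled and recently succeeded, and how old the seamless SSO Kerberos key is. The connector name `contoso.com`, the default install path, and the 30-day key age threshold are assumptions to adjust for your environment.

```powershell
# Added example (not from the original thread): health and security checks for an
# Entra Connect deployment that uses password hash sync (PHS) and seamless SSO.
# Run in an elevated PowerShell session on the Entra Connect server.
# Assumptions (adjust for your environment): the AD connector is named "contoso.com",
# Entra Connect is installed in its default path, and 30 days is the maximum
# acceptable age for the seamless SSO Kerberos key.

Import-Module ADSync            # ships with Entra Connect
Import-Module ActiveDirectory   # RSAT AD module

$SourceConnector = "contoso.com"   # assumed connector name
$MaxKeyAgeDays   = 30              # assumed threshold (Microsoft's guidance is to roll at least every 30 days)

function Get-SyncHealth {
    # A disabled scheduler or staging mode means nothing is being written to Entra,
    # which surfaces as "my new password does not work in M365".
    $sched = Get-ADSyncScheduler
    $phs   = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector

    # PHS writes to the Application log under source "Directory Synchronization":
    # 657 = result of a password change sync, 611 = password sync failure.
    $lastResult  = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 657 }
    $lastFailure = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 611 }

    [pscustomobject]@{
        SyncCycleEnabled = $sched.SyncCycleEnabled
        StagingMode      = $sched.StagingModeEnabled
        NextSyncUtc      = $sched.NextSyncCycleStartTimeInUTC
        PasswordHashSync = $phs.Enabled
        LastPhsResult    = $lastResult.TimeCreated
        LastPhsFailure   = $lastFailure.TimeCreated
    }
}

function Get-SeamlessSsoKeyAge {
    # Seamless SSO lets domain-joined clients obtain a Kerberos ticket for
    # HTTP/autologon.microsoftazuread-sso.com, encrypted with the password of the
    # AZUREADSSOACC computer account. Anyone holding that key can forge such tickets
    # for any synced user, so the key should be rolled regularly.
    $acct = Get-ADComputer -Identity AZUREADSSOACC -Properties PasswordLastSet
    $age  = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $acct.PasswordLastSet
        AgeDays         = [int]$age.TotalDays
        RolloverDue     = $age.TotalDays -gt $MaxKeyAgeDays
    }
}

function Invoke-SeamlessSsoKeyRollover {
    # Rolls the AZUREADSSOACC Kerberos decryption key with the module that ships
    # with Entra Connect. Prompts for an Entra Global Administrator first, then for
    # an on-prem Domain Administrator of the forest named in $SourceConnector.
    Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
    New-AzureADSSOAuthenticationContext
    Update-AzureADSSOForest -OnPremCredentials (Get-Credential -Message "Domain admin for $SourceConnector")
    Get-AzureADSSOStatus
}

# Usage
Get-SyncHealth | Format-List
$sso = Get-SeamlessSsoKeyAge
$sso | Format-List
if ($sso.RolloverDue) {
    Write-Warning "AZUREADSSOACC key is $($sso.AgeDays) days old; run Invoke-SeamlessSsoKeyRollover in a maintenance window."
}
```

On a client PC, `dsregcmd /status` shows whether the device is hybrid-joined (both `DomainJoined` and `AzureAdJoined` YES), and `klist get HTTP/autologon.microsoftazuread-sso.com` confirms the domain controller will issue the ticket seamless SSO relies on; if that fails, check that the AZUREADSSOACC account exists and that the autologon URL is in the browser's intranet zone (typically pushed by GPO, which fits the GPO-managed setup described in the question).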

We faced similar challenges mixing on-prem AD with M365. While identity management was manageable, onboarding and offboarding across systems became a real pain. I'm curious about Siit – is it mainly for request routing, or does it also automate changes in AD and M365?