Entra ID hybrid identity consultant.
Built to survive the next decade.
Entra Connect. Conditional Access. MFA enforcement. Legacy authentication retirement. ADFS decommission. The work most companies started in 2018 and never quite finished.
Service detail
Conditional Access policy design done right
Conditional Access by user, app, location, and risk. MFA enforcement with Authenticator, FIDO2, and hardware keys. Legacy auth blocking. ADFS retirement. Documented for the operations team.
What's in scope
- Entra Connect installation, sync rule design, attribute filtering
- Conditional Access policy design — by user, app, location, risk
- Multi-factor authentication rollout (Authenticator app, FIDO2, hardware keys)
- Modern authentication enforcement (legacy auth blocking)
- Self-service password reset and writeback
- ADFS retirement and migration to Entra-only authentication
- Hybrid Azure AD Join / Entra Join for managed devices
- Privileged Identity Management for tier-0 access control
Why hybrid identity is hard
- On-prem AD attribute schema dictates what Entra ID can do
- ADFS dependencies are usually undocumented
- Conditional Access can lock you out if rolled out in the wrong order
- MFA enforcement breaks legacy applications nobody remembered
- Service accounts often need separate handling from human accounts
What you get
- Documented identity architecture (current and target state)
- Conditional Access policy ruleset with break-glass procedures
- MFA rollout plan with user communication templates
- Legacy auth audit and remediation
- ADFS retirement runbook (if applicable)
FAQ
Common questions about hybrid identity.
What does an Entra ID hybrid identity consultant do?
An Entra ID hybrid identity consultant designs and rolls out the identity layer that connects on-premises Active Directory to Microsoft Entra ID, then hardens it to current best practice. Scope: Entra Connect installation, sync rule design and attribute filtering, Conditional Access policy design (by user, app, location, risk), multi-factor authentication rollout (Authenticator app, FIDO2, hardware keys), modern authentication enforcement and legacy auth blocking, self-service password reset and writeback, ADFS retirement and migration to Entra-only authentication, Hybrid Azure AD Join / Entra Join for managed devices, and Privileged Identity Management for tier-0 access control. Build break-glass emergency-access accounts first, deploy in report-only mode for 7-14 days, then enforce — never enable a baseline policy that affects all users without a phased rollout.
What's the difference between Entra Connect and Entra Cloud Sync?
Entra Connect (the older agent, formerly Azure AD Connect) runs on a Windows Server, supports complex sync rules and password hash sync, and is required for hybrid Exchange writeback. Entra Cloud Sync runs as lightweight agents and is the modern alternative for greenfield or simpler topologies. Most existing customers run Entra Connect; we evaluate whether Cloud Sync fits during architecture review.
Should we still run ADFS in 2026?
Almost never. ADFS was the federation answer of 2015 — Entra ID's modern authentication, Conditional Access, and Pass-Through Authentication or Password Hash Sync now cover virtually every scenario ADFS used to. Maintaining ADFS today means running an extra server tier, an extra cert-renewal cycle, and an extra attack surface. ADFS retirement is one of the highest-impact modernization projects we deliver.
How do we roll out Conditional Access without locking users out?
Three rules: build break-glass emergency-access accounts excluded from all CA policies first, deploy every new policy in 'report-only' mode for 7–14 days before enforcing, and never enable a baseline policy that affects all users without a phased rollout. We follow Microsoft's recommended starter policy set, then layer in customer-specific risk-based policies — never the other way around.
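The three rules above (break-glass exclusion first, report-only before enforcement, phased rollout), as an added example in Microsoft Graph PowerShell that is not the consultancy's own tooling. It assumes the Microsoft Graph PowerShell SDK is installed, that the two break-glass UPNs and the policy name are placeholders you replace, and that the audit function is run before every switch from report-only to enforced.

```powershell
# Added example: create a Conditional Access policy in report-only mode with the
# break-glass accounts excluded, then audit all policies for that exclusion.
# Placeholder values: the two break-glass UPNs and the policy display name.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Rule 1: resolve the break-glass accounts by object id so a UPN rename can
# never silently drop the exclusion.
$breakGlassIds = @(
    (Get-MgUser -UserId "breakglass1@contoso.example").Id,   # placeholder
    (Get-MgUser -UserId "breakglass2@contoso.example").Id    # placeholder
)

# Rule 2: the new policy starts in report-only mode; the sign-in log then shows
# what it WOULD have done for 7-14 days without blocking anyone.
$policy = @{
    displayName    = "CA002 - Require MFA for all users"          # placeholder name
    state          = "enabledForReportingButNotEnforced"
    conditions     = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls  = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Audit: list every non-disabled policy that would still catch a break-glass
# account. This must return nothing before any policy is moved to "enabled".
function Get-PolicyMissingBreakGlassExclusion {
    param([string[]]$BreakGlassIds)
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $p = $_
        $p.State -ne "disabled" -and
        @($BreakGlassIds | Where-Object { $_ -notin $p.Conditions.Users.ExcludeUsers }).Count -gt 0
    } | Select-Object DisplayName, State
}
Get-PolicyMissingBreakGlassExclusion -BreakGlassIds $breakGlassIds

# Rule 3 (after the report-only window and a phased pilot group, not before):
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

The enforcement line is left commented on purpose: it is the step you run only once the report-only results and the audit output have been reviewed.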
What about MFA for service accounts and shared mailboxes?
Service accounts get Workload Identity Federation, managed identities (in Azure), or certificate-based authentication — never username + password + MFA. Shared mailboxes don't authenticate (they're sign-in blocked); access is delegated through the user's primary account. Legacy authentication blocking and Conditional Access for service principals are part of every Entra hardening engagement.
What does identity look like today?
Tell us about your AD, Entra Connect, and ADFS state. Two-business-day response with scope and a fixed-fee range.