Description
Key Focus Areas:
Hybrid Identity Architecture
Zero Trust Access Governance
Private-Only Workload Exposure
Three-Tier Network Segmentation
Azure Bastion Secure Access
Entra Connect Hybrid Identity
Executive Summary
Architected a Zero Trust hybrid security architecture for enterprise environments integrating on-premises Active Directory with Azure cloud workloads — establishing identity-first access governance, private-only workload exposure, three-tier network segmentation, Just-in-Time administrative access through Azure Bastion, and centralised threat monitoring through Microsoft Sentinel.
The architecture addresses the specific security challenges of hybrid environments where identity spans both on-premises and cloud domains, workloads must remain privately exposed without public IP addresses, and administrative access must be governed without exposing RDP or SSH endpoints to the network.
Unlike purely cloud-native Zero Trust models, this architecture is designed for the operational reality of organisations with existing on-premises Active Directory investments — extending Zero Trust principles consistently across both identity domains without requiring full cloud migration.
Business Drivers
Hybrid enterprise environments face a distinct set of security challenges that purely cloud-native architectures do not encounter. On-premises Active Directory identities must be extended into Azure without creating authentication gaps or inconsistent access governance across the two domains. Cloud-hosted workloads must remain accessible to on-premises users and administrators without public network exposure. Administrative access paths must be governed without relying on VPN-dependent RDP or SSH connectivity.
This architecture was designed to address the security requirements of organisations where hybrid infrastructure creates the following operational risks:
Inconsistent identity governance across on-premises AD and Azure cloud resources — authentication strength and access policies diverge between domains
Public IP exposure of cloud-hosted workloads creating unnecessary attack surface accessible to external threat actors
Flat or insufficiently segmented network architectures enabling lateral movement between web, application, and database tiers following initial compromise
Overexposed administrative access through open RDP and SSH ports creating persistent high-value attack vectors
Limited centralised visibility into authentication activity and infrastructure events spanning both on-premises and cloud domains
Difficulty enforcing least-privilege access consistently across hybrid identity environments with mixed cloud and on-premises resource ownership
Increasing compliance requirements demanding measurable, auditable security controls across the full hybrid estate
Operational Constraints
The architecture was designed to operate within the following constraints specific to hybrid enterprise environments:
On-premises Active Directory is the authoritative identity source — cloud identity governance must extend from and remain consistent with on-premises identity management
Hybrid identity synchronisation must preserve on-premises group memberships, UPN formats, and password hash synchronisation for seamless cloud authentication
Administrative access to cloud workloads must remain operational for on-premises administrators without requiring direct public network exposure of management ports
Workload segmentation must accommodate three-tier application architectures where web, application, and database tiers have distinct connectivity and exposure requirements
Security controls must not introduce excessive operational friction for administrators or end users operating across both on-premises and cloud environments
Centralised monitoring must aggregate telemetry from both on-premises identity infrastructure and Azure cloud services into a unified visibility platform
All security controls must produce auditable evidence aligned to NIST SP 800-207 and CIS Controls v8 compliance requirements
Objectives
Establish unified hybrid identity governance extending on-premises Active Directory authentication into Azure through Entra Connect synchronisation
Enforce consistent Conditional Access policies governing authentication strength and device compliance across all hybrid identities regardless of resource location
Eliminate public IP exposure for all cloud-hosted workloads — no direct internet-accessible management or application endpoints
Implement three-tier network segmentation isolating web, application, and database workload tiers through NSG-enforced traffic controls
Secure all administrative access through Azure Bastion — eliminating open RDP and SSH port exposure entirely
Enforce Just-in-Time VM access reducing management port exposure windows to approved, time-bound access periods only
Centralise security telemetry from both hybrid identity infrastructure and Azure workloads into a unified Sentinel SIEM platform
Align all implemented controls with NIST SP 800-207 Zero Trust Architecture and CIS Controls v8 compliance frameworks
Architecture Principles
Never trust, always verify — no implicit trust based on network location or domain membership alone
Identity as the primary security perimeter — authentication decisions based on verified identity, device state, and contextual risk across both on-premises and cloud domains
Private-only workload exposure — public IP addresses eliminated from all workload and management surfaces
Segmentation by design — web, application, and database tiers are architecturally isolated with explicit allow rules governing inter-tier communication
Least-privilege operational access enforced through RBAC and JIT workflows across all administrative functions
Secure-by-default administrative access — Azure Bastion as the exclusive administrative path eliminating all direct management port exposure
Continuous monitoring across both identity domains — on-premises authentication events and cloud activity logs unified in a single SIEM platform
Compliance by design — security controls mapped to NIST and CIS framework requirements from the initial architecture phase
Architecture Overview
The solution is structured as a four-layer hybrid Zero Trust architecture addressing the specific challenges of hybrid identity, private workload exposure, three-tier segmentation, and centralised monitoring across both on-premises and cloud domains.
1. Hybrid Identity Control Plane
The identity layer establishes unified authentication governance across on-premises Active Directory and Azure Entra ID — the foundational requirement for consistent Zero Trust enforcement in hybrid environments.
Entra Connect — Hybrid Identity Synchronisation
Entra Connect synchronises on-premises Active Directory identities into Microsoft Entra ID, establishing a unified identity plane across both domains.
| Synchronisation Component | Configuration | Purpose |
|---|---|---|
| Password Hash Synchronisation | Enabled | Cloud authentication without on-premises dependency |
| UPN Synchronisation | Matched to routable domain | Consistent user identity across domains |
| Group Synchronisation | Selective group sync | Cloud RBAC assignment from on-premises groups |
| Device Writeback | Enabled | Hybrid Azure AD join for Conditional Access device compliance |
| Seamless SSO | Enabled | Transparent authentication for domain-joined devices |
Password Hash Synchronisation is selected over Pass-Through Authentication for this architecture — providing cloud authentication resilience independent of on-premises AD availability, which is critical for hybrid environments where on-premises connectivity cannot be guaranteed during incidents.
Conditional Access — Unified Access Governance
Conditional Access policies govern every authentication event for hybrid identities — enforcing consistent access requirements regardless of whether the resource is on-premises or cloud-hosted.
| Policy | Conditions | Grant Controls |
|---|---|---|
| Require MFA — All Hybrid Users | All cloud apps, all hybrid identities | Require MFA |
| Block Legacy Authentication | Legacy auth protocols (NTLM, Basic Auth) | Block access |
| Require Compliant or Hybrid-Joined Device | Azure portal and management resources | Require Hybrid Azure AD joined or Intune compliant device |
| Location-Based Restriction | Authentication from outside named trusted locations | Require MFA + compliant device |
| Risk-Based Access Response | Entra Identity Protection: Medium or High risk | Require MFA + require password change |
The device compliance policy specifically leverages Hybrid Azure AD join — enabling on-premises domain-joined devices to satisfy Conditional Access device requirements without requiring full Intune management, which is a critical accommodation for hybrid environments with existing on-premises device management.
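The policy table above is easiest to reason about once the combination semantics are written down: every Conditional Access policy whose conditions match a sign-in must be satisfied, so the required controls are the union of the matching grant controls, and a single matching Block policy wins outright. The following Python model is an added example for this page, not Entra ID code or the project's own tooling. The policy and control names come from the table; the sign-in attributes, the list of "management apps", and the single `managed_device` control (which folds the separate hybrid-joined and Intune-compliant controls into one OR) are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set, Tuple

# Model of the Conditional Access policy table above. Policy and control
# names follow the table; the SignIn attributes, MANAGEMENT_APPS and the
# "managed_device" control (hybrid-joined OR Intune-compliant) are this
# example's simplifications, not Entra ID's data model.


@dataclass(frozen=True)
class SignIn:
    user: str
    hybrid_identity: bool      # synced from on-premises AD via Entra Connect
    app: str                   # cloud app being accessed
    legacy_protocol: bool      # basic-auth style client that cannot complete MFA
    device_state: str          # "hybrid_joined" | "intune_compliant" | "unmanaged"
    trusted_location: bool     # inside a named trusted location
    risk: str                  # Identity Protection sign-in risk: none|low|medium|high


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    grant: FrozenSet[str]      # controls that must ALL be satisfied
    block: bool = False        # a Block policy overrides every grant


MANAGEMENT_APPS = {"Azure portal", "Azure Resource Manager"}   # assumed "management resources"
MANAGED_DEVICE_STATES = {"hybrid_joined", "intune_compliant"}

POLICIES: List[Policy] = [
    Policy("Require MFA - All Hybrid Users",
           lambda s: s.hybrid_identity, frozenset({"mfa"})),
    Policy("Block Legacy Authentication",
           lambda s: s.legacy_protocol, frozenset(), block=True),
    Policy("Require Compliant or Hybrid-Joined Device",
           lambda s: s.app in MANAGEMENT_APPS, frozenset({"managed_device"})),
    Policy("Location-Based Restriction",
           lambda s: not s.trusted_location, frozenset({"mfa", "managed_device"})),
    Policy("Risk-Based Access Response",
           lambda s: s.risk in {"medium", "high"}, frozenset({"mfa", "password_change"})),
]


def evaluate(signin: SignIn, policies=POLICIES) -> Tuple[str, List[str]]:
    """Combine every policy that applies to the sign-in.

    All matching policies must be satisfied, so the required controls are the
    union of their grant controls; one matching Block policy blocks regardless.
    Returns ("block", [blocking policy names]) or ("grant", [required controls]).
    """
    matched = [p for p in policies if p.applies(signin)]
    blockers = [p.name for p in matched if p.block]
    if blockers:
        return "block", blockers
    required: Set[str] = set()
    for p in matched:
        required |= p.grant
    return "grant", sorted(required)


def access_granted(signin: SignIn, completed: Set[str], policies=POLICIES) -> bool:
    """True if the sign-in satisfies every required control.

    `completed` holds the interactive controls the user performed ("mfa",
    "password_change"); the device control is derived from the device state
    the hybrid-joined or Intune-managed device presents at sign-in.
    """
    decision, required = evaluate(signin, policies)
    if decision == "block":
        return False
    satisfied = set(completed)
    if signin.device_state in MANAGED_DEVICE_STATES:
        satisfied.add("managed_device")
    return set(required) <= satisfied


if __name__ == "__main__":
    # Constructed sample sign-ins, each exercising a different row of the table.
    samples = {
        "legacy IMAP client": SignIn("jdoe", True, "Exchange Online", True, "unmanaged", True, "none"),
        "admin, portal, domain-joined PC": SignIn("asmith", True, "Azure portal", False, "hybrid_joined", True, "none"),
        "user, unmanaged laptop, off-site": SignIn("bwong", True, "SharePoint Online", False, "unmanaged", False, "none"),
        "user, high sign-in risk": SignIn("clee", True, "SharePoint Online", False, "hybrid_joined", True, "high"),
    }
    for label, s in samples.items():
        print(f"{label}: {evaluate(s)}; granted with MFA only -> {access_granted(s, {'mfa'})}")
```

The off-site unmanaged laptop case is the one worth checking: MFA alone is not enough, because the location policy also demands a managed device, which an unmanaged device can never satisfy. That is exactly the gap the Hybrid Azure AD join decision above closes for existing domain-joined fleets.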
2. Network Segmentation Control Plane
The network architecture implements private-only workload exposure with three-tier segmentation enforcing strict inter-tier traffic control through NSG-based micro-segmentation.
Private-Only Workload Exposure
All workloads in this architecture are deployed without public IP addresses. There are no directly internet-accessible endpoints for application workloads, management interfaces, or administrative services. External application access is mediated through Azure Application Gateway or Azure Front Door where required — internal workloads never receive direct public IP assignment.
This eliminates the most common attack surface in hybrid cloud environments: publicly exposed workloads that are reachable by external threat actors before authentication controls are evaluated.
Three-Tier Network Architecture
| Subnet | Tier | Permitted Inbound | Permitted Outbound |
|---|---|---|---|
| WebSubnet | Presentation tier | Application Gateway / Front Door only | AppSubnet only |
| AppSubnet | Application tier | WebSubnet only | DBSubnet + Azure services |
| DBSubnet | Data tier | AppSubnet only | Deny all outbound |
| BastionSubnet | Administrative access | Azure Bastion service tags only | VNet (RDP/SSH to targets) |
| ManagementSubnet | Management infrastructure | BastionSubnet only | Restricted |
NSG Rule Design Principles:
Default deny-all inbound and outbound rules on all subnets — explicit allow rules define all permitted traffic flows
Inter-tier communication restricted to the minimum required ports for application functionality
Database tier isolated — no direct access from web tier, only from application tier
No subnet-to-subnet communication permitted outside defined application tier flows
NSG flow logs enabled on all subnets for network traffic visibility and forensic investigation
Why Three-Tier Segmentation Matters in Hybrid Environments: On-premises networks frequently have flat or insufficiently segmented architectures that have accumulated over years of growth. Cloud workload deployments provide the opportunity to enforce segmentation from the foundation — preventing the lateral movement patterns that exploit flat network trust in hybrid environments where on-premises compromises can pivot into cloud workloads through hybrid connectivity paths.
3. Workload Access & Protection Layer
The workload protection layer governs administrative access to cloud-hosted VMs through Azure Bastion and Just-in-Time access controls — eliminating all direct management port exposure.
Azure Bastion — Exclusive Administrative Access Path
Azure Bastion provides browser-based RDP and SSH connectivity to Azure VMs through the Azure portal — without requiring public IP addresses on target VMs or open management ports in NSG rules.
Key capabilities:
Secure browser-based RDP and SSH sessions terminating at the Bastion host — no direct VM port exposure required
Integration with Entra ID authentication — administrators authenticate through the Azure portal before Bastion connectivity is established
Session logging and auditing — all Bastion sessions are logged with user identity, target VM, session duration, and activity
No public IP requirement on target VMs — VMs remain entirely private while remaining administratively accessible
Elimination of jump server management overhead — Bastion replaces traditional jumpbox VM models with a managed PaaS service
Why Bastion over Traditional Jumpbox VMs: Traditional jumpbox VMs require ongoing OS patching, security hardening, availability management, and public IP exposure to enable external administrative access. Azure Bastion eliminates this management overhead entirely as a Microsoft-managed PaaS service — providing equivalent administrative access with lower operational cost and no public IP exposure requirement.
Just-in-Time VM Access
JIT VM Access through Defender for Cloud enforces time-bound management port access — complementing Azure Bastion for scenarios requiring direct port-level access governance.
Management ports (RDP 3389, SSH 22) blocked by default through NSG rules — no standing exposure
JIT access requests require explicit user request, source IP specification, and defined access duration
Approved requests dynamically open management ports for the requesting source IP only, for the approved duration
Automatic port closure after access window expiry — no manual cleanup required
Complete audit trail of every JIT request, approval, and access event
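The three-tier subnet table and NSG design principles above, together with the JIT port-opening workflow, share one underlying mechanism: Azure NSG rule evaluation, where the lowest-numbered matching rule wins and anything unmatched is denied. The Python model below is an added example for this page, not Azure code or the project's deployment templates. It encodes the tier matrix as NSG rules with explicit deny-all rules at priority 4096, evaluates cross-subnet flows through the source outbound and destination inbound NSGs, and then models an approved JIT request as a time-bound allow rule that stops matching when it expires. Subnet names stand in for the address prefixes or application security groups a real rule would reference; the port numbers (443 to the web tier, 8080 web-to-app, 1433 app-to-db), the service-tag names, the rule priorities, the 3-hour JIT window and the on-premises admin address 10.50.0.25 are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Model of the three-tier NSG matrix and of a JIT-opened port. Permitted flows
# follow the subnet table above; ports, service-tag names, priorities and the
# JIT window are this example's assumptions. Subnet names stand in for the
# address prefixes / application security groups a real NSG rule references.


@dataclass
class Rule:
    priority: int                 # lower number evaluated first; custom rules use 100-4096
    direction: str                # "Inbound" | "Outbound"
    access: str                   # "Allow" | "Deny"
    source: str                   # subnet, service tag, IP address, or "*"
    destination: str
    ports: FrozenSet[object]      # destination ports, or {"*"}
    expires: Optional[datetime] = None   # set only on JIT-created rules


def deny_all(direction: str) -> Rule:
    # Explicit deny at the lowest custom priority so Azure's built-in
    # AllowVnetInBound / AllowVnetOutBound (priority 65000) never applies.
    return Rule(4096, direction, "Deny", "*", "*", frozenset({"*"}))


def build_three_tier() -> Dict[str, List[Rule]]:
    """One NSG (holding both directions) per subnet."""
    return {
        "WebSubnet": [
            Rule(200, "Inbound", "Allow", "ApplicationGateway", "WebSubnet", frozenset({443})),
            Rule(200, "Outbound", "Allow", "WebSubnet", "AppSubnet", frozenset({8080})),
            deny_all("Inbound"), deny_all("Outbound")],
        "AppSubnet": [
            Rule(200, "Inbound", "Allow", "WebSubnet", "AppSubnet", frozenset({8080})),
            Rule(210, "Inbound", "Allow", "BastionSubnet", "AppSubnet", frozenset({22, 3389})),
            Rule(200, "Outbound", "Allow", "AppSubnet", "DBSubnet", frozenset({1433})),
            Rule(210, "Outbound", "Allow", "AppSubnet", "AzureCloud", frozenset({443})),
            deny_all("Inbound"), deny_all("Outbound")],
        "DBSubnet": [
            Rule(200, "Inbound", "Allow", "AppSubnet", "DBSubnet", frozenset({1433})),
            deny_all("Inbound"), deny_all("Outbound")],          # data tier: no outbound at all
        "BastionSubnet": [   # abbreviated: Bastion's own documented inbound rules are omitted
            Rule(200, "Outbound", "Allow", "BastionSubnet", "*", frozenset({22, 3389})),
            deny_all("Inbound"), deny_all("Outbound")],
    }


def _matches(rule: Rule, src: str, dst: str, port: int, now: datetime) -> bool:
    if rule.expires is not None and now >= rule.expires:
        return False                       # an expired JIT rule behaves as if removed
    return (rule.source in ("*", src) and rule.destination in ("*", dst)
            and ("*" in rule.ports or port in rule.ports))


def decide(rules: List[Rule], direction: str, src: str, dst: str, port: int, now: datetime) -> str:
    """NSG evaluation: the lowest-priority-number matching rule wins; no match means Deny."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if _matches(r, src, dst, port, now):
            return r.access
    return "Deny"


def flow_allowed(nsgs: Dict[str, List[Rule]], src: str, dst: str, port: int, now: datetime) -> bool:
    """A flow must pass the source subnet's outbound NSG AND the destination's inbound NSG.
    Sources that are not subnets (service tags, admin IPs) only meet the destination's inbound NSG."""
    if src in nsgs and decide(nsgs[src], "Outbound", src, dst, port, now) != "Allow":
        return False
    return decide(nsgs[dst], "Inbound", src, dst, port, now) == "Allow"


def request_jit(nsgs: Dict[str, List[Rule]], target: str, source_ip: str, port: int,
                now: datetime, hours: int = 3) -> Rule:
    """Model of an approved Defender for Cloud JIT request: a time-bound Allow scoped to the
    requester's IP and the requested port, ahead of the standing deny that closes it again."""
    rule = Rule(100, "Inbound", "Allow", source_ip, target, frozenset({port}),
                expires=now + timedelta(hours=hours))
    nsgs[target].append(rule)
    return rule


T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)     # constructed reference time


def jit_walkthrough(admin_ip: str = "10.50.0.25"):
    """Reachability of RDP from a constructed on-premises admin address: (before, during, after) JIT."""
    nsgs = build_three_tier()
    before = flow_allowed(nsgs, admin_ip, "AppSubnet", 3389, T0)
    request_jit(nsgs, "AppSubnet", admin_ip, 3389, T0)
    during = flow_allowed(nsgs, admin_ip, "AppSubnet", 3389, T0 + timedelta(hours=1))
    after = flow_allowed(nsgs, admin_ip, "AppSubnet", 3389, T0 + timedelta(hours=4))
    return before, during, after


if __name__ == "__main__":
    nsgs = build_three_tier()
    for src, dst, port in [("ApplicationGateway", "WebSubnet", 443), ("WebSubnet", "AppSubnet", 8080),
                           ("WebSubnet", "DBSubnet", 1433), ("AppSubnet", "DBSubnet", 1433),
                           ("DBSubnet", "AppSubnet", 8080), ("BastionSubnet", "AppSubnet", 3389)]:
        print(f"{src:>18} -> {dst:<10} :{port:<5} {'ALLOW' if flow_allowed(nsgs, src, dst, port, T0) else 'deny'}")
    print("RDP from admin IP before / during / after JIT:", jit_walkthrough())
```

Probing the matrix this way is the check to keep in a pipeline: every time a Bicep or Terraform change adds an NSG rule, re-run the forbidden-flow probes (web to database, database outbound, management ports from anything but the Bastion subnet or an active JIT grant) and fail the deployment if any of them flips to allow.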
Azure RBAC — Least-Privilege Access Governance
Role assignments scoped to the minimum required resource scope — subscription, resource group, or individual resource level
Custom role definitions for hybrid administrator personas requiring specific combinations of permissions across cloud workloads
Regular access reviews through Entra ID Identity Governance — periodic review and removal of stale role assignments
No permanent Owner or Contributor assignments at subscription scope — privileged roles eligible through PIM for time-bound activation
4. Monitoring & Detection Layer
The monitoring layer centralises security telemetry from both on-premises identity infrastructure and Azure cloud workloads — providing the unified hybrid visibility that is otherwise the most significant operational challenge in hybrid security environments.
Hybrid Telemetry Sources
| Source | Telemetry Type | Collection Method |
|---|---|---|
| On-premises Active Directory | Authentication events, privileged operations | Microsoft Defender for Identity sensor |
| Entra Connect | Synchronisation health, hybrid authentication events | Entra Connect Health |
| Microsoft Entra ID | Sign-in logs, audit logs, risky user events | Entra ID diagnostic settings → Log Analytics |
| Azure VMs | OS events, authentication, process activity | Azure Monitor Agent |
| NSG Flow Logs | Network traffic patterns, denied connections | NSG diagnostic settings → Log Analytics |
| Azure Bastion | Administrative session logs | Bastion diagnostic settings → Log Analytics |
| Defender for Cloud | Workload threat alerts, security recommendations | Defender for Cloud → Log Analytics |
Microsoft Defender for Identity — On-Premises Coverage
Microsoft Defender for Identity (MDI) sensor deployment on on-premises domain controllers provides identity threat detection that extends Sentinel's visibility into the on-premises AD environment — a critical capability for hybrid architectures where on-premises identity attacks can pivot into cloud resources through Entra Connect synchronisation.
Detection capabilities include:
Pass-the-Hash and Pass-the-Ticket attack detection
Kerberoasting and AS-REP Roasting attack patterns
Privilege escalation through sensitive group membership changes
Lateral movement indicators across on-premises AD infrastructure
Suspicious replication requests and DC shadow attacks
Microsoft Sentinel — Unified Hybrid SIEM
Sentinel ingests telemetry from both on-premises identity infrastructure (through MDI) and Azure cloud services — providing unified incident correlation across the full hybrid estate.
Key detection scenarios specific to hybrid environments:
On-premises compromise pivoting to cloud — detection of on-premises credential compromise followed by suspicious Entra ID sign-in activity from the same identity
Hybrid identity synchronisation abuse — detection of suspicious Entra Connect synchronisation changes or rogue directory synchronisation activity
Lateral movement across hybrid boundary — correlation of on-premises lateral movement indicators with subsequent cloud resource access attempts
Privileged identity escalation — detection of on-premises privileged group membership changes correlating with elevated cloud activity
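The four hybrid detection scenarios above all reduce to one correlation: an on-premises trigger (an MDI alert, or a sensitive-group membership change from a domain controller's security log) followed within a short window by a suspicious cloud event (a risky or off-network sign-in, or a role activation) for the same synced identity. The hard part in practice is the join key, because the on-premises event names the account as `DOMAIN\sam` while SigninLogs and AuditLogs carry the UPN. The following Python is an added example for this page, a stand-in for a Sentinel scheduled analytics rule, not the page's own rules or KQL. Sentinel's table names are real; the domain-to-UPN mapping, the event layout, the alert and operation names in the sample data, and the 2-hour window are assumptions, and all sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed stand-in for a Sentinel scheduled rule that joins on-premises
# identity telemetry (MDI alerts, domain-controller SecurityEvents) with cloud
# telemetry (SigninLogs, AuditLogs) on the synced identity. Table names are
# Sentinel's; the mapping, field layout, sample events and window are assumed.

UTC = timezone.utc
DOMAIN_TO_UPN_SUFFIX = {"CORP": "corp.example.com"}   # assumed routable suffix Entra Connect syncs


def to_upn(identity: str) -> str:
    """Join key across the hybrid boundary: 'CORP\\jdoe' and 'JDoe@corp.example.com'
    are one synced identity, so both normalise to 'jdoe@corp.example.com'."""
    if "\\" in identity:
        domain, sam = identity.split("\\", 1)
        return f"{sam}@{DOMAIN_TO_UPN_SUFFIX[domain.upper()]}".lower()
    return identity.lower()


@dataclass(frozen=True)
class Event:
    time: datetime
    table: str                      # "MDI" | "SecurityEvent" | "SigninLogs" | "AuditLogs"
    identity: str                   # exactly as the source logged it
    name: str                       # alert name / Windows event ID / app / operation
    risk: str = "none"              # SigninLogs only: Identity Protection risk level
    trusted_location: bool = True   # SigninLogs only


ONPREM_TRIGGERS = {
    "MDI": lambda e: True,                                          # every MDI alert is a trigger
    "SecurityEvent": lambda e: e.name in {"4728", "4732", "4756"},  # member added to a security group
}
CLOUD_FOLLOWUPS = {
    "SigninLogs": lambda e: e.risk in {"medium", "high"} or not e.trusted_location,
    "AuditLogs": lambda e: e.name == "Add member to role",          # role assignment / PIM activation
}


def hybrid_pivot_incidents(events, window=timedelta(hours=2)) -> List[Tuple[str, Event, Event]]:
    """Pair each on-premises trigger with the first suspicious cloud event by the same
    synced identity inside `window`. Returns (upn, trigger, followup) tuples, oldest first."""
    triggers = [e for e in events if e.table in ONPREM_TRIGGERS and ONPREM_TRIGGERS[e.table](e)]
    followups = [e for e in events if e.table in CLOUD_FOLLOWUPS and CLOUD_FOLLOWUPS[e.table](e)]
    incidents = []
    for t in sorted(triggers, key=lambda e: e.time):
        who = to_upn(t.identity)
        later = [f for f in followups
                 if to_upn(f.identity) == who and t.time <= f.time <= t.time + window]
        if later:
            incidents.append((who, t, min(later, key=lambda e: e.time)))
    return incidents


def _t(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 1, 15, hour, minute, tzinfo=UTC)       # constructed day


SAMPLE_EVENTS = [   # constructed telemetry
    Event(_t(9, 0), "MDI", "CORP\\jdoe", "Suspected identity theft (pass-the-ticket)"),
    Event(_t(9, 40), "SigninLogs", "JDoe@corp.example.com", "Azure portal", risk="high", trusted_location=False),
    Event(_t(9, 50), "SigninLogs", "jdoe@corp.example.com", "Exchange Online"),          # benign, trusted
    Event(_t(8, 0), "SecurityEvent", "CORP\\asmith", "4728"),                            # added to a global group
    Event(_t(8, 30), "AuditLogs", "asmith@corp.example.com", "Add member to role"),
    Event(_t(10, 0), "MDI", "CORP\\clee", "Suspected Kerberos SPN exposure"),
    Event(_t(15, 0), "SigninLogs", "clee@corp.example.com", "Azure portal", risk="high"),  # outside window
    Event(_t(12, 0), "SigninLogs", "bwong@corp.example.com", "Azure portal", risk="high"),  # no on-prem trigger
]


if __name__ == "__main__":
    for upn, trig, follow in hybrid_pivot_incidents(SAMPLE_EVENTS):
        gap = int((follow.time - trig.time).total_seconds() // 60)
        print(f"{upn}: {trig.table} '{trig.name}' -> {follow.table} '{follow.name}' after {gap} min")
```

Two of the constructed identities produce an incident; the other two show the rule's negative space: a high-risk cloud sign-in with no on-premises precursor is left to the ordinary Identity Protection alert, and an on-premises alert whose cloud follow-up arrives hours later falls outside the window and needs a longer-lookback rule rather than this one.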
Architecture Diagram

Technologies Used
| Category | Technologies |
|---|---|
| Hybrid Identity | Microsoft Entra ID, Entra Connect, Password Hash Synchronisation, Seamless SSO |
| Identity Governance | Conditional Access, Entra ID Identity Protection, Azure RBAC |
| Network Segmentation | Azure Virtual Networks, NSGs, Three-Tier Subnet Architecture |
| Secure Administrative Access | Azure Bastion, Just-in-Time VM Access |
| Workload Protection | Microsoft Defender for Cloud, Azure RBAC |
| On-Premises Identity Protection | Microsoft Defender for Identity |
| Monitoring & SIEM | Microsoft Sentinel, Azure Log Analytics, Azure Monitor |
| Compliance Frameworks | NIST SP 800-207, CIS Controls v8 |
Key Challenges Addressed
Consistent identity governance across hybrid domains — addressed through Entra Connect synchronisation establishing a unified identity plane, with Conditional Access policies applying consistent authentication requirements to hybrid identities regardless of which domain hosts the target resource.
Eliminating public infrastructure exposure without reducing operational accessibility — addressed through Azure Bastion providing browser-based administrative access without requiring public IP addresses or open management ports on any workload VM.
Preventing lateral movement between application tiers — addressed through three-tier NSG-enforced segmentation with deny-all defaults and explicit inter-tier allow rules restricting east-west traffic to required application communication flows only.
Governing on-premises-to-cloud administrative access without VPN dependency — addressed through Azure Bastion's managed PaaS model providing secure administrative sessions through the Azure portal without requiring traditional VPN-based jump server infrastructure.
Centralising security visibility across both hybrid identity domains — addressed through Microsoft Defender for Identity sensor deployment on on-premises domain controllers, extending Sentinel's detection coverage into the on-premises AD environment alongside cloud telemetry.
Detecting hybrid-specific attack patterns — addressed through Sentinel correlation rules specifically designed for hybrid attack scenarios, such as on-premises credential compromise pivoting to cloud resources through synchronised hybrid identities.
Design Decisions & Rationale
Password Hash Synchronisation over Pass-Through Authentication: Pass-Through Authentication routes cloud authentication requests to on-premises AD domain controllers — creating a dependency where cloud authentication fails if on-premises connectivity is disrupted. Password Hash Synchronisation enables cloud authentication to succeed independently of on-premises availability, providing resilience during on-premises incidents, network connectivity failures, or DR scenarios. For hybrid environments where business continuity during on-premises disruption is a requirement, PHS is the more resilient architectural choice.
Azure Bastion over Traditional Jumpbox VMs: Traditional jumpbox VMs require public IP exposure, ongoing OS patching, security hardening, and availability management — creating operational overhead and persistent attack surface. Azure Bastion eliminates all of these as a Microsoft-managed PaaS service. The only trade-off is cost — Bastion has an hourly availability charge regardless of usage. For environments with consistent administrative activity, this cost is justified by the elimination of jumpbox management overhead and public IP exposure.
Three-Tier Segmentation over Flat VNet Architecture: A flat VNet with no tier isolation allows lateral movement from any compromised workload to reach database systems directly. Three-tier segmentation enforces architectural boundaries that contain compromise blast radius — a web tier compromise cannot directly access database systems, requiring an attacker to pivot through the application tier first, significantly increasing the complexity and detectability of lateral movement attacks.
Hybrid Azure AD Join for Conditional Access Device Compliance: Full Intune enrollment for Conditional Access device compliance is operationally disruptive for organisations with large fleets of existing on-premises domain-joined devices. Hybrid Azure AD join satisfies Conditional Access device requirements for domain-joined Windows devices without requiring full MDM enrollment — enabling device-based access governance to be enforced immediately across existing device fleets without a large-scale device migration project.
Microsoft Defender for Identity for On-Premises Coverage: Sentinel without MDI provides excellent visibility into cloud identity events but has no visibility into on-premises AD authentication activity — creating a blind spot that attackers can exploit to compromise on-premises credentials before pivoting to cloud resources. MDI sensors on domain controllers extend threat detection into the on-premises environment and feed alerts directly into Sentinel, closing the hybrid visibility gap that represents the most common detection failure in hybrid security architectures.
Private-Only Workload Exposure as a Default: Public IP addresses on cloud workloads are an unnecessary attack surface in environments where workload access can be mediated through Azure Application Gateway, Azure Bastion, or private VNet connectivity. Eliminating public IPs as a default architectural principle — rather than a per-workload decision — removes this attack surface consistently without requiring case-by-case security review of each workload's exposure configuration.
Trade-offs & Design Constraints
Entra Connect Single Point of Failure: A single Entra Connect instance represents a synchronisation availability risk — if the Entra Connect server fails, identity synchronisation stops and password changes made on-premises will not propagate to the cloud until synchronisation is restored. Production hybrid deployments should implement Entra Connect Staging Mode with a standby server that can be promoted to active synchronisation within minutes of a primary server failure.
Password Hash Synchronisation Security Considerations: PHS synchronises a hash derivative of on-premises password hashes to Entra ID. While this hash is not usable for Pass-the-Hash attacks against on-premises resources, it does mean cloud-stored credentials are derived from on-premises passwords. Organisations with strict data sovereignty requirements for credential material may prefer Pass-Through Authentication or AD FS federation despite the availability trade-offs. The security of PHS depends heavily on the protection of the Entra Connect server itself — it must be treated as a Tier 0 asset.
Azure Bastion Cost for Large Administrative Teams: Azure Bastion Standard SKU pricing includes an hourly availability charge plus per-session data processing charges. For organisations with large administrative teams requiring frequent concurrent sessions, Bastion costs can be significant. The cost-benefit analysis must weigh Bastion's managed service value against traditional jumpbox VM costs including compute, licensing, patching overhead, and the security risk of public IP exposure.
Three-Tier NSG Complexity at Scale: As application workloads multiply across the three-tier architecture, NSG rule management complexity grows. Each new application tier communication requirement demands explicit rule additions — without Infrastructure as Code governance, NSG rule sets become difficult to audit and error-prone to manage. Bicep or Terraform-managed NSG deployments with Policy-as-Code enforcement are essential for maintaining three-tier segmentation consistency at scale.
Conditional Access Coverage for Legacy On-Premises Applications: Conditional Access governs access to Azure AD-integrated applications only. On-premises applications authenticating through Kerberos or NTLM — common in hybrid environments with legacy workloads — cannot be governed through Conditional Access policies. Legacy application modernisation or Microsoft Entra Application Proxy integration is required to extend Conditional Access coverage to on-premises application workloads not yet integrated with modern authentication.
Projected Outcomes
The architecture is designed to deliver the following operational and security outcomes in a production hybrid enterprise environment:
Unified hybrid identity governance providing consistent authentication requirements across on-premises AD and Azure resources through a single Conditional Access policy framework
Complete elimination of public IP exposure for all cloud-hosted workloads and administrative interfaces
Three-tier network segmentation containing lateral movement blast radius within architectural tier boundaries
Secure browser-based administrative access through Azure Bastion eliminating all direct RDP and SSH port exposure
Just-in-Time VM access reducing management port exposure to approved, time-bound access windows only
Centralised hybrid SIEM visibility across on-premises AD identity events and Azure cloud telemetry through unified Sentinel platform
Detection capability for hybrid-specific attack patterns including on-premises-to-cloud pivot scenarios
Alignment with NIST SP 800-207 Zero Trust Architecture and CIS Controls v8 compliance frameworks
Audit-ready security architecture with comprehensive logging across identity, network, and administrative access events
Future Evolution
Entra ID Identity Protection UEBA integration for advanced risk-based Conditional Access policy automation
Microsoft Entra Application Proxy deployment extending Conditional Access governance to on-premises legacy applications without public exposure
Azure Virtual WAN integration for scalable hybrid connectivity governance across multiple on-premises sites and Azure regions
Software-defined micro-segmentation through Azure Network Manager for centralised NSG policy management at scale
Automated compliance validation through Azure Policy continuous assessment and Defender for Cloud regulatory compliance views
Cross-cloud Zero Trust extension applying consistent identity governance to AWS and GCP workloads through Entra ID federation
Continuous compliance drift detection through Infrastructure as Code guardrails preventing manual configuration deviations
Advanced threat intelligence integration enriching Sentinel detections with external IOC feeds for hybrid-specific threat actor TTPs
Key Takeaways
Hybrid identity architecture is the foundational challenge of Zero Trust in hybrid environments — inconsistent governance across on-premises AD and Entra ID creates authentication gaps that attackers exploit
Password Hash Synchronisation provides greater cloud authentication resilience than Pass-Through Authentication for environments where on-premises availability during incidents cannot be guaranteed
Azure Bastion is the appropriate administrative access model for private-only workload architectures — it eliminates public IP and open port exposure while providing a managed, auditable administrative access service
Three-tier network segmentation must be enforced architecturally from the foundation — retrofitting segmentation onto flat networks is operationally complex and frequently incomplete
Microsoft Defender for Identity sensor deployment on on-premises domain controllers is essential for hybrid SIEM coverage — without it, Sentinel has no visibility into the on-premises identity attack surface that hybrid architectures extend into the cloud
Hybrid Azure AD join enables immediate device-based Conditional Access enforcement across existing domain-joined device fleets without requiring full Intune migration — a critical practical accommodation for hybrid environments
Private-only workload exposure should be a default architectural principle, not a per-workload decision — eliminating public IPs consistently removes an attack surface that is otherwise difficult to govern at scale
