Level: Expert | Duration: 90 to 120 minutes | Instructor visible

Hybrid identity and Entra ID sync design

A failed sync left duplicate identities, stale groups, unclear source of authority, and Conditional Access gaps.

Business context

The enterprise needs a recoverable hybrid identity design before governance, Exchange, and migration work can succeed.

Technical objective

Choose Azure AD Connect or Cloud Sync patterns, define sync scope, document Conditional Access baselines, and separate simulated tenant checks from future live Graph checks.

Student instructions

  1. Review source-anchor, OU scope, staging-mode, and rollback requirements.
  2. Map Password Hash Sync, Pass-through Authentication, and federation tradeoffs.
  3. Design Conditional Access policies for admins, risky sign-ins, guests, and unmanaged devices.
  4. Use the simulated tenant panel for sync and policy validation.
  5. Write the break-glass and recovery runbook.

Troubleshooting

  • If policy design blocks emergency access, add named break-glass exclusions and monitoring.
  • If sync scope is too broad, stage by OU, group, and acquisition wave.
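The Conditional Access baseline from step 3 and the break-glass exclusion from the troubleshooting note, as an added example that is not part of the lab materials: policies are modelled in the shape of Graph conditionalAccessPolicy objects so the same checks can later run over the simulated tenant panel and over live Graph output. Policy names, the simplified evaluator, and the break-glass object IDs are constructed assumptions.

```python
# Added example, not lab or Microsoft code. Policies mimic the Graph
# conditionalAccessPolicy shape (displayName, state, conditions, grantControls);
# the evaluator is a simplified model that ignores device filters and the grant operator.
BREAK_GLASS = {"bg-user-0001", "bg-user-0002"}  # constructed placeholder object IDs
ADMIN_ROLES = ["Global Administrator", "Privileged Role Administrator"]

def policy(name, users, grant, risk=()):
    """Build one policy dict; every baseline policy excludes the break-glass accounts."""
    users = dict(users, excludeUsers=sorted(BREAK_GLASS))
    return {"displayName": name, "state": "enabled",
            "conditions": {"users": users, "signInRiskLevels": list(risk)},
            "grantControls": {"operator": "OR", "builtInControls": grant}}

BASELINE = [
    policy("CA001 Admins: require MFA", {"includeRoles": ADMIN_ROLES}, ["mfa"]),
    policy("CA002 Block high-risk sign-ins", {"includeUsers": ["All"]}, ["block"], risk=["high"]),
    policy("CA003 Guests: require MFA", {"includeUsers": ["GuestsOrExternalUsers"]}, ["mfa"]),
    policy("CA004 All users: require compliant device", {"includeUsers": ["All"]}, ["compliantDevice"]),
]

def missing_break_glass_exclusions(policies, break_glass=BREAK_GLASS):
    """Names of non-disabled policies that do not exclude every break-glass account."""
    gaps = []
    for p in policies:
        excluded = set(p["conditions"]["users"].get("excludeUsers", []))
        if p["state"] != "disabled" and not break_glass <= excluded:
            gaps.append(p["displayName"])
    return gaps

def applies(p, s):
    """Does policy p target sign-in s (a dict with id, roles, guest, risk)?"""
    u = p["conditions"]["users"]
    if s["id"] in u.get("excludeUsers", []):
        return False
    risk = p["conditions"].get("signInRiskLevels", [])
    if risk and s["risk"] not in risk:
        return False
    inc = u.get("includeUsers", [])
    return ("All" in inc or s["id"] in inc
            or (s["guest"] and "GuestsOrExternalUsers" in inc)
            or bool(set(s["roles"]) & set(u.get("includeRoles", []))))

def required_controls(s, policies=BASELINE):
    """Union of grant controls from every enabled policy that applies to sign-in s."""
    return {c for p in policies if p["state"] == "enabled" and applies(p, s)
            for c in p["grantControls"]["builtInControls"]}
```

Run `missing_break_glass_exclusions` as the gate before a policy moves from report-only to enabled; a non-empty result means an emergency account can be locked out.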

Cleanup

  • Export the sync design and CA baseline.
  • Record Graph adapter assumptions.

Launch flow

Provisioning readiness

Click Launch lab to start the provisioning flow and watch each stage complete.

  1. Request accepted
  2. Capacity reserved
  3. Templates queued
  4. Validation running
  5. Workspace ready

Readiness checks (Pending until launch): ad-dns-healthy, m365-simulated-tenant-ready

Required templates

  • Domain Controller template - defined
  • Windows Server 2022 base - defined
  • Microsoft 365 simulated tenant layer - defined

Validation checks

  • AD DS and DNS healthy: Directory services, DNS, and LDAP checks pass inside the tenant network.
  • Simulated M365 tenant ready: The simulated tenant layer exposes users, groups, licensing, Exchange, Teams, SharePoint, OneDrive, Intune, compliance, and service-health scenarios.

Expected result

The sync and access design is complete and clearly labels Simulated Tenant Lab versus future live Microsoft Graph integration.

  • Reset policy: Simulated tenant policies can reset independently of the Windows pod.
  • Teardown policy: Course pod auto-tears down at TTL expiry with instructor override.