June 15, 2022 | 4 min read

Identity management for your Microsoft 365 deployment, at its core, is a relatively straightforward idea – you need to know who a user is in order to limit access to authorized users only. Unfortunately, it is far more complex in practice – particularly when you’re administering a hybrid deployment, that is, one in which some portion of your M365 resources live in an on-premises data center and the rest reside in the cloud.

One of the primary user complaints in a haphazardly managed hybrid deployment is having to maintain multiple passwords to reach all features of Office 365. That becomes more than an inconvenience once you count the support effort spent resetting passwords so employees can stay productive, simply because the system makes them keep track of more than one.

To remedy this, Microsoft provides administrators with the tools required to manage user identities in such deployments in a way that allows users to access all M365 resources in a hybrid deployment with a single password.

And while this toolset effectively simplifies the end user’s experience, as we’ll explore below, the provided solutions are inherently complex for IT teams to manage. As with the administration of any business-critical software resource, added complexity in managing M365 means IT tasks take more time to accomplish, which is reflected in your bottom line, and, perhaps more importantly, there is a greater chance of errors being made, which accumulate into issues to deal with downstream.

CoreView solves this problem by centralizing, and thus significantly simplifying, identity management in hybrid M365 deployments.

Microsoft’s approach to hybrid identities

Microsoft offers three distinct approaches to achieving what they term a hybrid identity – that is, a means of providing end-users access to both on-premises and cloud-hosted resources with a single set of credentials.

Password hash synchronization (PHS)

With PHS, the authoritative copy of a user’s credentials stays in your on-premises Active Directory. Azure AD Connect reads the existing password hash from a domain controller, re-hashes it (a salted, iterated hash of the hash, so the value sent to the cloud is not the on-premises NT hash itself) and stores the result in Azure AD. Azure AD then validates sign-ins on its own, with no dependency on on-premises infrastructure at sign-in time. Because the single source of truth for the identity lives on-site, password changes are made against the on-premises directory, and Azure AD Connect picks them up and updates the hash stored in the cloud (its password sync process runs independently of the normal sync cycle, roughly every two minutes).
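To make “a hash of the hash” concrete, here is an added example (not CoreView’s or Microsoft’s code) that reproduces the transformation Microsoft documents for Azure AD Connect: the 16-byte NT (MD4) hash is expanded to its 32-character hex string, encoded as UTF-16LE (64 bytes), then run through PBKDF2-HMAC-SHA256 with a random 10-byte per-user salt and 1000 iterations to produce 32 bytes. Assumptions: the hex string is uppercase (as in the open-source DSInternals implementation), the salt is a fixed constructed value here (production uses a fresh CSPRNG salt per user), and the sample hash is the well-known NT hash of the string `password`, used only as input. It needs .NET Framework 4.7.2 or later (Windows PowerShell 5.1) or PowerShell 7.

```powershell
# Added example, not CoreView's or Microsoft's code: the documented NT-hash -> synced-hash
# transformation used by password hash synchronization (PHS).
# Assumptions: uppercase hex (DSInternals convention); sample hash and salt are constructed inputs.

function ConvertTo-SyncedPasswordHash {
    param(
        [Parameter(Mandatory)] [byte[]] $NtHash,     # 16-byte MD4 hash as read from the DC
        [Parameter(Mandatory)] [byte[]] $Salt,       # 10 random bytes, unique per user
        [int] $Iterations = 1000
    )
    if ($NtHash.Length -ne 16) { throw 'NT hash must be 16 bytes' }
    if ($Salt.Length   -ne 10) { throw 'Salt must be 10 bytes' }

    # Step 1: expand the binary hash to its hex text form and encode it as UTF-16LE (64 bytes)
    $hex      = ($NtHash | ForEach-Object { $_.ToString('X2') }) -join ''
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($hex)

    # Step 2: PBKDF2-HMAC-SHA256 over the expanded hash with the per-user salt, 32-byte output
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $expanded, $Salt, $Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try     { $derived = $kdf.GetBytes(32) }
    finally { $kdf.Dispose() }

    [pscustomobject]@{
        Algorithm  = 'PBKDF2-HMAC-SHA256'
        Salt       = ($Salt    | ForEach-Object { $_.ToString('X2') }) -join ''
        Iterations = $Iterations
        Hash       = ($derived | ForEach-Object { $_.ToString('X2') }) -join ''
    }
}

function ConvertFrom-Hex([string] $Hex) {
    $bytes = [byte[]]::new($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

# Constructed sample input. 8846F7EA... is the NT hash of the string "password"; the salt is a
# fixed demo value. In production the salt comes from a CSPRNG, e.g.
#   $salt = [byte[]]::new(10); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
$ntHex  = '8846F7EAEE8FB117AD06BDD830B7586C'
$ntHash = ConvertFrom-Hex $ntHex
$salt   = ConvertFrom-Hex '0102030405060708090A'

$synced = ConvertTo-SyncedPasswordHash -NtHash $ntHash -Salt $salt
$synced | Format-List

# The value the cloud holds is not the NT hash: it cannot be replayed against on-premises
# services (pass-the-hash), and recovering the password means brute-forcing PBKDF2 per user.
if ($synced.Hash -eq $ntHex) { throw 'NT hash leaked into synced value' }
```

The security-relevant point is the direction of trust: on-premises AD never receives anything from the cloud, and a compromise of the cloud copy yields only a salted, iterated derivative that must be cracked per user rather than a hash usable directly against on-premises services.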

Pass-through authentication (PTA)

Unlike PHS, PTA stores the original hash of a user’s credentials only on-premises; nothing derived from the password is synced to the cloud. When a user signs in to the cloud portion of your M365 environment, Azure AD encrypts the submitted credentials and queues the request. An authentication agent that you must stand up in your on-prem data center retrieves the request over an outbound connection, validates the credentials against a local domain controller, and returns the result to Azure AD. That agent must be maintained by the organization’s IT staff, and because cloud sign-in stops if no agent is reachable, additional agents (Microsoft recommends at least three) must be provisioned and maintained to provide high availability.

Federation

This is the most complex solution and the most costly to implement. Intended for organizations with highly specific compliance requirements, federation requires significant investment in additional on-prem infrastructure, because authentication is performed by a separate identity provider (typically AD FS) that Azure AD trusts and redirects sign-ins to, rather than by Azure AD itself. Because of this, troubleshooting also demands far more time and skill from your staff.

The end-user experience depends entirely on the configuration of that system, which involves a “federation farm” of on-premises servers in order to provide high availability for authentication requests.
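Before choosing or troubleshooting any of the three methods it helps to know which one a tenant is actually using and whether its on-premises dependency is healthy. The following is an added example (not CoreView’s or Microsoft’s code) that does that: it reads each verified domain’s authentication type through the Microsoft Graph PowerShell SDK (`Get-MgDomain`, `Get-MgDomainFederationConfiguration`), queries the Azure AD Connect server with the `ADSync` module that ships with it (`Get-ADSyncAADPasswordSyncConfiguration`), and counts running PTA agents. Assumptions: the connector name, sync-server and agent host names are constructed; the Windows service name `AzureADConnectAuthenticationAgent` for the PTA agent is assumed and should be confirmed with `Get-Service` on an agent host. Note that PHS and PTA can both be enabled (PHS as a fallback), so both checks are always run.

```powershell
# Added example, not CoreView's or Microsoft's code: which hybrid identity method is in use,
# and is the on-premises piece it depends on healthy?
# Assumptions: connector/host names are constructed; PTA service name is assumed (verify with Get-Service).
param(
    [string]   $AdConnectorName = 'corp.example.com',          # AD connector name in Azure AD Connect
    [string]   $SyncServer      = 'aadc01.corp.example.com',   # Azure AD Connect server
    [string[]] $PtaAgentHosts   = @('pta01.corp.example.com', 'pta02.corp.example.com', 'pta03.corp.example.com')
)

Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome

# 1. Cloud side. Federated domains hand sign-ins to an external STS (e.g. AD FS);
#    Managed domains are validated by Azure AD itself (PHS) or by on-prem agents (PTA).
$domains   = Get-MgDomain | Where-Object { $_.IsVerified -and -not $_.IsInitial }
$federated = @($domains | Where-Object AuthenticationType -eq 'Federated')
foreach ($d in $domains) {
    if ($d.AuthenticationType -eq 'Federated') {
        $fed = Get-MgDomainFederationConfiguration -DomainId $d.Id
        "{0,-30} FEDERATED  issuer={1} passive={2}" -f $d.Id, $fed.IssuerUri, $fed.PassiveSignInUri
    } else {
        "{0,-30} MANAGED    (PHS and/or PTA)" -f $d.Id
    }
}

# 2. On the Azure AD Connect server: is password hash sync enabled for the AD connector?
#    If it is, cloud sign-in keeps working during an on-prem outage.
$phsEnabled = Invoke-Command -ComputerName $SyncServer -ArgumentList $AdConnectorName -ScriptBlock {
    param($connector)
    Import-Module ADSync
    (Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $connector).Enabled
}
"Password hash sync enabled on {0}: {1}" -f $SyncServer, $phsEnabled

# 3. PTA agents. Each is an outbound-only Windows service; with no running agent and no PHS
#    fallback, nobody can sign in to the cloud.
$running = 0
foreach ($h in $PtaAgentHosts) {
    $svc = Invoke-Command -ComputerName $h -ScriptBlock {
        Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
    }
    $state = if ($svc) { $svc.Status } else { 'NOT INSTALLED' }
    "{0,-30} PTA agent service: {1}" -f $h, $state
    if ($svc -and $svc.Status -eq 'Running') { $running++ }
}
if ($running -gt 0 -and $running -lt 3) {
    Write-Warning "Only $running PTA agent(s) running; Microsoft recommends at least three for high availability."
}
if ($running -eq 0 -and -not $phsEnabled -and $federated.Count -eq 0) {
    Write-Warning 'Managed domains with neither PHS nor a running PTA agent: cloud sign-in will fail.'
}

# 4. Federation. Azure AD only knows the trust; the farm itself has to be checked on-prem, e.g.
#    Invoke-Command -ComputerName adfs01 -ScriptBlock { Get-AdfsProperties | Select-Object HostName, Identifier }
if ($federated.Count -gt 0) {
    Write-Warning "$($federated.Count) federated domain(s): authentication is handled by the federation farm, outside Azure AD."
}
Disconnect-MgGraph
```

Run it from a management host that can reach both Microsoft Graph and the on-premises servers over WinRM; the Graph scope `Domain.Read.All` is enough for the cloud queries, and the remote calls need local administrator rights on the sync and agent servers.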

Where do M365 administrators leverage native tools for IAM?

When using Microsoft’s native tooling, any password-specific management by your IT staff must be carried out against the on-premises directory, typically over a secure VPN connection when staff are remote. However, M365 group membership is often still managed in the cloud portion of your deployment, which means that IT staff must interact with multiple interfaces to fully manage hybrid identity in your M365 deployment.
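What “multiple interfaces” looks like in practice, as an added example (not CoreView’s code) rather than anything from the original article: the same help-desk ticket, a password reset plus a group membership change, requires the `ActiveDirectory` module against an on-premises domain controller for the first part and the Microsoft Graph PowerShell SDK for the second. Account, group, host and domain names are constructed for the example.

```powershell
# Added example, not CoreView's code: one ticket, two toolchains, under native M365 tooling.
# Assumptions: user, group, host and domain names are constructed.

# --- On-premises: password reset, because AD is the source of truth for the identity ---
Import-Module ActiveDirectory
$dc     = 'dc01.corp.example.com'
$user   = Get-ADUser -Identity 'jdoe' -Server $dc
$newPwd = Read-Host -AsSecureString -Prompt 'Temporary password'   # never hard-code or log it

Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd -Server $dc
Set-ADUser -Identity $user -ChangePasswordAtLogon $true -Server $dc   # user must choose their own
# With PHS the new hash reaches Azure AD through the connector's own password sync process
# (about every 2 minutes), not through Start-ADSyncSyncCycle. The "change at next logon" flag
# is only honoured for cloud sign-in when the ForcePasswordChangeOnLogOn sync feature is
# enabled together with password writeback; otherwise the temporary password keeps working in M365.

# --- Cloud: group membership, mastered in Azure AD ---
Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.ReadWrite.All' -NoWelcome
$cloudUser = Get-MgUser -UserId 'jdoe@corp.example.com'
$group     = Get-MgGroup -Filter "displayName eq 'Finance-Reporting'" | Select-Object -First 1
if (-not $group) { throw 'Group not found' }
if ($group.OnPremisesSyncEnabled) {
    # A group synced from AD is authoritative on-premises; the Graph write below would be
    # rejected. It has to be changed in AD (Add-ADGroupMember) and synced, a third interface.
    throw "Group '$($group.DisplayName)' is mastered on-premises; edit it in AD, not in the cloud."
}
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $cloudUser.Id
Disconnect-MgGraph
```

The check on `OnPremisesSyncEnabled` is the part most often missed: whether a given group is edited on-premises or in the cloud depends on where it was created, so the administrator has to know the provenance of every object before picking the tool.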

CoreView’s approach to hybrid identities

CoreView’s Hybrid Agent dramatically reduces the complexity involved in managing user identity in a hybrid deployment of M365. Whether users are exclusively working with on-prem resources or exclusively working with cloud-based resources, or – more than likely – some combination of the two, all user identity management takes place through a single, unified interface.

This means that wherever your organization is in its journey from maintaining exclusively on-premises M365 resources to a more remote-work friendly cloud-based model, your IT team will interact with the CoreView suite in the same way, which means less training and retraining, fewer opportunities for user error, and ultimately a much more coherent user experience for your IT team.

Regardless of the specific task an administrator is carrying out – be it password management, group membership, or anything else – all administrative actions take place in the CoreView UI via the User Card view.

Where do M365 administrators leverage CoreView’s tools?

CoreView simplifies access for IT professionals by providing an enhanced set of administrative options via a single, unified user interface, which dramatically reduces the requisite expertise to administer M365 effectively.

Commands are executed in the cloud environment and generally don’t require custom PowerShell scripting. That said, CoreView also supports the creation of custom actions driven by PowerShell scripts when needed. The result is that your identity-management IT resources are centralized, both in terms of how and where IT interacts with your M365 tenant and in terms of where the resources they require are stored.

Takeaways

Identity management – on its face – is a simple idea. You need to know who users are to authenticate them, and thus grant access to the resources they need to do their work. In practice, however, it is a much more complex endeavor – particularly when you’re administering a hybrid M365 environment, that is, one in which a portion of your environment lives in an on-premises data center while the remainder lives in the cloud.

A core issue faced here is providing end-users the means of accessing all resources – regardless of where they are hosted – with a single set of credentials. Microsoft recognizes this and provides multiple ways of accomplishing it, but they are inherently complex for IT staff to operate.

With CoreView, you can achieve the same targeted end-user experience with far less complexity for your IT staff, which ultimately requires less expertise, is a more coherent user experience for IT staff, and as such is less prone to user error that can accumulate downstream.
