Hybrid Identity Integration with LDAP and Entra ID

Overview

VeridiumID supports Hybrid Identity integration by combining:

  • On-prem Active Directory (LDAP)

  • Microsoft Entra ID

into a unified identity model.

In Hybrid mode:

  • LDAP remains the authoritative source

  • Entra enriches cloud identity data

  • Users merge into a single platform identity


Hybrid Identity Architecture

Unified Hybrid User Model

When a user exists in both:

  • Active Directory

  • Entra ID

VeridiumID merges both records into a single identity object.


Conflict Resolution Strategy

LDAP acts as the authoritative source for:

  • Core identity data

  • Password management

  • Enrollment validation

Entra ID contributes:

  • Cloud metadata

  • Extended attributes

  • Cloud identifiers


Source Attribution

Hybrid users are explicitly tagged as:

CODE
Hybrid User

This enables:

  • Policy targeting

  • Authentication troubleshooting

  • Security auditing

Prerequisites

Before enabling Hybrid mode:

  • Configure the Entra connector

  • Validate Microsoft Graph permissions

  • Configure LDAP connectivity

  • Verify user synchronization

See Entra ID Connector Configuration Steps and Requirements for complete Entra configuration details.

Hybrid Directory Sync Configuration

Navigate to:

CODE
Admin Manager > Settings > Directory Services > LDAP

and create a new LDAP connection or edit an existing one.

Enable Hybrid Directory Sync

Enable:

CODE
Enable Hybrid Directory Sync

Select Entra Tenant

Choose the corresponding, previously configured:

CODE
Tenant ID

from the list of available Entra connectors (the connector must already exist; see Prerequisites).


Configure Immutable ID Mapping

Use:

CODE
objectGUID

to bind the LDAP identity to the Entra identity.

This ensures stable identity matching even when:

  • Email addresses change

  • Names change

  • UPNs change

Additionally, ensure that ImmutableID is configured in the LDAP Extended Attributes, mapped to objectGUID, and matches the Immutable ID Mapping defined in the Hybrid Configuration.
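The objectGUID binding described above, as an added example that is not VeridiumID's own code: it derives the ImmutableID from the raw 16-byte objectGUID (Base64 of the bytes, the encoding Entra Connect uses for the default source anchor, which Entra ID exposes as the Microsoft Graph property onPremisesImmutableId), checks that the LDAP extended attribute carries the same value as the mapping, and shows that matching on the anchor survives a mail and UPN change while rejecting a different principal that happens to share a mail address. The dictionary field names, the sample GUID and the sample records are constructed.

```python
import base64
import uuid

# Constructed sample: the raw 16-byte objectGUID as an LDAP search returns it.
# Active Directory stores GUIDs in the mixed-endian layout Python calls bytes_le.
SAMPLE_OBJECTGUID = uuid.UUID("3f2504e0-4f89-11d3-9a0c-0305e82c3301").bytes_le


def immutable_id_from_objectguid(raw_guid: bytes) -> str:
    """Base64 of the raw objectGUID bytes. This is the encoding Entra Connect
    uses for the default source anchor, so the value equals what Entra ID
    exposes as onPremisesImmutableId for a synchronized user."""
    if len(raw_guid) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(raw_guid).decode("ascii")


def objectguid_from_immutable_id(immutable_id: str) -> uuid.UUID:
    """Reverse mapping, used to show the binding is lossless."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return uuid.UUID(bytes_le=raw)


def check_extended_attribute(ldap_entry: dict) -> bool:
    """The page requires the LDAP extended attribute ImmutableID to carry the
    same objectGUID-derived value as the Hybrid Configuration mapping.
    Field names here are assumptions, not VeridiumID's own schema."""
    expected = immutable_id_from_objectguid(ldap_entry["objectGUID"])
    return ldap_entry.get("ImmutableID") == expected


def is_same_principal(ldap_entry: dict, entra_user: dict) -> bool:
    """Match on the immutable anchor only; mail, display name and UPN are
    deliberately ignored so renames can neither break nor hijack the binding."""
    expected = immutable_id_from_objectguid(ldap_entry["objectGUID"])
    return entra_user.get("onPremisesImmutableId") == expected


# Constructed records: the Entra user has since changed both mail and UPN.
LDAP_ENTRY = {
    "dn": "CN=Jane Doe,OU=Users,DC=corp,DC=example",
    "objectGUID": SAMPLE_OBJECTGUID,
    "mail": "jane.doe@corp.example",
    "ImmutableID": immutable_id_from_objectguid(SAMPLE_OBJECTGUID),
}
ENTRA_USER_RENAMED = {
    "userPrincipalName": "jane.smith@corp.example",
    "mail": "jane.smith@corp.example",
    "onPremisesImmutableId": immutable_id_from_objectguid(SAMPLE_OBJECTGUID),
}
ENTRA_USER_OTHER = {
    "userPrincipalName": "jane.doe@corp.example",  # same mail as the LDAP entry ...
    "mail": "jane.doe@corp.example",
    "onPremisesImmutableId": immutable_id_from_objectguid(uuid.uuid4().bytes_le),  # ... different anchor
}

if __name__ == "__main__":
    print(immutable_id_from_objectguid(SAMPLE_OBJECTGUID))
    print(check_extended_attribute(LDAP_ENTRY))
    print(is_same_principal(LDAP_ENTRY, ENTRA_USER_RENAMED), is_same_principal(LDAP_ENTRY, ENTRA_USER_OTHER))
```

The point of the last two records is the security property the page is after: a user whose cloud mail and UPN were renamed still resolves to the same on-prem account, while a second account that reuses the old mail address does not, because only the objectGUID-derived anchor is compared.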

Hybrid Authentication Behavior

Enrollment Requirements

Operation            | Requires LDAP | Requires Entra API
---------------------|---------------|-------------------
Hybrid Enrollment    | Yes           | Yes
Hybrid Re-enrollment | Yes           | Yes

Authentication Requirements

Operation             | Requires LDAP | Requires Entra API
----------------------|---------------|-------------------
Hybrid Authentication | Yes           | No
Password Change       | Yes           | No

LDAP remains the authoritative password source.

Hybrid Operational Scenarios

Scenario              | LDAP Status | Entra Status | Result
----------------------|-------------|--------------|-------
Hybrid Enrollment     | Up          | Up           | Success: merges data from both sources.
Hybrid Re-enrollment  | Down        | Up           | Failure: "No LDAP connection for hybrid user found".
Hybrid Authentication | Up          | Down         | Partial success: authenticates via LDAP; cloud-specific extended attributes may be missing.


LDAP Dependency

Hybrid identities depend heavily on LDAP availability.

If LDAP connectivity is unavailable:

  • Enrollment fails

  • Password operations fail

  • Hybrid identity verification fails

Typical failure message:

CODE
No LDAP connection for hybrid user found
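The conflict resolution rules (LDAP authoritative for core data, Entra contributing cloud metadata), the "Hybrid User" tag, the operational scenarios table and the LDAP-dependency failure mode above, modelled as an added simulation that is not VeridiumID's own code. The Directory class, the record field names, the sample users, the stand-in credential check and every message other than the quoted "No LDAP connection for hybrid user found" are constructed; the ImmutableID value is a constructed Base64 objectGUID.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed Base64-encoded objectGUID used as the join key between the two sources.
IMMUTABLE_ID = "4AQlP4lP0xGaDAMF6CwzAQ=="

# Constructed sample data. LDAP holds the current mail; the Entra copy is stale.
LDAP_ENTRIES = {
    "jdoe": {
        "dn": "CN=Jane Doe,OU=Users,DC=corp,DC=example",
        "samAccountName": "jdoe",
        "displayName": "Jane Doe",
        "mail": "jane.doe@corp.example",
        "immutableId": IMMUTABLE_ID,
        "_password": "Winter-2026!",  # stand-in for the AD credential, used for a simulated bind
    }
}
ENTRA_USERS = {
    IMMUTABLE_ID: {
        "cloudObjectId": "00000000-0000-0000-0000-000000000001",  # placeholder
        "onPremisesImmutableId": IMMUTABLE_ID,
        "mail": "jane.old@corp.example",  # stale cloud value; must never override LDAP
        "userPrincipalName": "jane.doe@corp.example",
        "extensionAttributes": {"costCenter": "CC-42"},
    }
}

LDAP_CORE_FIELDS = ("samAccountName", "displayName", "mail")      # LDAP is authoritative
ENTRA_CLOUD_FIELDS = ("cloudObjectId", "userPrincipalName", "extensionAttributes")  # Entra enriches


class HybridIdentityError(Exception):
    pass


@dataclass
class Directory:
    """Toy stand-in for an LDAP server or the Entra Graph API, with an outage switch."""
    records: dict
    available: bool = True


def ldap_lookup(ldap: Directory, username: str) -> dict:
    if not ldap.available:
        raise HybridIdentityError("No LDAP connection for hybrid user found")
    entry = ldap.records.get(username)
    if entry is None:
        raise HybridIdentityError(f"user {username!r} not found in LDAP")
    return entry


def entra_lookup(entra: Directory, immutable_id: str) -> Optional[dict]:
    """None when the Entra API is unreachable or the user is unknown there; the
    caller decides whether that is fatal (enrollment) or degrades (authentication)."""
    if not entra.available:
        return None
    return entra.records.get(immutable_id)


def merge_identity(ldap_entry: dict, entra_user: Optional[dict]) -> dict:
    """Core fields always come from LDAP; Entra may only add cloud metadata."""
    identity = {"source": "Hybrid User", "dn": ldap_entry["dn"], "immutableId": ldap_entry["immutableId"]}
    identity.update({f: ldap_entry[f] for f in LDAP_CORE_FIELDS})
    if entra_user is not None:
        if entra_user["onPremisesImmutableId"] != ldap_entry["immutableId"]:
            raise HybridIdentityError("ImmutableID mismatch: refusing to merge two different principals")
        identity.update({f: entra_user.get(f) for f in ENTRA_CLOUD_FIELDS})
    return identity


def hybrid_enroll(ldap: Directory, entra: Directory, username: str) -> dict:
    """Enrollment and re-enrollment need both sources (Enrollment Requirements table)."""
    ldap_entry = ldap_lookup(ldap, username)
    entra_user = entra_lookup(entra, ldap_entry["immutableId"])
    if entra_user is None:
        # Constructed message: the page only states that enrollment requires the Entra API.
        raise HybridIdentityError("Entra API unavailable or user unknown; hybrid enrollment needs both sources")
    return merge_identity(ldap_entry, entra_user)


def hybrid_authenticate(ldap: Directory, entra: Directory, username: str, password: str) -> dict:
    """Authentication needs only LDAP; an Entra outage yields a partial result."""
    ldap_entry = ldap_lookup(ldap, username)
    if not hmac.compare_digest(ldap_entry["_password"], password):  # simulated LDAP bind
        raise HybridIdentityError("invalid credentials")
    entra_user = entra_lookup(entra, ldap_entry["immutableId"])
    return {"status": "success" if entra_user is not None else "partial",
            "identity": merge_identity(ldap_entry, entra_user)}


def change_password(ldap: Directory, username: str, old: str, new: str) -> bool:
    """Password operations touch LDAP only; the Entra password is never consulted."""
    entry = ldap_lookup(ldap, username)
    if not hmac.compare_digest(entry["_password"], old):
        return False
    entry["_password"] = new
    return True
```

Running the three scenarios from the table against this model gives the documented outcomes: enrollment with both directories up returns a "Hybrid User" whose mail is the LDAP value rather than the stale Entra copy, enrollment with LDAP down raises the quoted failure message, and authentication with Entra down succeeds with status "partial" and no extensionAttributes in the merged identity.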

Hybrid User Capabilities

Supported Features

✅ Active Directory password authentication

✅ Self-service password reset

✅ Password change operations

✅ Unified identity visibility

Limitations

⚠️ Entra password is not used for authentication

⚠️ LDAP outages impact enrollment and password workflows

⚠️ Cloud-only attributes may become unavailable if Entra APIs fail


Security Considerations

Hybrid identity merging prevents:

  • Duplicate user identities

  • Fragmented security policies

  • Inconsistent authorization behavior

Unified identities allow:

  • Consistent policy enforcement

  • Centralized auditing

  • Improved authentication tracking
