Hybrid AD and Microsoft 365 Enterprise
About This Architecture
Hybrid Active Directory and Microsoft 365 enterprise architecture spanning on-premises multi-forest AD infrastructure across UA and IN sites with four domains (ext.local, grange.local, gmcc.grange.local, agent.ext.local) synchronized to Microsoft Entra ID via dual Entra Connect servers. Identity federation flows through ADFS servers in the internal network and WAP proxy in the DMZ, enabling secure external authentication to Microsoft 365 cloud services including Exchange Online, Microsoft 365 Apps, and Microsoft Sentinel. On-premises Exchange servers operate in hybrid mode for SMTP relay and federation management without hosting mailboxes, reducing on-prem operational burden. This architecture demonstrates best practices for zero-downtime cloud migration, redundancy across geographic sites, and maintaining legacy application compatibility during Microsoft 365 adoption. Fork this diagram on Diagrams.so to customize domain names, add additional sites, or model your own hybrid identity topology.
People also ask
How do you design a hybrid Active Directory and Microsoft 365 architecture with multiple on-premises domains and ADFS federation?
This diagram shows a production hybrid architecture with multi-forest AD (ext.local, grange.local, gmcc.grange.local, agent.ext.local) across UA and IN sites synchronized to Microsoft Entra ID via dual Entra Connect servers. ADFS servers provide federation with WAP proxy in the DMZ for external authentication, while on-premises Exchange servers in hybrid mode handle SMTP relay without hosting mail
- Domain: Cloud Azure
- Audience: Azure identity architects designing hybrid AD and Microsoft 365 deployments
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.