About This Architecture
This is a hybrid Active Directory and Microsoft 365 enterprise architecture spanning on-premises multi-forest AD infrastructure across UA and IN sites, with four domains (ext.local, grange.local, gmcc.grange.local, agent.ext.local) synchronized to Microsoft Entra ID through two Entra Connect servers. Identity federation flows through ADFS servers on the internal network and a WAP proxy in the DMZ, so that external users authenticate to Microsoft 365 cloud services, including Exchange Online, Microsoft 365 Apps, and Microsoft Sentinel, without the ADFS servers themselves being exposed to the internet. On-premises Exchange servers run in hybrid mode for SMTP relay and federation management only and host no mailboxes, which reduces the on-premises operational burden. The architecture demonstrates practices for zero-downtime cloud migration, redundancy across geographic sites, and continued compatibility with legacy applications during Microsoft 365 adoption. Fork this diagram on Diagrams.so to customize the domain names, add sites, or model your own hybrid identity topology.