Leveraging on-premises resources

Now, in some application development scenarios, there may be a need to reach back into an organization's network to get data. There are many ways to accomplish this, such as exposing services, writing to queues (relaying), VPNs, or Azure ExpressRoute. Each choice has its pros and cons, but I recommend using a secure VPN/ExpressRoute. This, however, has one BIG stipulation: you need to use dynamic routing. If you use static routing, this is not supported. VPN solutions come with a premium cost but are worth it in my eyes, as they allow Azure resources to interact with on-premises resources, like the data on the internal network. But you should really understand your needs before venturing down this trail.

Most developers make the mistake of assuming that they need to move everything to Azure, when a hybrid solution may be more in line with their needs. This becomes apparent with larger enterprise-based systems that are not in Azure or are not good candidates for moving to Azure. But creating a secure way to access these resources is paramount. When considering how to build your hybrid solution, there are three security models you should consider:

  1. Synchronized: The simplest and quickest method; it may require the user to maintain two passwords unless you sync the hash of the user's password with an on-premises AD.
  2. Pass-through: A simple password validation against your on-premises AD; AAD passes the sign-in validation to the on-premises AD directly.
  3. Federated: An SSO solution that allows the user to authenticate to an Azure resource with on-premises credentials, using the ADFS infrastructure to achieve high availability and scale, which allows you to simplify management with the Azure portal.

Each of these options has its merits, so really consider how you want to approach this, and review the pros and cons of each before choosing a path.
