The company has decided to have a single identity management solution based on the technology, they already run on both public clouds, which is Azure Active Directory:

As you can see in the preceding diagram, each cloud service (either public or hybrid, using Azure Stack or a similar service) is using Azure AD as a single IDM solution.

Based on their security policies, the company has decided to go with Azure AD Connect, using pass through authentication (PTA):

The PTA agent is monitoring the IDM queues in the cloud and authenticating the requests locallys transferring back the authentication token.

As Azure AD works with AWS, too, there is single identity management solution in place, as follows:

For their on-premises cloud environment, the company has decided to go with Azure Stack in a connected mode, in order to leverage Azure AD, too. The design is illustrated in the following diagram:

As you can see in the preceding diagram, Azure Stack and Azure behave the same way technologically, and can therefore be integrated into the express route configuration as another Azure cloud.