Directory and password synchronization

This is the most common scenario in organizations, because many of them began their identity management journey with AD installed on on-premises servers as their identity management system.

This authentication scenario leverages your existing identity management architecture by expanding your on-premises AD and synchronizing your users and groups to Azure AD using a tool called Azure AD Connect. This tool is responsible for synchronizing the AD objects to the cloud, namely, users, security groups, distribution groups, and contacts.

It is also possible to synchronize the password hash to Azure AD, which gives users the experience of signing in with their User Principal Name (UPN), usually their email address, and the same password they use in the on-premises AD.

In AD environments, the key features for this scenario are:

  • Best experience in most contexts
  • Support for Exchange coexistence scenarios
  • Coupled with Active Directory Federation Services (AD FS), it provides the best option for federation and synchronization of identities
  • Supports password synchronization at no additional cost
  • Does not require any additional software licenses

The following figure summarizes the architecture for an environment where the source identity is managed on-premises and then synchronized to Azure AD:

Some facts about synchronization are as follows:

  • Any existing user, group, or contact object that is deleted from on-premises is deleted from Office 365.
  • Existing user objects that are disabled on-premises are disabled in Office 365.
  • However, licenses are not automatically unassigned. It is possible to use a feature called license management using groups, which requires an additional license, Enterprise Mobility Suite (EMS) E3 or E5. You can read more about this process at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal.
  • Objects are recoverable within 30 days of deletion.
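Two follow-up checks that the facts above call for, written here as an added example rather than code from the book: synchronized accounts that are disabled but still licensed, and deleted users with the days left in the 30-day recovery window. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the User.Read.All and Directory.Read.All permissions on a hypothetical tenant.

```powershell
# Added example (not from the book). Read-only governance checks on a hypothetical tenant;
# assumes the Microsoft Graph PowerShell SDK and User.Read.All / Directory.Read.All.
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All" -NoWelcome

# 1. Accounts disabled on-premises are disabled in the cloud, but their licenses stay
#    assigned. Find synchronized, disabled users that still hold at least one license.
$staleLicensed = Get-MgUser -All `
    -Filter "onPremisesSyncEnabled eq true and accountEnabled eq false" `
    -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 }

$staleLicensed |
    Select-Object UserPrincipalName,
        @{ Name = 'LicenseCount'; Expression = { $_.AssignedLicenses.Count } } |
    Format-Table -AutoSize

# 2. Deleted users are recoverable for 30 days. List them with the days remaining before
#    the object is purged, so a mistaken on-premises deletion can be restored in time.
$now = Get-Date
Get-MgDirectoryDeletedItemAsUser -All |
    Select-Object UserPrincipalName, DeletedDateTime,
        @{ Name = 'DaysLeft'; Expression = {
            [math]::Max(0, 30 - [int]($now - $_.DeletedDateTime).TotalDays) } } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

A listed deleted object can be brought back with Restore-MgDirectoryDeletedItem and its object ID while it is still inside the window.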