Field Guide

Stabilize hybrid sign-in by validating PHS, PTA agents, federation paths, and sync assumptions.

Use this guide when cloud sign-in reliability depends on on-prem connectivity, connectors, agents, or certificate paths that were never meant to be invisible during outages.

Hybrid sign-in choices change outage behavior more than most teams expect.

Password hash sync (PHS), pass-through authentication (PTA), and federation do not fail the same way. Stabilizing sign-in requires knowing which components remain mandatory during on-prem disruption and which model actually fits the organization’s reliability needs.

Map the active auth path before changing anything.

  • Identify whether the tenant relies on PHS, PTA, federation, or a combination with fallback behavior.
  • Check sync health, connector state, and whether user objects are current in cloud identity.
  • Verify PTA agent health and network reachability if live on-prem validation is still required.
  • Review federation certificates, endpoints, and dependency on on-prem infrastructure.
  • Determine which auth path should survive an on-prem outage by design.
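
One way to run the sync, domain and federation-certificate checks from the list above with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original guide; the two threshold values and the delegated scopes chosen are assumptions.

```powershell
# Added example: read-only inventory of the tenant's sign-in path.
# Needs the Microsoft.Graph PowerShell SDK. Both thresholds are assumptions.
$StaleAfterHours = 3     # assumed tolerance for directory sync age
$CertWarnDays    = 30    # assumed warning window for federation signing certs

Connect-MgGraph -Scopes 'Domain.Read.All', 'Organization.Read.All'

# 1. Sync health: is directory sync enabled, and how old is the last sync?
$org = Get-MgOrganization | Select-Object -First 1
$syncAge = $null
if ($org.OnPremisesLastSyncDateTime) {
    $syncAge = [datetime]::UtcNow - $org.OnPremisesLastSyncDateTime.ToUniversalTime()
}
[pscustomobject]@{
    Check       = 'Directory sync'
    Enabled     = [bool]$org.OnPremisesSyncEnabled
    LastSyncUtc = $org.OnPremisesLastSyncDateTime
    Stale       = ($null -eq $syncAge) -or ($syncAge.TotalHours -gt $StaleAfterHours)
}

# 2. Auth path per verified domain. 'Federated' means sign-in depends on the
#    federation service; 'Managed' means PHS or PTA (not distinguishable here).
foreach ($domain in (Get-MgDomain | Where-Object IsVerified)) {
    $row = [ordered]@{
        Domain              = $domain.Id
        AuthenticationType  = $domain.AuthenticationType
        IssuerUri           = $null
        PassiveSignInUri    = $null
        SigningCertNotAfter = $null
        CertExpiringSoon    = $null
    }
    if ($domain.AuthenticationType -eq 'Federated') {
        $fed = Get-MgDomainFederationConfiguration -DomainId $domain.Id |
            Select-Object -First 1
        $row.IssuerUri        = $fed.IssuerUri
        $row.PassiveSignInUri = $fed.PassiveSignInUri
        if ($fed.SigningCertificate) {
            # SigningCertificate is the base64-encoded token-signing certificate
            $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
            $row.SigningCertNotAfter = $cert.NotAfter
            $row.CertExpiringSoon    = $cert.NotAfter -lt (Get-Date).AddDays($CertWarnDays)
        }
    }
    [pscustomobject]$row
}
```

The script does not tell PHS from PTA on managed domains and does not report PTA agent health or network reachability, so those items from the list still need their own check.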

Stabilize first, optimize second.

  • Restore the auth path with the fewest external dependencies first.
  • Confirm successful sign-in for pilot users across internal and external paths.
  • Validate sync freshness and user impact after connector or network recovery.
  • Document whether the current auth model matches business outage expectations.
  • If it does not, use the incident as justification for a more resilient identity model.