What It Is
Hybrid cloud infrastructure covers the work of making on-premises and cloud environments function as a coherent platform rather than two separate systems that happen to share an identity directory. The core components are hybrid identity, network connectivity, endpoint management, and server governance. Each area has its own decision points, and the decisions interact. An organization that gets hybrid identity wrong will have problems in endpoint management. An organization that handles device join policy incorrectly will have problems with conditional access. The architecture has to be thought through as a whole.
Why It Matters
Most organizations do not migrate everything to the cloud in a single project. They move workloads incrementally, and during that transition they operate in a hybrid state that may last years. The question is whether that hybrid state is architected deliberately or accumulated reactively. Organizations that plan the hybrid layer carefully end up with a clean migration path and a governed environment throughout the transition. Organizations that treat hybrid as a temporary problem to ignore end up with accumulated technical debt that makes every subsequent migration harder.
Architecture Scope
- Hybrid identity - Entra Connect Sync, Password Hash Sync vs Pass-Through Authentication decisions, ADFS to cloud auth migration, Seamless SSO
- Application access - Azure AD Application Proxy for publishing on-premises applications to cloud-authenticated users
- Device join strategy - Entra ID Join vs Hybrid Entra ID Join decisions based on job function and workload requirements
- Endpoint management transition - Group Policy to Intune migration, co-management configuration, policy parity analysis
- Network connectivity - Site-to-site VPN configuration, ExpressRoute provisioning, routing and DNS architecture across boundaries
- Server governance - Azure Arc onboarding for on-premises servers, policy enforcement, monitoring, and management from the Azure portal
In Practice
My on-premises foundation is 13 years at MetLife managing Windows server infrastructure at 64,000-user scale, including VMware ESX environments. The hybrid work at Latham Pool Products included Entra Connect Sync configuration, Azure Arc deployment across 40 on-premises servers, and device join strategy decisions based on job function. At NBT, ADFS-to-cloud authentication migrations were a recurring engagement across the client portfolio.
My background starts on-premises. Before cloud platforms existed in their current form, I spent 13 years managing Windows server infrastructure for 64,000 users at MetLife through Atos/Siemens. That foundation matters in hybrid work because understanding what on-premises infrastructure actually does, and what depends on it, is what separates a hybrid architecture that works from one that looks right on paper and breaks in production.
At NBT, hybrid infrastructure was a consistent part of the work across the client portfolio. Most clients were not starting from scratch in the cloud. They had existing Active Directory environments, on-premises servers, and a mix of legacy and modern applications. My job was to architect the connection layer between what they had and where they were going, while keeping both sides functional throughout the transition.
Device join strategy was one of the more nuanced decisions I worked through repeatedly. The default assumption that everything should be Hybrid Entra ID Joined is not always correct. I evaluated each client environment against job function criteria: users whose work was entirely cloud-based and who did not depend on on-premises resources were candidates for full Entra ID Join, which produces a cleaner Intune-managed state without the complexity of maintaining a hybrid join pipeline. For users with genuine dependencies on on-premises resources, Hybrid Entra ID Join was the right answer. Getting this distinction right reduces Intune policy conflicts and simplifies the eventual full migration.
Azure Arc was a significant part of my work at Latham Pool Products through cb20. I fully managed 40 on-premises servers through the Arc portal, applied Azure Policy to enforce configuration baselines, and used Arc as the unified management plane across both cloud and on-premises resources. That gave Latham consistent governance and monitoring across their entire environment without requiring those servers to move to the cloud. I began extending Arc usage at NBT as well, so the experience spans both a deep single-client deployment and the early stages of applying it at MSP scale.
- Entra ID Join vs Hybrid Join decisions - Evaluated client environments at NBT against job function criteria to determine which users and devices were candidates for full Entra ID Join versus Hybrid Entra ID Join. This reduced Intune policy complexity and produced cleaner managed device states for users without on-premises resource dependencies.
- Group Policy to Intune migration - Replaced Group Policy with Intune policy sets across NBT client environments, including policy parity analysis to confirm that configuration baselines were maintained during the transition. Co-management was used as the transition state where needed.
- Azure Arc server management at Latham Pool Products - Fully managed 40 on-premises servers through Azure Arc at Latham Pool Products, applying Azure Policy for configuration baseline enforcement and using the Arc portal as a unified management plane across cloud and on-premises infrastructure. Began extending Arc usage at NBT across the MSP client portfolio.
- Site-to-site VPN and ExpressRoute configuration - Configured site-to-site VPN connections between on-premises environments and Azure, and provisioned ExpressRoute circuits where clients required dedicated private connectivity. Designed routing and DNS architecture to support hybrid workloads across both connections.
- ADFS to cloud authentication migration - Migrated client environments from ADFS to cloud-managed authentication using Password Hash Sync with Seamless SSO. Evaluated PHS vs Pass-Through Authentication for each environment based on security requirements and operational overhead.
- Azure AD Application Proxy deployment - Published on-premises applications to cloud-authenticated users using Azure AD Application Proxy, eliminating the need for VPN access for specific application scenarios and extending Conditional Access policy enforcement to on-premises application access.
- MetLife Windows server infrastructure (Atos/Siemens) - Managed Windows server infrastructure supporting 64,000 users globally across 13 years. This on-premises foundation informs every hybrid architecture decision, particularly around what workloads can safely move and what dependencies require careful transition planning.
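The policy parity analysis referenced in the Group Policy to Intune item above, shown as an added example rather than the author's own tooling: it compares a GPO baseline export against an Intune policy-set export through an equivalence table and reports every setting that is mismatched, missing, or has no Intune mapping at all, so a security baseline cannot silently drop out during the migration. The setting names, the mapping table and the exported values are all constructed for the example and are not real CSP paths.

```python
# Constructed GPO baseline export: setting -> value as the GPO states it.
GPO_BASELINE = {
    "Firewall/DomainProfile": "Enabled",
    "BitLocker/OSDriveEncryption": "Enabled",
    "AccountLockout/Threshold": "10",
    "SMB/ServerSigningRequired": "Enabled",
    "LogonScript/MapLegacyDrives": "Enabled",
}
# Constructed Intune policy-set export; names are hypothetical, not real CSP paths.
INTUNE_POLICY = {
    "Firewall/DomainProfileEnabled": "true",
    "BitLocker/RequireOSDriveEncryption": "true",
    "DeviceLock/MaxFailedAttempts": "5",
}
# Hypothetical GPO -> Intune equivalence table, the core artifact of a parity analysis.
GPO_TO_INTUNE = {
    "Firewall/DomainProfile": "Firewall/DomainProfileEnabled",
    "BitLocker/OSDriveEncryption": "BitLocker/RequireOSDriveEncryption",
    "AccountLockout/Threshold": "DeviceLock/MaxFailedAttempts",
    "SMB/ServerSigningRequired": "SMB/RequireServerSigning",
}

def normalize(value):
    """Fold the different spellings of on/off so GPO and Intune values compare directly."""
    v = str(value).strip().lower()
    if v in ("enabled", "true", "1", "yes"):
        return "true"
    if v in ("disabled", "false", "0", "no"):
        return "false"
    return v

def check_parity(gpo, intune, mapping):
    """Classify every GPO setting against the Intune policy set; returns a dict of lists."""
    report = {"matched": [], "mismatched": [], "missing": [], "unmapped": []}
    for gpo_name, gpo_val in gpo.items():
        intune_name = mapping.get(gpo_name)
        if intune_name is None:           # no Intune equivalent decided yet: map it or retire it
            report["unmapped"].append(gpo_name)
        elif intune_name not in intune:   # mapped, but the Intune policy set does not carry it
            report["missing"].append((gpo_name, intune_name))
        elif normalize(gpo_val) != normalize(intune[intune_name]):
            report["mismatched"].append((gpo_name, intune_name, gpo_val, intune[intune_name]))
        else:
            report["matched"].append(gpo_name)
    return report

def gap_count(report):
    """Settings that must be resolved before the GPO can be retired."""
    return sum(len(report[k]) for k in ("mismatched", "missing", "unmapped"))
```

Run `check_parity(GPO_BASELINE, INTUNE_POLICY, GPO_TO_INTUNE)` and treat a non-zero `gap_count` as a blocker for unlinking the GPO; the lockout threshold mismatch and the missing SMB signing setting in the sample data are exactly the kind of silent baseline regression the analysis exists to catch.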