You are designing an identity solution for a multinational organization with on-premises Active Directory and cloud applications. Users need single sign-on across hybrid environments while maintaining security posture. Which authentication architecture should you implement?
- Azure AD B2C with federated identities
- Local Active Directory with cloud connectors
- Azure AD with password hash synchronization only
- Azure AD Connect with pass-through authentication and seamless SSO ✓
Correct answer: Azure AD Connect with pass-through authentication and seamless SSO
Option D is correct because Azure AD Connect with pass-through authentication (PTA) validates each sign-in against on-premises Active Directory in real time through lightweight authentication agents, so no copy of the user's password hash has to be stored in Azure AD, while seamless SSO uses a Kerberos ticket issued for the AZUREADSSOACC computer account that Azure AD Connect creates in the forest to sign users into cloud apps silently from domain-joined machines. Together they satisfy both the hybrid SSO and the security-posture requirement. Two operational caveats a practitioner should plan for: Microsoft recommends also enabling password hash synchronization alongside PTA, as a fallback if the agents are unavailable and to enable leaked-credential detection in Azure AD Identity Protection, and the AZUREADSSOACC Kerberos decryption key must be rolled over at least every 30 days, because it is the secret Azure AD trusts when validating those tickets. Option A is wrong because Azure AD B2C is a customer identity service for consumer-facing applications; it does not synchronize or authenticate an organization's on-premises workforce accounts (external partner access is the separate Azure AD B2B collaboration feature). Option B is wrong because keeping authentication solely in on-premises Active Directory behind connectors does not give cloud applications a native Azure AD identity, so Azure AD Conditional Access, MFA and Identity Protection cannot be applied to those sign-ins, which a modern security posture requires. Option C is wrong because password hash synchronization (PHS) alone copies a salted, re-hashed form of each password hash to Azure AD and authenticates against that copy, so an on-premises change such as disabling an account is only honored after the next synchronization cycle (30 minutes by default) and on-premises lockout, logon-hour and password-expiry policies are not enforced at cloud sign-in; PTA consults a domain controller at the moment of sign-in, so those controls apply immediately.
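The checks a practitioner would run after deploying this architecture, as an added example that is not part of the original quiz page: it verifies the AZUREADSSOACC account that seamless SSO depends on, checks how old its Kerberos decryption key is against the 30-day rollover recommendation, queries the tenant-side status with the AzureADSSO module that ships with Azure AD Connect, and rolls the key over if it is overdue. Run it on the Azure AD Connect server with the RSAT ActiveDirectory module installed; the module path is the default installation path, and the 30-day threshold and the autologon SPN pattern are taken from Microsoft's seamless SSO documentation. The cloud-only Global Administrator prompt and the domain-admin credential prompt are interactive, so this is an operator script, not an unattended job.

```powershell
# Added example (not from the original page): post-deployment checks for
# Azure AD Connect pass-through authentication + seamless SSO.
# Assumptions: run on the Azure AD Connect server as a domain admin, RSAT
# ActiveDirectory module present, Azure AD Connect installed in the default path.
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

# Microsoft recommends rolling over the seamless SSO Kerberos decryption key
# at least every 30 days. The key is the password of the AZUREADSSOACC account.
$MaxKeyAgeDays = 30

function Get-SeamlessSsoAccountReport {
    param([int]$MaxAgeDays = $MaxKeyAgeDays)

    # Seamless SSO relies on this computer account in each on-prem forest.
    # Azure AD holds its Kerberos key, so treat it as a Tier 0 secret.
    $sso = Get-ADComputer -Identity 'AZUREADSSOACC' `
        -Properties PasswordLastSet, ServicePrincipalName, Enabled
    $keyAge = (Get-Date) - $sso.PasswordLastSet

    # The account should carry the SPN for the autologon endpoint used during sign-in.
    $hasSpn = @($sso.ServicePrincipalName |
        Where-Object { $_ -like '*autologon.microsoftazuread-sso.com*' }).Count -gt 0

    [pscustomobject]@{
        Account         = $sso.SamAccountName
        Enabled         = $sso.Enabled
        HasAutologonSpn = $hasSpn
        KeyAgeDays      = [int]$keyAge.TotalDays
        KeyRolloverDue  = $keyAge.TotalDays -gt $MaxAgeDays
    }
}

$report = Get-SeamlessSsoAccountReport
$report | Format-List

# Tenant-side view: is the feature enabled, and which forests are registered?
# New-AzureADSSOAuthenticationContext prompts for a Global Administrator;
# use a cloud-only account so the check does not depend on the thing it tests.
New-AzureADSSOAuthenticationContext
Get-AzureADSSOStatus | ConvertFrom-Json

# Roll the key over when overdue. Update-AzureADSSOForest resets the
# AZUREADSSOACC password on-prem and pushes the new key to Azure AD in one step.
if ($report.KeyRolloverDue) {
    Write-Warning "Seamless SSO key is $($report.KeyAgeDays) days old; rolling over."
    $creds = Get-Credential -Message 'On-premises Domain Administrator (DOMAIN\user)'
    Update-AzureADSSOForest -OnPremCredentials $creds
}
```

A complementary client-side check on any domain-joined workstation is `klist get HTTP/autologon.microsoftazuread-sso.com`: if the client cannot obtain a ticket for that SPN, seamless SSO will silently fall back to an interactive password prompt even though the tenant-side status reports the feature as enabled.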
Topic: azure ad connect, pass-through authentication, seamless sso, hybrid identity