Monday, December 14, 2020

Identity provider

There are two identity provider models:

1) Synchronized identity: User management occurs on-premises. Azure AD authenticates employees using their on-premises passwords (via password hash synchronization).

Azure AD Domain Services for hybrid organization

Organizations with a hybrid IT infrastructure consume a mix of cloud resources and on-premises resources. Such organizations synchronize identity information from their on-premises directory to their Azure AD tenant. As hybrid organizations look to migrate more of their on-premises applications to the cloud, especially legacy directory-aware applications, Azure AD Domain Services can be useful to them.

Example: Kitware Corporation has deployed Azure AD Connect to synchronize identity information from its on-premises directory to its Azure AD tenant. The synchronized identity information includes user accounts, their credential hashes for authentication (password hash sync) and group memberships.

User accounts, group memberships and credentials from Kitware's on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships and credentials are then automatically available within the Azure AD Domain Services managed domain.


2) Federated identity: User management occurs on-premises. The on-premises domain controller authenticates employee credentials.

You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises.
