# Architecture * FSProtect works completely on-premise. * FSProtect is installed only one Microsoft Windows server, it doesn't require any agent deployment to servers, clients or domain controllers. * FSProtect works with unprivileged user to scan entire Active Directory. * In **hybrid environments**, identities are synchronized from **on-premise Active Directory to Microsoft Entra ID (Azure)**. * Azure/Entra ID integration is **optional** and does not require direct scanning or agent deployment in the cloud.