LDAP is the way to go; that is why it is called a lightweight directory: read fast, write slow. It is a subset of X.500. The University of Michigan has the best and brightest on this subject, as they contributed to the protocol. If I were to do any authentication and authorization in the corporate world, I would never use crap like AD. And yes, I would separate the trees from corporate to cloud and work with schemas and pipelines to make sure that offboarding, onboarding, and syncing OUs and so forth is done correctly and easily...