Administrators may confuse the difference between Azure AD federation and Active Directory account synchronization,...
but not knowing the difference can result in wasted efforts.
As organizations move more services into the Microsoft Azure public cloud, users can benefit from single sign-on (SSO) authentication. Without SSO, users must juggle multiple credential sets to connect to different SaaS apps, such as Office 365.
Users might find it easier to create insecure -- but easy to remember -- passwords. With SSO, the user only signs in once and lets Active Directory (AD) handle the other authentication work. The convenience of a strong single credential set, namely AD domain credentials, used in SSO can help administrators boost security across the enterprise.
Azure AD Connect unlocks single sign-on functionality
Administrators will use the Azure AD Connect utility to extend on-premises Active Directory Domain Services (AD DS) into the Azure AD tenant in Microsoft's cloud. The tool can be run multiple times as needs change.
Azure AD Connect offers several methods to support SSO for hybrid cloud identity.
- Password hash synchronization: The simplest approach and the most popular for small-to-medium sized businesses.
- Pass-through authentication: A newer authentication method. User passwords never leave the local network boundary.
- Federation with AD FS: Federated identity using AD Federation Services (AD FS).
With either password hash synchronization or pass-through authentication, administrators can use Azure AD Seamless SSO, in which Azure AD Connect passes Kerberos authentication tickets between on-premises AD and Azure AD.
This tutorial explains password hash synchronization and AD FS methods.
Password hash synchronization uses password write-back
The password hash synchronization method uses Azure AD Connect to create new Azure AD user accounts that share a password hash with their on-premises counterparts. Users can sign into Azure AD-backed applications with their existing Active Directory credentials.
The Express Settings option in the Azure AD Connect wizard eases the configuration of password hash synchronization as the directory connect method. Administrators who want more granular control should choose a custom setup.
The figure below shows how to select certain AD DS organizational units and containers for account replication. This practice prevents security blunders, such as synchronizing AD DS service accounts into the Azure AD tenant.
Configuration caveats for administrators
Administrators have two important things to consider when setting up SSO with password hash synchronization:
- It requires binding a custom domain name system domain to the Azure AD tenant.
- It might require adding a new user principal name suffix to the domain and attaching the suffix to synchronized user accounts.
How Azure AD federation works
AD FS can overwhelm administrators due to complications associated with its deployment and administration.
The basic function of AD FS is to use tokens from Security Assertion Markup Language or OpenID to represent AD DS user identities. The Azure AD tenant -- alternatively known as the relying party -- trusts the tokens it receives from the on-premises security token service identity provider, namely the AD FS and AD DS infrastructure, and performs no additional authentication.
With Azure AD federation, the application side performs no authentication. The user goes to the cloud-based web application that uses Azure AD authentication and Azure AD redirects the authentication request to the on-premises AD FS farm. The user enters AD DS credentials at the AD FS logon dialog. If AD FS and AD DS verify the validity of the user and password, then AD FS creates an authentication token for the user and presents it to Azure AD. Azure AD trusts the token and grants the user access to the web application.
Azure AD Connect can orchestrate most of the setup if it is used with domain administrator credentials.
The password hash synchronization goes one way, from on-premises AD DS to cloud-based Azure AD, unless the organization uses a premium version of Azure AD for the password write-back feature. This allows users to change their password from the Azure AD-backed application, which Azure AD Connect replicates to the source of authority, the on-premises AD DS domain.
Password hash authentication invites some risk, as the password hashes transfer back and forth between on-premises and the Azure cloud. To mitigate potential security problems, administrators can create a virtual private network or ExpressRoute connection to Azure or implement the pass-through authentication method.
An organization that doesn't have the resources or the need for token-based identity federation should consider password hash synchronization between AD DS and Azure AD. If your business and application requirements mandate true SSO, then deploy AD FS with Azure AD Connect.
There is another option. The Azure AD library offers turnkey SSO integrations with thousands of popular SaaS apps, such as Salesforce, Concur, Google G Suite and Dropbox. With these enterprise app integrations, Azure AD abstracts all the token passing. For instance, administrators can configure password hash synchronization from on-premises AD DS to Azure AD and then do true federated SSO between Azure AD and the partner SaaS apps.