Skill 4.1: Prepare on-premises Active Directory for Azure AD Connect

  • 11/7/2017

Azure AD Connect Sign-on options

Azure AD Connect supports a variety of sign in options. You configure which one you want to use when setting up Azure AD Connect as shown in Figure 4-12. The default method, Password Synchronization, is appropriate for the majority of organizations who will use Azure AD Connect to synchronize identities to the cloud.


FIGURE 4-12 User sign-in

Password synchronization

Hashes of on-premises Active Directory user passwords synchronize to Azure AD and changed password synchronize to Azure AD immediately. Actual passwords are never sent to Azure AD and are not stored in Azure AD. Allows for single sign-on for users of computers that are joined to an Active Directory domain that synchronizes to Azure AD. Password synchronization also allows you to enable password write-back for self-service password reset functionality through Azure AD.

Pass-through authentication

When authenticating to Azure AD, the user’s password is validated against an on-premises Active Directory domain controller. Passwords and password hashes are not present in Azure AD. Pass-through authentication allows for on-premises password policies to apply. Pass-though authentication requires that Azure AD Connect have an agent on a computer joined to the domain that hosts the Active Directory instance that contains the relevant user accounts. Pass-through authentication also allows single sign-on for users of domain joined machines.

With pass-through authentication, the user’s password is validated against the on-premises Active Directory controller. The password doesn’t need to be present in Azure AD in any form. This allows for on-premises policies, such as sign-in hour restrictions, to be evaluated during authentication to cloud services.

Pass-through authentication uses a simple agent on a Windows Server 2012 R2 domain-joined machine in the on-premises environment. This agent listens for password validation requests. It doesn’t require any inbound ports to be open to the Internet.

In addition, you can also enable single sign-on for users on domain-joined machines that are on the corporate network. With single sign-on, enabled users only need to enter a username to help them securely access cloud resources.

Active Directory Federation

This allows users to authenticate to Azure AD resources using on-premises credentials. It also requires the deployment of an Active Directory Federation Services infrastructure. You will learn more about this in Chapter 5, “Implement and manage federated identities for single sign on.”