    Azure Active Directory Connect Makes Cloud Single Sign-On Easy

    Posted on by Russell Smith in Active Directory, Cloud Computing, and Security

    Azure Active Directory (Azure AD) Pass-Through Authentication is now in preview and makes providing Single Sign-On (SSO) capabilities in the cloud super easy. It also keeps passwords on-premises without having to deploy Active Directory Federation Services (ADFS).


    Organizations that want to use Azure AD to manage access to cloud apps, but also want to centralize account management in on-premises Active Directory (AD), currently have several options. Only ADFS provides true SSO capabilities and the security that organizations demand. This is changing with a new lightweight solution built into Azure Active Directory Connect (Azure AD Connect).

    Azure Active Directory Cloud — Synchronized and Federated Identities

    Before describing the new features in Azure AD Connect, it is worth understanding the existing types of Azure AD identities and the different authentication features provided by each one.

    Cloud-only identities are useful when there is no on-premises Windows Server Active Directory (WSAD), but usernames and passwords then have to be managed separately, which increases administration costs. Azure AD Connect can instead create synchronized identities in Azure AD from on-premises AD accounts. This does not provide real SSO, however: after signing into Windows, users must enter their credentials again to access cloud services.

    ADFS provides federated identities with true SSO, and it is compatible with multifactor authentication. Password hashes are never synchronized to the cloud, and other AD features, such as account login restrictions, also apply to Azure AD sign-ins. The drawback is that ADFS is complicated to set up, and most organizations will need a highly available on-premises infrastructure to run it.

    Active Directory Connect Pass-Through Authentication

    Recently added to Azure AD Connect, Pass-Through Authentication provides many of the benefits of ADFS without the hefty on-premises infrastructure and management requirements. It uses a lightweight connector, the authentication agent, which is installed on-premises and validates AD usernames and passwords on behalf of Azure AD. Passwords are never stored in Azure AD.

    Azure AD Connect pass-through authentication and seamless sign-on (Image Credit: Microsoft)

    The connector can be deployed on one or more on-premises servers, including on AD domain controllers. It uses secure outbound communications only, so it does not need to be placed in a DMZ. If you install two or more connectors, they automatically load balance with each other, so you do not need to provide additional high-availability infrastructure. Finally, the connector integrates with self-service password reset (SSPR): if a user resets their password via Azure AD, the updated password is written back to on-premises AD without ever being stored in the cloud.

    Seamless Single Sign-On

    Azure AD Connect also includes a new capability, Seamless Single Sign-On (Seamless SSO). It allows synchronized identities to access tenant Office 365 resources without entering domain credentials again when the user is logged into Windows on a domain-joined device. And unlike Pass-Through Authentication, Seamless SSO does not require any additional infrastructure to work.
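The two sections above describe the pieces an administrator ends up responsible for: an on-premises authentication agent that only needs outbound connectivity, and a Seamless SSO configuration that lives in the tenant. The following PowerShell script is an added example, not code from the article or from Microsoft, showing the checks a defender would run on a server hosting the agent. The service name `AzureADConnectAuthenticationAgent`, the endpoint hostnames, the default path of the `AzureADSSO` module and the `AzureADSSO` cmdlets are assumptions drawn from Microsoft's public documentation at the time of writing rather than from the article; confirm them against current documentation before relying on them.

```powershell
# Added example (not from the article). Health checks for a Pass-Through
# Authentication agent host plus a Seamless SSO status query.
# ASSUMPTIONS (not stated on the page): service name, endpoint hostnames,
# and the AzureADSSO module path and cmdlet names.

#Requires -RunAsAdministrator

# 1. Is the Pass-Through Authentication agent service present and running?
#    Assumed service name: AzureADConnectAuthenticationAgent
$agent = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
if ($null -eq $agent) {
    Write-Warning 'Pass-Through Authentication agent service not found on this host.'
}
elseif ($agent.Status -ne 'Running') {
    Write-Warning "Agent service is installed but its state is '$($agent.Status)'."
}
else {
    Write-Host 'Agent service is running.'
}

# 2. The agent only makes outbound HTTPS connections, which is why it can sit
#    on an internal server (even a domain controller) instead of a DMZ.
#    Verify the outbound path is open. Assumed endpoints; the agent also
#    needs wildcard Microsoft endpoints that cannot be tested by a single name.
$endpoints = @('login.microsoftonline.com', 'login.windows.net')
foreach ($ep in $endpoints) {
    $result = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        Write-Host "Outbound TCP 443 to $ep OK"
    }
    else {
        Write-Warning "Outbound TCP 443 to $ep blocked; the agent cannot reach Azure AD"
    }
}

# 3. Seamless SSO status for the tenant. The AzureADSSO module ships with
#    Azure AD Connect (assumed default install path). The authentication
#    context cmdlet prompts for a tenant global administrator credential.
$ssoModule = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
if (Test-Path $ssoModule) {
    Import-Module $ssoModule
    New-AzureADSSOAuthenticationContext
    # Get-AzureADSSOStatus returns JSON; convert it for readable output.
    Get-AzureADSSOStatus | ConvertFrom-Json
}
else {
    Write-Warning "AzureADSSO module not found at $ssoModule (run this on the Azure AD Connect server)."
}
```

Run the script on the Azure AD Connect server or on any server where the authentication agent was installed. Steps 1 and 2 require only local administrator rights; step 3 needs tenant administrator credentials, which is why it is kept last and skipped when the module is absent.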

    In this article, I outlined two new features of Azure AD Connect, Seamless SSO and Pass-Through Authentication.
