Azure Active Directory (Azure AD) Pass-Through Authentication is now in preview and makes providing Single Sign-On (SSO) capabilities in the cloud super easy. It also keeps passwords on-premises without having to deploy Active Directory Federation Services (ADFS).
Organizations that want to use Azure AD to manage access to cloud apps, but also want to centralize account management in on-premises Active Directory (AD), currently have several options. Only ADFS provides true SSO capabilities and the security that organizations demand. This is changing with a new lightweight solution built into Azure Active Directory Connect (Azure AD Connect).
Azure Active Directory Cloud — Synchronized and Federated Identities
Before describing the new features in Azure AD Connect, it is worth understanding the existing types of Azure AD identities and the different authentication features provided by each one.
Cloud-only identities are useful when there is no on-premises Windows Server Active Directory (WSAD), but they require usernames and passwords to be managed separately, which increases administration costs. Azure AD Connect can be used to create synchronized identities in Azure AD from on-premises AD accounts, but this does not provide real SSO: users must provide their credentials again after signing into Windows in order to access cloud services.
ADFS provides federated identities with true SSO and it is compatible with multifactor authentication. Password hashes are never synchronized to the cloud. Other AD features, such as account login restrictions, also work with Azure AD. ADFS is complicated to set up and most organizations will require a high-availability on-premises infrastructure.
Active Directory Connect Pass-Through Authentication
Recently added to Azure AD Connect, Pass-Through Authentication provides many of the benefits of ADFS, but without the hefty on-premises infrastructure and management requirements. Pass-Through Authentication uses a lightweight connector or authentication agent. It is installed on-premises and allows Azure AD to validate AD usernames and passwords. Passwords are never stored in Azure AD.
The connector can be deployed on one or more on-premises servers, including on AD domain controllers. It uses secure outbound communications, so it does not need to be placed in a DMZ. If you install two or more connectors, they automatically load balance with each other. You do not need to worry about providing additional high-availability infrastructure. Finally, the connector integrates with self-service password reset (SSPR). If a user resets their password via Azure AD, the updated password is synchronized back to on-premises AD without ever being stored in the cloud.
Seamless Single Sign-On
Azure AD Connect also includes a new capability, Seamless SSO. It allows synchronized identities to sign in to the tenant's Office 365 resources without re-entering domain credentials when they are logged into Windows from a domain-joined device. And unlike Azure AD Connect Pass-Through Authentication, Seamless SSO does not require any additional on-premises infrastructure to work.
In this article, I outlined two new features of Azure AD Connect, Seamless SSO and Pass-Through Authentication.