Azure AD Hybrid Identity

 


Azure AD Connect

It can integrate your on-premises directories with Azure Active Directory. Azure AD Connect provides the following features:

  • Password Hash Synchronization- It is a sign-in method that synchronizes a hash of the users on-premises AD password with Azure AD.

  • Pass-through Authentication- This sign-in method allows users to use the same password on-premises and in the cloud, but it doesn't require the additional infrastructure of a federated environment.

  • Federation integration- Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure.

  • Synchronization- It is responsible for creating users, group, and other objects as well as making sure that identity information for your on-premises users and groups is matching the cloud while including password hashes.

  • Health Monitoring- It can provide robust monitoring and a central location in the Azure portal to view this activity. 

When you integrate your on-premises directories with Azure AD, your users are more productive because there is a common identity to access both cloud and on-premises resources. With the help of Azure AD Connect the key data you need is easily accessible and you can view and act on alerts, setup email notifications for critical alerts, and view performance data.

Authentication Options

You can choose cloud authentication with Azure AD password hash synchronization and Azure AD Pass-through Authentication or federated authentication in which Azure AD hands off the authentication process to a separate trusted authentication system to validate the user's password.

Choosing an Azure AD Authentication method is an important task as it is one of the first important decisions when moving to the cloud as it will be the foundation of your cloud environment and it will be difficult to change it at a later date.

Password Hash Synchronization

Password Hash Synchronization or PHS is a feature used to synchronize user passwords from an on-premises Active Directory instance to a cloud-based Azure AD instance. You can sign-in to your selected service by using the same password you always use to sign-in to your on-premises Active Directory instance. PHS helps you to improve the productivity of your users as well as reduce your helpdesk costs.

How does this work?

When a user signs-in to an Azure service, the sign-in challenge dialog box generates a hash of the user's password and passes that hash back to Azure; which in turn compares the hash with the one in that user's account. If the two hashes match, then the two passwords also match and the user receives access to the resource. The dialog box also provides the facility to save the credentials so that whenever the user accesses the Azure resource the next time, he/she will not be prompted.

This solution offers a simple alternative to an AD FS implementation.

Pass-through Authentication (PTA)

PTA is an alternative to Azure AD PHS and the same benefit of cloud authentication to organizations.

Feature Benefits

  • It supports user sign-in into all web browser-based applications and  Microsoft Office client applications that use modern authentication.
  • Sign-in user names can be either the on-premises default username or another attribute configured in Azure AD Connect.
  • It works seamlessly with conditional access features such as Multi-Factor Authentication to help secure your users.
  • It is integrated with cloud-based self-service password management, including password writeback to on-premises AD and password protection by banning commonly used passwords.
  • Multi-forest environments are supported if there are forest trust between your AD forests and name suffix routing is also correctly configured.
  • PTA is a free feature, and you don't need any paid editions of Azure AD to use it.
  • PTA can be enabled via Azure AD Connect.
  • PTA uses a lightweight on-premises agent that listens for and respond to password validation requests.
  • Installing multiple agents provides high availability of sign-in requests.
  • PTA protects your on-premises accounts against brute force password attack in the cloud.      

This feature can be configured without using a federation service so that any organization, regardless of size, can implement a hybrid identity solution.

Federation with Azure AD

Federation is a collection domains that have established trust. A typical federation might include a number of organizations that have established trust for shared access to a set of resources. You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This method allows administrators to implement more rigorous levels of access control.

Password Writeback

Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time. It offers following services:

  • Enforcement of on-premises AD domain services password policies- when the users resets their password it is checked to ensure that it meets your on-premises AD Domain Services policies before committing it to the directory.

  • Zero-delay feedback- Password Writeback is a synchronous operation and your users are notified immediately if their password do not meet the policy or could not be reset or changed for any reason.

  • Supports password changes from the access panel and Microsoft 365- When the federated or password hash synchronized users come to change their expired or non-expired passwords, those passwords are written back to your local AD Domain Services environment.

  • Supports password writeback when an admin resets them from the Azure portal- Whenever an admin resets a user's password in the Azure portal, and that user is federated or password hash synchronized, the password is written back to on-premises.

  • Doesn't require any inbound firewall rules- Password writeback uses an Azure Service Bus relay as an underlying communication channel. All communication is outbound over port 443. 

Azure active Directory external Identities Decision Tree

Different types of azure AD that allows you to work with "external identities" are:

  • Azure AD or Azure AD B2E (Business to Enterprise)- while writing applications for Azure AD, you can target users of a single organization or any other organization that already has an Azure AD tenant.

  • Azure AD B2B (Business to Business)- In this one, you can invite external users into your own tenant as "guest" users then you can assign permissions for authorization while still allowing them to keep using their existing credentials inside their own organization.

  • Azure AD B2C (Business to Consumer, Customer, or Citizen)- This is a separate directory service which enables you to customize and control how customers can signup, sign-in, and manage their profiles while using your applications.

To choose the appropriate Azure AD flavor project, there are a number of decision factors that come into play.


















Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)