Azure Active Directory Connect Makes Cloud Single Sign-On Easy

Azure Active Directory (Azure AD) Pass-Through Authentication is now in preview and makes providing Single Sign-On (SSO) capabilities in the cloud super easy. It also keeps passwords on-premises without having to deploy Active Directory Federation Services (ADFS).


Organizations that want to use Azure AD to manage access to cloud apps, but also want to centralize account management in on-premises Active Directory (AD), currently have several options. Only ADFS provides true SSO capabilities and the security that organizations demand. This is changing with a new lightweight solution built into Azure Active Directory Connect (Azure AD Connect).

Azure Active Directory Cloud — Synchronized and Federated Identities

Before describing the new features in Azure AD Connect, it is worth understanding the existing types of Azure AD identities and the different authentication features provided by each one.

Cloud-only identities are useful when there is no on-premises Windows Server Active Directory (WSAD), but their usernames and passwords must be managed separately, which increases administration costs. Azure AD Connect can be used to create synchronized identities in Azure AD from on-premises AD accounts. This does not provide real SSO capability: users must provide their credentials again after signing into Windows in order to access cloud services.

ADFS provides federated identities with true SSO and is compatible with multifactor authentication. Password hashes are never synchronized to the cloud. Other AD features, such as account logon restrictions, also work with Azure AD. However, ADFS is complicated to set up, and most organizations will require a high-availability on-premises infrastructure to run it.

Active Directory Connect Pass-Through Authentication

Recently added to Azure AD Connect, Pass-Through Authentication provides many of the benefits of ADFS, but without the hefty on-premises infrastructure and management requirements. Pass-Through Authentication uses a lightweight connector, or authentication agent, that is installed on-premises and allows Azure AD to validate usernames and passwords against on-premises AD. Passwords are never stored in Azure AD.

Azure AD Connect pass-through authentication and seamless sign-on (Image Credit: Microsoft)

The connector can be deployed on one or more on-premises servers, including on AD domain controllers. It uses secure outbound communications, so it does not need to be placed in a DMZ. If you install two or more connectors, they automatically load balance with each other. You do not need to worry about providing additional high-availability infrastructure. Finally, the connector integrates with self-service password reset (SSPR). If a user resets their password via Azure AD, the updated password is synchronized back to on-premises AD without ever being stored in the cloud.

Seamless Single Sign-On

Azure AD Connect also includes a new capability, Seamless SSO. It allows synchronized identities to sign in to the tenant's Office 365 resources without entering domain credentials again, provided the user is logged into Windows on a domain-joined device. Unlike Pass-Through Authentication, Seamless SSO does not require any additional infrastructure to work.
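The post-deployment checks an administrator would run for both features, as an added PowerShell example that is not from the article or from Microsoft's documentation. It covers the Pass-Through Authentication connector described above (service running, outbound-only connections, more than one agent for redundancy) and Seamless SSO (which forests have it enabled, and the age of the Kerberos key it relies on). It assumes an elevated Windows PowerShell session on a domain controller that hosts a Pass-Through Authentication agent, the RSAT Active Directory module, the default Azure AD Connect install path, and that the agents were installed on domain controllers; the service display name, module path, cmdlet names and the AZUREADSSOACC account are the ones Microsoft ships, everything else is an assumption.

```powershell
# Added example, not from the article: post-deployment checks for
# Pass-Through Authentication (PTA) and Seamless SSO, run from an elevated
# Windows PowerShell session on a domain controller hosting the PTA agent.

# --- Pass-Through Authentication agent -------------------------------------
# The agent is a Windows service; it must be running for Azure AD to validate
# passwords against on-premises AD.
$agent = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Authentication Agent%'"
if (-not $agent) { throw "No Pass-Through Authentication agent service found on this host" }
$agent | Select-Object DisplayName, State, StartMode, ProcessId

# The agent only ever dials *out* to Azure over HTTPS, which is why it needs
# no DMZ placement and no inbound firewall rules. Established connections
# owned by the agent process should all be outbound to port 443, and the
# agent should not be listening on any port.
Get-NetTCPConnection -OwningProcess $agent.ProcessId -State Established |
    Select-Object LocalAddress, RemoteAddress, RemotePort
$listening = Get-NetTCPConnection -OwningProcess $agent.ProcessId -State Listen -ErrorAction SilentlyContinue
if ($listening) { Write-Warning "Agent has listening sockets; review the outbound-only assumption" }

# Two or more agents load balance automatically with no extra infrastructure.
# Assumed: the agents were installed on the domain controllers, so count the
# DCs that run one and warn if there is no redundancy.
$agentHosts = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    $s = Get-Service -ComputerName $dc -DisplayName "*Authentication Agent*" -ErrorAction SilentlyContinue
    if ($s) { [pscustomobject]@{ Host = $dc; Status = $s.Status } }
}
$agentHosts
if (@($agentHosts | Where-Object Status -eq 'Running').Count -lt 2) {
    Write-Warning "Fewer than two running agents: a single agent outage blocks cloud sign-in"
}

# --- Seamless SSO ------------------------------------------------------------
# Azure AD Connect ships a helper module; the path below is the default
# install location. New-AzureADSSOAuthenticationContext prompts for a
# Global Administrator credential, then Get-AzureADSSOStatus reports which
# on-premises forests have Seamless SSO enabled.
Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
New-AzureADSSOAuthenticationContext
Get-AzureADSSOStatus | ConvertFrom-Json

# Seamless SSO creates a computer account, AZUREADSSOACC, in on-premises AD;
# its Kerberos decryption key is what lets Azure AD read the tickets that
# domain-joined machines present. Microsoft advises rolling that key at least
# every 30 days, so its age is the value to monitor.
$sso    = Get-ADComputer -Identity AZUREADSSOACC -Properties PasswordLastSet
$keyAge = (Get-Date) - $sso.PasswordLastSet
[pscustomobject]@{
    Account       = $sso.Name
    KeyLastRolled = $sso.PasswordLastSet
    AgeDays       = [int]$keyAge.TotalDays
}
if ($keyAge.TotalDays -gt 30) {
    Write-Warning "AZUREADSSOACC key is $([int]$keyAge.TotalDays) days old; roll it with Update-AzureADSSOForest"
}
```

The listening-socket check is the quickest way to confirm the article's point that the connector needs no DMZ: an agent that has nothing in the Listen state and only outbound 443 connections has no attack surface reachable from the network. The AZUREADSSOACC check is the one Seamless SSO-specific control worth scheduling, because nothing rolls that key automatically.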

In this article, I outlined two new features of Azure AD Connect, Seamless SSO and Pass-Through Authentication.


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
