Azure Active Directory (Azure AD) Pass-Through Authentication is now in preview and makes providing Single Sign-On (SSO) capabilities in the cloud super easy. It also keeps passwords on-premises without having to deploy Active Directory Federation Services (ADFS).
Organizations that want to use Azure AD to manage access to cloud apps, but also want to centralize account management in on-premises Active Directory (AD), currently have several options. Only ADFS provides true SSO capabilities and the security that organizations demand. This is changing with a new lightweight solution built into Azure Active Directory Connect (Azure AD Connect).
Before describing the new features in Azure AD Connect, it is worth understanding the existing types of Azure AD identities and the different authentication features provided by each one.
Cloud-only identities are useful when there is no on-premises Windows Server Active Directory (WSAD) but require usernames and passwords to be managed separately. This leads to increasing administration costs. Azure AD Connect can be used to create synchronized identities in Azure AD from on-premises AD accounts. This does not provide real SSO capability. Users must provide their credentials again after they have signed into Windows to access cloud services.
ADFS provides federated identities with true SSO and it is compatible with multifactor authentication. Password hashes are never synchronized to the cloud. Other AD features, such as account login restrictions, also work with Azure AD. ADFS is complicated to set up and most organizations will require a high-availability on-premises infrastructure.
Recently added to Azure AD Connect, Pass-Through Authentication provides many of the benefits of ADFS, but without the hefty on-premises infrastructure and management requirements. Pass-Through Authentication uses a lightweight connector or authentication agent. It is installed on-premises and allows Azure AD to validate AD usernames and passwords. Passwords are never stored in Azure AD.
Azure AD Connect Pass-Through Authentication and Seamless Sign-On (Image Credit: Microsoft)
The connector can be deployed on one or more on-premises servers, including on AD domain controllers. It uses secure outbound communications, so it does not need to be placed in a DMZ. If you install two or more connectors, they automatically load balance with each other. You do not need to worry about providing additional high-availability infrastructure. Finally, the connector integrates with self-service password reset (SSPR). If a user resets their password via Azure AD, the updated password is synchronized back to on-premises AD without ever being stored in the cloud.
Azure AD Connect also includes a second new capability, Seamless Single Sign-On (Seamless SSO). It allows synchronized identities to access tenant Office 365 resources without re-entering domain credentials when the user is logged into Windows on a domain-joined device. Unlike Azure AD Connect Pass-Through Authentication, Seamless SSO does not require any additional on-premises infrastructure to work.
In this article, I outlined two new features of Azure AD Connect, Seamless SSO and Pass-Through Authentication.
More from Russell Smith
Copyright ©2019 BWW Media Group