Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service. It provides an affordable, easy-to-use way to give employees and business partners single sign-on (SSO) access to cloud SaaS applications, includes a full suite of identity management capabilities, and can be integrated with an existing Windows Server Active Directory.
Hybrid Scenarios
Choosing the correct authentication method is the first concern for organizations wanting to move their on-premises applications to the cloud.
Here is a partial comparison of the hybrid authentication methods.
Consideration | Password hash synchronization | Pass-through Authentication | Federation with AD FS |
---|---|---|---|
Where does authentication happen? | In the cloud | In the cloud, after a secure password verification exchange with the on-premises authentication agent | On-premises |
What are the on-premises server requirements beyond the provisioning system (Azure AD Connect)? | None | One server for each additional authentication agent | Two or more AD FS servers<br>Two or more WAP servers in the perimeter/DMZ network |
What are the on-premises Internet and networking requirements beyond the provisioning system? | None | Outbound Internet access from the servers running authentication agents | Inbound Internet access to WAP servers in the perimeter<br>Inbound network access to AD FS servers from WAP servers in the perimeter<br>Network load balancing |
Is there a TLS/SSL certificate requirement? | No | No | Yes |
Is there a health monitoring solution? | Not required | Agent status provided by the Azure portal | Azure AD Connect Health |
Do users get single sign-on to cloud resources from domain-joined devices within the company network? | Yes, with Azure AD joined devices (AADJ), Hybrid Azure AD joined devices (HAADJ), the Microsoft Enterprise SSO plug-in for Apple devices, or Seamless SSO | Yes, with Azure AD joined devices (AADJ), Hybrid Azure AD joined devices (HAADJ), the Microsoft Enterprise SSO plug-in for Apple devices, or Seamless SSO | Yes |
What sign-in types are supported? | UserPrincipalName + password<br>Windows-Integrated Authentication by using Seamless SSO<br>Alternate login ID<br>Azure AD joined devices<br>Hybrid Azure AD joined devices (HAADJ)<br>Certificate and smart card authentication | UserPrincipalName + password<br>Windows-Integrated Authentication by using Seamless SSO<br>Alternate login ID<br>Azure AD joined devices<br>Hybrid Azure AD joined devices (HAADJ)<br>Certificate and smart card authentication | UserPrincipalName + password<br>sAMAccountName + password<br>Windows-Integrated Authentication<br>Certificate and smart card authentication<br>Alternate login ID |
Is Windows Hello for Business supported? | Key trust model<br>Hybrid Cloud Trust | Key trust model<br>Hybrid Cloud Trust<br>Both require Windows Server 2016 domain functional level | Key trust model<br>Hybrid Cloud Trust<br>Certificate trust model |
Additional information: