Azure AD Hybrid Identity Solutions

1. Password Hash Synchronization (PHS)

Overview:

  • Password hashes from on-premises AD are synchronized to Azure AD.

  • Users authenticate directly against Azure AD.

Key Features:

  • Authentication Method: Azure AD authenticates users using the synchronized password hash.

  • Security: Uses a hashed and salted version of the password (not the plain password itself).

  • Reliability: Does not depend on on-premises infrastructure for authentication.

Advantages:

  • Simplified architecture: No dependency on on-premises systems during login.

  • Works well with Azure AD features like Conditional Access and Identity Protection.

  • High availability: Even if on-premises AD is unavailable, authentication to Azure AD works.

Disadvantages:

  • Password changes may take a few minutes to synchronize.

  • The hash of the password is stored in the cloud, which may be a compliance concern in certain industries.

Use Case:

  • Suitable for organizations that want a simple and highly available hybrid identity solution without on-premises dependencies during authentication.

How Password Hash Synchronization Works

  1. One-Way Sync:

    • PHS synchronizes the hashed version of the on-premises Active Directory password to Azure AD.

    • The synchronization is one-way: from on-premises AD to Azure AD, not the other way around.

  2. Password Changes:

    • If you change your password in on-premises AD, the updated password hash is synchronized to Azure AD during the next sync cycle (typically every 2 minutes).

    • If you change your password in Azure AD, it will not sync back to on-premises AD because PHS is a one-way process.

Implications of One-Way Sync

  1. Changing Password in Azure AD:

    • The new password will only work for cloud-based services like Microsoft 365 or SaaS applications integrated with Azure AD.

    • On-premises AD credentials will remain unchanged, potentially causing confusion for users.

  2. Changing Password in On-Premises AD:

    • The new password is synchronized to Azure AD, ensuring users can log in to both on-prem and Azure AD-integrated services with the same credentials.

Why Doesn't Azure AD Sync Passwords Back?

  • Security Concerns: Password hashes are stored in Azure AD in salted, hashed form, which cannot be reversed to the original password. Syncing back from Azure AD would require access to sensitive credential material, which may not align with enterprise security policies.

  • Design Decision: Azure AD relies on on-premises AD as the source of truth for hybrid identity setups using PHS.

2. Pass-Through Authentication (PTA)

Overview:

  • Users authenticate against on-premises Active Directory via Azure AD, using a lightweight agent installed on an on-premises server.

Key Features:

  • Authentication Method: Azure AD forwards authentication requests to the on-premises AD.

  • Real-Time Authentication: Each sign-in is validated against on-premises AD at the moment it happens; no passwords are stored in Azure AD.

  • Agent Dependency: Requires a pass-through authentication agent installed on at least one on-premises server.

Advantages:

  • No password hash is stored in Azure AD, which may address compliance concerns.

  • Supports real-time on-premises policies, such as account lockout or password expiry.

Disadvantages:

  • Relies on the availability of the on-premises infrastructure; if the PTA agent or AD is unavailable, authentication fails.

  • Additional infrastructure setup is required (PTA agents).

Use Case:

  • Suitable for organizations with strict compliance or security policies that prohibit password hashes from being stored in the cloud.

Implementing Pass-Through Authentication (PTA)

Steps:

  1. Prepare On-Premises Environment:

    • Ensure your AD schema is up-to-date.

    • Open the following firewall ports for Azure AD Connect:

      • Outbound: TCP 443 and 80 for Azure AD communication.

  2. Install Azure AD Connect:

    • Download Azure AD Connect.

    • Choose Custom Settings during setup.

  3. Select Authentication Method:

    • On the User Sign-In page, select Pass-Through Authentication (PTA).

    • Enable Seamless Single Sign-On (SSO) for user convenience.

  4. Install PTA Agents:

    • Install at least two PTA agents on separate domain-joined servers for high availability.

    • These agents will handle user authentication requests from Azure AD.

  5. Sync Users to Azure AD:

    • Configure synchronization to filter specific Organizational Units (OUs) if required.

    • Perform an initial sync to populate Azure AD with on-premises users.

  6. Test Authentication:

    • Attempt a login to Microsoft 365 or another Azure AD app with an on-premises user account.

    • Confirm the password is verified against the on-prem AD via PTA agents.

Advantages:

  • No password hashes stored in the cloud.

  • On-premises policies (e.g., lockouts, expiry) apply to cloud logins.

  • Simpler setup than federation.

Challenges:

  • If PTA agents fail, authentication stops until they are restored.

3. Federation

Overview:

  • Users authenticate using an external identity provider (e.g., Active Directory Federation Services, ADFS), which validates the credentials against the on-premises AD.

Key Features:

  • Authentication Method: Azure AD redirects users to the federation service (e.g., ADFS) for authentication.

  • Token-Based Authentication: Federation servers issue SAML/WS-Fed tokens for Azure AD.

Advantages:

  • Fully supports complex authentication requirements like third-party MFA providers.

  • Real-time enforcement of on-premises policies, such as IP restrictions or custom authentication rules.

  • No password or hash stored in Azure AD.

Disadvantages:

  • High infrastructure overhead: Requires maintaining and managing federation servers (e.g., ADFS).

  • Single point of failure: If the federation servers are unavailable, sign-in fails, so they must be deployed for high availability.

  • Increased complexity compared to PHS or PTA.

Use Case:

  • Suitable for organizations with advanced authentication needs, custom policies, or integrations with third-party identity providers.

Implementing Federation with ADFS

Steps:

  1. Set Up Federation Servers:

    • Deploy at least two ADFS servers for redundancy.

    • Use Windows Server with the ADFS role installed.

  2. Set Up WAP (Web Application Proxy):

    • Deploy Web Application Proxy servers to allow external access to ADFS.

  3. Configure Azure AD Connect:

    • During setup, choose Federation as the sign-in method.

  4. Establish Trust:

    • Configure trust relationships between ADFS and Azure AD.

    • Export the metadata from ADFS and import it into Azure AD.

  5. Configure DNS:

    • Set up DNS entries for ADFS (e.g., fs.company.com) and point external DNS to the WAP.

  6. Sync Users:

    • Use Azure AD Connect to sync users from AD to Azure AD.

  7. Test Authentication:

    • Log in to an Azure AD app. The login request should redirect to ADFS for authentication.

Advantages:

  • Fully supports on-premises policies and advanced customizations.

  • Offers the most control over the authentication process.

Challenges:

  • High setup complexity.

  • Requires redundant infrastructure to ensure high availability.
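Step 4 above (export the ADFS metadata and import it into Azure AD) is where the trust is actually anchored: Azure AD learns the issuer, the sign-in endpoints and the token-signing certificate from that document. As an added example, not code from the original page or from Microsoft/ADFS, the parser below reads a constructed FederationMetadata.xml fragment in the SAML 2.0 metadata format and extracts those items, then runs the checks an administrator would want before importing it: a signing certificate is present, the endpoints are HTTPS, and they point at the expected federation host (fs.company.com, the host used in step 5). The two "certificates" are placeholder bytes, not real X.509 DER, so the thumbprints are illustrative only.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Added example, not code from the original page or from Microsoft/ADFS.
# Parses the shape of an ADFS FederationMetadata.xml (SAML 2.0 metadata
# namespaces) and checks what the Azure AD trust depends on.

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed placeholders standing in for certificate DER bytes.
SIGNING_DER = b"placeholder token-signing cert (constructed)"
ENCRYPTION_DER = b"placeholder token-encryption cert (constructed)"

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="http://fs.company.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data>
        <X509Certificate>{base64.b64encode(SIGNING_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS_NS}"><X509Data>
        <X509Certificate>{base64.b64encode(ENCRYPTION_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://fs.company.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://fs.company.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint, the form shown in the ADFS and Azure AD certificate views."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_federation_metadata(xml_text: str) -> dict:
    """Extract issuer, sign-in endpoints and certificate thumbprints from the metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an identity provider)")
    certs = {"signing": [], "encryption": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            if use in (None, "signing"):  # an absent 'use' means the key serves both purposes
                certs["signing"].append(thumbprint(der))
            if use in (None, "encryption"):
                certs["encryption"].append(thumbprint(der))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, **certs}


def trust_sanity(meta: dict, expected_host: str) -> list:
    """Checks worth running before importing the metadata into the Azure AD trust."""
    findings = []
    if not meta["signing"]:
        findings.append("no token-signing certificate: Azure AD could not validate tokens")
    for binding, location in meta["sso"].items():
        u = urlparse(location)
        if u.scheme != "https":
            findings.append(f"{binding}: sign-in endpoint is not https")
        if u.hostname != expected_host:
            findings.append(f"{binding}: endpoint host {u.hostname!r} is not {expected_host!r}")
    return findings


if __name__ == "__main__":
    meta = parse_federation_metadata(SAMPLE_METADATA)
    print("issuer:", meta["entity_id"])
    print("signing thumbprints:", meta["signing"])
    print("findings:", trust_sanity(meta, "fs.company.com") or "none")
```

The signing thumbprint is the value to compare against what Azure AD holds for the federated domain after the import; when the ADFS token-signing certificate rolls over, that thumbprint changes and the trust must be updated, which is one of the operational costs behind the "high infrastructure overhead" listed above.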

Comparison Table

Feature                    | PHS                                  | PTA                                  | Federation
---------------------------+--------------------------------------+--------------------------------------+-------------------------------
Password Stored in Azure   | Yes (hashed and salted)              | No                                   | No
Authentication Location    | Azure AD                             | On-premises AD via PTA agent         | On-premises federation server
Availability               | High                                 | Depends on on-prem AD and PTA agents | Depends on federation servers
Setup Complexity           | Low                                  | Moderate                             | High
Compliance Concerns        | Some (password hash stored in Azure) | None                                 | None
Supports Advanced Policies | Limited                              | On-prem policies                     | Fully supports custom policies
Infrastructure Dependency  | No                                   | Yes (PTA agents)                     | Yes (federation servers)

Image credit: Microsoft Learn :)