| azure:az-500:alt:hybrid_identity [2023/01/24 17:00] – [Hybrid Identity] mmuze | azure:az-500:alt:hybrid_identity [2023/03/03 20:29] (current) – [Hybrid Identity] mmuze | ||
|---|---|---|---|
| Line 8: | Line 8: | ||
| * **Azure AD joined/ | * **Azure AD joined/ | ||
| * **[[https:// | * **[[https:// | ||
| + | * [[https:// | ||
| + | |||
| + | > Azure Active Directory Seamless single sign-on (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. | ||
| === Hybrid Azure AD Use Cases === | === Hybrid Azure AD Use Cases === | ||
| Line 24: | Line 27: | ||
| ===== Azure AD Authentication Features ===== | ===== Azure AD Authentication Features ===== | ||
| - | * **Password hash synchronization.** A sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD. | + | * **Password hash synchronization.** A sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD. The **Azure AD Connect** service is installed on an on-prem server and syncs on-prem AD users and password hashes to AAD. |
| * **Pass-through authentication.** A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn' | * **Pass-through authentication.** A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn' | ||
| * Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method. | * Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method. | ||
| * When a user authenticates against AAD it passes the request to on-prem AD via the auth agent to complete the authentication. | * When a user authenticates against AAD it passes the request to on-prem AD via the auth agent to complete the authentication. | ||
| - | * PTA uses a lightweight on-premises agent that listens for and responds to password validation requests. | + | * PTA uses a lightweight on-premises agent that listens for and responds to password validation requests |
| - | * **Federation integration.** Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments. | + | * **Federation integration.** Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments. |
| * You can also set up password sync as a backup in case AD FS goes down. | * You can also set up password sync as a backup in case AD FS goes down. | ||
| + | * One use case is to take advantage of additional advanced authentication requirements, | ||
| + | |||
| * **Synchronization.** Responsible for creating users, groups, and other objects, and for making sure the identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes. | * **Synchronization.** Responsible for creating users, groups, and other objects, and for making sure the identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes. | ||
| * **Health Monitoring.** Azure AD Connect Health provides robust monitoring and a central location in the Azure portal to view this activity. | * **Health Monitoring.** Azure AD Connect Health provides robust monitoring and a central location in the Azure portal to view this activity. | ||
| * **Password writeback** is an option with AAD that will sync password changes made in AAD back to the on-prem AD. | * **Password writeback** is an option with AAD that will sync password changes made in AAD back to the on-prem AD. | ||
| * This does not require any inbound firewall rules; it works over the Azure Service Bus relay on an outbound connection over port 443. | * This does not require any inbound firewall rules; it works over the Azure Service Bus relay on an outbound connection over port 443. | ||
| + | * **// | ||
| === Choosing an authentication method === | === Choosing an authentication method === | ||
| Line 53: | Line 59: | ||
| ====== AD Connect ====== | ====== AD Connect ====== | ||
| * [[https:// | * [[https:// | ||
| + | * **Three** accounts are needed to install AD Connect and **three** other accounts are needed to run AD Connect and synchronize Windows AD to AAD. | ||
| * AD Connect uses a local MSSQL Server 2012 Express Edition instance as its datastore | * AD Connect uses a local MSSQL Server 2012 Express Edition instance as its datastore | ||
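Added example, not part of the wiki page: a PowerShell health check for the password hash synchronization and sync scheduler described under Azure AD Authentication Features and AD Connect above. It assumes the Microsoft.Graph PowerShell module (Organization.Read.All) and, when run on the Azure AD Connect server, the ADSync module that Connect installs; the age thresholds are assumptions to tune per environment.

```powershell
# Added example (not from the wiki page). Requires the Microsoft.Graph module; the
# local scheduler check only runs where the ADSync module exists (the Connect server).
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Organization.Read.All'

function Test-HybridSyncHealth {
    param(
        [int]$MaxSyncAgeMinutes = 60,         # assumption: default scheduler cycle is 30 min
        [int]$MaxPasswordSyncAgeMinutes = 30  # assumption: PHS pushes hash changes every ~2 min
    )
    $org      = Get-MgOrganization | Select-Object -First 1
    $now      = (Get-Date).ToUniversalTime()
    $findings = @()

    if (-not $org.OnPremisesSyncEnabled) {
        $findings += 'Directory synchronization is not enabled for this tenant.'
    }
    if ($org.OnPremisesLastSyncDateTime) {
        $age = ($now - $org.OnPremisesLastSyncDateTime.ToUniversalTime()).TotalMinutes
        if ($age -gt $MaxSyncAgeMinutes) { $findings += "Last directory sync was $([int]$age) min ago." }
    } else {
        $findings += 'No directory sync has ever completed.'
    }
    # The password timestamp stays empty when PHS is off, e.g. PTA or federation
    # without password sync configured as the backup sign-in method.
    if ($org.OnPremisesLastPasswordSyncDateTime) {
        $pAge = ($now - $org.OnPremisesLastPasswordSyncDateTime.ToUniversalTime()).TotalMinutes
        if ($pAge -gt $MaxPasswordSyncAgeMinutes) { $findings += "Last password hash sync was $([int]$pAge) min ago." }
    } else {
        $findings += 'Password hash sync has never run (PHS disabled, or no backup sync for PTA/federation).'
    }

    # Local scheduler state on the Connect server explains stale cloud timestamps:
    # a disabled or suspended scheduler, or a staging-mode server that never exports.
    if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
        $s = Get-ADSyncScheduler
        if (-not $s.SyncCycleEnabled) { $findings += 'ADSync scheduler: SyncCycleEnabled is false.' }
        if ($s.SchedulerSuspended)    { $findings += 'ADSync scheduler is suspended.' }
        if ($s.StagingModeEnabled)    { $findings += 'This server is in staging mode and does not export to Azure AD.' }
    }

    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

Test-HybridSyncHealth
```

Run it from a scheduled task or a monitoring runbook so a stalled hash sync is caught before a password change or disablement on-prem silently fails to reach Azure AD.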