Hybrid Identity

  • Hybrid Identity refers to identity that integrates traditional/on-prem Active Directory with Azure AD.
  • Azure AD Connect is the service that integrates on-prem AD with Azure AD.
  • Keep in mind the difference between authentication (verifying who the user is, which is what the sign-in methods below decide) and authorization (what that user may then access, which Azure AD decides through group membership, roles and Conditional Access).
  • Password hash synchronization (PHS). A sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD. Azure AD Connect never sends the cleartext password or the raw NT hash: it re-hashes the NT hash with a per-user salt (PBKDF2-HMAC-SHA256) before syncing, so the value stored in Azure AD cannot be replayed against on-prem AD.
  • Pass-through authentication. A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.
    • Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method.
    • When a user signs in to Azure AD, Azure AD queues the encrypted credentials; the on-prem authentication agent picks them up over its outbound connection, validates them against on-prem AD, and returns the result to Azure AD to complete the sign-in.
    • PTA uses a lightweight on-premises agent that listens for and responds to password validation requests. Deploy at least two agents on separate servers: if all agents are down, nobody can sign in.
  • Federation integration. Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
    • You can also enable password hash sync alongside federation as a backup sign-in method in case AD FS goes down (and to get leaked-credential detection in Azure AD).
  • Synchronization. Responsible for creating users, groups, and other objects in Azure AD, and for making sure the identity information for your on-premises users and groups matches the cloud. With PHS enabled, this synchronization also includes password hashes.
  • Health Monitoring. Azure AD Connect Health provides robust monitoring of sync, AD FS and AD DS, with a central location in the Azure portal to view this activity.
  • Password writeback is an option with AAD that syncs password changes made in AAD (for example through self-service password reset) back to the on-prem AD.
    • This does not require any inbound firewall rules; it works over the Azure Service Bus relay on the outbound connection of port 443.
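The bullets above describe three ways the password can be verified and two safeguards (PHS as a fallback, the sync scheduler keeping hashes current). The PowerShell below is an added example, not part of the original notes: run on the Azure AD Connect server, it reports which sign-in method the tenant is actually using and warns when a safeguard is off. It assumes the ADSync module (installed with Azure AD Connect) and the Microsoft Graph PowerShell SDK with an existing `Connect-MgGraph -Scopes 'Domain.Read.All','Organization.Read.All'` session; the PTA agent service name and the way the Azure AD connector is located are assumptions to adjust for your environment.

```powershell
# Added example (not from the original notes): audit the hybrid sign-in method
# and its safeguards from the Azure AD Connect server.
# Prerequisites: ADSync module; Connect-MgGraph -Scopes 'Domain.Read.All','Organization.Read.All'
Import-Module ADSync

function Get-HybridAuthState {
    $sched = Get-ADSyncScheduler                 # sync scheduler state (30-minute cycle)
    $feat  = Get-ADSyncAADCompanyFeature         # tenant features set by Azure AD Connect
    $org   = Get-MgOrganization | Select-Object -First 1
    $dom   = Get-MgDomain | Where-Object { $_.IsVerified }

    # Password writeback is configured per Azure AD connector.
    # Assumption: the AAD connector is the one whose type is not 'AD'.
    $writeback = $null
    try {
        $aadConnector = Get-ADSyncConnector |
            Where-Object { $_.ConnectorTypeName -ne 'AD' } | Select-Object -First 1
        $writeback = (Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name).Enabled
    } catch { }

    # The PTA agent runs as a Windows service on each agent server (assumed service name).
    $pta = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
    $ptaStatus = if ($pta) { [string]$pta.Status } else { 'not installed' }

    # Domain AuthenticationType is 'Federated' for AD FS domains, 'Managed' for PHS/PTA.
    $federated = @($dom | Where-Object { $_.AuthenticationType -eq 'Federated' })
    $method = if ($federated.Count -gt 0)       { 'Federation (AD FS)' }
              elseif ($pta)                     { 'Pass-through authentication' }
              elseif ($feat.PasswordHashSync)   { 'Password hash sync' }
              else                              { 'Unknown / cloud-only' }

    [pscustomobject]@{
        SignInMethod      = $method
        FederatedDomains  = ($federated.Id -join ',')
        PasswordHashSync  = [bool]$feat.PasswordHashSync
        PasswordWriteback = $writeback
        PtaAgentStatus    = $ptaStatus
        SyncCycleEnabled  = $sched.SyncCycleEnabled
        NextSyncUtc       = $sched.NextSyncCycleStartTimeInUTC
        LastSyncUtc       = $org.OnPremisesLastSyncDateTime
    }
}

$state = Get-HybridAuthState
$state | Format-List

# Checks a reviewer would raise against the configuration:
if ($state.SignInMethod -ne 'Password hash sync' -and -not $state.PasswordHashSync) {
    Write-Warning 'PHS is off: no fallback sign-in if AD FS or the PTA agents fail, and no leaked-credential detection.'
}
if (-not $state.SyncCycleEnabled) {
    Write-Warning 'Sync scheduler is disabled: cloud identities and password hashes are going stale.'
}
if ($state.LastSyncUtc -and $state.LastSyncUtc -lt (Get-Date).ToUniversalTime().AddHours(-3)) {
    Write-Warning "Last directory sync was $($state.LastSyncUtc) UTC; the default cycle is every 30 minutes."
}
# After fixing something, force a sync rather than waiting for the scheduler:
# Start-ADSyncSyncCycle -PolicyType Delta
```

The classification order matters: a tenant can have federated domains and PTA agents and PHS all at once (PHS as backup, as the notes recommend), so the script reports the primary method by checking federation first and PTA second, and reports PHS separately as the safeguard.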

Choosing an authentication method

  1. Do you need on-premises Active Directory integration? If No, use cloud-only authentication.
  2. If Yes: can Azure AD satisfy your authentication requirements natively (cloud authentication, Azure AD Password Protection, MFA, Conditional Access)? If No, for example because of a smart-card or third-party MFA requirement that only your existing federation provider meets, use Federation. If Yes, continue.
  3. Do you need to immediately enforce on-premises user account states, password policies, and sign-in hours at every sign-in? If No, use Password Hash Sync + Seamless SSO. If Yes, use Pass-through Authentication + Seamless SSO.
  4. Whichever you choose, keep Password Hash Sync enabled alongside PTA or Federation: it is the fallback sign-in method if the agents or AD FS are unavailable, and Azure AD needs the hashes for leaked-credential detection.

Azure AD Join

  • Azure AD Join allows a Windows 10/11 device (typically organization-owned) to be joined directly to Azure AD so that access to resources can be controlled and requirements enforced on the device. A device joined to both on-prem AD and Azure AD is Hybrid Azure AD joined; non-Windows and BYOD devices are Azure AD registered rather than joined.
  • For example, an Intune-managed BYOD phone (Azure AD registered, since only Windows devices can be Azure AD joined) can be required by a compliance policy to not be rooted or jailbroken before Conditional Access grants it access to company resources.
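Whether a device is Azure AD joined, Hybrid Azure AD joined, or only Azure AD registered determines which Conditional Access device conditions apply to it, and the authoritative source on the device is `dsregcmd /status`. The function below is an added example, not from the original notes: it parses that output into a join-state classification. With no arguments it runs `dsregcmd` on the local machine; the `-Raw` parameter takes captured output, and the sample at the bottom is constructed for offline use rather than taken from a real device.

```powershell
# Added example (not from the original notes): classify a Windows device's
# join state from `dsregcmd /status` output.
function Get-DeviceJoinState {
    param([string[]]$Raw)   # captured dsregcmd output; omit to query this machine
    if (-not $Raw) { $Raw = & dsregcmd.exe /status }

    # dsregcmd prints "Key : Value" lines; collect the single-word keys we care about
    $kv = @{}
    foreach ($line in $Raw) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S.*)$') {
            $kv[$Matches[1]] = $Matches[2].Trim()
        }
    }

    $aad    = $kv['AzureAdJoined']   -eq 'YES'   # Device State section
    $domain = $kv['DomainJoined']    -eq 'YES'   # on-prem AD DS
    $wpj    = $kv['WorkplaceJoined'] -eq 'YES'   # User State section: Azure AD registered

    $state = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
             elseif ($aad)          { 'Azure AD joined' }
             elseif ($wpj)          { 'Azure AD registered (BYOD)' }
             elseif ($domain)       { 'On-premises AD joined only' }
             else                   { 'Not joined' }

    [pscustomobject]@{
        State      = $state
        TenantName = $kv['TenantName']
        DeviceId   = $kv['DeviceId']
        HasPrt     = ($kv['AzureAdPrt'] -eq 'YES')  # Primary Refresh Token present: SSO to cloud works
    }
}

# Constructed sample output (not from a real device) to exercise the parser offline
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
                AzureAdPrt : YES
'@ -split '\r?\n'

Get-DeviceJoinState -Raw $sample   # State: Hybrid Azure AD joined, HasPrt: True
```

A device that reports Azure AD joined but `AzureAdPrt : NO` will still fail device-based Conditional Access in practice, because the Primary Refresh Token is what proves the device identity to Azure AD at sign-in; that is why the function surfaces it alongside the join state.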

  • azure/az-500/hybrid_identity.txt
  • Last modified: 2022/07/22 14:52
  • by mmuze