
7. Understanding SSO, PHS, PTA & ADFS SAML Identity Strategies and Concepts

Evaluating Requirements and Solutions – Sync for PHS, PTA and ADFS SAML Federation


Authentication for Hybrid Identity

  1. Managed Authentication: Azure AD handles the authentication itself, either by using a locally stored hashed version of the password or by sending the credentials to an on-premise software agent so that AD DS authenticates them on premise
  2. Federated Authentication: Azure AD redirects the client computer requesting authentication to another identity provider


Managed Authentication

  1. Password Hash Sync (PHS): Azure AD performs the authentication itself (recommended option). You manage your users on premise and the accounts and passwords sync to M365

Azure Active Directory Authentication management operations reference guide | Microsoft Docs

  2. Pass-through authentication (PTA): An agent runs on an on-site server and Azure AD passes the requests to the on premise AD DS to perform the authentication. The downside is that if your on premise domain goes down you can't authenticate with Azure AD from anywhere.
    You manage your users on premise and the accounts sync to Azure AD. Passwords are NOT synced to Azure AD


Federated Authentication

This is primarily for large enterprise organisations with more complex authentication requirements. Federated authentication can support additional features like:

  • Smart card authentication
  • 3rd party authentication

AD DS identities are synced from on premise to Azure AD


Evaluating the Requirements and Solutions for Hybrid Identity Management

– Clean up Active Directory as best you can beforehand (replication errors, DCDIAG, sync errors etc.). You only need to go back 100 days

– Microsoft recommends you have a good understanding of the issues in your on premise environment before syncing to the cloud

– Tools such as IdFix (which can help you clean up AD) and Azure AD Connect Health can generate a lot of false positives


Sync Scope and Object Filtering

Try and clean up AD to remove objects that are no longer required

Removing objects that don’t need to be synced has benefits:

– fewer sources of sync errors

– faster sync cycles

– less garbage to carry forward


Examples of objects to be excluded:

– service accounts that aren’t needed for cloud apps

– groups that aren’t needed for cloud scenarios

– users or contacts from external orgs

– computer accounts where users aren’t meant to access cloud apps, e.g. servers

Sync Failover or Disaster Recovery

You can only have one production Azure AD Connect server running at a time.

If the server running Azure AD Connect goes offline the sync cannot occur.

There are 2 main strategies to resolve this:

– Deploy a second Azure AD Connect server in Staging Mode. The “staging” server can be promoted to production in the case of a failure

– Use virtualisation resources to redeploy the VM running Azure AD Connect


Enabling Staging Mode

When going through the Azure AD Connect setup wizard there is a checkbox that allows you to enable staging mode.

Source Anchor

This is an attribute that uniquely identifies an object as being the same object on premise and in Azure AD. This attribute is also called the “immutable ID”. These terms are interchangeable.

This attribute cannot be changed once an object has been synced.

The usual attribute used is ms-DS-ConsistencyGuid
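As an added example (not from the original post), the Python below shows how the on premise source anchor and the Azure AD immutable ID relate: Azure AD Connect base64-encodes the raw 16 bytes of ms-DS-ConsistencyGuid, and because Windows stores the first three GUID fields little-endian, the textual GUID has to be re-ordered before encoding. The user records are constructed sample data; the UPNs and tenant name are assumptions.

```python
import base64
import uuid


def immutable_id_from_guid(guid_text: str) -> str:
    """Encode an AD GUID string the way Azure AD Connect builds the ImmutableId.

    bytes_le gives the Windows on-disk byte order (first three fields
    little-endian). Encoding the textual order instead produces a value
    that never matches the cloud object.
    """
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse mapping: ImmutableId back to the GUID string shown on premise."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def check_source_anchors(onprem: dict, cloud: dict) -> list:
    """Compare on-prem anchors (UPN -> GUID string) with cloud ImmutableIds.

    Returns (upn, problem) tuples for every object that does not line up;
    an empty list means every on-prem user maps to its Azure AD object.
    """
    findings = []
    for upn, guid_text in onprem.items():
        expected = immutable_id_from_guid(guid_text)
        actual = cloud.get(upn)
        if actual is None:
            findings.append((upn, "missing in Azure AD"))
        elif actual != expected:
            findings.append((upn, f"anchor mismatch: expected {expected}, found {actual}"))
    return findings


# Constructed sample data (not a real tenant): alice matches, bob's cloud
# object carries a different anchor, carol has never been synced.
ONPREM = {
    "alice@contoso.example": "12345678-9abc-def0-1234-56789abcdef0",
    "bob@contoso.example": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0",
    "carol@contoso.example": "aabbccdd-eeff-0011-2233-445566778899",
}
CLOUD = {
    "alice@contoso.example": "eFY0Erya8N4SNFZ4mrze8A==",
    "bob@contoso.example": "AAAAAAAAAAAAAAAAAAAAAA==",
}

if __name__ == "__main__":
    for upn, problem in check_source_anchors(ONPREM, CLOUD):
        print(f"{upn}: {problem}")
```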

Evaluating Requirements and Solutions for Authentication with SSO, PHS, PTA and ADFS

To choose an authentication method you need to think of the time, existing infrastructure, complexity and cost of implementing your choice.

Azure AD Password Hash Sync

  • The simplest way to enable authentication for on-premise objects in Azure AD
  • No need for additional infrastructure
  • Some premium features, like Identity Protection and Azure AD Domain Services, require PHS no matter which authentication method you use
  • Doesn’t support 3rd party authentication
  • This is part of Azure AD Connect and runs every 2 mins

Azure AD Pass Through Authentication

  • Uses a software agent that runs on an on premise server (3 agents are recommended)
  • Password validation happens on-premise, not in the cloud
  • Companies with security requirements to immediately enforce on premise user account states, password policies, and sign-in hours might use this method
  • Doesn’t support 3rd party authentication
  • If you lose connectivity from outside to your on premise infrastructure you can’t authenticate with the cloud

Federated Authentication

  • Azure AD hands off the authentication process to a separate trusted authentication system such as AD FS to validate users
  • This can be expensive and complex
  • Can use 3rd party, non-Microsoft solutions for authentication
