Understanding what Azure AD federation really means

Administrators may confuse Azure AD federation with Active Directory account synchronization, and not knowing the difference can result in wasted effort.

As organizations move more services into the Microsoft Azure public cloud, users can benefit from single sign-on (SSO) authentication. Without SSO, users must juggle multiple credential sets to connect to different SaaS apps, such as Office 365.

Users might find it easier to create insecure — but easy to remember — passwords. With SSO, the user only signs in once and lets Active Directory (AD) handle the other authentication work. The convenience of a strong single credential set, namely AD domain credentials, used in SSO can help administrators boost security across the enterprise.

Azure AD Connect unlocks single sign-on functionality

Administrators will use the Azure AD Connect utility to extend on-premises Active Directory Domain Services (AD DS) into the Azure AD tenant in Microsoft’s cloud. The tool can be run multiple times as needs change.

Azure AD Connect wizard
The Azure Active Directory Connect wizard sets up the desired SSO method.

Azure AD Connect offers several methods to support SSO for hybrid cloud identity.

  • Password hash synchronization: The simplest approach and the most popular for small to medium-sized businesses.
  • Pass-through authentication: A newer authentication method. User passwords never leave the local network boundary.
  • Federation with AD FS: Federated identity using AD Federation Services (AD FS).

With either password hash synchronization or pass-through authentication, administrators can use Azure AD Seamless SSO, in which Azure AD Connect passes Kerberos authentication tickets between on-premises AD and Azure AD.

This tutorial explains password hash synchronization and AD FS methods.

Password hash synchronization uses password write-back

The password hash synchronization method uses Azure AD Connect to create new Azure AD user accounts that share a password hash with their on-premises counterparts. Users can sign into Azure AD-backed applications with their existing Active Directory credentials.

The Express Settings option in the Azure AD Connect wizard eases the configuration of password hash synchronization as the directory connect method. Administrators who want more granular control should choose a custom setup.

The figure below shows how to select certain AD DS organizational units and containers for account replication. This practice prevents security blunders, such as synchronizing AD DS service accounts into the Azure AD tenant.

Account synchronization configuration
Administrators can select certain AD DS organizational units and domains to synchronize.

Configuration caveats for administrators

Administrators have two important things to consider when setting up SSO with password hash synchronization:

  • It requires binding a custom Domain Name System (DNS) domain to the Azure AD tenant.
  • It might require adding a new user principal name suffix to the domain and attaching the suffix to synchronized user accounts.
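The second caveat is easy to check before the first synchronization run. The following PowerShell script is an added example, not part of the original article: it makes sure the verified suffix exists in the forest, then audits every enabled user in the sync-scoped OUs for a UPN suffix that does not match it and previews the fix with -WhatIf. The OU paths and domain names are placeholders to replace.

```powershell
# Added example (not from the original article): audit UPN suffixes of users in
# the OUs scoped for Azure AD Connect synchronization. Requires the
# ActiveDirectory module (RSAT) and an account allowed to read/modify users.
Import-Module ActiveDirectory

# Placeholder values: replace with your own sync-scoped OUs and verified domain.
$SyncOUs        = @('OU=Users,DC=corp,DC=example,DC=local',
                    'OU=Contractors,DC=corp,DC=example,DC=local')
$VerifiedSuffix = 'example.com'   # custom domain already verified in the tenant

# Step 1: make sure the routable suffix is registered in the forest; add it if not.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $VerifiedSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $VerifiedSuffix}
}

# Step 2: collect every enabled user in scope whose UPN suffix is not the
# verified domain (for example a non-routable .local suffix) and report it.
$mismatched = foreach ($ou in $SyncOUs) {
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou -SearchScope Subtree `
               -Properties UserPrincipalName |
        Where-Object {
            $_.UserPrincipalName -and
            ($_.UserPrincipalName.Split('@')[1] -ne $VerifiedSuffix)
        }
}

$mismatched | Select-Object SamAccountName, UserPrincipalName, DistinguishedName |
    Format-Table -AutoSize

# Step 3 (opt-in): rewrite the suffix. -WhatIf only previews the change; remove
# it once the list above has been reviewed, then run Azure AD Connect.
foreach ($user in $mismatched) {
    $newUpn = '{0}@{1}' -f $user.UserPrincipalName.Split('@')[0], $VerifiedSuffix
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf
}
```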

The password hash synchronization goes one way, from on-premises AD DS to cloud-based Azure AD, unless the organization uses a premium version of Azure AD for the password write-back feature. This allows users to change their password from the Azure AD-backed application, which Azure AD Connect replicates to the source of authority, the on-premises AD DS domain.

Password hash synchronization invites some risk, as the password hashes transfer back and forth between on-premises and the Azure cloud. To mitigate potential security problems, administrators can create a virtual private network or ExpressRoute connection to Azure, or implement the pass-through authentication method instead.

Configuring Active Directory Federation Services
Administrators configure AD Federation Services by using the AD FS management console.

An organization that doesn’t have the resources or the need for token-based identity federation should consider password hash synchronization between AD DS and Azure AD. If your business and application requirements mandate true SSO, then deploy AD FS with Azure AD Connect.

There is another option. The Azure AD library offers turnkey SSO integrations with thousands of popular SaaS apps, such as Salesforce, Concur, Google G Suite and Dropbox. With these enterprise app integrations, Azure AD abstracts all the token passing. For instance, administrators can configure password hash synchronization from on-premises AD DS to Azure AD and then do true federated SSO between Azure AD and the partner SaaS apps.