Choose the right sign-in option to connect to Azure AD & Office 365


Azure AD connects organizations of all sizes to Office 365 and other SaaS applications in a seamless and secure manner. A good deal of our customers synchronize their identities from an on-premises Active Directory. For these customers, signing in with their existing work credentials is the recommended and most common approach. To meet the broad needs of these customers, Azure AD provides multiple ways to sign in, broadly classified as:

  1. Password Hash Sync (PHS): With this option, password hashes (actually a salted derivative of the hash, not the hash itself) are synced to Azure AD, allowing users to sign in with the same password they use with their on-premises Active Directory. Do note that the values synced to Azure AD cannot be used to log in to your on-premises environment. This is the simplest option with the least infrastructure footprint. You can learn more about password hash synchronization here.
  2. Active Directory Federation Services (ADFS): Federating your sign-in with ADFS delegates the sign-in to an on-premises server that validates your credential and sends a security assertion back to Azure AD. In this model, Azure AD never sees any credential associated with your on-premises Active Directory. Additionally, ADFS provides desktop SSO for your corporate domain-joined devices. You can learn more about ADFS here and about its integration with Azure AD Connect here. If you are concerned about on-premises data center outages, we recommend that you either keep a standby site in Azure that you can swap your DNS to, or enable password hash sync alongside federation and fall back to it if your on-premises data center goes down. ADFS is the #1 federation provider for Azure AD and accounts for nearly 45% of all Azure AD logins (as of May '17).
  3. Third-party federation service: This is similar to the ADFS model, except that the customer uses a third-party federation product or service to perform the sign-in. Examples of third-party federation services are PingFederate and Shibboleth. If the third-party federation service uses WS-* (recommended) to perform the sign-in, the product and version must be certified for use with Azure AD; the certified list is available here. Protocol requirements for SAML protocol vendors connecting to Azure AD are listed here.
  4. Pass-Through Authentication (PTA): PTA lets you enter your credentials on the Azure AD sign-in page; they are then tunneled securely to an on-premises connector, which validates them against your Active Directory. Although the credential is entered on an Azure AD page, it is never stored or saved there in any form. You can learn more about PTA here.

Additionally, Azure AD Seamless SSO is a configuration step (no agent involved) in Azure AD Connect that can be combined with Password Hash Sync or Pass-Through Authentication. It lets users sign in seamlessly from domain-joined devices inside your corporate network. You can learn more about this here.
