Azure AD connects organizations of all sizes to Office 365 and other SaaS applications in a seamless and secure manner. Many of our customers synchronize their identities from an on-premises Active Directory. For these customers, signing in with their existing work credentials is the recommended and most common approach. In this case, Azure AD provides multiple ways to sign in to meet the broad needs of our customers. These are broadly classified as
- Password Hash Sync (PHS): With this option, password hashes (actually a salted derivative of the hash, not the hash itself) are synced to Azure AD, allowing users to sign in with the same password they use with their on-premises Active Directory. Do note that the values stored in Azure AD cannot be used to log in to your on-premises environment. This is the simplest option with the least infrastructure footprint. You can learn more about password hash synchronization here.
- Active Directory Federation Service (ADFS): Federating your sign-in with ADFS allows the sign-in to be delegated to an on-premises server that validates your credential and sends a security assertion back to Azure AD. In this model, Azure AD never sees any credential associated with your on-premises Active Directory. Additionally, ADFS provides desktop SSO for your corporate domain-joined devices. You can learn more about ADFS here and about integration with Azure AD Connect here. For those of you concerned with on-premises data center outages, we recommend that you keep a site available in Azure that you can swap your DNS to, or that you also enable password hash sync at the same time and fall back to it if your on-premises data center goes down. ADFS is the #1 federation provider for Azure AD and accounts for nearly 45% of all Azure AD logins (as of May '17).
- 3rd party Federation Service: This is similar to the ADFS model, except that the customer uses a 3rd party federation product or service to perform the sign-in. Examples of 3rd party federation services are Ping Federate and Shibboleth. If the 3rd party federation service uses WS-* (recommended) to perform the sign-in, the product and its version must be certified for use with Azure AD. The certified list is available here. Protocol requirements for SAML protocol vendors connecting to Azure AD are listed here.
- Pass-Through Authentication (PTA): PTA allows you to enter your credentials on the Azure AD sign-in page; they are then tunneled securely to an on-premises connector that validates them against your Active Directory. While the credential is entered on an Azure AD page, it is never stored or saved in any form. You can learn more about PTA here.
Additionally, Azure AD Seamless SSO is a configuration step (no agent involved) performed via Azure AD Connect that can be combined with Password Hash Sync or Pass-Through Authentication. This allows you to sign in seamlessly from your domain-joined devices inside your network. You can learn more about this here.