Azure AD Connect – Getting Corporate Identities in Azure AD
- Azure AD Connect sync component, which is a tool that is installed on a separate server inside your on-premises environment, and
- Azure AD Connect sync service, which is part of Azure AD.
Note: The sync component can sync data from Active Directory and SQL Server to Azure.
What is AD Connect Health?
To monitor the on-premises identity infrastructure and the different Azure AD components, you can use a tool named Azure AD Connect Health.
Azure AD Connect architecture
Azure Active Directory password hash synchronization
- Most organizations only have a requirement to enable user sign-in to Office 365, SaaS applications, and other Azure AD-based resources. The password hash synchronization method is well suitable for those scenario's.
- Using this method, hashes of the user's password are synced between the on-premises Active Directory and Azure Active Directory. When there are any changes to the user's password, the password is synced immediately, so users can always log in with the same credentials on-premises as well as in Azure.
- This authentication method also provides Azure AD Seamless Single Sign-On (SSO). This way, users are automatically signed in when they are using a domain-joined device on the corporate network. Users only have to enter their username when using Seamless SSO. To use Seamless SSO, you don't have to install additional software or components on the on-premises network. You can push this capability to your users using group policies.
Azure Active Directory pass-through authentication
- Azure Active Directory pass-through authentication offers the same capability, such as Azure AD password hash synchronization. Users can log in to their Azure resources as well as on-premises resources using the same credentials. The difference is that passwords aren't synced with Azure AD using pass-through authentication. The passwords are validated using the on-premises Active Directory and are not stored in the Azure Active Directory at all.
- This method is suitable for organizations that have security and compliance restrictions and aren't allowed to send usernames and passwords outside the on-premises network.
- Pass-through authentication requires an agent to be installed on a domain-joined Windows Server that resides inside the on-premises environment. This agent then listens for password validation requests and only makes an outbound connection from within your network. It also offers support for MFA and Azure AD Conditional Access policies.
Summary
This post is a quick overview of syncing identities from your corporate AD to Azure AD.
Need an experienced Cloud Networking or a Cloud Data Protection Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.
Leave a Reply