Hybrid Identities
Azure Hybrid Identities allow organizations to extend their on-premises Active Directory (AD) to the cloud (Azure AD). This setup provides flexibility to manage identities in both on-premises and cloud environments, while maintaining security and access control.
Hybrid Identities (On-Premises + Azure AD):
Created in on-premises AD: User accounts are created in on-premises Active Directory (AD).
Synchronized with Azure AD: These accounts are synced to Azure Active Directory (Azure AD) to provide seamless access to cloud resources, such as Office 365 and other Azure services.
Cloud-Only Accounts:
Created in Azure AD: User accounts are created directly in Azure AD, without any dependency on on-premises AD.
Managed in Azure AD: These accounts are entirely managed within Azure AD, with no synchronization from on-premises AD.
Authentication Mechanisms for Hybrid Identities
Azure AD provides several ways to authenticate users based on hybrid identity configurations. Below are the main authentication mechanisms:
Password Hash Sync (PHS)
Description: Password Hash Sync synchronizes the password hash from on-premises Active Directory to Azure AD.
How It Works:
On-premises AD stores user passwords.
The password hashes (not plain-text passwords) are synchronized to Azure AD.
When users sign in, Azure AD verifies the password hash locally without needing to communicate with on-premises AD.
Use Case: This is the most common and simplest method, providing seamless single sign-on (SSO) without requiring a direct connection to the on-premises AD during authentication.
Benefits:
Minimal infrastructure required.
Fast and reliable authentication.
No dependency on on-premises connectivity for authentication.
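To make concrete what "password hash" means in PHS, here is an added Python example (not from this page) that models the derivation Azure AD Connect applies before syncing, as Microsoft describes it: the 16-byte on-premises NT hash is hex-expanded to 64 bytes, salted with a per-user 10-byte salt and run through PBKDF2-HMAC-SHA256 for 1000 iterations, so the value Azure AD stores is neither the cleartext password nor the raw NT hash, and sign-in verification can be repeated in the cloud with no call to on-premises AD. The sample NT hash and salt are constructed, the record layout is illustrative, and the derivation parameters are assumed from Microsoft's documentation rather than taken from this page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Derivation parameters as Microsoft describes them for Azure AD Connect
# password hash sync (assumed from that documentation, not from this page).
PHS_ITERATIONS = 1000
PHS_SALT_LEN = 10


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte on-premises NT (MD4) hash to 64 bytes the way the
    sync agent does: hex-encode it, then UTF-16LE-encode the hex string."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")


def derive_synced_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the expanded hash with the per-user salt;
    this 32-byte value, not the NT hash itself, is what gets transmitted."""
    if len(salt) != PHS_SALT_LEN:
        raise ValueError("salt must be 10 bytes")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt,
                               PHS_ITERATIONS, dklen=32)


def build_sync_record(nt_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """Record shipped to Azure AD: derived hash plus the salt and iteration
    count needed to repeat the derivation (field layout is illustrative)."""
    if salt is None:
        salt = os.urandom(PHS_SALT_LEN)
    return {"salt": salt, "iterations": PHS_ITERATIONS,
            "hash": derive_synced_hash(nt_hash, salt)}


def cloud_verify(candidate_nt_hash: bytes, record: dict) -> bool:
    """Sign-in check on the Azure AD side: recompute from the candidate
    hash and the stored salt; no call back to on-premises AD is needed."""
    recomputed = derive_synced_hash(candidate_nt_hash, record["salt"])
    return hmac.compare_digest(recomputed, record["hash"])


if __name__ == "__main__":
    # Constructed sample values (not real credentials).
    sample_nt_hash = bytes(range(16))
    record = build_sync_record(sample_nt_hash)
    print("synced value:", record["hash"].hex())
    print("verify ok:", cloud_verify(sample_nt_hash, record))
    print("wrong hash rejected:", not cloud_verify(bytes(16), record))
```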
Pass-through Authentication (PTA)
Description: Pass-through Authentication enables users to authenticate directly against the on-premises Active Directory, without storing password hashes in Azure AD.
How It Works:
When a user attempts to sign in, Azure AD forwards the authentication request to an on-premises agent.
The agent then communicates with the on-premises AD to validate the user’s credentials.
If the authentication is successful, the user is granted access to cloud resources.
Use Case: Suitable for organizations that don’t want to sync password hashes to Azure AD but still want to use cloud services with their on-premises AD.
Benefits:
Users authenticate against on-premises AD.
No need to store password hashes in Azure AD.
Simple setup and seamless integration with on-premises AD.
Federated Authentication (ADFS)
Description: Federation-based authentication uses an Active Directory Federation Services (ADFS) server to authenticate users.
How It Works:
When a user attempts to sign in, Azure AD redirects the user to the on-premises ADFS server for authentication.
The ADFS server validates the user’s credentials against on-premises AD and then issues a token to Azure AD for access.
ADFS manages all user authentication, including multi-factor authentication (MFA) and other custom authentication policies.
Use Case: Best suited for organizations with complex authentication requirements, such as custom authentication flows or integration with legacy systems.
Benefits:
Offers advanced authentication features, such as MFA, custom authentication policies, and integrated SSO.
Ideal for organizations with existing ADFS infrastructure or custom authentication needs.
Complete control over the authentication process, including custom rules and policies.