Hybrid Identities

Azure Hybrid Identities allow organizations to extend their on-premises Active Directory (AD) to the cloud (Azure AD). This setup provides flexibility to manage identities in both on-premises and cloud environments, while maintaining security and access control.

• Hybrid Identities (On-Premises + Azure AD):

  • Created on On-Premises AD: User accounts are created in on-premises Active Directory (AD).

  • Synchronized with Azure AD: These accounts are synced to Azure Active Directory (Azure AD) to provide seamless access to cloud resources, such as Office 365 and other Azure services.

• Cloud-Only Accounts:

  • Created in Azure AD: User accounts are created directly in Azure AD, without any dependency on on-premises AD.

  • Managed in Azure AD: These accounts are entirely managed within Azure AD, with no synchronization from on-premises AD.

Authentication Mechanisms for Hybrid Identities

Azure AD provides several ways to authenticate users based on hybrid identity configurations. Below are the main authentication mechanisms:

PHS

Password Hash Sync (PHS)

• Description: Password Hash Sync synchronizes the password hash from on-premises Active Directory to Azure AD.

• How It Works:

  • On-premises AD stores user passwords.

  • The password hashes (not plain-text passwords) are synchronized to Azure AD.

  • When users sign in, Azure AD verifies the password hash locally without needing to communicate with on-premises AD.

• Use Case: This is the most common and simplest method, providing seamless single sign-on (SSO) without requiring a direct connection to the on-premises AD during authentication.

• Benefits:

  • Minimal infrastructure required.

  • Fast and reliable authentication.

  • No dependency on on-premises connectivity for authentication.

Pass-Through

• Description: Pass-through Authentication enables users to authenticate directly against the on-premises Active Directory, without storing password hashes in Azure AD.

• How It Works:

  • When a user attempts to sign in, Azure AD forwards the authentication request to an on-premises agent.

  • The agent then communicates with the on-premises AD to validate the user’s credentials.

  • If the authentication is successful, the user is granted access to cloud resources.

• Use Case: Suitable for organizations that don’t want to sync password hashes to Azure AD but still want to use cloud services with their on-premises AD.

• Benefits:

  • Users authenticate against on-premises AD.

  • No need to store password hashes in Azure AD.

  • Simple setup and seamless integration with on-premises AD.

ADFS

• Description: Federation-based authentication uses an Active Directory Federation Services (ADFS) server to authenticate users.

• How It Works:

  • When a user attempts to sign in, Azure AD redirects the user to the on-premises ADFS server for authentication.

  • The ADFS server validates the user’s credentials against on-premises AD and then issues a token to Azure AD for access.

  • ADFS manages all user authentication, including multi-factor authentication (MFA) and other custom authentication policies.

• Use Case: Best suited for organizations with complex authentication requirements, such as custom authentication flows or integration with legacy systems.

• Benefits:

  • Offers advanced authentication features, such as MFA, custom authentication policies, and integrated SSO.

  • Ideal for organizations with existing ADFS infrastructure or custom authentication needs.

  • Complete control over the authentication process, including custom rules and policies.