Who wants to achieve Hybrid Identity with Azure Active Directory? This girl! And I hope you do too.
Let’s make it happen with some good ole fashion Cloud Computing learning below:
To achieve Hybrid Identity with Azure AD, one of the following three authentication methods can be used:

- Password Hash Synchronization (PHS)
  - PHS synchronizes a hash of a user's on-premises password to Azure AD
  - With AD Connect, PHS can be configured so all cloud user authentication occurs in Azure AD
  - PHS can optionally be configured as a backup for ADFS
  - Note: AD Connect express install defaults to deploying PHS
  - Benefits:
    - Sync users, contacts, and group accounts between the on-premises network and Azure AD
    - Supports Office 365 Hybrid Identity
  - Considerations:
    - PHS offers the fewest features
    - MFA is only possible with Azure AD MFA
    - Some organizations restrict passwords being stored in the cloud
- Pass-through Authentication (PTA)
  - Same SSO experience as PHS but with additional security features
  - Benefits:
    - Sync of users, contacts and group accounts between on-prem and Azure AD
    - Supports Office 365 hybrid identity
    - Users can sign in and access cloud-based services/apps using on-prem credentials
    - No password hashes stored in the cloud
    - Only outbound connectivity from the on-prem authentication agents is required
    - All on-prem account policies are enforced when users sign in (e.g., expiry, logon hours)
  - Considerations:
    - On-prem MFA is not supported
    - Not integrated with AD Connect Health
    - Leaked credentials detection is not available
  - Supports Seamless SSO
- Federated
  - Note: A federated identity management system provides single access to multiple systems across different enterprises. A federation is a collection of domains that have established trust (e.g., an on-premises domain connected to Azure AD).
  - Provides authentication
  - Provides authorization
  - All user authentication occurs on-premises
  - Benefits:
    - Supports an array of third-party MFA solutions
    - Supports Smart Card (CAC) authentication
    - Allows display of password expiry notifications in the Office Portal and on the Windows 10 desktop
    - Supports all on-prem account policies
  - Considerations:
    - Requires more infrastructure
    - More complex to configure and maintain
    - Does not support Seamless SSO
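Since the three methods leave different footprints, the PowerShell below is an added, read-only posture check that reports which of them a tenant appears to be using (PHS flags on both the tenant and the AD Connect side, whether a PTA agent is present on the local host, and which verified domains are Managed vs Federated). It is not part of the original post or of any Microsoft tooling. It assumes the MSOnline module is installed and `Connect-MsolService` has already been run, that it is executed on the Azure AD Connect server so the `ADSync` cmdlets are available (it degrades gracefully if not), and that the PTA agent's Windows service is named `AzureADConnectAuthenticationAgent`, which is an assumption to verify against your own agent install.

```powershell
# Added example (not from the original post): read-only check of which hybrid
# authentication methods (PHS, PTA, Federation) a tenant appears to use.
# Assumptions: MSOnline module connected (Connect-MsolService already run),
# ADSync module present when run on the Azure AD Connect server, and the PTA
# agent service name below (an assumption; verify on your agent host).

function Get-HybridAuthPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # --- Password Hash Synchronization (PHS) ---
    # Tenant-side view: does Azure AD report that password hashes are being synced?
    $company = Get-MsolCompanyInformation
    $result.PhsEnabledInTenant = [bool]$company.PasswordSynchronizationEnabled

    # Connector-side view on the AD Connect server; tolerate running elsewhere.
    try {
        $feature = Get-ADSyncAADCompanyFeature -ErrorAction Stop
        $result.PhsEnabledOnConnectServer = [bool]$feature.PasswordHashSync
    } catch {
        $result.PhsEnabledOnConnectServer = 'unknown (ADSync module not available on this host)'
    }

    # --- Pass-through Authentication (PTA) ---
    # The PTA agent runs as a Windows service; this is a local indicator only.
    # Service name is an assumption for this example.
    $ptaSvc = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
    $result.PtaAgentServiceState = if ($ptaSvc) { $ptaSvc.Status.ToString() } else { 'not installed on this host' }

    # --- Federation ---
    # Every verified domain is either Managed (PHS/PTA) or Federated (ADFS or third party).
    $domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
    $result.FederatedDomains = @($domains | Where-Object { $_.Authentication -eq 'Federated' } |
                                Select-Object -ExpandProperty Name)
    $result.ManagedDomains   = @($domains | Where-Object { $_.Authentication -eq 'Managed' } |
                                Select-Object -ExpandProperty Name)

    # PHS enabled alongside federated domains is the "PHS as a backup for ADFS" pattern.
    $result.PhsBackupForFederation = ($result.PhsEnabledInTenant -and $result.FederatedDomains.Count -gt 0)

    [pscustomobject]$result
}

Get-HybridAuthPosture | Format-List
```

Read the output against the comparison above: a tenant with `PhsEnabledInTenant` true, no federated domains and no PTA agent is a pure PHS deployment; a running PTA agent with `PhsEnabledInTenant` false matches the "no password hashes stored in the cloud" PTA profile; any entry in `FederatedDomains` means sign-in for that domain is handled on-premises, and `PhsBackupForFederation` tells you whether the ADFS fallback is in place.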
Extra Info:

Multi-Factor Authentication (MFA): logging into a resource using more than one type of authentication.
- Provides additional security
- Made up of something you are, have, or know
- Delivers strong authentication
- Note: MFA can be bypassed depending on how the product is configured.

Types of MFA:
- Azure Cloud MFA
- MFA Server (on-prem to Azure MFA)
- RADIUS integration: RDS servers and VPNs
- Global Administration

Note: All MFA needs to be licensed!
That’s it for today my fellow Devs. Stay tuned, I have a new IPPSec write-up just around the corner.
#dontcodealone