Identity and password-hash synchronization including SSO options
By synchronizing identities and their associated password hashes from the on-premises AD to Azure AD, we can build a basic scenario for smaller companies that don't want to invest in an ADFS infrastructure and don't require SSO. In this scenario, the same password authenticates the user either in the cloud or on-premises, depending on which resource is being accessed. Furthermore, the Password Reset and Account Unlock features are available with an Azure AD Premium license. The requirement is Azure AD Connect with password-hash synchronization enabled; password write-back can optionally be enabled as well.
The following diagram shows the identity and password-hash synchronization scenario:
To add SSO to this solution, you can enable Pass-through authentication and the seamless SSO feature in the Azure AD Connect tool. This is the option Microsoft most commonly recommends, because it reduces complexity and puts Azure AD in the role of the central system that provides authentication to your SaaS and on-premises Kerberos/Claims-based applications:
It's highly recommended that you also enable password-hash synchronization, so that in case of an on-premises service interruption your users can still sign in to cloud services. You can read more about this feature at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta.
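The three settings discussed in this section (password-hash synchronization, password write-back, and seamless SSO) can be audited on the Azure AD Connect server itself. The following script is an added example written for this page, not code from the book or from Microsoft; it uses the `Get-ADSyncAADCompanyFeature` and `Get-ADSyncAADPasswordResetConfiguration` cmdlets from the ADSync module and the `Get-AzureADSSOStatus` cmdlet from the AzureADSSO module. The connector name pattern `<tenant>.onmicrosoft.com - AAD`, the module path, and the function names `Get-HybridAuthFeatureState` and `Test-PhsFallback` are assumptions for this example and may need adjusting for your installation.

```powershell
# Added example (not from the book): audit the Azure AD Connect features this
# section describes. Run in an elevated PowerShell session on the Azure AD
# Connect server. Assumes the ADSync module is present and that the AAD
# connector uses the default "<tenant>.onmicrosoft.com - AAD" name.

Import-Module ADSync

function Get-HybridAuthFeatureState {
    [CmdletBinding()]
    param(
        # Tenant prefix, e.g. "contoso" for contoso.onmicrosoft.com (assumed input).
        [Parameter(Mandatory)] [string] $TenantName,

        # Default install path of the seamless SSO module (assumption).
        [string] $SsoModulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    )

    $aadConnector = "$TenantName.onmicrosoft.com - AAD"

    # Tenant-wide feature flags kept by Azure AD Connect, including PasswordHashSync.
    $features = Get-ADSyncAADCompanyFeature

    # Password write-back is configured on the AAD connector.
    $writeback = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector

    # Seamless SSO status lives in a separate module and needs a global
    # administrator authentication context before it can be queried.
    $ssoEnabled = $null
    if (Test-Path $SsoModulePath) {
        Import-Module $SsoModulePath
        New-AzureADSSOAuthenticationContext          # prompts for global admin credentials
        $ssoEnabled = [bool](Get-AzureADSSOStatus | ConvertFrom-Json).Enable
    }

    [PSCustomObject]@{
        Connector         = $aadConnector
        PasswordHashSync  = [bool]$features.PasswordHashSync
        PasswordWriteback = [bool]$writeback.Enabled
        SeamlessSso       = $ssoEnabled
    }
}

function Test-PhsFallback {
    # Flags the configuration the section warns about: SSO in use without
    # password-hash sync, so an on-premises outage would block cloud sign-in.
    param([Parameter(Mandatory)] $State)

    if (-not $State.PasswordHashSync) {
        Write-Warning "Password-hash synchronization is disabled on $($State.Connector); cloud sign-in has no fallback during an on-premises outage."
        return $false
    }
    return $true
}

# Usage (replace the tenant prefix with your own):
$state = Get-HybridAuthFeatureState -TenantName 'contoso'
$state | Format-List
Test-PhsFallback -State $state | Out-Null
```

Seamless SSO shows as `$null` when the AzureADSSO module is not found at the assumed path, so a missing value means "not checked" rather than "disabled"; the warning from `Test-PhsFallback` is the condition to act on, since password-hash synchronization is the fallback that keeps cloud sign-in working when the on-premises Pass-through authentication agents are unreachable.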