Azure Identity And Access Management Part 37 – Azure Active Directory – Plan Authentication With Azure AD

Hello Friends,
Hope you all are doing good !!!
In our previous articles we have discussed about Application Management in Azure AD. Today in this article, we will discuss on how to plan the authentication of our cloud based application with Azure AD.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check it in following links.
Part 1 – Azure Active Directory – Overview
Part 2 – Azure Active Directory – Enterprise Users
Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell
- *
- *
- *
Part 25 – Azure Active Directory – Identity Governance
Part 26 – Azure Active Directory – Domain Service ( Azure AD-DS) 1 – Overview
Part 32 – Azure Active Directory – Application Management 1 – Overview
Part 33 – Azure Active Directory – Application Management 2 – Integrate SaaS Application
Part 34 – Azure Active Directory – Application Management 3 – SSO Configuration For SaaS Application
Part 35 – Azure Active Directory – Application Management 4 – User Provisioning For SaaS Application
Part 36 – Azure Active Directory – Application Management 5 – Self-Service Application Access
Next Article : Part 38 – Azure Active Directory – Password Protection And Smart Lockout
Azure Active Directory Authentication :
Azure Active Directory (Azure AD) is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. Azure AD is the backbone of the Office 365 system, and it can sync with on-premise Active Directory and provide Authentication to other cloud-based systems via OAuth. As an Identity Platform one of the it’s main feature is to verify, or authenticate, credentials when a user signs in to a device, application, or service. We have very good articles on Azure authentication and it can be found here.
Authentication Methods :
As we know, now a days, organizations are moving towards cloud. They are slowly migrating their on-premise applications to cloud. The first action/concern is to choose the correct authentication method, before they migrate the apps to cloud. Azure AD provides different authentication methods to support different infrastructure’s requirement. It is very important to plan authentication methods of Azure AD, because of the following reasons.
- The authentication method is a critical part of an organization in the cloud. Because authentication and authorization controls the access to all cloud data and resources.
- Authentication method is the foundation of all the other advanced security and user experience features in Azure AD.
In the following figure we can see all type of authentication methods supported by Azure AD.

As we can see in the above figure the all the supported methods are logically divided in following two groups.
- Cloud Only Authentication
- Hybrid Authentication
Cloud Only Authentication :
In Cloud Only Authentication, there is 0% dependency on op-premise infrastructure. Organization’s, adopting this method has no on-premise infrastructure. All their data and resource are deployed in cloud only.
Cloud Only
This authentication method is for the born in cloud only organization, with no on-premises infrastructures. Here we can establish user identity directly in the cloud and the authentication procedure is handled by Azure AD itself. Azure AD provides all the services, to support those scenarios. Other than Cloud Only option, rest of the options required On-Premise AD. Then we called it Hybrid Identity.
Hybrid Authentication :
Hybrid Authentication always has a dependency with on-premise infrastructure. In this method we are dealing with Hybrid identity (On-premise Identity + Cloud Identity). Microsoft’s identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, regardless of location. We call this Hybrid Identity.
Password Hash Sync
In Password Hash Sync method/option, users can login to cloud based application using their On-premise user name and password. This option also provide user and password protection. We need following configuration in place to use password hash synchronization in your environment,
- Install Azure AD Connect.
- Configure directory synchronization between your on-premises Active Directory instance and your Azure Active Directory instance.
- Enable password hash synchronization.

How It Works :

First need to install Azure AD Connect, as it is a provisioning tool. Actually it provision/migrate users from on-premise into Azure AD also it enable password hash sync as our sign in option. On-premise AD never store password as in clear text but in hash form. The hash is a value that we get from a one way mathematically
function applied on a clear text password. The azure AD connect to on-premise AD to collect password hashes and copied to Azure AD in every 2 minutes. When user try to sign to azure AD and they put their on-premise credential then password hash sync agent applied the same hashing algorithm, to the password hash and then it compare the user name and password hash value and try to match with the username and the stored hash value in the azure AD. If the match is success, then the user is successfully signed-In. During authentication process there is no direct dependency on on-premise infrastructure because the password hashes already stored into Azure AD in every 2 minutes.
Benefits of Password Hash Sync
- Enables leaked credential detection
- Support smart locked out and seamless SSO
- Improve the productivity of our users.
- Reduce your helpdesk costs.
Not Supported In Password Hash Sync
- Using smartcard or certificate
- Sign-in using on-premise MFA
- Sign-in using 3rd party authentication solution
Pass-Through Authentication
Pass-through Authentication is very similar with the Password Hash Sync option but it mainly used in organizations, where it required custom policies and and the required support for user log in is not supported by azure ad natively.
In this case, we can user Federation authentication but it will leads to invest a huge cost for the infrastructure.

How It Works :
Same as Password Hash Sync option, this method/option also depend on Azure AD Connect. It is also set-up Azure AD connect just like password hash sync but it does not sync password hash to Azure AD instead, it required to install two or more authentication agent on on-premise environment.

we can install more agent to achieve high availability. We can install agent in our domain control. The agent does not required any maintenance and it has auto update capability. The agent actually make persistence out bound connection to the network of Azure AD and listen to authentication request.

When an user try to sign-in to azure AD, and they provide the User Name and Password in the sign-in page, Azure AD service encrypted the password using a public key and puts User Name and encrypted Password in a queue for validation.

One of the agent that have been deployed in our on-premise, pulls-down the User Name and encrypted Password and decrypt the password using a private kay and test the user name and password against the on-premise AD. Now the result of the authentication ( Successful, Fail, Password Expired or User is locked out ) is sent back to Azure AD via the agent. if the result is successful user can login to the application. It also supports seamless SSO. In the following figure we can see, where to check , if the Pass-through Authentication is enabled or not.

Benefits Of Pass-through Authentication
- Great user experience
- Users use the same passwords to sign into both on-premises and cloud-based applications.
- Users spend less time talking to the IT helpdesk resolving password-related issues.
- Users can complete self-service password management tasks in the cloud.
- Easy to deploy & administer
- No need for complex on-premises deployments or network configuration.
- Needs just a lightweight agent to be installed on-premises.
- No management overhead. The agent automatically receives improvements and bug fixes.
- Secure
- On-premises passwords are never stored in the cloud in any form.
- Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including Multi-Factor Authentication (MFA), blocking legacy authentication and by filtering out brute force password attacks.
- The agent only makes outbound connections from within your network. Therefore, there is no requirement to install the agent in a perimeter network, also known as a DMZ.
- The communication between an agent and Azure AD is secured using certificate-based authentication. These certificates are automatically renewed every few months by Azure AD.
- Highly available
- Additional agents can be installed on multiple on-premises servers to provide high availability of sign-in requests.
Not Supported In Pass-through authentication
- Password protection like leak credential report.
Up Coming Features For Pass-through authentication
Microsoft now looking ahead to make things more easier to configure pass-through authentication by providing following services.
- provide support to configure agent and passthrough through portal instate on azure ad connect
- Provide admin rich sign-in reports.
- Get health information about agent deployed on-premise.
Federated Authentication :
Federated Authentication comes in to the picture, I if the organization, that have advance features that not currently supported by Azure AD features including, Multi Site Low Latency Authentication infrastructure. Those services are not natively supported in Azure AD .
Federation required more set up like it required two server in our internal network to accept authentication request. More than one server required for high availability. Two more server required in Perimeter network to accept request from the internet and relay the authentication request to your internal AD FS server as shown in the following figure.

We can optionally set up password hash synchronization as a backup in case our federation authentication infrastructure fails. When user sign-in to the Azure AD the Azure AD hand up the authentication request to the trusted federation system that we have configured. The Federation authentication is for following providers.
- ADFS
- Third party federation Provider
References :

With the above information, we are concluding this article on authentication with Azure AD. I hope this is informative to you. As I am exploring the Azure Identity and Access Management (IAM) in a detail level specially with Azure Active Directory . Please let me know if I missed anything important or if my understanding is not up to the mark.
Next Article : Part 38 – Azure Active Directory – Password Protection And Smart Lockout
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂
2 Responses
[…] our previous articles we have discussed about Authentication Methods With Azure AD. Today in this article, we will discuss on Password Protection and Password Smart Lockout service […]
[…] Chapter 37 – Azure Active Directory – Plan Authentication With Azure AD […]
You must log in to post a comment.