Azure Hybrid Authentication

When planning Hybrid Azure Authentication, choosing the correct authentication method is the first concern for organizations, no matter how small or large.  Your choice will affect your entire deployment, and it is complicated to change authentication methods. Consider the following when choosing:

  • It’s the first and most crucial decision for an organization.
  • The authentication method controls access to all cloud data and resources.
  • It’s the foundation of all the other security and user experience features in Azure Active Directory.

Organizations that don’t have an existing on-premises Microsoft Active Directory deployment typically create identities only in the Cloud, using Azure AD alone or in conjunction with Azure AD Domain Services. This is referred to as “Cloud only.” We won’t be discussing Azure AD Domain Services in this article, because it would get confusing alongside the Azure Hybrid authentication methods. We will save Azure AD Domain Services for another article.

Decision Tree

This is an Azure AD decision tree from a video authored by Swaroop Krishnamurthy and Martin Coetzer. These two gentlemen are Azure AD Program Managers for Microsoft. Refer to this decision tree when you finish this article. It may help you decide which authentication method to use.

Azure AD decision tree

Authentication Scenarios

For now, let’s stay with Hybrid identity authentication scenarios, of which there are three.

Password Hash

Azure AD password hash synchronization with seamless Single Sign-On (SSO). This is the most used configuration because it is the simplest method to enable authentication between Hybrid Azure Authentication services and on-premises Active Directory services. Users can use the same username and password that they use on-premises. Hashes of the user password are stored in the Cloud. Storing password hashes in the Cloud may be an issue for specific organizations due to policy requirements. The password hash synchronization is highly secure. Here are a few key points.

  • The sync process does not send the password hash stored in Active Directory; it sends a SHA256 hash of the original MD4 hash.
  • The synchronized SHA256 hash is a one-way value and cannot be decrypted.
  • The per-user hash sent to Azure AD (AAD) undergoes 1000 iterations of the HMAC-SHA256 hashing algorithm, and synchronization runs every two minutes.
  • Azure AD Smart Lockout assists in blocking brute-force password attempts.
  • Password hash synchronization unlocks Azure AD Identity Protection leaked credentials feature: this is particularly relevant as it monitors public web sites and the dark web in collaboration with researchers, law enforcement and Microsoft Security teams plus other trusted sources.
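
How the synchronized value in the bullets above is derived, as an added example that is not code from the original article or from Microsoft. It goes beyond the bullets by following Microsoft's published description (16-byte MD4 hash expanded to 64 bytes, 10-byte per-user salt, PBKDF2 with HMAC-SHA256); the function names, the sample values and the uppercase-hex, little-endian encoding are assumptions.

```python
import hashlib
import hmac

ITERATIONS = 1000  # iteration count given in the article
SALT_LEN = 10      # per-user salt length, per Microsoft's documentation


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte MD4 hash to 64 bytes: hex string re-encoded as UTF-16."""
    if len(nt_hash) != 16:
        raise ValueError("an MD4 (NT) hash is exactly 16 bytes")
    # Assumption: uppercase hex digits, little-endian UTF-16.
    return nt_hash.hex().upper().encode("utf-16-le")


def derive_sync_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """PBKDF2 (HMAC-SHA256, 1000 iterations) over the expanded hash and salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("per-user salt must be 10 bytes")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, ITERATIONS, 32)


def matches(nt_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Constant-time check of a candidate hash against a stored record."""
    return hmac.compare_digest(derive_sync_hash(nt_hash, salt), stored)


def demo() -> dict:
    # Constructed sample values, not taken from any real directory.
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    other_nt = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    salt_a, salt_b = bytes(range(10)), bytes(range(10, 20))
    user_a = derive_sync_hash(nt_hash, salt_a)
    user_b = derive_sync_hash(nt_hash, salt_b)  # same password, different user
    return {
        "user_a": user_a,
        "user_b": user_b,
        "plain_sha256": hashlib.sha256(nt_hash).digest(),
        "verify_ok": matches(nt_hash, salt_a, user_a),
        "verify_wrong": matches(other_nt, salt_a, user_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Because of the per-user salt, two accounts with the same password produce different synchronized values, and neither equals a plain SHA256 of the MD4 hash.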


The diagram below represents Password Hash Sync actions. It is relatively easy to follow the user sign-in operation. The key to this authentication method is the installation of Azure AD Connect on an on-premises server. Azure AD Connect synchronizes AD objects between the on-premises AD and Azure AD.  I find this is easy to test by replicating an on-premises environment using Azure Infrastructure-as-a-Service. For example, build an Azure Windows 2019 Virtual Server in the same Tenant, install Windows AD and install the Azure AD Connect application. You can test all functions of AD Connect.

Azure AD password hash synchronization with seamless Single Sign-On

AD Passthrough

Azure AD Pass-through Authentication with seamless Single Sign-on. Provides password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, ensuring that the password validation doesn’t happen in the Cloud. Additionally, no password hashes are stored in the Cloud. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and other account-related security options use this authentication method.

Azure AD Pass-through Authentication with Seamless Single Sign-on

Federation

Federation authentication. To validate the user’s password, this authentication method hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS) or an F5 system. In addition, this authentication system can provide additional advanced authentication requirements such as smartcard-based authentication or third-party multifactor authentication.

Federation authentication

Proper authentication has a large impact on Azure Virtual Desktop also. I hope you found this overview useful. Please continue your evaluation by reading the official Microsoft documentation.

Author: Chet Camlin
