Identity management gets complicated when an organization has both cloud and on-premises applications and data. If employees have separate credentials for each environment, they must log in to both, and using cloud and local software together becomes awkward. Microsoft addresses this problem with Azure AD Connect. Users can have a single Active Directory identity for on-premises and Azure cloud resources such as Office 365, and can use and connect their local and cloud applications with little trouble.
Azure AD Connect is Microsoft’s latest tool for identity management across cloud and on-premises environments. It replaces earlier tools, such as DirSync and Azure AD Sync, and offers more capabilities than its predecessors. Further, Azure comes with AD Connect at no extra cost. It supports hybrid identity with five main features:
- Password hash synchronization
- Pass-through authentication
- Federation integration
- Synchronization services
- Health monitoring (premium feature)
Password Hash Synchronization
Having just one password for all services makes life simpler for users. They only have to remember one, so they’re less likely to forget it and need assistance. With AD Connect, a user has the same password for on-premises Active Directory services and Azure services such as Microsoft 365. To share access securely across environments, AD Connect hash synchronization sends only a hash of the password. The password is never stored or sent as cleartext.
Hash synchronization is the simplest of the three ways AD Connect can provide hybrid identity and single sign-on, and it is easy to deploy and use. Multi-factor authentication is available using Azure AD Multi-Factor Authentication or Conditional Access custom controls.
There is a short synchronization lag when account status changes. Administrators can run a synchronization cycle to bring Azure accounts back in sync after changes to on-premises accounts.
Another way to implement hybrid identity with AD Connect is pass-through authentication. This approach uses an on-premises software agent for authentication. The cloud service holds no password information, not even a hash: it receives the password at sign-in but does not store it. This approach can satisfy organizations with strict requirements on where passwords may reside. The on-premises authentication agent validates the credentials and sends an appropriate response to Azure. Azure AD can then perform multi-factor authentication if configured to do so.
Another advantage of pass-through authentication is that it lets user-level Active Directory security policies apply. These policies can enforce account and password expiration, account lockout, and sign-in hours. The on-premises agent handles these features.
Support for pass-through authentication requires installing one or more lightweight authentication agents on on-premises servers. Installing agents on multiple servers improves the availability of the sign-in service. A federated environment, with its additional infrastructure, is not necessary.
The most powerful and complex of the available hybrid identity approaches is federated integration. It uses a separate trusted authentication system, which can be on-premises or on the Internet. In principle, federated integration can support any kind of authentication, including dongles, smart cards, and multi-factor authentication. Further, the authentication service may treat some devices as trusted and not require their owners to provide credentials.
The degree of complexity depends on the authentication system. Third-party services can be used if they are compatible with AD Connect.
A federated system generally uses a server farm rather than a single server, so that users are not locked out by a single point of failure. The server farm authenticates over SSL/TLS, so it needs a certificate that must be renewed periodically. Organizations that already have a trusted on-premises authentication service will often find federated integration a good choice.
The AD Connect sync engine handles the synchronization between on-premises systems and Azure AD. It creates users and groups and makes sure their on-premises identity information matches what is in the cloud. The services consist of two components.
The on-premises component is called the Azure AD Connect Sync Engine; the cloud component is the Azure AD Connect Sync Service. The sync engine can get identity information from various sources, such as a SQL database or Active Directory. It uses a staging area so that it can process identity information even if the source is temporarily unavailable.
The synchronization services are the underlying method for password hash synchronization, as well as other services. Password hashes are synchronized every two minutes.
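The synchronization cycle mentioned above (forcing a delta sync after on-premises account changes, and confirming password hash sync is enabled for a connector) can be checked from the AD Connect server with the ADSync PowerShell module. This is an added example, not code from the article or from Microsoft; the connector name `contoso.local` is an assumption.

```powershell
# Added example; run on the Azure AD Connect server as an administrator.
Import-Module ADSync

$sourceConnector = 'contoso.local'   # assumed name of the on-premises AD connector

# Confirm the built-in scheduler is enabled and inspect its effective interval.
$scheduler = Get-ADSyncScheduler
"Scheduler enabled: $($scheduler.SyncCycleEnabled); interval: $($scheduler.CurrentlyEffectiveSyncCycleInterval); staging mode: $($scheduler.StagingModeEnabled)"

# Confirm password hash synchronization is switched on for this connector.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $sourceConnector
"Password hash sync enabled: $($phs.Enabled)"

# A delta cycle exports only changes since the last run, which is what you want
# after disabling or modifying a handful of on-premises accounts.
if ($scheduler.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; wait for it to finish before starting another.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
    # Get-ADSyncConnectorRunStatus returns nothing once every connector is idle.
    do {
        Start-Sleep -Seconds 5
    } while (Get-ADSyncConnectorRunStatus)
    'Delta sync cycle finished.'
}
```

If the server is in staging mode, the cycle imports and synchronizes but does not export, so account changes still will not reach Azure AD until the active server runs.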
Any identity authentication service needs to be highly available and reliable. An undetected failure to update identity information could lock users out or let disabled accounts keep working. Also, administrators need to know how the authentication system is being used so they can catch intrusion attempts. Azure AD Connect Health is a premium feature that provides monitoring of the on-premises identity infrastructure. The AD Connect Health Portal lets administrators view all alerts and analytics in one place.
Each identity server needs to have an agent installed to let AD Connect Health monitor it. Installing the agents is a simple matter, and they can be set to auto-upgrade.
Reviewing the health monitoring information helps administrators to maintain a high level of security. They can get alerts on critical issues and ongoing usage metrics. Unusual numbers of authentication requests, especially failed ones, can alert them to attempts to gain unauthorized access.
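The kind of review described above, flagging unusual volumes of failed authentication requests, can be scripted over exported sign-in records. This is an added example, not part of the article or of AD Connect Health; the records, thresholds and the `Find-SuspiciousSignins` function are constructed here for illustration.

```powershell
# Added example. The CSV below is constructed sample data; in practice feed it
# from your sign-in log export. Addresses are documentation ranges.
$signins = @'
time,user,ip,result
2024-05-01T08:00:05Z,alice@contoso.com,203.0.113.10,Success
2024-05-01T08:00:09Z,bob@contoso.com,203.0.113.10,Failure
2024-05-01T08:00:12Z,carol@contoso.com,203.0.113.10,Failure
2024-05-01T08:00:15Z,dave@contoso.com,203.0.113.10,Failure
2024-05-01T08:00:18Z,erin@contoso.com,203.0.113.10,Failure
2024-05-01T08:00:21Z,frank@contoso.com,203.0.113.10,Failure
2024-05-01T08:05:00Z,alice@contoso.com,198.51.100.7,Failure
2024-05-01T08:05:30Z,alice@contoso.com,198.51.100.7,Failure
2024-05-01T08:06:00Z,alice@contoso.com,198.51.100.7,Success
'@ | ConvertFrom-Csv

$window      = [TimeSpan]::FromMinutes(10)
$failPerUser = 5   # assumed thresholds; tune them to your own baseline
$usersPerIp  = 4

function Find-SuspiciousSignins {
    param($Events, [TimeSpan]$Window, [int]$UserThreshold, [int]$IpThreshold)
    $failures = $Events | Where-Object result -eq 'Failure' |
        ForEach-Object { $_.time = [DateTime]::Parse($_.time).ToUniversalTime(); $_ }
    $alerts = @()
    # Many failures for one account inside the window: guessing, or a stale cached password.
    foreach ($g in $failures | Group-Object user) {
        $sorted = @($g.Group | Sort-Object time)
        if ($sorted.Count -ge $UserThreshold -and
            ($sorted[-1].time - $sorted[0].time) -le $Window) {
            $alerts += [pscustomobject]@{ Type = 'user-failures'; Key = $g.Name; Count = $sorted.Count }
        }
    }
    # One source IP failing against many distinct accounts: the pattern to escalate first.
    foreach ($g in $failures | Group-Object ip) {
        $distinct = @($g.Group.user | Sort-Object -Unique).Count
        if ($distinct -ge $IpThreshold) {
            $alerts += [pscustomobject]@{ Type = 'ip-spray'; Key = $g.Name; Count = $distinct }
        }
    }
    $alerts
}

Find-SuspiciousSignins $signins $window $failPerUser $usersPerIp | Format-Table
```

With the sample data only 203.0.113.10 is reported (five distinct accounts failing within seconds); alice's two failures followed by a success stay below the per-user threshold.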
Do you need Azure AD Connect? Businesses that migrate some of their services to Azure but keep a Microsoft-based hybrid environment will find AD Connect useful. It gives users a sense of working in a single environment rather than having to bridge two different ones. They do not have to authenticate twice, so security measures such as multi-factor authentication are less of a nuisance. The federated option lets an organization keep the authentication service it already uses on-premises.
Azure AD Connect is included with Azure Active Directory; all Azure and Office 365 subscriptions include it. AD Connect Health requires an Azure AD Premium P1 license. Different subscription tiers support different feature sets. For example, a Premium or Office 365 subscription is required for multi-factor authentication.