We saw the Azure AD sign-in options in the last post and here we will see the difference between Federation Authentication, Password Hash Sync Authentication and Pass-through authentication.


 

Federation

Password Hash Sync

Pass-Through

ADFS Requirement

ADFS & WAP servers are required

Not Required

Not Required

AD Connect Requirement

Yes

Yes

Yes

AuthN Agent

No

No

Yes. Installed on AD Connect server or member server

How it works

Azure AD redirects you to ADFS as the authentication domain configured as federated domain. ADFS server authenticate the user with AD and return a security token to authenticate with Azure AD

AD Connect sync the Hash of the Password Hash in Azure AD and Azure AD accepts both the user name and password validate it with the synced hash.

Azure AD accepts the user name and password and send it On-Premise AuthN agent server which will authenticate with AD and return the successful authentication to Azure AD

Single Sing On (SSO)

Yes, via On-Premise AD credential

No

Requires seamless SSO enabled

Seamless SSO

Yes, when device connected to AD

Yes, when device connected to AD

Yes, when device connected to AD

Password Remains

In On-Premise

Azure AD

In On-Premise

MFA Support

On-Premise ADFS or through Azure AD

Azure AD

Azure AD

Conditional Access

On-Premise ADFS or through Azure AD

Azure AD

Azure AD

HA for Authentication

Depends on the ADFS infrastructure

Available in azure AD

Depends on AuthN agent deployments

Account lockout in On-Premise

Immediate effect

Still be active in the cloud

Immediate effect

Disable On-Premise AD Account

Reflect when sign-in occurs

Reflect to Azure AD on the next sync cycle

Reflect when sign-in occurs

Authenticates to Azure AD

Security Token from ADFS

User Name & Password

Kerberos Token

Advantages

  • Password maintained in On-Premise
  • On-Premise MFA
  • On-Premise Conditional Access Support
  • Seamless SSO.
  • Cost effective & Easy to deploy
  • Cloud Authentication & scalability
  • Identity Protection
  • User to remember one password
  • Ability to login cloud service even if AD down.
  • No need of ADFS deployment
  • Cloud Authentication
  • Seamless SSO.
  • Simple deployment of AuthN agent.
  • HA for AuthN agent.
  • Automatic certification roll over

Disadvantages

  • Doesn’t provide cloud authentication scalability.
  • Identity Protection required P2 License.
  • SSL requirement.
  • Authentication prompt when switching applications.
  • No granular logon restrictions.
  • Azure AD Premium license required for self-service password reset.
  • HA to be setup On-Premise
  • Password gathered at Azure AD

Above are the difference between the Azure AD authentication options. Hope this is informative. Learn more about the sign-in options

In this post, we are going to discuss the Azure AD sign in option available to access the claims aware application like Office 365. Below are the four sign-in options available when accessing a Microsoft cloud application or any claims aware application integrated with Azure AD. We will see how the sign-in options work in short on this post and a detailed explanation for each authentication in separate post.

  • Federation Authentication
  • Password Hash Synchronization Authentication
  • Pass-through Authentication
  • Seamless SSO (enabled when choosing PHS or PTA)

On the Azure portal under AD Connect, you can see the authentication options.

Federation Authentication:

Most of the Companies preferred to use federated authentication. When the federation sign in option enabled, the domain used for authentication will be configured as federated domain in Azure AD. Below shows the authentication flow for federation sign-in

How it works?

To explain the Federation Sign-in flow, when you access any claims aware application that trusts Azure AD as the STS, the application will redirect you to authenticate with Azure AD, Azure AD prompts you to login with the user name option only and when you enter the user name, the domain validated whether it is a federated domain. Since it is a federated domain, you are redirected to On-Premise ADFS infrastructure, (to WAP server if you are in Internet and to ADFS server if you sign-in from Intranet). ADFS prompts you to enter the user name and password passed and it authenticates with Active Directory. On successful authentication with AD, ADFS send a Security token to User that will be send back to Azure AD for successful authentication.

Note: You need to maintain a ADFS infrastructure to have this federation sign-in option and it is having additional benefits like you use On-Premise MFA server for multifactor authentication.

You can look for below authentication options which won’t cost you much and AD connect server will help you to meet your requirement.

Password Hash Synchronization Authentication:

No need to confuse about the Password Synchronization option, we are not directly synchronizing the password from On-Premise to Azure AD. Only the Hash of the Password hash synchronized with Azure AD using Azure AD connect.

How it works?

When Password Hash Synchronization authentication enabled for the tenant, Hash of the password hash is available in Azure AD after Synchronization. If a user access a Azure Integrated application, user redirected to authenticate with Azure AD, Azure AD prompt the user to enter the credential, both user name and the password will be entered in Azure AD authentication dialogue window and it will be validated against the hash Synced in Azure. If successful, user will be provided security token to the authenticate the service\application. Switching from one application to other, prompts the user to validate the credential when this sign-in option used.

Pass-through Authentication:

If we use the Pass-through authentication, user name the password will be gathered in Azure AD but Passwords validated in On-Premise AD. AuthN Agent configured in AD Connect or any member server supports this Pass through Authentication. Below shows the pass-through authentication flow.

How it works?

When user access any office 365 application, it will redirect the user to Azure AD for authentication, Azure AD prompt the user to enter both the user and password and it will be sent to AuthN agent server in On-Premise using a securing tunnel established when configuring the AuthN agent. AuthN agent component validate the user name and password with Active Directory using a Win32 API call to Active Directory and the successful authentication will be sent back to Azure AD. Azure AD authentication successful and send a security token to access the application, the user will gain access to Application.

Seamless Single Sign-On Authentication:

Seamless SSO works with Password Hash Synchronization and Pass-through authentication. For the seamless SSO to work, the machine has to be domain joined and should have access to AD. Machine authenticates with Azure AD using Kerberos token.

How it works?

When Seamless SSO enabled, new computer object created in AD that holds 2 SPN for authentication with Azure AD. Let us take User access a claims aware application, user will be redirected to Azure AD for authentication, Azure AD instructs the client to do a authentication test to find the client is SSO capable and it will send a unauthorized response and to get a token a token from AD. Client requests a Kerberos token ticket from AD and the same will be send it to Azure AD, Azure AD returns a security token which will sent to application and the authentication will be successful.

If Seamless SSO fails, the other enabled option PTA or PHS will be used for authentication.

I hope this post is informative to you.