MS-100 Manage Authentication

May 31st, 2019 | Posted by admin in Exchange

Manage Authentication

To manage the authentication options, we need to know the Authentication Methods available and how that works.

Understanding Authentication Methods:


Below are the authentication options or Sign-In options available for Office 365 / Azure AD.

  • Federation Authentication
  • Password Hash Synchronization Authentication
  • Pass-through Authentication
  • Seamless SSO (enabled when choosing PHS or PTA)

Federated Authentication

Most of the Companies preferred to use federated authentication. When the federation sign in option enabled, the domain used for authentication will be configured as federated domain in Azure AD. Below shows the authentication flow for federation sign-in

How it works

To explain the Federation Sign-in flow, when you access any claims aware application that trusts Azure AD as the STS, the application will redirect you to authenticate with Azure AD, Azure AD prompts you to login with the user name option only and when you enter the user name, the domain validated whether it is a federated domain. Since it is a federated domain, you are redirected to On-Premise ADFS infrastructure with a Token Request from On-Premise AD, (to WAP server if you are in Internet and to ADFS server if you sign-in from Intranet). ADFS receive the SAML request and prompts you to enter the user name and password passed and it authenticates with Active Directory. On successful authentication with AD, ADFS send a Security token with claims to User that will be send back to Azure AD. Azure AD evaluates the token response and if valid response, Azure AD confirms the successful authentication and user will be allowed to access the application.

Note: You need to maintain a ADFS infrastructure to have this federation sign-in option and it is having additional benefits like you use On-Premise MFA server for multifactor authentication.

Password Hash Synchronization Authentication

No need to confuse about the Password Synchronization option, we are not directly synchronizing the password from On-Premise to Azure AD. Only the Hash of the Password hash synchronized with Azure AD using Azure AD connect.

How it works

When Password Hash Synchronization authentication enabled for the tenant, Hash of the password hash is available in Azure AD after Synchronization. If a user access a Azure Integrated application, user redirected to authenticate with Azure AD, Azure AD prompt the user to enter the credential, both user name and the password will be entered in Azure AD authentication dialogue window and it will be validated against the hash Synced in Azure. If successful, user provided with security token to authenticate the service\application. Switching from one application to other prompts the user to validate the credential when this sign-in option used.

Pass-through Authentication

If we use the Pass-through authentication, user name the password gathered in Azure AD but Passwords validated in On-Premise AD. AuthN Agent configured in AD Connect or any member server supports this Pass through Authentication. Below shows the pass-through authentication flow.

How it works

When user access any office 365 application, it will redirect the user to Azure AD for authentication, Azure AD prompt the user to enter both the user and password and it will be sent to AuthN agent server in On-Premise using a securing tunnel established when configuring the AuthN agent. AuthN agent component validate the user name and password with Active Directory using a Win32 API call to Active Directory and the successful authentication will be sent back to Azure AD. Azure AD authentication successful and send a security token to access the application, the user will gain access to Application.

Seamless Single Sign-On Authentication

Seamless SSO works with Password Hash Synchronization and Pass-through authentication. For the seamless SSO to work, the machine has to be domain joined and should have access to AD. Machine authenticates with Azure AD using Kerberos token.

How it works

When Seamless SSO enabled, new computer object created in AD that holds 2 SPN for authentication with Azure AD. Let us take User access a claims aware application, user will be redirected to Azure AD for authentication, Azure AD instructs the client to do an authentication test to find the client is SSO capable and it will send an unauthorized response and to get a token a token from AD. Client requests a Kerberos token ticket from AD and the same will be send it to Azure AD, Azure AD returns a security token which will sent to application and the authentication will be successful.

If Seamless SSO fails, the other enabled option PTA or PHS used for authentication.

Design Authentication Method:

You can choose from below Authentication methods and design your Azure Authentication

  • Cloud Authentication.
  • Federated Authentication
  • Federated Authentication with Password Hash Sync
  • Federated Authentication with Pass-Through Authentication
  • Seamless SSO with Password Hash Sync
  • Seamless SSO with Pass-Through Authentication

Configure Authentication

Enterprise Customers will deploy ADFS for authentication and we will see how to configure Microsoft 365 Authentication using ADFS

ADFS configuration requires

  • Domain Admin Account
  • Publically Trusted Certificate for SSL server authentication
  • ADFS Prerequisites like ADFS Service Name, Service Account, and SQL Database etc.
  • DNS A records for ADFS Service Name in Internal and External DNS
  • Domain going to be federated to added and verified in Azure

Once any of the above authentication method selected, we have the option to Configure Multi factor Authentication for end users.

MFA can be enabled at the account level or it can be enabled per application by using Conditional Access.

ADFS Supports certificate based authentication (smart card certificates)

Implement Authentication Method

Below are the two options available for configuring authentication for Office 365.

Configuring Office 365 / Azure AD Authentication via ADFS

Once the ADFS infrastructure deployed, we need to convert the required domain as federated domain using the below 2 commands

Set-MsolADFSContext -Computer ADFS_Server_FQDN

Convert-MsolDomainToFederated –DomainName SuperHybridCloud.com

Above command will convert the domain as federated domain and it will create a relying party trust for Office 365 services with default claims required for Authentication.

To covert a domain to standard (Managed) or federated, we can use any of the below PowerShell Commands

  • Set-MsolDomainAuthentication
  • Convert-MsolDomainToStandard or Convert-MsolDomainToFederated

Configuring Office 365 / Azure AD Authentication via Azure AD Connect

While configuring the AD Connect, we will have an option to select the sign in option also the ADFS configuration which will convert the domain and create the relying party trust during the Azure AD Connect configuration.

Make a note, Password Hash Sync and Pass through authentication can be done only from Azure AD Connect.

Manage Authentication

To change the authentication method,

On the AD Connect Configuration Wizard -> Configure -> Configure Sign in Options and select the authentication method required for your organization.

To view the configured authentication method,

MFA can be enabled or disabled from the properties of the User Account or via Conditional Access Policy.

Monitor authentication

Azure AD Sign-In Logs are available for 30 days for review; we can navigate to Azure AD portal to view the Sign-In logs. It requires Azure AD P1 or P2

To view the Sign-In logs: Azure AD -> Sign-Ins

You can follow any responses to this entry through the RSS 2.0 You can leave a response, or trackback.

Leave a Reply