Active Directory / Azure / Office 365 / Security

Azure AD Pass-Through Authentication and Seamless Single Sign-on

Last week Microsoft announced the public preview of Azure Active Directory Pass-Through Authentication (PTA) and Seamless Single Sign-on. These two features are great news for organizations who do not want to use the Azure cloud for handling authentication, but want to use the on-premises Active Directory infrastructure. Microsoft already provides a solution for that with Active Directory Federation Services and so do third-party providers, but this is a more complex solution for on-prem authentication and usually you setup several (dedicated) servers for running ADFS and also need a DMZ. The two new features can be installed on existing servers as part of Azure AD Connect.

Pass-Through Authentication
Azure AD Pass-Through Authentication provides a simple authentication solution for those organizations who do not want to store the passwords outside of their on-premises infrastructure, but want to authenticate against their local Active Directory. When a user enters their credentials into the login fields on, for example, portal.office365.com, the credentials are send to the PTA connector, which validates them against the local Active Directory and the result is returned to Azure AD (and access is allowed or blocked). No passwords are stored at the cloud, no authentication is handled by the cloud.

You can enable Azure AD PTA by running the installation of Azure AD Connect and choose Pass-Through authentication at the User sign-in screen. This will setup a connector on the same server as the Azure AD Connect is installed on. If you want to provide high availability and load balancing, you are able to setup a second connector on a different server. Their is no need to setup servers at an DMZ.

Seamless Single Sign-on
By enabling Seamless Single Sign-on, you provide you corporate users (logged on to domain joined computers on the corporate network) a single sign-on experience. They can authenticate to Azure AD Apps and Office 365 resources, by just entering their username. The users don`t need to enter their password to logon.
Seamless single sign-on comes as part of Azure AD Connect, like PTA, therefor their is no need to deploy new servers to run this software.

Azure AD Pass Through Authentication in combination with Seamless Single Sign-on gives you almost the same user experience as ADFS provides, but it is less complex to deploy. Although ADFS offers a few things that PTA with Seamless SSO does not, like support for smartcard authentication or support for third party MFA providers, for a lot of companies this is a great alternative when authentication needs te be handled by the local Active Directory.

If you want to read the announcement by Microsoft visit this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *