Today, businesses, and corporations are becoming more and more a mixture of on-premises and cloud applications. Users require access to those applications both on-premises and in the cloud. Managing users both on-premises and in the cloud poses challenging scenarios.
Microsoft’s identity solutions span on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.
With hybrid identity to Azure AD and hybrid identity management these scenarios become possible.
To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:
These authentication methods also provide single-sign on capabilities. Single-sign on automatically signs your users in when they are on their corporate devices, connected to your corporate network.
For additional information, see Choose the right authentication method for your Azure Active Directory hybrid identity solution.
Common scenarios and recommendations
Here are some common hybrid identity and access management scenarios with recommendations as to which hybrid identity option (or options) might be appropriate for each.
|I need to:||PHS and SSO1||PTA and SSO2||AD FS3|
|Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically.|
|Set up my tenant for Office 365 hybrid scenarios.|
|Enable my users to sign in and access cloud services using their on-premises password.|
|Implement single sign-on using corporate credentials.|
|Ensure no password hashes are stored in the cloud.|
|Enable cloud-based multi-factor authentication solutions.|
|Enable on-premises multi-factor authentication solutions.|
|Support smartcard authentication for my users.4|
|Display password expiry notifications in the Office Portal and on the Windows 10 desktop.|
1 Password hash synchronization with single sign-on.
2 Pass-through authentication and single sign-on.
3 Federated single sign-on with AD FS.
4 AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be soft-certificates deployed via trusted provisioning channels such as MDM or GPO or smartcard certificates (including PIV/CAC cards) or Hello for Business (cert-trust). For more information about smartcard authentication support, see this blog.
License requirements for using Azure AD Connect
Using this feature is free and included in your Azure subscription.
- What is Azure AD Connect and Connect Health?
- What is password hash synchronization (PHS)?
- What is pass-through authentication (PTA)?
- What is federation?
- What is single-sign on?