Many organizations moving to the cloud are already
managing identities on-premises. To use cloud resources you need identities there
as well, and for that Azure provides Azure AD.
This situation leads to hybrid identity, where
both on-premises and the cloud hold identities and you have to manage both; it is
up to you how you want to handle authentication and authorization across the two.
Azure provides a service to manage hybrid
identities called Azure AD Connect. With Azure AD Connect you can extend your identities
to the cloud and allow users to access cloud applications with their existing
credentials. To accomplish this there are three options: federation with ADFS, PHS
and PTA.
In this post we will talk briefly about all three
options and then compare them.
Azure AD Connect: -
AD Connect is the underlying Microsoft tool used to deploy,
configure, manage and monitor hybrid identities between On-prem AD and Azure AD.
AD Connect supports Server 2012 R2 and above.
AD Connect provides the ability to configure and deploy the
following hybrid identity solutions:
- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
- Federation integration, including AD Federation Services (ADFS)
AD Connect synchronizes users, groups and other objects
between on-prem and Azure AD.
You cannot run multiple active AD Connect servers against one tenant for HA; that is why,
for DR, you install a second AD Connect server in staging mode. A staging-mode server imports and
syncs but never exports, so it only becomes effective once you switch staging mode off.
AD Connect comes with health monitoring (Azure AD Connect Health), and the
monitoring data is visible in the Azure portal.
To check the status of the sync scheduler use Get-ADSyncScheduler (ADSync module, on the AD Connect server).
A sync cycle can be triggered with Start-ADSyncSyncCycle -PolicyType Delta (or Initial for a full sync).
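As an added example (not code from the original post), the checks below run on the Azure AD Connect server with the ADSync module that AD Connect installs. They read the scheduler state before triggering a delta sync, because the two most common surprises in a DR drill are a server that is still in staging mode (it exports nothing) and a scheduler that was left disabled after maintenance. The property names used are those returned by Get-ADSyncScheduler.

```powershell
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler

# A staging-mode server imports and syncs but never exports to Azure AD or to
# on-prem AD, so a cycle started here on the standby box changes nothing.
if ($scheduler.StagingModeEnabled) {
    Write-Warning "This server is in staging mode (standby); it does not export."
}

# The scheduler can be switched off (Set-ADSyncScheduler -SyncCycleEnabled $false)
# for maintenance; if it stays off, no automatic cycles run at all.
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "Scheduler is disabled; automatic sync cycles are not running."
}

Write-Host ("Next cycle: {0} at {1} UTC, interval {2}" -f
    $scheduler.NextSyncCyclePolicyType,
    $scheduler.NextSyncCycleStartTimeInUTC,
    $scheduler.CurrentlyEffectiveSyncCycleInterval)

# Never start a cycle while one is already running; Start-ADSyncSyncCycle
# errors out in that case.
if ($scheduler.SyncCycleInProgress) {
    Write-Host "A sync cycle is already in progress; not starting another."
} else {
    # Delta = only changes since the last run. Use -PolicyType Initial only
    # after configuration changes (OU filtering, sync rules); it is much heavier.
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Wait until the engine is idle again before doing anything else (e.g. verifying
# an object in Azure AD), polling the scheduler rather than sleeping blindly.
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-Sleep -Seconds 10
}
Write-Host "Sync cycle finished."
```

Note that the wait loop only tells you the cycle ended, not that it succeeded; the run history in the Synchronization Service Manager (or Azure AD Connect Health) shows per-connector errors.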
We will be discussing AD Connect in next post in detail.
Let's compare the three methods above for hybrid identity:

| ADFS | PTA | PHS |
|---|---|---|
| Using AD Connect we can configure federation with ADFS. With a federated identity, all user authentication occurs on-prem at the ADFS farm. | PTA is configured in AD Connect. All user authentication still occurs on-prem (against a domain controller), but through an outbound-only connection from an on-prem authentication agent. | PHS is configured in AD Connect. A salted, re-hashed form of the on-prem password hash (not the password itself) is synchronized, and authentication happens in Azure AD. |
| ADFS enables users to sign in and access cloud services/apps using their on-prem credentials (SSO). | PTA enables users to sign in and access cloud services/apps using their on-prem password, validated on-prem. | PHS enables Seamless SSO, a feature intended to improve the user sign-in experience. |
| Does not require storing a password hash in the cloud. | Does not require storing a password hash in the cloud. | Password hash stored in the cloud (Microsoft recommends enabling PHS as a fallback even with PTA or ADFS, so check what your tenant actually has). |
| Supports on-prem MFA (ADFS performs MFA and Azure AD trusts the claim). | On-prem MFA not supported by PTA; use Azure AD MFA instead. | On-prem MFA not supported by PHS; use Azure AD MFA instead. |
| Supports all on-prem policies like password expiry, logon hours etc., as the sign-in occurs on-prem. | All on-prem account policies are enforced at the time of sign-in (expiry, logon hours etc.). | Authentication happens in Azure AD, so on-prem policies such as logon hours are not evaluated at sign-in; a disabled account or changed password only takes effect in the cloud after the next sync (password hashes sync roughly every two minutes). |
| Requires more infrastructure (ADFS and WAP servers, certificates) and is more complex to configure and maintain. | Only requires outbound connectivity from the on-prem authentication agents (deploy more than one agent for HA). | No additional infrastructure needed. |
| Does not support Seamless SSO (uses its own ADFS-based SSO). | PTA provides the same Seamless SSO experience as PHS but offers the additional benefit that on-prem policies apply. | It is "same sign-on": authentication happens in the cloud, not in on-prem AD, but the user enters the same password. Seamless SSO can be enabled on top. |
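The table describes what each method is supposed to do; as an added example (not part of the original post), the commands below check which method a tenant is actually using, from the admin side. Assumptions: the MSOnline module is installed and you sign in with an account that can read tenant settings; step 4 is run on the Azure AD Connect server where the ADSync module exists; and the PTA agent service name AzureADConnectAuthenticationAgent is assumed for the agent hosts.

```powershell
Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the tenant

# 1. Per domain: Federated means sign-in is redirected to the on-prem STS (ADFS);
#    Managed means Azure AD checks the password itself (PHS) or via PTA agents.
$domains = Get-MsolDomain
$domains | Select-Object Name, Authentication, Status | Format-Table -AutoSize

# 2. For federated domains, SupportsMfa is the switch that lets Azure AD trust
#    MFA performed on-prem by ADFS (the "supports on-prem MFA" row above).
foreach ($d in $domains | Where-Object { $_.Authentication -eq 'Federated' }) {
    Get-MsolDomainFederationSettings -DomainName $d.Name |
        Select-Object @{ n = 'Domain'; e = { $d.Name } }, IssuerUri, PassiveLogOnUri, SupportsMfa
}

# 3. Tenant-wide: is a password hash being synchronized at all? PHS is often
#    kept on as a fallback next to PTA or ADFS, so "no hash in the cloud" in the
#    table may not hold for your tenant.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime

# 4. On the Azure AD Connect server only: the feature flags AD Connect has set
#    for the tenant (property names as returned by recent ADSync versions).
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    Get-ADSyncAADCompanyFeature | Select-Object PasswordHashSync, ForcePasswordChangeOnLogOn
}

# 5. On a suspected PTA agent host: the agent runs as a Windows service that
#    only makes outbound connections. Service name is an assumption here;
#    no such service means no PTA agent on that box.
Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Step 3 is the one worth running first: a tenant can be "federated" on paper and still hold synchronized password hashes, which changes the blast radius of a tenant compromise from "attacker must reach ADFS" to "attacker already has hashes to spray against".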
Well, I did try to include as much as possible, but if something is missing or you think something should be added here, please mention it in the comments.
Next we will be discussing the above topics in detail for sure.
Great..!!
These are important points that you mention from an interview point of view.