Azure AD Connect allows you to connect on-premises identity infrastructure to Azure Active Directory (Azure AD). It lets you manage identities across a hybrid infrastructure consisting of public cloud and on-premises resources. Once your on-premises directories are integrated with Azure AD, you can use this service's features to simplify identity management and give on-premises users easier access to cloud-based resources.
Password hash synchronization (PHS) is the simplest sign-in method for hybrid identity. Azure AD Connect reads each user's password hash from the on-premises Active Directory and synchronizes a derived form of it to Azure AD. Neither the cleartext password nor the raw NT hash leaves the network: the NT hash is combined with a per-user salt and passed through PBKDF2 (1,000 iterations of HMAC-SHA256) before it is sent, and it is that result that Azure AD stores and checks at sign-in. A copy of a synced value therefore cannot be replayed against on-premises Active Directory, although it can still be attacked offline by guessing passwords, so a weak password is no safer in the cloud than it was on-premises.
Azure AD Connect sync implements password hash synchronization as an extension of the directory synchronization feature. It allows on-premises users to sign in to Azure AD services like Microsoft 365 with the same password they use for the on-premises Active Directory.
Password hash synchronization also enables leaked credential detection for hybrid accounts. The detection is part of Azure AD Identity Protection and works for hybrid users only while password hashes are being synchronized, which is why Microsoft recommends enabling PHS even when pass-through authentication or federation is the primary sign-in method. Microsoft works with law enforcement agencies and dark web researchers to find publicly available username and password pairs. If credentials belonging to your users match credentials found there, the associated account is flagged as high risk.
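The two passages above describe what PHS sends to the cloud and how a leaked username and password pair is matched against it. The following Python is an added example written for this page, not Microsoft's or Azure AD Connect's code. It follows Microsoft's public description of the PHS derivation (NT hash rendered as a 32-character hex string, re-encoded as UTF-16LE, then PBKDF2-HMAC-SHA256 with a 10-byte per-user salt and 1,000 iterations); the upper-case hex, the 32-byte output length, and the `v1;PPH1_MD4,...` record layout are assumptions made for illustration, and the sample passwords and salts are constructed.

```python
"""Worked example of the password hash synchronization derivation.

Added example, not Microsoft code. Assumptions (also flagged inline):
upper-case hex for the expanded NT hash, a 32-byte PBKDF2 output, and the
text record layout used by sync_record().
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks MD4 on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Each round updates a, then rotates the registers so the same
        # expression serves the a/d/c/b steps in turn.
        for i in range(16):  # round 1: F = (x & y) | (~x & z)
            f = (b & c) | (~b & d)
            a, b, c, d = d, rotl((a + f + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G = majority, constant 0x5A827999
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H = xor, constant 0x6ED9EBA1
            h = b ^ c ^ d
            a, b, c, d = d, rotl((a + h + x[r3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The on-premises NT hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


PHS_ITERATIONS = 1000  # per Microsoft's public description of PHS
PHS_SALT_LEN = 10      # 10-byte per-user salt, likewise
PHS_OUT_LEN = 32       # assumption: one SHA-256 output block


def phs_derive(nt: bytes, salt: bytes, iterations: int = PHS_ITERATIONS) -> bytes:
    """Derive the value Azure AD Connect sends to Azure AD from an NT hash.

    The 16-byte hash is expanded to 64 bytes (hex string re-encoded as UTF-16LE)
    and used as the PBKDF2 password. Upper-case hex is an assumption.
    """
    if len(nt) != 16 or len(salt) != PHS_SALT_LEN:
        raise ValueError("NT hash must be 16 bytes and salt 10 bytes")
    expanded = nt.hex().upper().encode("utf-16-le")  # 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, PHS_OUT_LEN)


def sync_record(password: str, salt: Optional[bytes] = None) -> str:
    """Text form of what leaves the Connect server for one user (assumed layout)."""
    salt = salt if salt is not None else os.urandom(PHS_SALT_LEN)
    digest = phs_derive(nt_hash(password), salt)
    return f"v1;PPH1_MD4,{salt.hex()},{PHS_ITERATIONS},{digest.hex()};"


def parse_sync_record(record: str) -> Tuple[bytes, int, bytes]:
    """Split the assumed record layout back into (salt, iterations, digest)."""
    body = record.strip().rstrip(";")
    version, rest = body.split(";", 1)
    alg, salt_hex, iters, digest_hex = rest.split(",")
    if version != "v1" or alg != "PPH1_MD4":
        raise ValueError("unrecognised record")
    return bytes.fromhex(salt_hex), int(iters), bytes.fromhex(digest_hex)


def matches_leaked_password(record: str, candidate: str) -> bool:
    """Leaked-credential check: re-derive from the cleartext and compare.

    The synced value never yields the NT hash or the password directly; the
    only way from the record back to either is guessing, which is exactly
    what this function does for one candidate.
    """
    salt, iters, digest = parse_sync_record(record)
    guess = phs_derive(nt_hash(candidate), salt, iters)
    return hmac.compare_digest(guess, digest)


if __name__ == "__main__":
    rec = sync_record("Summer2024!")  # constructed sample password
    print(rec)
    print("leaked pair matches:", matches_leaked_password(rec, "Summer2024!"))
    print("different password:", matches_leaked_password(rec, "Winter2024!"))
```

The point the code makes is the one that matters for threat modelling: the on-premises NT hash is the sensitive input (it is reusable for pass-the-hash), the synced value is a one-way function of it plus a salt, and a leaked-credential match is just the same derivation run on a candidate cleartext. Losing the synced record is still bad, because guessing is cheap at 1,000 iterations, but it does not hand an attacker a replayable on-premises credential.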
Pass-through authentication (PTA) is another way to let users access both on-premises and cloud-based applications with the same password. Passwords are validated directly against your on-premises Active Directory: lightweight authentication agents installed on-premises pick up sign-in requests from Azure AD, decrypt the password the user entered, and check it against a domain controller. No password or hash is stored in the cloud.
Pass-through authentication is an alternative to password hash synchronization. The difference is that because every sign-in is evaluated on-premises, your on-premises Active Directory security and password policies (including account expiration, logon hours, and account lockout) take effect in the cloud at sign-in time. Two practical consequences follow. The servers that host the agents handle users' cleartext passwords, so they must be protected like domain controllers. And if the agents or the network path to them are unavailable, cloud sign-in stops, which is why Microsoft recommends keeping password hash synchronization enabled alongside PTA as a backup.
Pass-through authentication can be combined with the Seamless Single Sign-On (Seamless SSO) feature. Together they allow users on domain-joined corporate workstations inside the corporate network to access cloud applications without typing their password. Seamless SSO works over Kerberos: Azure AD Connect creates a computer account named AZUREADSSOACC in each on-premises forest, and the Kerberos tickets users obtain for that account are what Azure AD accepts. Anyone holding that account's key can mint tickets for any user, so Microsoft recommends rolling the key at least every 30 days.
A federation is a collection of domains with established trust for sharing access and resources. You can federate your on-premises environment with Azure AD for authentication and authorization, typically through Active Directory Federation Services (AD FS). Using this sign-in method ensures all user authentication occurs on-premises and allows administrators to implement rigorous access control, such as custom claim rules and on-premises multi-factor authentication. The trust rests entirely on the federation server's token-signing certificate: Azure AD accepts any token that certificate signs, so the certificate and the servers that hold it must be protected at the same level as a domain controller.
The Azure AD Connect synchronization component handles all operations related to synchronizing identity data between your on-premises environment and Azure AD.
This component creates users, groups, and other objects in Azure AD and keeps the identity information for your on-premises users and groups consistent with the information in the cloud. When password hash synchronization is enabled, this component is also what reads the password hashes from Active Directory and pushes them to Azure AD. To read them, its service account needs the Replicating Directory Changes and Replicating Directory Changes All permissions on the domain, the same rights a DCSync attack abuses, so the Azure AD Connect server and that account must be protected like a domain controller.
Azure AD Connect Health is used to monitor your on-premises identity infrastructure to ensure you maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This feature provides monitoring capabilities for your key identity components (the sync service, AD FS servers, and domain controllers) and makes the key data points about these components easily accessible.
You can use this feature to view alerts, monitor performance, and analyze usage to keep track of the health of key identity components.
The following diagram shows the architecture of Azure AD Connect and how it sits between Azure AD and an on-premises Active Directory forest (the largest unit of organization inside Active Directory, containing one or more domain trees that share a schema and a global catalog).
The provisioning engine connects to each Active Directory forest on one side and to Azure AD on the other. Reading objects from a connected directory into the engine is called an import. An export writes the changes the engine has computed back out to a connected directory, whether on-premises Active Directory or Azure AD. A sync operation evaluates the synchronization rules that decide how objects and attributes flow through the engine between import and export.
Azure AD Connect uses the following staging areas, rules, and processes to enable synchronization from Active Directory to Azure AD: a connector space for each connected directory, holding what was last imported from or will next be exported to it; the metaverse, the consolidated view of each object joined across directories; inbound and outbound synchronization rules that control attribute flow into and out of the metaverse; and the import, synchronization, and export steps that run on the scheduler.
Here are a few best practices that can help you use Azure AD Connect more effectively.
Pathlock is the leader in Access Governance for business-critical applications. Staying compliant with Sarbanes-Oxley is a critical business requirement, and Pathlock Control helps to automate the compliance process. As a MISA member, Pathlock can bring these capabilities to users of Azure Active Directory, with tight integration between the solutions.
Customers rely on Pathlock to streamline critical processes like fine-grained provisioning, separation of duties, and detailed user access reviews. With Pathlock’s out-of-the-box integration to Azure Active Directory, customers can enjoy the best of both worlds, including:
Interested in learning more about the combination of Pathlock and Azure Active Directory? Request a demo today to see the solution in action.