
FIGURE 4-12 User sign-in

Password synchronization: Hashes of on-premises Active Directory user passwords synchronize to Azure AD, and changed passwords synchronize to Azure AD immediately. Actual passwords are never sent to Azure AD and are not stored in Azure AD. Password synchronization allows for single sign-on for users of computers that are joined to an Active Directory domain that synchronizes to Azure AD. It also allows you to enable password write-back for self-service password reset functionality through Azure AD.

Pass-through authentication: When authenticating to Azure AD, the user's password is validated against an on-premises Active Directory domain controller. Passwords and password hashes are not present in Azure AD. Pass-through authentication allows for on-premises password policies to apply. It requires that Azure AD Connect have an agent on a computer joined to the domain that hosts the Active Directory instance that contains the relevant user accounts. Pass-through authentication also allows single sign-on for users of domain-joined machines.

Pass-through authentication uses a simple agent on a Windows Server 2012 R2 domain-joined machine in the on-premises environment. This agent listens for password validation requests. It doesn't require any inbound ports to be open to the Internet. With pass-through authentication, the user's password is validated against the on-premises Active Directory domain controller, so the password doesn't need to be present in Azure AD in any form. This allows for on-premises policies, such as sign-in hour restrictions, to be evaluated during authentication to cloud services. In addition, you can also enable single sign-on for users on domain-joined machines that are on the corporate network. With single sign-on enabled, users only need to enter a username to help them securely access cloud resources.

The federated option allows users to authenticate to Azure AD resources using on-premises credentials. It also requires the deployment of an Active Directory Federation Services infrastructure. You will learn more about this in Chapter 5, "Implement and manage federated identities for single sign on."

This post is the first in a series about Azure Active Directory Synchronization, covering part 1 of the introduction. For those who don't work regularly with Office 365 or other Microsoft cloud services (like Azure, Exchange Online Protection), it can be a complex myriad of information to work through in order to find out exactly what you need. In all cases you want, or are required, to synchronize your on-premises Active Directory objects (users, contacts and groups) to Microsoft cloud services (to be precise, to Azure Active Directory, which all of those services use). Follow-up posts will cover:
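As an added example (not code from the book excerpt or the blog post), a small Python check that reads Microsoft Graph `organization` and `domains` responses and reports which of the sign-in models above a tenant is actually running: which verified domains are federated versus managed, and whether password hashes have synchronized recently (pass-through authentication and federation leave no hash sync timestamp). The property names are assumed from the Graph resources, the JSON responses are constructed samples, and the staleness threshold is our own choice.

```python
"""Tell which sign-in model a tenant uses from Graph 'organization' and
'domains' responses. Samples are constructed so this runs offline; the
property names are assumed to match the Graph resources."""
import json
from datetime import datetime, timedelta

# Constructed sample of GET /v1.0/organization for a password-hash-sync tenant.
ORG_PHS_JSON = """{"value": [{"displayName": "Contoso (sample)",
  "onPremisesSyncEnabled": true,
  "onPremisesLastSyncDateTime": "2024-01-15T10:00:00Z",
  "onPremisesLastPasswordSyncDateTime": "2024-01-15T10:01:30Z"}]}"""

# Constructed sample for a tenant that syncs objects but never hashes
# (pass-through authentication or federation only).
ORG_NO_PHS_JSON = """{"value": [{"displayName": "Fabrikam (sample)",
  "onPremisesSyncEnabled": true,
  "onPremisesLastSyncDateTime": "2024-01-15T10:00:00Z",
  "onPremisesLastPasswordSyncDateTime": null}]}"""

# Constructed sample of GET /v1.0/domains.
DOMAINS_JSON = """{"value": [
  {"id": "contoso.example", "authenticationType": "Federated", "isVerified": true},
  {"id": "fabrikam.example", "authenticationType": "Managed", "isVerified": true},
  {"id": "pending.example", "authenticationType": "Managed", "isVerified": false}]}"""

# Hash sync pushes changed hashes within minutes; older than this is stale
# (our own threshold, not a Microsoft value).
PHS_STALE_AFTER = timedelta(minutes=30)


def parse_graph_time(value):
    """Graph returns ISO 8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def password_hash_sync_status(org_json, now_iso):
    """Return (hashes_current, age) for the tenant's password hash sync."""
    org = json.loads(org_json)["value"][0]
    last = org.get("onPremisesLastPasswordSyncDateTime")
    if not org.get("onPremisesSyncEnabled") or last is None:
        return False, None  # no password hashes in the cloud at all
    age = parse_graph_time(now_iso) - parse_graph_time(last)
    return age <= PHS_STALE_AFTER, age


def domain_sign_in_methods(domains_json):
    """Map each verified domain to 'federation' (AD FS) or 'managed'
    (password hash sync or pass-through authentication)."""
    methods = {}
    for d in json.loads(domains_json)["value"]:
        if d.get("isVerified"):
            federated = d.get("authenticationType") == "Federated"
            methods[d["id"]] = "federation" if federated else "managed"
    return methods
```

A stale or absent hash sync timestamp on a tenant whose domains are all managed means users depend on the pass-through agents being reachable.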
