Identity and Hybrid Scenarios
This document explores common identity and hybrid scenarios encountered when integrating Microsoft cloud services with on-premises infrastructures. Understanding these patterns is crucial for designing secure, scalable, and efficient identity solutions.
Core Concepts
Before diving into specific scenarios, let's recap key concepts:
- Azure Active Directory (Azure AD): Microsoft's cloud-based identity and access management service.
- Active Directory Domain Services (AD DS): Microsoft's on-premises directory service.
- Azure AD Connect: The tool used to synchronize on-premises Active Directory identities to Azure AD.
- Hybrid Identity: A model where identity management spans both on-premises and cloud environments.
- Single Sign-On (SSO): Allowing users to sign in once and access multiple applications.
Common Hybrid Scenarios
Scenario 1: Password Hash Synchronization (PHS)
Description: In this scenario, a hash of the user's on-premises password is synchronized from AD DS to Azure AD. Users authenticate directly against Azure AD using their synchronized credentials. This is the simplest and most common hybrid identity setup.
Benefits:
- Simplified administration.
- High availability for authentication.
- No need for on-premises federation infrastructure.
Considerations:
- If synchronization is not managed carefully, a user's on-premises and cloud passwords can differ.
- For cloud sign-ins, password policies are enforced by Azure AD rather than directly by AD DS.
Learn More: Azure AD Connect Password Hash Synchronization
Scenario 2: Pass-through Authentication (PTA)
Description: With PTA, users authenticate directly against on-premises AD DS for both cloud and on-premises resources. A lightweight agent on-premises validates the user's password with AD DS. This avoids synchronizing password hashes to the cloud.
Benefits:
- Users use the same password on-premises and in the cloud.
- Authentication is always against on-premises AD DS.
- No password hashes are stored in Azure AD.
Considerations:
- Requires on-premises agents to be available and running for cloud authentication.
- On-premises AD DS must be highly available.
Learn More: Azure AD Pass-through Authentication
Scenario 3: Federation with AD FS
Description: This is a more complex setup where authentication requests are redirected from Azure AD to an on-premises Active Directory Federation Services (AD FS) farm. AD FS then authenticates the user against AD DS and issues security tokens that Azure AD trusts.
Benefits:
- Full control over the authentication process.
- Supports advanced authentication methods like smart cards.
- Can be used for integrating with third-party identity providers.
Considerations:
- Requires managing and maintaining an on-premises AD FS infrastructure.
- More complex to set up and troubleshoot.
Learn More: AD FS Federated Identity
Scenario 4: Seamless Single Sign-On (SSO) with Azure AD Connect
Description: Seamless SSO works with PHS or PTA to sign users in automatically when they are on corporate devices connected to the corporate network. It uses the Kerberos ticket that the domain-joined device already holds to prove the user's identity to Azure AD, so no additional sign-in prompt is needed.
Benefits:
- Significantly improves the user experience by reducing sign-in prompts.
- Works seamlessly with Azure AD joined and hybrid Azure AD joined devices.
Considerations:
- Requires proper configuration of devices and network.
- Not all browsers or devices may support it out-of-the-box.
Learn More: Azure AD Seamless Single Sign-On
Advanced Topics
- Device Identity Management: Strategies for managing devices in a hybrid environment (Azure AD Join, Hybrid Azure AD Join, Azure AD Registered).
- Conditional Access: Implementing fine-grained access control based on user, device, location, and application.
- B2B Collaboration: Extending identity management to external partners and guests.
- Identity Governance: Managing user lifecycles, access reviews, and entitlement management.
Implementation Guidance
When planning your hybrid identity strategy, consider the following:
- Assess your current infrastructure: Understand your existing AD DS environment and network topology.
- Define your requirements: What level of security, user experience, and compliance do you need?
- Choose the right synchronization method: PHS, PTA, or Federation.
- Plan for high availability and disaster recovery: Ensure your identity services are always available.
- Implement a phased rollout: Test thoroughly before deploying to all users.
For detailed architectural guidance and deployment steps, refer to the official Microsoft identity documentation.