Support Tip: A Quick Look at Azure AD Connect and Hybrid Identity
Published Jun 24 2019 08:04 AM
Microsoft

Hi everyone, today we have a post by Intune Support Engineer Saurabh Sarkar where he talks about some of the options available when setting up Azure AD Connect to enable hybrid identity for the Azure cloud services used in your environment. If you have any feedback for Saurabh, be sure to leave it in the comments section below.

Please note that Azure AD Connect is supported by our Azure Active Directory team; however, some Intune scenarios rely on it, so we thought it would be worth a mention here.

=====

When helping customers deploy Intune as their MDM solution, a question I often get goes something like this:

“How can we integrate our on-premises users with the cloud so they can use the same credentials to access on-prem as well as cloud resources?”

The answer is Azure AD Connect, a lightweight tool that enables hybrid identity so that your users can have one set of credentials that works for both on-premises and cloud resources. With Azure AD Connect, users have one less password to remember, and it helps reduce IT helpdesk costs because users are less likely to need assistance and training to get signed in to their cloud-based resources and services. While there’s no question that Azure AD Connect is easy to set up and use, there are a few options available during setup that you should be knowledgeable about so you can make the best decisions for your environment. In this post I briefly review some of these options, explaining what they do and how they might impact how you use Intune.

Before I begin, I want to preface this by saying that I won’t go into all the details of Azure AD Connect and how it works to deliver a hybrid identity solution. If you need to brush up on this, I’d suggest you start by reading our overview here:

What is Azure AD Connect?

Decisions to be made when installing Azure AD Connect

As I mentioned, I won’t go into all the details and options available when setting up Azure AD Connect. However, I do want to talk about the ones below, as they’re the ones that come up most often and are most likely to affect Intune.

  • What’s the difference between Pass-Through Authentication and Password Hash Synchronization?
  • What is device writeback?
  • What is password writeback?
  • What is Hybrid Azure AD join?

Pass-Through Authentication

Pass-Through Authentication allows users to sign in to both on-premises and cloud-based applications using the same password, and is used mostly by organizations that want to enforce their on-premises Active Directory security and password policies. The authentication in this case is done by the on-prem domain controller, thus the user's account is subjected to all the password policies created by the on-prem domain administrator. Pass-Through Authentication can be integrated seamlessly with Azure AD conditional access and multi-factor authentication. What’s unique about Pass-Through Authentication is that the passwords are never stored in the cloud in any form, offering protection for on-premises accounts against brute force password attacks in the cloud.

For complete details on Pass-Through Authentication, including the benefits, limitations and details on how it all works, see the following:

What is Azure Active Directory Pass-through Authentication?

Password Hash Synchronization

With Password Hash Synchronization, when a user logs into a computer, the password is subjected to a one-way hashing process and an RSA key is generated. The main difference in this scenario compared to Pass-Through Authentication is that Azure AD Connect synchronizes a hash of the hash of a user’s password from an on-premises Active Directory instance to Azure AD. The SHA256 password data stored in Azure AD (a hash of the original MD4 hash) is more secure than what is stored in Active Directory. Further, because this SHA256 hash cannot be reversed, it cannot be brought back to the organization's Active Directory environment and presented as a valid user password in a pass-the-hash attack. This is secure because the plain-text version of the password is never exposed.

This method is typically used to sign in to services like Office 365. In this scenario, the Azure AD instance authenticates users in the cloud, and in contrast to Pass-Through Authentication, the authentication request is not sent to the on-premises DC. When you install Azure AD Connect using the Express Settings option, Password Hash Synchronization is enabled by default.
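To make the "hash of a hash" concrete, here is an added Python model of the pipeline. It is my own illustration, not Azure AD Connect's code: the on-premises value is the NT hash (MD4 over the UTF-16LE password), and the value sent to the cloud is derived from that hash with a per-user random salt and iterated HMAC-SHA256 (PBKDF2). The 64-byte expansion, 10-byte salt and 1000 iterations follow the linked PHS documentation as I recall it and should be treated as assumptions; the MD4 routine is written out inline because hashlib lacks MD4 on many OpenSSL 3 builds.

```python
"""Conceptual model of the "hash of a hash" that Password Hash Synchronization stores in the cloud.

Added illustration, not Azure AD Connect's code. Assumed details (not stated in the post):
the on-premises value is the NT hash (MD4 over the UTF-16LE password); the cloud value is
PBKDF2-HMAC-SHA256 over that hash with a per-user random salt; the 64-byte expansion,
10-byte salt and 1000 iterations follow the linked PHS documentation as I recall it.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

_MASK = 0xFFFFFFFF
_SHIFTS = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))   # per-round rotation amounts
_ADD = (0, 0x5A827999, 0x6ED9EBA1)                           # per-round additive constants


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included because hashlib lacks MD4 on many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # original bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        h = state[:]
        for i in range(48):
            rnd, j, t = i // 16, i % 16, (-i) % 4      # t: index of the word this step updates
            b, c, d = h[(t + 1) % 4], h[(t + 2) % 4], h[(t + 3) % 4]
            if rnd == 0:
                f, k = (b & c) | (~b & d), j
            elif rnd == 1:
                f, k = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4
            else:
                f, k = b ^ c ^ d, int(f"{j:04b}"[::-1], 2)
            h[t] = _rotl((h[t] + f + x[k] + _ADD[rnd]) & _MASK, _SHIFTS[rnd][j % 4])
        state = [(s + v) & _MASK for s, v in zip(state, h)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """On-premises NT hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def cloud_hash(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Hash of the hash: expand the 16-byte NT hash to 64 bytes (its hex form as UTF-16LE),
    then PBKDF2-HMAC-SHA256 with a per-user salt. One-way: the NT hash is not recoverable."""
    expanded = nt.hex().upper().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations)


def sync_record(password: str, salt: Optional[bytes] = None, iterations: int = 1000) -> dict:
    """What the sync agent would ship for one user: derived hash, salt and iteration count.
    The plain-text password and the NT hash itself never leave the on-premises side."""
    salt = os.urandom(10) if salt is None else salt
    return {"hash": cloud_hash(nt_hash(password), salt, iterations),
            "salt": salt, "iterations": iterations}


def cloud_verify(record: dict, attempt: str) -> bool:
    """Cloud-side sign-in check: recompute from the attempted password, no DC round-trip."""
    derived = cloud_hash(nt_hash(attempt), record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def leaks_nt_hash(record: dict, password: str) -> bool:
    """Defender check: does the synced record contain the NT hash a pass-the-hash replay needs?"""
    return nt_hash(password) in record["hash"]


if __name__ == "__main__":
    rec = sync_record("P@ssw0rd-demo")               # constructed sample password
    print("NT hash stays on-prem:", not leaks_nt_hash(rec, "P@ssw0rd-demo"))
    print("cloud verify, right password:", cloud_verify(rec, "P@ssw0rd-demo"))
    print("cloud verify, wrong password:", cloud_verify(rec, "wrong"))
```

`cloud_verify` recomputes the derivation from the attempted password, which is why Azure AD can validate a sign-in without contacting a domain controller, as the paragraph describes. The salt and iteration count ride along with the record because the cloud needs them to recompute; what it never receives is the NT hash, so a stolen record yields neither the password nor anything that can be replayed against on-premises AD.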

 

For complete details on Password Hash Synchronization, see the following:

What is password hash synchronization with Azure AD?

Choosing a cloud authentication method

Determining which method is best for your environment can involve many variables and organizational preferences, so you’ll want to examine all requirements before making a final choice. With that said, here’s a quick look at the main differences between the two:

Pass-Through Authentication provides password validation using a software agent that runs on one or more of your on-prem servers. This agent validates users directly against your on-premises Active Directory, which ensures that password validation does not happen in the cloud. Companies with a security requirement to immediately enforce on-premises user account states, password policies and sign-in hours might want to use this authentication method.

Password Hash Synchronization is the simplest way to enable authentication for on-premises directory objects in Azure AD because it doesn’t require the deployment of any additional infrastructure. Also, some premium features of Azure AD like Identity Protection and Azure AD Domain Services require Password Hash Synchronization.

For more information on these authentication methods and the considerations when choosing which to employ, see the following:

Choose the right authentication method for your Azure Active Directory hybrid identity solution

 

Device writeback

Device writeback is used to enable device-based conditional access for ADFS-protected devices. This provides additional security as well as assurance that access to applications is granted only to trusted devices. Device writeback enables this by synchronizing all devices registered in Azure back to the on-premises Active Directory. When configured during setup, the following operations are performed to prepare the AD forest:

  • If they do not exist already, creates and configures new containers and objects under CN=Device Registration Configuration,CN=Services,CN=Configuration,[forest-dn].
  • If they do not exist already, creates and configures new containers and objects under CN=RegisteredDevices,[domain-dn]. Device objects will be created in this container.
  • Sets the necessary permissions on the Azure AD Connector account so it can manage devices in your Active Directory.

Note that this only needs to be run in one forest even if Azure AD Connect is being installed in multiple forests.

 

For more details on device writeback, see the following:

Azure AD Connect: Enabling device writeback

Password writeback

Password writeback is a feature that allows password changes in the cloud to be securely written back to your existing on-premises Active Directory. When a user resets their cloud password, it also gets checked to ensure it meets your on-premises policy before committing it to the local AD. This is optional during the Azure AD Connect setup process and you can find more information here:

How-to: Configure password writeback
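To make that policy check concrete, here is an added Python model (my own illustration, not the password writeback agent's code) of the decision the on-premises side has to make before committing a cloud reset. It assumes the default domain policy, namely a minimum length plus the Windows "password must meet complexity requirements" rule (no account name, no three-plus character token of the display name, characters from three of five categories); the numbers are my reading of that rule, not values from the post, and password history is left out.

```python
"""Model of the on-premises policy check that password writeback runs before a cloud password
reset is committed to Active Directory.

Added illustration, not the writeback agent's code. Assumptions (not stated in the post): the
on-premises policy is the default domain policy, i.e. "password must meet complexity requirements"
plus a minimum length; the defaults below (length 7, three of five categories, name tokens of
three or more characters) are my reading of that Windows rule. Password history is not modelled.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Delimiters Windows uses to split displayName into tokens that must not appear in the password.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


@dataclass(frozen=True)
class OnPremPolicy:
    min_length: int = 7
    complexity_required: bool = True
    categories_required: int = 3


@dataclass
class WritebackDecision:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def character_categories(password: str) -> int:
    """Count how many of the five Windows complexity categories the password uses."""
    upper = lower = digit = other_alpha = symbol = False
    for ch in password:
        if ch.isupper():
            upper = True
        elif ch.islower():
            lower = True
        elif ch.isdigit():
            digit = True
        elif ch.isalpha():
            other_alpha = True      # alphabetic but neither upper nor lower case (e.g. CJK)
        else:
            symbol = True           # any non-alphanumeric character
    return sum((upper, lower, digit, other_alpha, symbol))


def check_writeback(new_password: str, sam_account_name: str, display_name: str,
                    policy: Optional[OnPremPolicy] = None) -> WritebackDecision:
    """Return whether the on-premises policy would accept the reset, listing every failing rule
    so the user can be told what to change instead of the reset silently failing."""
    policy = policy or OnPremPolicy()
    reasons: List[str] = []
    if len(new_password) < policy.min_length:
        reasons.append(f"shorter than the minimum length of {policy.min_length}")
    if policy.complexity_required:
        lowered = new_password.lower()
        # Whole samAccountName is checked only when it is at least three characters long.
        if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
            reasons.append("contains the account name")
        for token in _NAME_DELIMITERS.split(display_name):
            if len(token) >= 3 and token.lower() in lowered:
                reasons.append(f"contains part of the display name ({token})")
        used = character_categories(new_password)
        if used < policy.categories_required:
            reasons.append(f"uses {used} of 5 character categories, "
                           f"{policy.categories_required} required")
    return WritebackDecision(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample user and resets; none of these values come from a real directory.
    for pw in ("Summer2019!", "janedoe1", "Sh0rt!"):
        result = check_writeback(pw, "jdoe", "Jane Doe")
        verdict = "commit to AD" if result.accepted else "reject: " + "; ".join(result.reasons)
        print(f"{pw!r}: {verdict}")
```

Returning every failing rule rather than a bare yes/no is the practical point: a self-service reset that on-premises policy rejects with no explanation simply turns into a helpdesk call, undoing the savings the post describes, so the reason belongs in the reset flow.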

 

Hybrid Azure AD Join

Hybrid Azure AD joined devices are joined to the on-prem domain as well as to Azure AD. When configured, Azure AD Connect will add a Service Connection Point (SCP) to your on-premises Active Directory which is used to discover your Azure AD tenant information. With that information, a device can then register in Azure AD automatically. This is a great option if your environment has an on-premises AD footprint and you also want the benefits of Azure AD. This is optional and can be enabled during Azure AD Connect setup. You can find more details about configuring hybrid Azure AD join here:

Tutorial: Configure hybrid Azure Active Directory join for managed domains

Conclusion

Azure AD Connect has a variety of options that allow it to be customized to the exact requirements of your organization and environment. The ones mentioned here are not a comprehensive list of all its capabilities, but they should give you a jump start on some of the things to consider when developing your own implementation plan. For more information on all the capabilities of Azure AD Connect and how to use it to accomplish your hybrid identity goals, see our product docs beginning here:

What is Azure AD Connect?

Saurabh Sarkar

Support Engineer

Microsoft Intune Support Team

3 Comments
Silver Contributor

Worth mentioning that with PTA (Pass-through auth) your servers with PTA agents have to be online 24/7 or your users will lose connectivity to online services like Skype, Exchange, etc. And PTA also requires some inbound ports to be opened. Password writeback (probably device writeback also) requires Azure AD Premium licenses.

PTA and PHS are authentication methods, but even if you select PTA, there is also a separate setting in the AD Connect wizard (Customize synchronization options) called Password synchronization, which at least in the past had to be enabled for first login in Skype to work, even if PTA is used for authentication. I wish MS would make this less confusing with similarly named settings in various parts of the wizard.

Microsoft

@wroot thanks for your comments on this article. And thanks for the feedback about Password Hash Sync being both a synchronization option and an authentication method. We are aware of it and have some ideas on how to make it more clear.

A couple of comments:

  1. For Pass-through Authentication (PTA) to work, there are no inbound ports that need to be opened.
  2. For Skype for Business to work with PTA, there is no need to enable synchronization of password hashes.

Cheers!

Jairo Cadena

Microsoft Identity Division

Silver Contributor

Yes, sorry, it should be outbound ports, which is less problematic. But we still had to allow them in our firewalls for the Single sign-on setting to be accessible (probably for the whole of PTA as well). At that time the ports were 80, 443, 8080, 5671, 9090, 9091, 9352, 9350, 10100–10120. Maybe something changed since then (it was more than a year ago).

Again, I haven't tested this for a while and don't have a way to do this now, so maybe the Skype thing also changed/has been fixed. Btw, it wasn't affecting existing users. They could use SfB while in PTA mode just fine. But a new user wasn't able to log in for the first time until we enabled Password synchronization. So we kept this setting on, until PTA broke for some reason one day (I guess after Windows Server updates) and we had to switch back to PHS. PTA was still in preview then, I believe (August 2018). We tried to escalate this to MS with partners, but it was taking too long (all employees without email and Skype), so we switched to PHS and it has worked fine since.

Version history
Last update: Jun 25 2019 08:17 AM