Don’t Bother Managing Passwords in Azure AD
It’s a simple concept, right? You want people to be able to work from anywhere, while securely authenticating them to resources both internal and in the cloud and not storing passwords in a cloud service. You want to do all of that without creating new headaches for IT. It’s a common goal for many organizations, but the process to accomplish it has not been simple. Enter two new features of Azure AD Connect, Microsoft’s connection tool for Azure AD and on-prem AD.
On December 6, Microsoft announced the public preview of two new Azure Active Directory Connect features: Pass-Through Authentication and seamless Single Sign-on (SSO). You might be thinking, “They sound familiar, why is this important?” Well, the names do sound familiar, but these two new features are a huge step forward in the management and security of Azure AD in conjunction with on-prem Active Directory.
No longer is it a required part of AD architecture to have passwords stored in Azure AD in order to authenticate domain users in Azure. With Pass-Through Authentication, a user makes a request to Azure for a resource, and their password is checked against the on-prem AD. How is this accomplished? Using a simple setup of the Azure AD Connect tool, which already handles account synchronization between Azure and on-prem AD. Now, instead of doing a password hash sync to Azure, the tool can directly and securely (over an HTTPS connection) have the on-prem AD perform the password check and return the result. At no time is the user’s password stored or cached in Azure. The other great benefit of this authentication model is that Active Directory Federation Services (AD FS) is no longer required to connect Azure with on-prem AD. Removing this component greatly simplifies the process of extending AD into Azure and Office 365! Don’t forget that Office 365 uses Azure AD as its authentication database. By adding one small option to the AD Connect tool, using on-prem AD with Office 365 just became simpler.
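To make the flow above concrete, here is an added Python model of the exchange (it is not code from this post, from Azure AD Connect, or from Microsoft). It assumes a constructed on-prem directory holding salted password hashes, a cloud service that only queues sign-in requests until the on-prem agent pulls them over its outbound connection and then retains nothing but the verdict, and an agent that answers "failure" identically for a wrong password and an unknown user. The production service additionally wraps each credential so that only the agent can read it; that layer is deliberately not modelled here.

```python
import hashlib
import hmac
import os
import secrets
from collections import deque


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash stands in for the directory's own credential store.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class OnPremDirectory:
    """Constructed stand-in for on-prem AD: stores salted hashes, never plaintext."""

    def __init__(self):
        self._users = {}

    def add_user(self, upn: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[upn] = (salt, _derive(password, salt))

    def validate(self, upn: str, password: str) -> bool:
        record = self._users.get(upn)
        if record is None:
            _derive(password, b"\x00" * 16)  # equalise timing for unknown users
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _derive(password, salt))


class CloudService:
    """Cloud side: queues sign-in requests for the agent and keeps only verdicts."""

    def __init__(self):
        self._pending = deque()   # held only until the agent pulls the request
        self.verdicts = {}        # request_id -> "success" | "failure"

    def sign_in(self, upn: str, password: str) -> str:
        request_id = secrets.token_hex(8)
        self._pending.append({"request_id": request_id, "upn": upn, "password": password})
        return request_id

    def next_request(self):
        # Served on the agent's outbound HTTPS poll; the cloud opens no inbound path.
        return self._pending.popleft() if self._pending else None

    def record_verdict(self, request_id: str, result: str) -> None:
        self.verdicts[request_id] = result

    def persisted_state(self) -> str:
        # Everything the cloud retains after the exchange, used for the no-password check.
        return repr(self.verdicts) + repr(list(self._pending))


class PassThroughAgent:
    """On-prem agent: pulls requests, checks the directory, returns only a verdict."""

    def __init__(self, directory: OnPremDirectory):
        self._directory = directory

    def poll_once(self, cloud: CloudService) -> bool:
        request = cloud.next_request()
        if request is None:
            return False
        ok = self._directory.validate(request["upn"], request["password"])
        # Unknown user and wrong password both map to "failure": no enumeration signal.
        cloud.record_verdict(request["request_id"], "success" if ok else "failure")
        return True


def run_demo():
    """Runs three sign-ins (good, wrong password, unknown user) and returns the verdicts."""
    directory = OnPremDirectory()
    directory.add_user("alice@contoso.example", "correct horse battery staple")  # constructed sample
    cloud = CloudService()
    agent = PassThroughAgent(directory)

    good = cloud.sign_in("alice@contoso.example", "correct horse battery staple")
    bad = cloud.sign_in("alice@contoso.example", "wrong password")
    ghost = cloud.sign_in("nobody@contoso.example", "anything")
    while agent.poll_once(cloud):
        pass
    return cloud.verdicts[good], cloud.verdicts[bad], cloud.verdicts[ghost], cloud


if __name__ == "__main__":
    print(run_demo()[:3])  # ('success', 'failure', 'failure')
```

The check worth keeping from this model is the last one: after the agent has drained the queue, nothing the cloud side still holds contains a password, which is exactly the property the feature is meant to deliver.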
Single Sign-On has existed in Azure AD for a long time. If you wanted to connect to Salesforce.com, Google, or Facebook, Azure AD could easily tie in, making the end-user experience seamless. But when it came to the largest corporate authentication database in use, Active Directory, this feature didn’t exist. A user in an on-prem AD environment couldn’t access Office 365 without additional prompting for credentials, regardless of the level of account/password synchronization in place. This meant that users of Microsoft’s own products were not getting the same user-friendly experience that was provided to users of third-party systems. Before SSO, the only way to avoid this was to use Azure AD Join, which, while great, is not something every organization is prepared for yet.
Now, Azure SSO for Azure AD Connect simplifies the user experience for single sign-on for Office 365 and Azure-based applications and resources, while also simplifying management and control of the infrastructure. No additional infrastructure is required to provide this service, beyond the simple Azure AD Connect tool. Combine this feature with Pass-Through Authentication and password sync/management in Azure is gone!
Learn more about what’s new in Azure AD
These two new features are another step forward in Microsoft’s security and identity story, which continues to rapidly evolve as the lines between the cloud and on-prem continue to blur. Arraya Solutions can help you with this story, beginning with our Enterprise Mobility + Security Pilot, which includes Azure Active Directory Premium. To discover if EM+S is right for you, reach out to Arraya’s Microsoft team today at email@example.com.