Monday, June 22, 2020

What is meant by password hash synchronization?

It is one of the authentication methods available for an Azure AD hybrid identity setup: the hashes of on-premises Active Directory passwords are synchronized to the Azure AD tenant so users can sign in to cloud resources with the same password.

When to use this?

Example:

1. The subscription is associated with the Azure AD tenant named kaushik.com.
2. My network contains an Active Directory forest named kaushik.com.

Password hash synchronization is recommended in this scenario because it:

1. ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant;
2. minimizes the number of servers required for the solution.

How many kinds of authentication methods are there?

1. Federated identity with Active Directory Federation Services (ADFS)
2. Password hash synchronization with seamless single sign-on (SSO)
3. Pass-through authentication with seamless single sign-on (SSO)

Why password hash synchronization?

1. Password hash synchronization requires the least effort regarding deployment, maintenance and infrastructure.
2. This level of effort typically applies to organizations that only need their users to sign in to Office 365, SaaS apps and other Azure AD-based resources.
3. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
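Because password hash synchronization piggybacks on the Azure AD Connect sync scheduler, the practical check is whether the feature is switched on for the forest connector and whether the scheduler that drives the two-minute cycle is actually running. The following PowerShell is an added example, not code from the original post or from Microsoft. It assumes it is run in an elevated session on the Azure AD Connect server (where the ADSync module lives), that the on-premises connector is named "kaushik.com" as in the scenario above, that the configuration object returned by Get-ADSyncAADPasswordSyncConfiguration exposes an Enabled flag, and that the 30-minute staleness threshold is an operational choice rather than a documented value.

```powershell
# Added example: read-only health check for password hash synchronization (PHS)
# on an Azure AD Connect server. Not part of the original post.
Import-Module ADSync

function Get-PhsHealth {
    param(
        [string]$ADConnectorName = "kaushik.com",  # assumed: on-premises forest connector from the scenario
        [int]$StaleAfterMinutes  = 30              # assumed threshold for treating the scheduler as stalled
    )

    $findings = @()

    # 1. Locate the on-premises AD connector by name.
    $adConnector = Get-ADSyncConnector |
        Where-Object { $_.ConnectorTypeName -eq 'AD' -and $_.Name -eq $ADConnectorName }
    if (-not $adConnector) {
        throw "AD connector '$ADConnectorName' was not found on this server."
    }

    # 2. Per-connector PHS switch: this is what "when turned on" refers to above.
    #    (Enabled property name is assumed from the cmdlet's printed output.)
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
    if (-not $phs.Enabled) {
        $findings += "Password hash synchronization is disabled for connector '$($adConnector.Name)'."
    }

    # 3. PHS depends on the Azure AD Connect scheduler. Staging mode suspends
    #    password sync, and a next-cycle time well in the past means the
    #    scheduler is stalled, so password changes are not reaching the tenant.
    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) { $findings += "Sync cycle is disabled (SyncCycleEnabled = False)." }
    if ($sched.StagingModeEnabled)    { $findings += "Server is in staging mode; password sync does not run from a staging server." }
    if ($sched.SchedulerSuspended)    { $findings += "Scheduler is suspended." }

    $lagMinutes = ([DateTime]::UtcNow - $sched.NextSyncCycleStartTimeInUTC).TotalMinutes
    if ($lagMinutes -gt $StaleAfterMinutes) {
        $findings += ("Next sync cycle was due {0:N0} minutes ago; scheduler appears stalled." -f $lagMinutes)
    }

    [PSCustomObject]@{
        Connector        = $adConnector.Name
        PhsEnabled       = [bool]$phs.Enabled
        SyncCycleEnabled = $sched.SyncCycleEnabled
        StagingMode      = $sched.StagingModeEnabled
        NextSyncCycleUtc = $sched.NextSyncCycleStartTimeInUTC
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Usage on the Azure AD Connect server:
$report = Get-PhsHealth -ADConnectorName "kaushik.com"
$report | Format-List
```

If Healthy comes back False, the Findings list says which of the three preconditions (feature switch, scheduler, staging mode) is breaking the two-minute cycle; Microsoft's own deeper check of the password sync channel is `Invoke-ADSyncDiagnostics -PasswordSync`, which is worth running next on the same server.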

Other options (not preferable for the above scenario).

What does each authentication method do for us, and when can we use it?

Based on the above recommendation, password hash synchronization is the best and most suitable authentication method; the alternatives are:

1. A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD. It is up to the organization to make sure it is deployed securely and can handle the authentication load.

2. For pass-through authentication, you need one or more (three are recommended) lightweight agents installed on existing servers. These agents must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need outbound access to the internet and access to your domain controllers. For this reason, it is not supported to deploy the agents in a perimeter network.

Pass-through authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to authentication requests.

References:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta