Comparing Single Sign-On Options with Azure AD Connect

Back to Blog
12Oct2017

Comparing Single Sign-On Options with Azure AD Connect

Azure AD Connect offers customers a number of ways to enable a “Single Sign-On” (or SSO) experience for users. I think it is important to understand the differences in these options, so that when you deploy Azure AD Connect into customer environments, you can pick the right solution to suit the business needs.

But before we go there, I want to distinguish between a couple of things first. It seems that everywhere I turn lately, people incorrectly reference SSO–for example they may say that they have “single sign on” simply because they have password synchronization enabled (sometimes via Azure AD Connect, and other times via the Windows Server Essentials / Azure AD integration features). NOTE: this statement is not accurate, properly speaking.

Single Sign-On is an experience, wherein a single logon event (like logging into your local workstation) will automatically qualify you for login to other, disparate systems (e.g. Office 365)–in other words, you have all the tokens, exchanges and mechanisms in place that are needed just from your primary logon event. From the user’s perspective: after signing into the local Active Directory network on their workstation using a corporate email address, they might then open a web browser, point it at https://mail.office365.com, and automatically be signed into their Office 365 mailbox, without having to provide credentials a second time. This is (so to speak) a “true” SSO experience.

When you are merely synchronizing passwords between the on-premises AD and Azure AD, then you really have “same sign-on,” not “single sign-on.” It just means you can use the same password on-premises as you do in the cloud, to access your corporate resources.

There are three primary methods we can use to achieve “true” SSO:

  1. Password Hash Synchronization with Seamless Single Sign-On enabled
  2. Pass-Through Authentication with Seamless Single Sign-On enabled
  3. Active Directory Federated Services

I am actually going to start with this last option, which was in fact, the original. Many early adopters of the 365 platform ended up with this type of configuration.

Active Directory Federated Services (AD FS)

With AD FS, you need to deploy an on-premises service called Active Directory Federated Services, and it’s best if you make this service highly available. In this configuration, passwords never leave the on-premises Active Directory.  When someone attempts to sign-in to the Azure AD application, there is a configuration bit in the tenant that says “I’m not in charge of authentication, I have to go check in with <insert corporate AD FS web address here>.” This is super cool for security and compliance, because all authentication attempts are still logged against the local Active Directory.

But it is super uncool for many small businesses, because it requires setup and installation of AD FS, which also means that the cloud-based applications are dependent on the local Active Directory. So, if the corporate internet connection is down, so is your email. Wait a minute… why did we move our email to the cloud again? To prevent this scenario, our design would need to include:

  1. Properly configured AD FS infrastructure with SSL Certificates
  2. At least 2x AD FS web servers on separate links/ISP’s for HA
  3. Planned recovery from total loss of this site/infrastructure

Not a popular option for these reasons (complexity + dependency).

Pass-Through Authentication with Seamless SSO

Pass Through Authentication or PTA is the simplified cousin of AD FS. It works both very similarly, AND very differently from the above solution.

Similar to AD FS, it means that all logins rely on the local Active Directory for authentication and sign-in–we still have that same annoying dependency. However, because the cloud authentication takes place via the local Azure AD Connect service, and does not require a complex AD FS server infrastructure or SSL certificates, it might be preferred in some scenarios. You would still want the redundant ISP links, but there are no additional requirements. Therefore, if you are faced with the challenge of keeping passwords and authentication events on-premises, and the customer also wants to keep the complexity down with a lighter on-premises footprint, then PTA is your best option (be sure to also enable SSO in the AAD Connect configuration wizard when choosing this option).

Password Hash Sync with Seamless SSO

This last configuration is the one I recommend for most small businesses that do not have special compliance requirements. In this model, there is no on-premises dependency–you have authentication taking place on-premises, AND in Azure AD. Via password hash synchronization, the local AD passwords are salted, hashed and synchronized to Azure AD. Additionally, you can enable the Seamless Single Sign-On option, and corporate desktop users (Windows 7+) will have the same SSO benefits (there will not be further credential prompts to use Outlook, OWA, other apps, etc.). The best part? If your local on-premises systems or internet connection is down, users can continue working in their cloud apps, without noticing.

If you already have PHS, but haven’t enabled Seamless Single-Sign On, then you will not have the “true” SSO experience. However, it is very easy to get this up and running, see here for how to do this, step-by-step. Oh yeah, you can optionally configure password write-back for self-service password resets.

Other considerations

There are a couple of other considerations that might come into play. Most notably, the only solution here that supports the on-premises Multifactor Authentication Server is (unfortunately) AD FS. It is still possible to enable MFA for cloud-based applications using Azure AD MFA provider with the other options, but you do not have the ability to bring MFA to your network locally, without AD FS. Just something to be aware of.  On the flip side, it is worth noting that Azure Identity Protection (which requires additional licensing, e.g. P2) is not compatible with AD FS (because the authentication attempts must happen against Azure AD for Azure ID Protection reports to work).

Another consideration that applies only to PHS w/ SSO enabled: there may be a delay between, for example, disabling an account on-premises, and having that change updated in the cloud (because AAD Connect only synchronizes every 30 minutes by default). Furthermore, users who have passwords synchronized to Azure AD will technically have their cloud passwords set to never expire, and the password policies that apply on-premises will control when they need to update their password–but it is enforced on-premises only. Therefore it is possible, for example, to sign-in to cloud-based resources, even if the password on-premises has expired, because until the user changes the on-premises password, the old value will not be overwritten in the cloud.

There may be other small differences, but these are the noticeable ones that matter most to small businesses. I have summarized all of these points into this table for ease of reference:

 

 

 

Technical , , 5 Comments
Share:

Comments (5)

  • Chris Claessens Reply

    Again an excellent article Alex, well done!

    October 12, 2017 at 8:23 am
  • Lawrence Simpson Reply

    Great content and very well illustrated. Do you know of any way to implement MFA on-premise and cloud with Essentials 2016?

    October 31, 2017 at 4:43 pm
    • Alex Reply

      Microsoft’s own MFA server requires AD FS unfortunately. However, third party solutions may work. Check this one out.

      November 1, 2017 at 9:30 pm
  • Eric Reply

    Thank you, finally a concise comparison.

    January 8, 2019 at 10:01 am
  • Mark Reply

    This is one of the best articles I’ve read on this subject.

    March 28, 2019 at 2:58 pm

Leave a Reply

Back to Blog

Related Posts

24Jul

How to manage and secure service accounts in Microsoft Office 365 (without MFA)

Okay, so hopefully everyone knows by now that MFA is not an "optional" thing that you can decide to turn on, or not, depending on your "feelings." It isn't a choice, and your feelings about it don't matter. You need to turn it on. ... read more
07Jan

Protect messages and documents in Microsoft 365 Business with AIP, part 1: Email encryption

In this series, I am going to show off some of the functionality and customization that you can make in Microsoft 365 Business, which includes Azure Information Protection (AIP). There is a growing user base for this SKU, and a lot of admins out there... read more
18May

5 Tips to Help Tighten your Security Using BIOS/UEFI

In the olden days of PC's, BIOS or "Basic Input-Output System" was something only the nerdy computer geeks were aware of, and the typical user never really went in there, or ran any kind of updates for it, unless explicitly instructed to by a support... read more
07Sep

Tutorial: How-to Setup Azure Site Recovery using Windows Server Essentials, Part 2: Configuration

Windows Server Essentials (or the Essentials Experience role) can be leveraged to quickly provision a full Disaster Recovery site in the cloud, and replicate Virtual Machines from your on-premises Hyper-V server(s) to Azure. The built-in integrations that make this possible are Azure Virtual Network and... read more
07Jul

Migrate Printer Shares from SBS to Windows Server 2016

If you have printer shares on the source server, you will want to export them, then import and publish them on the new server. Whether you are coming from Windows SBS 2008, 2011 or Windows Server 2008 or 2008 R2, the following steps will work for you. Step... read more
Adopting the Traffic Light Protocol with Sensitivity Labels
07Sep

Adopting the Traffic Light Protocol (TLP) with Microsoft 365’s Sensitivity Labels

I have previously written about Sensitivity labels, along with a template of the core labels that I like to use when introducing Small Businesses to the concept of data classification. Recently, I decided to update this standard to align more closely with the Traffic Light... read more
01Feb

How (and why) to leverage Microsoft 365 Business to manage third-party applications

One capability of Azure Active Directory which is included in your Microsoft 365 Business subscription (but which hardly anyone is taking advantage of in the SMB space) is the ability to bring third-party SaaS applications under management, and assign them to end-users--publishing them centrally via... read more
11Apr

How to Replicate Hyper-V VMs to Azure Site Recovery

We have already seen how to setup an Azure Virtual Network for less than $100.00 USD / month in our previous article. Today we are going to see just how easy it is to turn this network into a fully functional DR site using Azure Site... read more
16Jun

Checklist: Preparing for the Migration from SBS to Office 365 & Windows Server 2016

Before you begin your migration from SBS 2008/2011 to Office 365 and Windows Server 2012 R2 or 2016, it pays to set aside 2-3 hours to review the existing environment, look for pitfalls, and set out your plan of attack. This is a checklist that... read more
28Nov

Three ways to protect your customer’s on-premises data with Azure: Part 2 – Azure Backup Server

In the previous post, we looked at Azure Backup using the MARS agent, which can only do file, folder & system state data, and must be configured on the local machine. As you may already be aware, there are no local backup copies in that... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me