Frequently asked questions on Azure Hybrid Identities

Azure Hybrid Identity is one of the most discussed topics in recent days and there are many frequently asked questions in the Azure world for this. Some of the most common questions which was asked and answered in various forums has been captured by me here.

Q1. What is azure tenant?

Ans: An Azure AD tenant is representative of a single organization. It is a dedicated, trusted instance of Azure AD that is automatically created when an organization signs up for a Microsoft cloud service subscription such as Azure, Intune, or Office 365. Tenants can gain access to services in either a dedicated environment (single tenant) or in a shared environment with other organizations (multitenant).

Q2. What is Azure AD directory?

Ans: Each Azure tenant has a dedicated, trusted Azure AD directory that contains the tenant’s users, groups, and applications. It is used to perform identity and access management functions for tenant resources. Because a unique Azure AD directory is automatically provisioned to represent your organization when you sign up for a Microsoft cloud service like Azure, Microsoft Intune, or Office 365, you’ll sometimes see the terms tenantAzure AD, and Azure AD directory used interchangeably.

Q3. What is Azure AD?

Ans: Azure AD is a multi-customer public directory service, which means that within Azure AD you can create a tenant for your cloud servers and applications such as Office 365. Users and groups are created in a flat structure without OUs or GPOs. Authentication is performed through protocols such as SAML, WS-Federation, and OAuth. It’s possible to query Azure AD, but instead of using LDAP you must use a REST API called AD Graph API. These all work over HTTP and HTTPS.

Q4. What are various Microsoft Hybrid Identity Solutions?

Microsoft Azure Active Directory (Azure AD) hybrid identity solutions enable you to synchronize on-premises directory objects with Azure AD while still managing your users on-premises.

There are several options available for configuring hybrid identity

  1. Synchronized identity

Synchronized identity is the simplest way to synchronize on-premises directory objects (users and groups) with Azure AD.

While synchronized identity is the easiest and quickest method, your users still need to maintain a separate password for cloud-based resources. To avoid this, you can also (optionally) synchronize a hash of user passwords to your Azure AD directory. Synchronizing password hashes enables users to log in to cloud-based organizational resources with the same user name and password that they use on-premises. Azure AD Connect periodically checks your on-premises directory for changes and keeps your Azure AD directory synchronized. When a user attribute or password is changed on-premises Active Directory, it is automatically updated in Azure AD.

For most organizations who only need to enable their users to sign in to Office 365, SaaS applications, and other Azure AD-based resources, the default password synchronization option is recommended. If that doesn’t work for you, you’ll need to decide between pass-through authentication and AD FS.

  1. Pass-through authentication

Azure AD pass-through authentication provides a simple password validation solution for Azure AD-based services using your on-premises Active Directory. If security and compliance policies for your organization do not permit sending users’ passwords, even in a hashed form, and you only need to support desktop SSO for domain joined devices, it is recommended that you evaluate using pass-through authentication. Pass-through authentication does not require any deployment in the DMZ, which simplifies the deployment infrastructure when compared with AD FS. When users sign in using Azure AD, this authentication method validates users’ passwords directly against your on-premises Active Directory.

With pass-through authentication, there’s no need for a complex network infrastructure, and you don’t need to store on-premises passwords in the cloud. Combined with single sign-on, pass-through authentication provides a truly integrated experience when signing in to Azure AD or other cloud services.

Pass-through authentication is configured with Azure AD Connect, which uses a simple on-premises agent that listens for password validation requests. The agent can be easily deployed to multiple machines to provide high availability and load balancing. Since all communications are outbound only, there is no requirement for the connector to be installed in a DMZ. The server computer requirements for the connector are as follows:

  • Windows Server 2012 R2 or higher
  • Joined to a domain in the forest through which users are validated
  1. Federated identity (AD FS)

For more control over how users access Office 365 and other cloud services, you can set up directory synchronization with single sign-on (SSO) using Active Directory Federation Services (AD FS). Federating your user’s sign-ins with AD FS delegates authentication to an on-premises server that validates user credentials. In this model, on-premises Active Directory credentials are never passed to Azure AD.

Common scenarios and recommendations

Here are some common hybrid identity and access management scenarios with recommendations as to which hybrid identity option (or options) might be appropriate for each.

I need to: PWS and SSO1 PTA and SSO2 AD FS3
Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically.
Set up my tenant for Office 365 hybrid scenarios
Enable my users to sign in and access cloud services using their on-premises password
Implement single sign-on using corporate credentials
Ensure no password hashes are stored in the cloud
Enable on-premises multi-factor authentication solutions
Support smartcard authentication for my users4
Display password expiry notifications in the Office Portal and on the Windows 10 desktop

Password synchronization with single sign-on.

2 Pass-through authentication and single sign-on.

3 Federated single sign-on with AD FS.

4 AD FS can be integrated with your enterprise PKI to allow sign-in using certificates.

Q5) What ADFS and common terminology used in ADFS?

Ans: AD FS is an identity access solution that provides client computers (internal or external to your network) with seamless SSO access to protected Internet-facing applications or services, even when the user accounts and applications are located in completely different networks or organizations.+

When an application or service is in one network and a user account is in another network, typically the user is prompted for secondary credentials when he or she attempts to access the application or service. These secondary credentials represent the user’s identity in the realm where the application or service resides. They are usually required by the Web server that hosts the application or service so that it can make the most appropriate authorization decision.

With AD FS, organizations can bypass requests for secondary credentials by providing trust relationships (federation trusts) that these organizations can use to project a user’s digital identity and access rights to trusted partners. In this federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.

Here are the lists of common terminology used in the ADFS server.

AD FS term Definition
Account partner organization A federation partner organization that is represented by a claims provider trust in the Federation Service. The account partner organization contains the users that will access Web-based applications in the resource partner.
Account federation server The federation server in the account partner organization. The account federation server issues security tokens to users based on user authentication. The server authenticates the user, extracts the relevant attributes and group membership information out of the attribute store, packages this information into claims, and generates and signs a security token (which contains the claims) to return to the user—either to be used in its own organization or to be sent to a partner organization.
AD FS configuration database A database used to store all configuration data that represents a single AD FS instance or Federation Service. This configuration data can be stored in either a SQL Server database or using the Windows Internal Database feature included with Windows Server 2016, Windows Server 2012 and 2012 R2, and Windows Server 2008 and 2008 R2.
You can create the AD FS configuration database for SQL Server using the Fsconfig.exe command-line tool and for Windows Internal Database using the AD FS Federation Server Configuration Wizard.
Claims provider The organization that provides claims to its users. See account partner organization.
Claims provider trust In the AD FS Management snap-in, claims provider trusts are trust objects typically created in resource partner organizations to represent the organization in the trust relationship whose accounts will be accessing resources in the resource partner organization. A claims provider trust object consists of a variety of identifiers, names, and rules that identify this partner to the local Federation Service.
Local Claims Provider Trust A trust object that represents AD LDS or third-party LDAP-based directories in an AD FS farm. A local claims provider trust object consists of a variety of identifiers, names, and rules that identify this LDAP-based directory to the local Federation Service.
Federation metadata The data format for communicating configuration information between a claims provider and a relying party to facilitate proper configuration of claims provider trusts and relying party trusts. The data format is defined in Security Assertion Markup Language (SAML) 2.0, and it is extended in WS-Federation.
Federation server A Windows Server that has been configured using the AD FS Federation Server Configuration Wizard to act in the federation server role. A federation server issues tokens and serves as part of a Federation Service.
Federation server proxy A Windows Server that has been configured using the AD FS Federation Server Proxy Configuration Wizard to act as an intermediary proxy service between an Internet client and a Federation Service that is located behind a firewall on a corporate network.
Primary federation server A Windows Server that has been configured in the federation server role using the AD FS Federation Server Configuration Wizard and has a read\/write copy of the AD FS configuration database.
The primary federation server is created when you use the AD FS Federation Server Configuration Wizard and select the option to create a new Federation Service and make that computer the first federation server in the farm. All other federation servers in this farm must replicate changes made on the primary federation server to a read-only copy of the AD FS configuration database that is stored locally. The term “primary federation server” does not apply when the AD FS configuration database is stored in an SQL database as all federation servers can equally read and write to a configuration database stored on a SQL Server.
Relying party The organization that receives and processes claims. See resource partner organization.
Relying party trust In the AD FS Management snap-in, relying party trusts are trust objects typically created in:

– Account partner organizations to represent the organization in the trust relationship whose accounts will be accessing resources in the resource partner organization.
– Resource partner organizations to represent the trust between the Federation Service and a single web-based application.

A relying party trust object consists of a variety of identifiers, names, and rules that identify this partner or web-application to the local Federation Service.

Resource federation server The federation server in the resource partner organization. The resource federation server typically issues security tokens to users based on a security token that is issued by an account federation server. The server receives the security token, verifies the signature, applies claim rule logic to the unpackaged claims to produce the desired outgoing claims, generates a new security token (with the outgoing claims) based on information in the incoming security token, and signs the new token to return to the user and ultimately to the Web application.
Resource partner organization A federation partner that is represented by a relying party trust in the Federation Service. The resource partner issues claims-based security tokens that contains published Web-based applications that users in the account partner can access.

That’s all for today, I will write more on ADFS Server 2016 deployment and connectivity next week.

One Comment