Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Max Fritz
Solutions Architect
SADA Systems
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Azure AD Identity Sync & Auth
Timeline
2017
2015 •msDS-
ConsistencyGuid
•Azure AD Sync as source anchor
2013 becomes Azure •Pass Through
AD Connect Authentication
•Password Hash •Introduces introduced
Sync added to Health engine
AAD Sync •Seamless SSO
2012 introduced
•DirSync
becomes
Azure AD
2009 Sync
•DirSync
introduced
for identity
synchronizat
ion
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Azure AD Authentication
Methods Today
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Azure AD Authentication
Methods Today
Password Hash Pass-through Federated
Synchronization Authentication (ADFS)
• Identities • Identities • Identities
synced to AAD synced to AAD synced to AAD
• Authentication • Authentication • Authentication
handled by handled by handled by
AAD local AD local AD
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Azure AD Authentication
Methods Today
Password Hash Pass-through Federated
Synchronization Authentication (ADFS)
• Identities • Identities • Identities
synced to AAD synced to AAD synced to AAD
• Authentication • Authentication • Authentication
handled by handled by handled by
AAD local AD local AD
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Sidebar: What is
Azure AD Connect?
• Application installed on a Windows machine within
your environment
• Integrates local Active Directory with Azure Active
Directory
• Sync engine based on Microsoft Identity Manager
(shared codebase)
• Uses a local SQL server for sync database (can be
separate SQL server)
• Includes a monitoring component: Azure AD Connect
Health
• Free for all Azure AD customers (so just free ☺)
• Can manage ADFS installations
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Azure AD
Connect is
required for all
authentication
methods we will
cover today
We will not demo installation or basic configuration of AADC today, however AADC will be a part of some demos
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Ease of Implementation
Authentication
Methods: How Security
we will rank
Customization Options
Available Features
Usability
Maintenance & Reliability
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Scoreboard
Password Sync + PTA + Seamless SSO ADFS (2019)
Seamless SSO
Ease of Implementation ☆☆☆☆☆ ☆☆☆☆☆ ☆☆☆☆☆
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Password Hash
Synchronization
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Password Hash
Synchronization
Involves syncing
hashed Relies on Azure
passwords to AD Connect
Azure AD
Passwords Authentication is
synced every 2 completely
minutes cloud based
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Password Hash Sync Authentication
Identity delta sync every 30 minutes
#
Azure AD
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Password Hash Sync Authentication
Identity delta sync every 30 minutes
# #
Azure AD
On Premises
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Password Hash Sync
Considerations
• Locked out local accounts are not properly reflected in AAD
• Disabled local accounts will not be disabled in AAD until an AADC
sync cycle (can be manually triggered)
• MD4 hashes are notoriously easy to crack, and MD5 is not much
harder
• Extra SHA-2 encryption makes the hash much harder to decrypt
• Extra hashing technically makes this more secure than local AD
credentials
• Allows for leaked credential reports from MS if AAD P1 licensing is
in place
• Remember, Microsoft does not get your passwords. They only
receive a triple hashed password.
• Required for use of Azure AD Domain Services
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Pass-through
Authentication
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Pass-through Authentication
(PTA)
• Relies on Azure AD Connect and PTA (AuthN) Agents
• Agents can be installed on multiple servers for high availability
• First agent is on the Azure AD Connect server
• Additional agents can be deployed via script or manually
• Networking: only requires outbound communication on 80,
443, and 8080 [for reporting status to AAD] (no inbound ports
to open)
• Requires Server 2013 R2 or later
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Pass-through Authentication
Identity delta sync every 30 minutes
1 2
Azure AD
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Pass-through Authentication
Identity delta sync every 30 minutes
Azure AD
1
PTA Agents
On Premises
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Pass-through Authentication
Considerations
• Locked and Disabled local accounts are respected
• Supports alternate login IDs
• Fully supports Azure AD conditional access
• Since sign in request are still process through AAD (as opposed to
redirected)
• Requires Modern Authentication*
• Supports alternate login IDs
• Supports AAD Smart Lockout (prevents brute force attacks)
• Does not support leaked credential reports
• Not available in GCC at this time
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Pass-through
Authentication Demo
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Seamless Single
Sign-on
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Seamless Single Sign-On
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Seamless SSO Authentication
(browser based)
On Premises
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Seamless Single Sign-On
Considerations
• Opportunistic: If Seamless SSO fails, sign-in experience falls back to
regular behavior
• Sign-out supported: Allows users to sign in with other credentials if
desired
• Requires Modern Authentication
• Creates a computer account in the local AD named
AZUREADSSOACC
• Kerberos decryption key of this account, if compromised, could be used
to generate Kerberos tickets for any user in the forest
• Recommendation is to manually rollover key every 30 days (automated
method coming soon)
• Only works when devices are on the local network
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Seamless Single
Sign-on Demo
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Active Directory
Federation Services
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Active Directory Federation
Services (2019)
• Requires Azure AD Connect for identity sync
• Also can help manage the ADFS farm
• Requires a minimum of 2 servers (1 Federation and 1 Proxy),
recommended minimum of 4
• Allows for sign in with more alternative methods
• samAccountName, Certificate, Smart-Card, Windows Hello for Business,
3rd party MFA, etc…
• Supports Extranet lockout & extranet smart lockout policies
• Supports banned IP lists
• Deep login screen customization
• Supports Windows Integrated Authentication
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
ADFS Authentication
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
ADFS Recommended
Deployment using Azure
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
ADFS Considerations
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Active Directory
Federation Services
Demo
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Migrating from ADFS
to PTA
Demo
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Back to the Scoreboard!
Password Sync + PTA + Seamless SSO ADFS (2019)
Seamless SSO
Ease of Implementation ☆☆☆☆☆ ☆☆☆☆☆ ☆☆☆☆☆
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Ease of Implementation
Password Sync +
PTA + Seamless SSO ADFS 2019
Seamless SSO
GPO required for Seamless SSO Manual configuration for many items
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Security
Password Sync +
PTA + Seamless SSO ADFS 2019
Seamless SSO
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Customizations
Password Sync +
PTA + Seamless SSO ADFS 2019
Seamless SSO
Intermediate rule customizations and Intermediate rule customizations and Advanced rule customizations and
transformations transformations transformations
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Features
Password Sync +
PTA + Seamless SSO ADFS 2019
Seamless SSO
Supports all Azure AD features Supports most Azure AD features Limited support for Azure AD features
SSO support for most clients SSO support for most clients SSO support for more clients
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Usability
Password Sync +
PTA + Seamless SSO ADFS 2019
Seamless SSO
Simple end user experience, consistent Simple end user experience, consistent End user experience depends on
with other Azure AD experiences with other Azure AD experiences customizations
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Maintenance & Reliability
Password Sync +
PTA + Seamless SSO ADFS 2019
Seamless SSO
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Scoreboard Results
Password Sync + PTA + Seamless SSO ADFS (2019)
Seamless SSO
Ease of Implementation ★★★★☆ ★★★☆☆ ★☆☆☆☆
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
WINNER!
Pass-through
Authentication!
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Taking a closer look…
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
Thank you!
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM