Learn all about Azure AD Passthrough Authentication and Single Sign On


Single sign-on has been around for a while: it lets users access a company’s web properties with only one set of credentials.

This helps to eliminate password fatigue, improves the user experience and simplifies password management.

Now, Azure AD Connect offers customers a seamless single sign-on experience. It hit general availability in June 2015, and more and more large enterprises are using it. So what are Azure AD Pass-through Authentication and Seamless Single Sign-On? Continue reading to learn more.

What is Azure AD Passthrough Authentication?

Some of the early adopters of the Microsoft Office 365 platform would deploy an on-premises service called Active Directory Federation Services (AD FS) to ensure that passwords never leave the on-premises Active Directory. This also required the IT department to set up and install AD FS.

Furthermore, it meant that cloud-based applications depended on the local Active Directory being reachable. What was the result? If the Internet connection was down, so was your email. Comparing Azure AD pass-through authentication with AD FS, the complexity of configuring the AD FS infrastructure, with separate links and ISPs, SSL certificates and more, was burdensome at best.

Azure AD Premium offers single sign-on (SSO) via password hash sync or federation with Active Directory Federation Services. The good news is that you can now use pass-through authentication together with seamless SSO.

While it does require that all logins rely on the local Active Directory for authentication, it does not require the complexity of the AD FS server infrastructure or SSL certificates. Instead, it uses a lightweight connector installed on-premises, which lets Azure AD validate usernames and passwords against the on-premises AD. The passwords are never stored in Azure AD, and you still get seamless single sign-on.

Plus, since the connector uses only secure outbound connections, it does not need to be placed in a demilitarized zone (DMZ). If you install more than one connector, they load-balance across each other, so you won’t need to implement additional infrastructure. This is pass-through authentication at its finest.

New Capabilities

Consider how you access and configure access for Templafy and other Office applications with Azure AD Connect via Microsoft Azure. Users can now access their tenant’s Office 365 resources without having to sign in again when using a Windows-based, domain-joined device. Here are just a few of the many highlights of seamless SSO:

• Can be managed via Group Policy
• Works with both password hash synchronization and pass-through authentication
• No additional components are needed
• Can be enabled through Azure AD Connect
• It is a free feature
• Supported on browsers and platforms that can use Kerberos authentication
• If the system fails, the user can simply enter their password manually on the sign-in page
• Users are automatically signed into cloud-based applications and on-premises applications

Managing Azure AD Connect via Group Policy is ideal, since you can easily implement company-wide access policies and web restrictions for particular sites that hold highly sensitive data. Not to mention, all businesses must prioritize network security.

The last thing any company wants is the bad press associated with a security breach when a user is found to have a weak password. Plus, Group Policy ensures efficient management when there are over 100 employees who all need access to company-wide apps.

Group Policy can install, update and upgrade Azure AD Passthrough Authentication access and user settings on every machine simultaneously. According to Microsoft, Group Policy can be thought of as “touch once, configure many.”

What Do You Need?

Since Azure AD Connect is not as complex as AD FS, the one key port you need is TCP 443 for the connector to communicate with AD DS on-premises and Azure AD in the cloud. Also, Azure AD Connect should be updated to the most recent version. Other required components include:

• Windows Server 2012 R2 or higher
• Several new ports to allow communication with the Azure Application Proxy
• New firewall rules to permit traffic to wildcard subdomains
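The requirements above (a Windows Server 2012 R2 or newer host, outbound TCP 443 only, no inbound DMZ exposure, and one or more connectors) can be verified on each candidate connector server before you run the Azure AD Connect wizard. The following PowerShell script is an added example written for this article; it is not Templafy’s or Microsoft’s code. It assumes the connector’s Windows service name is AzureADConnectAuthenticationAgent, and it probes login.microsoftonline.com and login.windows.net as representative Azure AD endpoints; the wildcard subdomains the firewall must also allow are not probed, because a wildcard cannot be resolved to a single host. Check Microsoft’s current endpoint list for your tenant and adjust the parameters accordingly.

```powershell
# Added example: pre-flight check for a server that will host the pass-through
# authentication connector. Assumptions (not from the article): the service name
# 'AzureADConnectAuthenticationAgent' and the two endpoints in $Endpoints.
function Test-PtaPrerequisites {
    [CmdletBinding()]
    param(
        [string[]]$Endpoints = @('login.microsoftonline.com', 'login.windows.net'),
        [string]$AgentServiceName = 'AzureADConnectAuthenticationAgent',
        [Version]$MinimumOs = [Version]'6.3'   # Windows Server 2012 R2 reports 6.3
    )

    $results = [ordered]@{}

    # 1. OS version: anything below 2012 R2 cannot host the connector.
    $osVersion = [Environment]::OSVersion.Version
    $results['OsVersion']   = $osVersion.ToString()
    $results['OsVersionOk'] = ($osVersion -ge $MinimumOs)

    # 2. Domain membership: the connector validates credentials against the local AD,
    #    so the host must be domain-joined with a healthy secure channel.
    $secureChannel = $false
    try   { $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $secureChannel = $false }
    $results['DomainSecureChannelOk'] = [bool]$secureChannel

    # 3. Outbound TCP 443: the connector only ever calls out, so this is the one
    #    port that matters. No inbound rule and no DMZ placement are needed.
    foreach ($endpoint in $Endpoints) {
        $reachable = Test-NetConnection -ComputerName $endpoint -Port 443 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        $results["Outbound443:$endpoint"] = [bool]$reachable
    }

    # 4. Connector service: absent on a host that is not yet prepared, present and
    #    running once the Azure AD Connect wizard has installed it.
    $service = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
    $results['AgentInstalled'] = ($null -ne $service)
    $results['AgentRunning']   = ($null -ne $service -and $service.Status -eq 'Running')

    [pscustomobject]$results
}

# Run on every server that will host a connector; the article recommends more than
# one so they can load-balance across each other.
Test-PtaPrerequisites | Format-List
```

A host where OsVersionOk, DomainSecureChannelOk and every Outbound443 entry are True is ready for the connector; AgentInstalled and AgentRunning turn True only after the wizard has installed the service, so on a second or third connector server they also confirm the extra instance is actually up.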

Here is another reason why this option is so convenient and seamless: if you want to keep using your own infrastructure, alongside third-party solutions, you can do that with Azure AD.

Final Thoughts

Azure AD Connect is a step in a highly positive direction for single sign-on from Microsoft. It can streamline identity deployments while avoiding the complexity and infrastructure cost associated with AD FS.

With reduced overhead, companies can now maintain a higher level of security, which is a boost, especially with government regulations such as the GDPR now in place. Furthermore, there isn’t any question that Azure AD will cause many users to rejoice at its simplicity, because, as we all know, password management can be a headache for large enterprises.
