Microsoft Releases Azure AD Pass-Through Authentication and Seamless Single Sign-on

One of the most important aspects of moving to a cloud solution like Office 365 is to provide a way for users to authenticate to their cloud resources. Organizations typically want to reduce administrative overhead and user confusion by managing only one directory, be it the on-premises directory (AD) or the cloud directory (Azure AD).

Unless your greenfield organization was born in the cloud, you'll probably be starting with a hybrid configuration where existing Active Directory objects (and possibly passwords) on-premises sync to Azure AD using Azure AD Connect. If you're using one of the older directory synchronization products, DirSync or AAD Sync, you really need to upgrade to AAD Connect because this is where all the new features and investments are being made.

Once AAD Connect is installed, you can configure the authentication methods for your organization. These options include:

• Authenticating directly to Office 365 – With this method there are two ways to manage passwords.
  
  
  • The first option is to manage passwords separately, on-prem and in the cloud. This causes a lot of user confusion because the passwords can (and will) get out of sync, leading to frustration for both your users and helpdesk.
    
    
  • The second option is to use AAD Connect with password sync. Password sync is really a bit of a misnomer because the passwords don't really sync with AAD – it's a hash of the password hash that syncs. Azure AD never really has your password, but users can still authenticate to Office 365 using the same domain password used on-prem. In this option, passwords are always managed on-prem and changes sync to the cloud within two minutes.
    
    
• Authenticate using AD FS – Active Directory Federation Services (AD FS) is an on-prem claims-based authentication process that authenticates with on-prem AD. Cloud services like Office 365 redirect the authentication requests to the on-prem AD FS servers. Because all authentication to your cloud services will rely on these AD FS servers, you will usually want to make them highly available. This adds to your on-prem IT footprint, which might be one of the reasons you chose to move to the cloud in the first place. A typical AD FS deployment includes two load balanced Windows Application Proxy (WAP) servers and two load balanced AD FS servers. That's four servers and one or two load balancers just for authentication. There are also SSL certificate, DNS and Internet-facing endpoint requirements. Still, AD FS may be the right fit for your organization, especially if you use other cloud services. Keep reading to learn more.
  
  
• Authenticate using AAD Premium or a third-party claims-based solution – AAD Premium, Okta, Ping Identity, and other claims-based authentication services are cloud-based authentication services you can subscribe to. These solutions replace the on-prem AD FS infrastructure with a cloud-based service. AAD Premium uses AAD Connect for user synchronization and third-party solutions use their own sync application (in addition to AAD Connect). They typically offer a web portal that allows users to authenticate once, and then click a tile to launch the cloud applications using SSO. The real advantages here are that you don't need to maintain any on-prem infrastructure, it's relatively easy to set up and it works with most cloud applications and services.
  
  
• Authenticate using Azure Pass-Through Authentication – Azure pass-through authentication (PTA) is a new authentication method introduced in Azure AD Connect build 1.1.371.0. It is currently in public preview. PTA aims to provide the following features:
  
  
  • SSO capabilities with passwords that are managed on-premises
  • Does not increase the on-prem IT footprint like AD FS does
  • Eliminates requirements for un-authenticated end points on the Internet
  • Super simple to implement

What is Pass-Through Authentication and How Does It Work?

Azure pass-through authentication routes authentication requests from Office 365 through a simple connector deployed on-premises to your on-prem Active Directory. The connector uses only secure outbound communications, so no DMZ or Internet-facing endpoint is required. The connector operates similar to Exchange ActiveSync, in that it creates long-running outbound requests to Azure AD to service any authentication requests as they are created. This outbound connection is encrypted via SSL certificates in Azure AD. And because the connector only communicates outbound, there are no certificate or DNS requirements for you to worry about.

Pass-through Authentication uses Kerberos authentication between the on-prem connector and AD, so it offers a true SSO experience for users on domain-joined computers. For example, those users can go directly to portal.office.com or outlook.office365.com using their signed-on domain credentials without having to reauthenticate. Users on workgroup computers will only need to authenticate once per browser session using their on-prem credentials.

PTA is deployed as part of Azure AD Connect build 1.1.371.0 or later. You install it by simply enabling the "Pass-through authentication" radio button when installing and configuring ADD Connect. SSO can be enabled by clicking the "Enable single sign on" check box. If you're upgrading from a previous version of AAD Connect, simply run Azure AD Connect and select "Change user sign-in" to change the authentication type.

Configuring Pass-Through Authentication in AAD Connect

You should understand that if PTA is configured in AAD Connect, users will be unable to authenticate if the on-prem connector(s) cannot contact Azure AD. For this reason, you will probably want to deploy additional connectors in your environment. It is recommended to use a cloud-only admin account when configuring the PTA connectors so you can manage the configuration of your tenant should your on-premises services fail or become unavailable.

PTA load balances authentication requests between connectors installed in your environment without requiring additional infrastructure. The connector is super lightweight and can be installed on any domain server, even your domain controllers. The installer is located at C:\Program Files\Microsoft Azure Active Directory Connect\SetupFiles\AADApplicationProxyConnectorInstaller.exe on the same server where AAD Connect is installed.

Installing the Pass-Through Authentication Connector

Simply run the AADApplicationProxyConnectorInstaller and it will prompt you for credentials. Here, you enter the credentials of your onmicrosoft.com tenant account. It even works with MFA. When the installer finishes, you will have the option to run the Connector Troubleshooter. If you run it, it will download the most current version of the Connector Troubleshooter from Office 365, run diagnostics and display any issues the connector may have.

When Is PTA a Good Fit?

Azure pass-through authentication is ideal for those customers who want to manage authentication and passwords for Office 365 from their on-prem Active Directory without needing to deploy a full AD FS infrastructure.

AD FS is still a better fit for organizations that require claims-based rules, since PTA relies on Kerberos authentication rather than claims. For example, if you need to prevent access to email from outside the corporate network, that requires a claims-based rule.

Also, know that PTA only works with Office 365. If your organization requires an authentication solution that also works with other claims-based cloud applications like Salesforce or Workday, you'll need to use a claims-based solution like AD FS.

What If You Already Have AD FS or Password Synchronization?

If you currently have AD FS in place you probably have reasons to use it, as mentioned above. However, if you still want to use pass-through authentication instead, you'll need to reconfigure your tenant from a federated domain to a standard domain using the Convert-MsolDomainToStandard cmdlet. See TechNet for details. Once that's complete and all users have been converted to standard cloud users, you can configure Azure pass-through authentication, test it and then decommission your AD FS infrastructure. Be aware that this process can take some time.

PTA does not rely on or perform password synchronization with Azure AD. If your organization previously used password sync with AAD Connect, the synced password hashes still exist in Office 365, but will no longer be used or updated while pass-through authentication is configured.

How to Upgrade AAD Connect and Enable Pass-Through Authentication

Upgrading AAD Connect and enabling PTA is simple. Download the latest version of Azure AD Connect from http://aka.ms/aadconnect and run it on your existing AAD Connect server. Click "Configure" on the welcome screen, enter your Azure AD credentials (and verify MFA, if required) then click Next.

The upgrade should only take a minute or so. Next, you'll need to configure Azure pass-through authentication. Run the Azure AD Connect application, click Configure on the welcome screen, select "Change user sign-in" then click Next.

Enter your Azure AD credentials, making sure to use a dedicated cloud admin account for your tenant (i.e., admin@contoso.onmicrosoft.com). Verify MFA if necessary. Now select the "Pass-through authentication radio button" and check the "Enable single sign on" checkbox if desired. Then click Next. If you enable SSO, the next screen will prompt you for your on-prem domain admin credentials. Review the settings and click Configure.

Review the New AAD Configuration and Perform a Sync

If you enabled SSO, AAD Connect will create a new computer account in the on-prem AD Computers container called AZUREADSSOACC. This computer account is used as an alternate service account (ASA) credential for Kerberos authentication. AAD Connect will also register several SPNs for this account in AD. If you decide to disable SSO later, you will need to manually delete this computer account and its SPNs.

When the authentication reconfiguration is complete, AAD Connect will run a delta synchronization with Azure AD, and the pass-through authentication and SSO configuration is complete.

Summary

Azure pass-through authentication provides businesses of all sizes a safe easy way to provide authentication and true single sign-on for Office 365, without all the infrastructure required by AD FS. It's ideal for Office 365 customers who want to manage and keep their passwords on premises. If you need to provide SSO for other cloud services, you're probably still going to need another solution like AD FS, AAD Premium or a third-party claims-based authentication solution.