This document provides an overview and comparison of the authentication options for connecting an on-premises Active Directory to Azure Active Directory, including Password Hash Sync (PHS), Pass-through Authentication (PTA), and Federation with AD FS. It covers considerations such as infrastructure requirements, supported sign-in types, multifactor authentication options, conditional access policies, and advanced scenarios. The document also includes links to deployment plans and guidance on migrating between the authentication options.
17. Comparison of authentication options

Columns: PHS = Password hash synchronization + Seamless SSO; PTA = Pass-through Authentication + Seamless SSO; AD FS = Federation with AD FS

Place of authentication?
  PHS: In the cloud
  PTA: In the cloud, after a secure password verification exchange with the on-premises authentication agent
  AD FS: On-premises

Number of additional on-premises servers (besides Azure AD Connect)?
  PHS: None
  PTA: One server for each additional authentication agent
  AD FS: Two or more AD FS servers; two or more WAP servers in the DMZ

Requirements for on-premises Internet and networking beyond the provisioning system?
  PHS: None
  PTA: Outbound Internet access from the servers running authentication agents
  AD FS: Inbound Internet access to WAP servers in the perimeter; inbound network access to AD FS servers from WAP servers in the perimeter; NLB

Is there an SSL certificate requirement?
  PHS: No
  PTA: No
  AD FS: Yes

Is there a health monitoring solution?
  PHS: Not required
  PTA: Agent status provided by the Azure Active Directory admin center
  AD FS: Azure AD Connect Health

SSO to cloud resources from domain-joined devices within the company network?
  PHS: Yes, with Seamless SSO
  PTA: Yes, with Seamless SSO
  AD FS: Yes

What sign-in types are supported?
  PHS: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
  PTA: UserPrincipalName + password; Windows Integrated Authentication by using Seamless SSO; Alternate login ID
  AD FS: UserPrincipalName + password; sAMAccountName + password; Windows Integrated Authentication; Certificate and smart card authentication; Alternate login ID

Is Windows Hello for Business supported?
  PHS: Key trust model
  PTA: Key trust model (requires Windows Server 2016 domain functional level)
  AD FS: Key trust model; Certificate trust model

What are the multifactor authentication options?
  PHS: Azure MFA; Custom Controls with conditional access*
  PTA: Azure MFA; Custom Controls with conditional access*
  AD FS: Azure MFA; Azure MFA Server; Third-party MFA; Custom Controls with conditional access*

What user account states are supported?
  PHS: Disabled accounts (up to 30-minute delay)
  PTA: Disabled accounts; Account locked out; Account expired; Password expired; Sign-in hours
  AD FS: Disabled accounts; Account locked out; Account expired; Password expired; Sign-in hours

What are the conditional access options?
  PHS: Azure AD conditional access, with Azure AD Premium
  PTA: Azure AD conditional access, with Azure AD Premium
  AD FS: Azure AD conditional access, with Azure AD Premium; AD FS claim rules

Is blocking legacy protocols supported?
  PHS: Yes
  PTA: Yes
  AD FS: Yes

Can you customize the logo, image, and description on the sign-in pages?
  PHS: Yes, with Azure AD Premium
  PTA: Yes, with Azure AD Premium
  AD FS: Yes

What advanced scenarios are supported?
  PHS: Smart password lockout; Leaked credentials reports, with Azure AD Premium P2
  PTA: Smart password lockout
  AD FS: Multisite low-latency authentication system; AD FS extranet lockout; Integration with third-party identity systems
18. Medium or simple org? aka.ms/deploymentplans
Cutover migration to PHS? aka.ms/deploymentplans
Cutover migration to PTA? aka.ms/deploymentplans
21. Azure AD password protection licensing

Cloud-only users
  Global banned password list: Azure AD Free
  Custom banned password list: Azure AD Premium P1 or P2

Users synchronized from on-premises Windows Server Active Directory
  Global banned password list: Azure AD Premium P1 or P2
  Custom banned password list: Azure AD Premium P1 or P2

Full Details
23. Full details
When using pass-through authentication, you need to make sure that:
• The Azure AD lockout threshold is less than the Active Directory account lockout threshold. Set the values so that the Active Directory account lockout threshold is at least two or three times greater than the Azure AD lockout threshold.
• The Azure AD lockout duration (in seconds) is longer than the Active Directory "reset account lockout counter after" duration (in minutes).
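The two rules above can be checked mechanically against the domain's lockout policy. The script below is an added example and is not part of the slide deck: the function name Test-PtaLockoutAlignment is chosen here, the Azure AD smart lockout values are typed in by hand from the admin center's password protection settings (10 attempts and 60 seconds are the Azure AD service defaults), and the 5-attempt / 30-minute on-premises values in the offline call are constructed. The live call uses the real Get-ADDefaultDomainPasswordPolicy cmdlet from the ActiveDirectory module, whose LockoutThreshold and LockoutObservationWindow properties map to the two AD settings the rules refer to.

```powershell
# Added example (not from the deck): verify that Azure AD smart lockout fires before
# the on-premises AD lockout and keeps the account locked longer than AD's reset window,
# so that pass-through authentication cannot be used to lock out on-prem accounts.
function Test-PtaLockoutAlignment {
    param(
        [Parameter(Mandatory)] [int]      $AzureAdLockoutThreshold,        # Azure AD: failed attempts before smart lockout
        [Parameter(Mandatory)] [int]      $AzureAdLockoutDurationSeconds,  # Azure AD: lockout duration in seconds
        [Parameter(Mandatory)] [int]      $AdLockoutThreshold,             # AD: "Account lockout threshold" (0 = never lock out)
        [Parameter(Mandatory)] [timespan] $AdLockoutObservationWindow      # AD: "Reset account lockout counter after"
    )
    $findings = @()

    # Rule 1: Azure AD threshold < AD threshold, and AD threshold at least 2-3x the Azure AD one.
    if ($AdLockoutThreshold -eq 0) {
        $findings += 'AD lockout threshold is 0 (accounts never lock out on-prem); only Azure AD smart lockout applies.'
    } elseif ($AzureAdLockoutThreshold -ge $AdLockoutThreshold) {
        $findings += "Azure AD threshold ($AzureAdLockoutThreshold) must be lower than the AD threshold ($AdLockoutThreshold)."
    } elseif ($AdLockoutThreshold -lt (2 * $AzureAdLockoutThreshold)) {
        $findings += "AD threshold ($AdLockoutThreshold) should be at least 2-3x the Azure AD threshold ($AzureAdLockoutThreshold)."
    }

    # Rule 2: Azure AD lockout duration (seconds) > AD reset-counter window (minutes, converted here).
    $adResetSeconds = [int]$AdLockoutObservationWindow.TotalSeconds
    if ($AzureAdLockoutDurationSeconds -le $adResetSeconds) {
        $findings += "Azure AD lockout duration ($AzureAdLockoutDurationSeconds s) must exceed the AD reset window ($adResetSeconds s)."
    }

    [pscustomobject]@{
        Aligned  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Offline check with constructed on-prem values (threshold 5, 30-minute window) against the
# Azure AD defaults (10 attempts, 60 seconds): both rules fail, which is the common misconfiguration.
Test-PtaLockoutAlignment -AzureAdLockoutThreshold 10 -AzureAdLockoutDurationSeconds 60 `
    -AdLockoutThreshold 5 -AdLockoutObservationWindow (New-TimeSpan -Minutes 30)

# Live check against the default domain policy when the ActiveDirectory module is present.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $adPolicy = Get-ADDefaultDomainPasswordPolicy
    Test-PtaLockoutAlignment -AzureAdLockoutThreshold 10 -AzureAdLockoutDurationSeconds 60 `
        -AdLockoutThreshold $adPolicy.LockoutThreshold `
        -AdLockoutObservationWindow $adPolicy.LockoutObservationWindow
}
```

Fine-grained password policies override the default domain policy for the users they apply to, so for privileged or service accounts repeat the check with the values from Get-ADUserResultantPasswordPolicy rather than the domain default.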
32. Advanced Queries with Log Analytics
- Run KQL queries for investigations, statistics, and root cause and trend analyses
- Log Analytics advanced query experience now in the Azure Portal
- Utilize ML algorithms for clustering and anomaly detection
- Central analytics platform across monitoring, management, and security
- Set up custom alerts and actions
- Dashboard views
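As an added example of the kind of investigation query the slide refers to (not a query from the deck or from Microsoft), the KQL below runs over the SigninLogs table that Azure AD diagnostic settings stream into a Log Analytics workspace and surfaces the accounts that hit the smart lockout described on slide 23. ResultType 50126 is the Azure AD error code for an invalid username or password and 50053 for a locked account; the 8-attempt burst threshold and the 24-hour window are constructed values to tune against your own smart lockout threshold.

```kusto
// Added example (not from the deck): failed-password bursts and smart-lockout events per user.
// ResultType 50126 = invalid username or password; 50053 = account locked / sign-in blocked.
let window = 24h;          // constructed look-back period
let burstThreshold = 8;    // constructed; set just below the Azure AD smart lockout threshold
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType in ("50126", "50053")
| summarize
    FailedPasswords = countif(ResultType == "50126"),
    Lockouts        = countif(ResultType == "50053"),
    DistinctIPs     = dcount(IPAddress),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
    by UserPrincipalName
| where FailedPasswords >= burstThreshold or Lockouts > 0
| extend Signal = case(
    Lockouts > 0 and DistinctIPs > 1, "lockout from multiple sources: investigate as possible password spray",
    Lockouts > 0,                     "lockout from a single source: check for a stale cached credential or user error",
    "failed-password burst below the lockout threshold")
| order by Lockouts desc, FailedPasswords desc
```

Saved as a scheduled alert rule, the same query drives the "custom alerts and actions" item above: a row with Lockouts > 0 and more than one source IP is the case where Azure AD smart lockout is doing its job and the on-premises thresholds from slide 23 should be confirmed, while a repeated single-source burst usually points at a device retrying an old password.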
33. Power BI can be configured to automatically import log data from Azure Monitor to take advantage of these additional visualizations.