Saturday, December 15, 2018

Azure AD authentication methods to be used

Hello everyone,

Microsoft Azure AD, together with on-premises Active Directory, provides a way to create a common user identity for authentication and authorization to all resources, regardless of where they are hosted. This is called hybrid identity.

To achieve a hybrid identity, one of three authentication methods is used, depending on your scenario. The three methods are:

Password hash synchronization (PHS)
Pass-through authentication (PTA)
Federation

Password hash synchronization (PHS)

Password hash synchronization is one of the sign-in methods used to accomplish a hybrid identity. Azure AD Connect synchronizes a hash of the hash of each user's password from the on-premises Active Directory instance to the cloud-based Azure AD instance. The on-premises NT hash itself is never sent: it is salted and re-hashed before it leaves your network, so the value stored in Azure AD cannot be replayed against on-premises Active Directory.



Password hash synchronization is an extension of the directory synchronization feature implemented by Azure AD Connect sync. You can use it to sign in to Azure AD services such as Office 365 with the same password you use to sign in to your on-premises Active Directory instance.


Password hash synchronization reduces the number of passwords your users need to maintain to just one. It can:

Improve the productivity of your users.
Reduce your helpdesk costs.

Optionally, you can also enable password hash synchronization as a backup sign-in method if you use federation with Active Directory Federation Services (AD FS) as your primary sign-in method.

To use password hash synchronization in your environment, you need to:

Install Azure AD Connect.
Configure directory synchronization between your on-premises Active Directory instance and your Azure Active Directory instance.
Enable password hash synchronization.

Pass-through authentication (PTA)

What is Azure Active Directory Pass-through Authentication?
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same password. This gives your users a better experience, with one less password to remember, and reduces IT helpdesk costs because users are less likely to forget how to sign in. When users sign in through Azure AD, the feature validates their passwords directly against your on-premises Active Directory, using a lightweight authentication agent installed on-premises that makes only outbound connections to Azure AD. No password hashes are stored in the cloud.

This feature is an alternative to Azure AD password hash synchronization, which provides the same benefit of cloud authentication. Organizations that want their on-premises Active Directory security and password policies (for example account lockout, logon hours and password expiration) enforced at the moment of sign-in can choose Pass-through Authentication instead. Microsoft's guide on choosing the right authentication method compares the various Azure AD sign-in methods for your organization.



Federation

Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might consist of some organizations that have established the trust for shared access to a set of resources.

You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises, which allows administrators to implement more rigorous levels of access control. Azure AD then trusts the tokens issued by your federation service, so the security of the whole sign-in path depends on protecting that service and its signing keys. Federation with AD FS and with PingFederate is available.



Happy coding,
Thiago Leoncio.