Public Preview: Azure Active Directory Connect pass-through authentication

Imagine if you could set up single sign-on for your online services with just the check of a box, and allow all of your users to authenticate to services such as Office 365 automatically.  Imagine you could do this without the complexity of ADFS and the many hours of planning and implementation that go along with it.

On Wednesday, Microsoft announced the public preview of Azure Active Directory Connect pass-through authentication.  This new method of authentication allows for a single sign-on (SSO) experience without the need for Active Directory Federation Services (ADFS).

What is Active Directory Federation Services (ADFS)?

If you’re not familiar with it, ADFS allows external services (such as Office 365 or DropBox) to authenticate users by sending the auth request to your organization’s internal Active Directory (AD).  In effect, this provides a single sign-on experience since users never need to login to these external federated services.  In order to accomplish SSO using ADFS in this manner, there are multiple redundancies which are required.  In addition to running multiple domain controllers (as we should all be doing anyways), you will need multiple ADFS servers and multiple internet connections with incoming ADFS traffic load balanced.  Not having all of these redundancies creates a single point of failure which can prevent users from authenticating.

Here is an example of a “simple” ADFS implementation:

As you can see, the simplest ADFS implementation is anything but simple.  While there are a lot of advantages to this technology, it is rarely recommended for small or medium sized businesses.  Luckily now we have another option.

Azure Active Directory Connect pass-through authentication

Azure Active Directory Connect pass-through authentication provides a similar single sign-on experience to users without the complexities of implementing ADFS.  This is accomplished by running the latest version of the Azure Active Directory (AAD) Connect software on a domain joined server.  AAD Connect has been used to synchronize local AD user accounts and passwords with Azure AD (often for the purposes of Office 365).  This allows users to authenticate using the same credentials as they use for their local AD network.  Now, there is a new option in AAD Connect which will allow single sign-on using this software. In effect, the AAD Connect software becomes an agent for Azure AD authentication requests.

Using this new method is much simpler since it does not require all of the redundancies needed for ADFS.  Azure Active Directory Connect pass-through authentication also does not require any systems to be in a DMZ.  This means everything can be behind a firewall where it is nice and secure.

Here is a network diagram showing the SSO authentication process using Azure Active Directory Connect pass-through authentication.  In this diagram, AAD Connect is running on a Windows member server.  The Azure Active Directory Connect software can run on any domain member server running Windows 2012 or newer.

Remember, Azure Active Directory Connect pass-through authentication is in “Preview”, which means it is a beta product and SHOULD NOT be used on critical production systems yet.  For more information, see Microsoft’s announcement about Azure Active Directory Connect pass-through authentication.

Permanent link to this article: https://www.robertborges.us/2016/12/cloud-computing/public-preview-azure-active-directory-connect-pass-through-authentication/