How does the new AzureAD Pass-Through Authentication and Seamless Single Sign-on change things?

Late last week the Azure AD team announced an exciting new feature released to public preview – AzureAD Pass-Through Authentication and Seamless Single Sign-on. How does this actually affect us, and what changes?

So what was announced?

Here is an extract of the recent announcement:

“Howdy folks,
Today’s news might well be our biggest news of the year. Azure AD Pass-Through Authentication and Seamless Single Sign-on are now both in public preview!

When we talk to organizations about how they want to integrate their identity infrastructure to the cloud, we often hear the same set of requirements: “I’ve got to have single sign-on for my users, passwords need to stay on-premises, and I can’t have any un-authenticated end points on the Internet. And make sure it is super easy”.

We heard your feedback, and now the wait is over. I’m excited to announce we have added a set of new capabilities in Azure AD to meet all those requirements: Pass-Through Authentication and Seamless Single Sign-on to Azure AD Connect! These new capabilities allow customers to securely and simply integrate their on-premises identity infrastructure with Azure AD.”

What does this mean for us?

Most of our customers require a single sign-on experience for their end users, which today means they run ADFS infrastructure, in our case typically in Azure.
That means multiple virtual machines, generally in a highly available configuration with load balancing and firewalls to secure the environment, similar to the diagram below.

This obviously adds complexity, and Azure consumption cost, for our customers.

This new release promises to change that!

With the new preview release, all you need to do is install and configure Azure AD Connect, choose the pass-through authentication sign-in method, and tick the single sign-on box shown below:

[Screenshot: ad-connect-preview (Azure AD Connect user sign-in options in the preview installer)]

High availability is available for this as well: pass-through authentication is made redundant by running additional authentication agents on further servers, and because the agents only make outbound HTTPS connections to Azure AD there are no inbound ports or unauthenticated endpoints to publish. The sync engine itself still runs on one active Azure AD Connect server, optionally with a second server in staging mode. As our proposed diagram below shows, this drastically reduces the infrastructure requirements compared with an ADFS farm.
Note that the Azure AD Connect server can run on-premises or on an Azure VM, depending on the architecture requirements; either way it needs line of sight to a domain controller, because pass-through authentication validates each password against on-premises Active Directory. This example shows our recommended deployment of running in Azure.

[Diagram: new-sso (proposed pass-through authentication and seamless SSO deployment)]

The technical difference

The latest version gives our customers three sign-in methods for single sign-on to Azure AD and Office 365, depending on their security requirements:

  1. Password hash synchronization with seamless SSO: a hash derived from the on-premises password hash is stored in Azure AD, and passwords are verified in the cloud.
  2. Pass-through authentication with seamless SSO: an on-premises agent validates the password against Active Directory, so the password never leaves the organisation and nothing password-derived is stored in Azure AD.
  3. ADFS (federation): Azure AD redirects sign-in to the on-premises federation service.

Where customers have deployed ADFS, we recommend evaluating which other applications (if any) rely on it as a claims provider before simplifying to the new seamless SSO; those relying-party trusts do not move with the Azure AD domain when it is converted from federated to managed.
As customer applications are updated, the best practice is to use Azure AD itself for authentication to the thousands of applications in its gallery, and this release extends the seamless SSO experience to those applications as well.
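As an added example, not part of the original post, the following PowerShell makes the evaluation above concrete: it reports the sign-in method of every verified Azure AD domain (federated domains still depend on ADFS) and checks the on-premises Seamless SSO computer account, whose password is the Kerberos decryption key that Microsoft recommends rolling over at least every 30 days. It assumes the MSOnline and ActiveDirectory PowerShell modules are installed and that the caller can read both directories; the function names are ours.

```powershell
# Added example (not from the original post or from Microsoft).
# Assumes: MSOnline module (Connect-MsolService, Get-MsolDomain,
# Get-MsolDomainFederationSettings) and the RSAT ActiveDirectory module.

Import-Module MSOnline
Import-Module ActiveDirectory

function Get-AzureADSignInMethod {
    # Returns one object per verified domain with its authentication type.
    # 'Federated' means sign-in is still redirected to ADFS; 'Managed' means
    # cloud authentication (password hash sync or pass-through authentication).
    Get-MsolDomain |
        Where-Object { $_.Status -eq 'Verified' } |
        ForEach-Object {
            $issuer = $null
            if ($_.Authentication -eq 'Federated') {
                # Record the ADFS issuer so its other relying-party trusts can be
                # reviewed before the domain is converted to managed.
                $issuer = (Get-MsolDomainFederationSettings -DomainName $_.Name).IssuerUri
            }
            [pscustomobject]@{
                Domain         = $_.Name
                Authentication = $_.Authentication
                IssuerUri      = $issuer
            }
        }
}

function Test-SeamlessSsoKeyAge {
    param([int]$MaxAgeDays = 30)   # Microsoft's recommended rollover interval

    # Seamless SSO creates a computer account named AZUREADSSOACC in the
    # on-premises forest; Azure AD holds a matching Kerberos decryption key.
    $sso = Get-ADComputer -Filter { Name -eq 'AZUREADSSOACC' } -Properties PasswordLastSet
    if ($null -eq $sso) {
        return [pscustomobject]@{ Enabled = $false; KeyAgeDays = $null; RolloverDue = $false }
    }
    $age = ((Get-Date) - $sso.PasswordLastSet).Days
    [pscustomobject]@{
        Enabled     = $true
        KeyAgeDays  = $age
        RolloverDue = ($age -gt $MaxAgeDays)
    }
}

# Usage: sign in to Azure AD, then print both reports.
Connect-MsolService
Get-AzureADSignInMethod | Format-Table -AutoSize
Test-SeamlessSsoKeyAge  | Format-List
```

A domain that shows Federated still needs ADFS until it is converted to managed (Convert-MsolDomainToStandard in the MSOnline module); do that only after the issuer's other relying-party trusts have been accounted for. A RolloverDue result means the AZUREADSSOACC key should be rolled with the Azure AD SSO PowerShell module shipped with Azure AD Connect.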

Next steps

It’s important to note that this product is still in preview, but we look forward to the full release of this solution and working with our customers to evolve their Azure environment, reducing complexity and cost to deliver even more value.
If you want to be notified when this occurs, or to learn more, just contact us here and one of our team will be happy to show you more!

For more information on how this all works technically, here is a great overview video: https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/introducing-azuread-pass-through-authentication-and-seamless-single-sign-on/
And here is all the documentation. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect-sso