Azure AD Connect Pass-Through Authentication

Have you ever wanted a simple Single Sign-On (SSO) solution for Office 365 without having to manage and maintain SSL certificates or ADFS? Microsoft has deployed a preview version of their “pass-through authentication” to the latest version of the Azure AD Connect (AAD Connect) tool.

What this means is a simple, but effective SSO solution for the end user on a corporate domain joined machine. Another benefit of the pass-through authentication provided by the Azure AD Connect tool is the integration with self-service password reset (SSPR) functionality that enables the end user to reset their password without the need of helpdesk support. From a high level, the authentication process is depicted by the diagram below.

Many security related questions arise whenever a new SSO solution is presented. Microsoft has confirmed all usernames and passwords are passed to the on-premises connector, then passed back to Azure AD over an encrypted HTTPS connection. Meaning, there are no passwords being stored in Microsoft cloud, an appealing feature for companies with strict network security.

Currently, the pass-through authentication feature is in the preview stages, and as such, does not have the same level of SLA support, and the features are provided as is. However, this is an excellent step forward in simplifying the Office 365 single sign-on solution by removing the need for ADFS. Microsoft has also added an additional layer of public and private key encryption to the service while in the preview stages.

Prerequisites:

• Windows Server 2012 R2 to run the AAD Connect tool. This server must be a member of the forest that contains the users being validated by AAD Connect.
  • If you have more than one forest containing users, there must be a trust between them.
• A second Windows Server 2012 R2 to run a second connector for high availability and load balancing.
• Firewall exceptions to ensure the connector can communicate with the following URLs and the Azure data center IP ranges
  • *.msappproxy.net
  • *.servicebus.windows.net
• The following ports are used for HTTPS (TCP) requests to Azure AD
  • 80
  • 443
  • 8080/443
  • 9090
  • 9091
  • 9352
  • 5671
  • 9350
  • 10100-10120

To summarize, when using AAD Connect you have three options for SSO, and each has its advantages and disadvantages. The three options are password synchronization, ADFS, and pass through authentication. ADFS is considered the most complex as it requires additional infrastructure to deploy, certificate management, and adds another point of failure in the physical infrastructure.

Password synchronization is considered the simplest approach when using AAD Connect as it simply reads and applies the on-premise Active Directory object password to the respective Azure Active Directory object in Office 365. Pass-through authentication offers the same user experience as ADFS, in that the user does not need to enter their password when accessing Office 365, but without the additional infrastructure and management that ADFS requires.

In closing, Pass-Through Authentication is a great step forward in the already robust Office 365 cloud offerings, and adds more value to the adoption of Office 365 when migrating from an on-premise solution.

If you would like to learn more about Pass-Through Authentication or any of Office 365’s offerings, please get in contact with us by filling out the contact form below.