Hi there, my name is Swaroop Krishnamurthy and I'm a program manager on the Azure AD Engineering team.

Hi there, my name is Martin Coetzer. I'm also a program manager on the Azure AD Engineering team. Today we're going to look at choosing the right authentication method for your Azure AD solution, for your organization.

So why is choosing the right authentication method so important? First, it is the first decision that you make on your journey to the cloud. When you're trying to deploy apps such as Office 365, cloud applications or even line-of-business applications, you need to decide how your users will actually sign in and access the application. Second, it is the foundation of your modern IT infrastructure, on top of which you will build your security, identity and access management solution using Azure AD. Third, once you actually choose your authentication method, it is hard to change, because it will likely disrupt your users' sign-in experience.

Azure AD supports many authentication options to meet the requirements of all types of organizations. The first option is cloud-only. This is for born-in-the-cloud organizations with no on-premises infrastructure. Here you can establish user identities directly in the cloud, and Azure AD handles all of the authentication completely in the cloud. Now, all the other options require an on-premises Active Directory; we call this hybrid identity. The second option is password hash sync. In this case users can actually sign in to cloud-based applications using the same usernames and passwords that they use with their on-premises Active Directory. In addition, password hash sync also provides user and password protection. Seamless single sign-on is a complementary feature; we'll talk about that a little bit later on in this video. Pass-through authentication is the third option. It is very similar to password hash sync, but it's for organizations where their security policies are something that they would like to reuse in the cloud. The next two options are federated authentication, using either Microsoft's AD FS or third-party compatible federation providers. In this case Azure AD actually hands off the authentication to a trusted authentication system to handle all of the authentication. Federated authentication is the best fit for organizations which have advanced requirements that are not natively supported in Azure AD.

This decision tree will make it easier for you to choose the right authentication method for your organization. You can use it to determine what is the best method by answering a few simple questions. Let's explore a few examples with this decision tree.

Let's take Wing Tip Toys. Wing Tip Toys is an online retailer for toys they manufacture. Today they use a simple email system from their internet provider, and they want to use Microsoft Teams to collaborate around new projects. Since they don't have an on-premises footprint, cloud-only is the right option for them. They will create and manage new users and passwords in Azure AD directly. This will allow them to use Microsoft Teams and extend their applications to other Office 365 apps and even other cloud apps that are available.

So next up is Fabrikam. They're a widget manufacturing company and have been making widgets over the last 30 years. There are more than 7000 factory workers who sign in to Active Directory every day to do their jobs. Now Fabrikam has decided to deploy Workday, an HR cloud-based application, to let factory workers handle their payroll online, and also to migrate to Office 365, so that these factory workers can actually receive their work schedules over email. It is important that the Fabrikam factory workers use the same usernames and passwords that they use today with Active Directory also to sign in to Workday and Office 365. It lets them stay productive and also helps Fabrikam keep costs under control. In addition, Fabrikam doesn't have a large IT department, so they need the simplest solution possible, which actually means the lowest on-prem footprint and also low operating costs. Password hash sync seems to be the right solution for them.

Here's how password hash sync works. First you install Azure AD Connect, our provisioning tool, to actually provision users from on-premises Active Directory into Azure AD, and you also enable password hash sync as your sign-in option. Now, on-premises Active Directory never stores passwords in clear text, but in hash form. A hash is the value that you get from a one-way mathematical function applied on a clear-text password; there is no method to reverse a hash to get back the clear-text password. Now Azure AD Connect connects to the on-premises Active Directory and reads these password hashes, hashes them a thousand times over and then copies them over to Azure AD, and it does this process every two minutes. Now, when the user is actually trying to sign in to Azure AD, they plug in their username and password into Azure AD, we apply the same hashing algorithms as I described before, and then we compare the username and the hashed value and try to match it with the username and the stored hash value in Azure AD. If there is a match, the user is successfully signed in. As you can see, during authentication there is no dependency on the on-premises infrastructure.

Password hash sync also provides a couple of key security benefits. First among them is a report that we call the leaked credential report. The way that works is Microsoft scans the internet, especially the dark web, for username and password lists that have been leaked into the wild. If it then finds any matches to your users' accounts, it'll actually alert your administrators through the leaked credential report, or it will automatically block users from signing in, or maybe even allow them to reset their password the next time they actually sign in. This feature is only possible if you use password hash sync. Second, a feature called smart lockout is also applicable here. This actually protects against brute-force password attacks in the cloud and prevents genuine users from being locked out of their applications.

Now you should combine password hash sync with this complementary feature called seamless single sign-on. Seamless SSO allows users to automatically sign in to Azure AD if they're on their corporate devices connected to their corporate network. When enabled, they don't need to actually even type in their passwords to get into Azure AD, so it actually makes the user experience a whole lot better. This feature is also set up using Azure AD Connect.

Now some organizations may require an authentication feature not currently supported by Azure AD, for example signing in with smart card authentication or using an on-premises MFA server. In this case organizations may choose to use federation. Keep in mind that Azure AD moves pretty quickly and we add features all the time, so make sure to check the latest documentation before you make your decision.

My next example is Woodgrove Bank. Woodgrove Bank is a trusted financial institution that has strong regulatory requirements. They require strong password policies for their bank tellers, and they also require that they don't log on after hours. They're planning to move to Office 365, use some cloud applications and even some on-premises applications, and make them available to tellers and corporate employees. Clearly Woodgrove Bank cannot use password hash sync, because their password policies are different from the Azure AD default policy and they require support for user logon hours, which are not supported by Azure AD natively. Going with federation could help solve these requirements, but it could lead to higher operational cost in terms of managing server certificates and network configuration. Woodgrove Bank should actually use the modern cloud-first approach of pass-through authentication.

Let me explain how pass-through authentication actually works. Pass-through authentication is also set up using Azure AD Connect, just like password hash sync, but instead of synchronizing password hashes to Azure AD, you start by installing two or more authentication agents on premises; you need two or more for high availability. These agents actually make persistent outbound connections to Azure AD and listen for authentication requests. So when a user signs in to Azure AD and they plug in their username and password, Azure AD actually encrypts the password using a public key, and the username and encrypted password are placed on a queue in the cloud. One of the agents that has been deployed on-prem actually pulls down this username and encrypted password, decrypts the password field using its private key, and tests the username and password against on-premises Active Directory. Now the result of this authentication, which could be successful, failed, password expired, or user is locked out, is relayed back to Azure AD via the agent. If this authentication is successful, then the user can actually access the application.

Now pass-through authentication also supports smart lockout, but doesn't provide password protection, which is the leaked credential report that I just talked about before. Pass-through authentication should also be combined with seamless SSO for the best possible user experience. Now pass-through authentication is the right option for Woodgrove Bank only if they don't need one of the advanced features listed here.

Federation is recommended as an authentication method for organizations that have advanced features not currently supported in Azure AD, including multi-site, low-latency authentication infrastructure. Federation requires a bit more setup. First you will need two servers in your internal network to accept authentication requests; more than one server is required for high availability. Next you will need two or more servers in your perimeter network to accept requests from the internet and then relay those authentication requests to your internal AD FS servers. When a user signs in to Azure AD, Azure AD will hand off this authentication request to this trusted federation system that you have configured. This basic topology supports other scenarios such as on-premises MFA servers or smart card authentication. Federated authentication is not just Microsoft AD FS, but also is for compatible trusted third-party providers.

To conclude this video, we want you to consider our top recommendation: always enable password hash sync. If you use password hash sync and use that for sign-in, you don't need to worry about high availability; it will be on us. If anything goes wrong with your on-premises service, your authentication will continue to work. But if you choose pass-through authentication or federation, you can still use password hash sync, because you can then use that as a backup authentication method. For example, if your on-premises service goes down, you can manually fail over to password hash sync and still allow your users to sign in to cloud apps. In addition, password hash sync also gives you identity protection through the leaked credential reports.

This ends our video on choosing the right authentication method for Azure AD in your organization. To learn more, please use these resources on the web. Thank you.
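The password hash sync flow described for Fabrikam, as an added example that is not code from the video or from Azure AD Connect: the on-premises directory keeps only a one-way hash, the sync step re-hashes that value a thousand times with a per-user salt before it reaches the cloud, and a cloud sign-in recomputes the same chain without touching on-premises infrastructure. The re-hashing step follows what Microsoft documents for password hash sync (PBKDF2-HMAC-SHA256, 1,000 iterations, a 10-byte per-user salt over the hex-expanded hash); the on-premises hash itself is stood in by SHA-256, since the directory's own NT hash algorithm is not reproduced here, and the uppercase hex encoding is this example's assumption.

```python
import hashlib
import hmac
import os

PHS_ITERATIONS = 1000  # "hashes them a thousand times over" in the video
SALT_LEN = 10          # per-user salt length Microsoft documents for PHS


def onprem_password_hash(password: str) -> bytes:
    """Stand-in for the one-way hash the on-premises directory stores.

    Assumption of this example: SHA-256 over the UTF-16LE password. The
    directory's real NT hash algorithm is different and not reproduced.
    """
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def cloud_hash_from_onprem_hash(onprem_hash: bytes, salt: bytes) -> bytes:
    """Re-hash the on-premises hash before it leaves the directory.

    Documented PHS construction: expand the binary hash to its hex string
    re-encoded as UTF-16LE, then PBKDF2-HMAC-SHA256 for 1,000 iterations
    with the per-user salt. Only the 32-byte result is sent to the cloud.
    """
    expanded = onprem_hash.hex().upper().encode("utf-16-le")  # case: assumption
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, PHS_ITERATIONS, dklen=32)


def sync_user(password: str) -> dict:
    """What the sync step would push to the cloud for one user (every two minutes)."""
    salt = os.urandom(SALT_LEN)
    cloud_hash = cloud_hash_from_onprem_hash(onprem_password_hash(password), salt)
    return {"salt": salt, "cloud_hash": cloud_hash}


def cloud_sign_in(record: dict, attempt: str) -> bool:
    """Cloud-side check: recompute the same chain and compare in constant time.

    Nothing here calls back on premises, which is why a sign-in keeps
    working when the on-premises service is down.
    """
    candidate = cloud_hash_from_onprem_hash(onprem_password_hash(attempt), record["salt"])
    return hmac.compare_digest(candidate, record["cloud_hash"])


if __name__ == "__main__":
    rec = sync_user("Summer2024!")  # constructed sample password
    print("correct password:", cloud_sign_in(rec, "Summer2024!"))
    print("wrong password:  ", cloud_sign_in(rec, "summer2024!"))
```

The stored record never contains the on-premises hash itself, only the salted, iterated derivative, which is the point the video makes about the cloud copy.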