Azure AD Connect: Recommended Authentication Method for Integrating Active Directory and Azure AD

Choose the Best Authentication Method for Integrating Active Directory and Azure AD

Question

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain.

You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.

You plan to deploy Azure AD Connect and to integrate Active Directory and the Azure AD tenant.

You need to recommend an integration solution that meets the following requirements:

-> Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant.

-> Minimizes the number of servers required for the solution.

Which authentication method should you include in the recommendation?

Answer

B

Explanations

Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically applies to organizations that only need their users to sign in to Office 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.

Incorrect Answers:

A: A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD. It's up to the organization using the federated system to make sure it's deployed securely and can handle the authentication load.

C: For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need outbound access to the Internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter network.

Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to authentication requests.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

To ensure that password policies and user logon restrictions apply to user accounts that are synced to the Azure AD tenant and to minimize the number of servers required for the solution, the recommended authentication method is password hash synchronization with seamless single sign-on (SSO).

Here is a detailed explanation of each of the available authentication methods:

A. Federated identity with Active Directory Federation Services (AD FS): With this method, user authentication is performed by AD FS, which is a separate on-premises server that provides authentication services using security tokens. AD FS can be configured to use different authentication methods, such as smart cards or username and password. However, deploying AD FS requires additional infrastructure and maintenance, which may not be necessary for smaller organizations. Additionally, users may experience slower authentication times because of the extra network hops involved in the process.

B. Password hash synchronization with seamless single sign-on (SSO): This method synchronizes users' hashed passwords from on-premises Active Directory to Azure AD, allowing users to sign in to cloud-based services using the same password they use to sign in to their on-premises domain. Seamless SSO eliminates the need for users to enter their username and password again when accessing cloud resources from a domain-joined computer. This method is easy to deploy, requires minimal infrastructure, and ensures that password policies and user logon restrictions are enforced.

C. Pass-through authentication with seamless single sign-on (SSO): This method validates users' on-premises passwords in real time against on-premises Active Directory, providing an additional layer of security. However, this method requires more infrastructure than password hash synchronization (the authentication agents and their outbound connectivity), and users may experience slower authentication times because of the extra network hops involved in the process.

In summary, password hash synchronization with seamless single sign-on (SSO) is the recommended authentication method because it is easy to deploy, requires minimal infrastructure, and ensures that password policies and user logon restrictions are enforced.
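The requirement behind option B is that password changes and account restrictions set on-premises actually reach the tenant, which only holds while password hash synchronization is enabled and the sync scheduler keeps running. The following PowerShell health check is an added example written for this page; it is not part of the original question, the Microsoft documentation, or Azure AD Connect itself. It assumes it runs elevated on the Azure AD Connect server with the ADSync module available, that the Microsoft Graph PowerShell SDK is installed for the tenant-side check, that the on-premises connector is named "contoso.com" (the forest from the question), and that the Application-log provider name and event IDs 611/657 are as described in Microsoft's PHS troubleshooting guide. The function name Test-PhsHealth and the 30-minute freshness threshold are choices made for this example.

```powershell
# Added example (not from the original page or Microsoft): verify that password
# hash synchronization (PHS) is enabled and healthy on an Azure AD Connect server.
# Assumptions: elevated session on the Azure AD Connect server, ADSync module
# present, Microsoft.Graph SDK installed, on-premises connector named "contoso.com".

function Test-PhsHealth {
    [CmdletBinding()]
    param(
        [string]$SourceConnector = 'contoso.com',
        # PHS pushes hash changes roughly every two minutes; a much older
        # tenant-side timestamp means on-prem password/account changes are not arriving.
        [int]$MaxPasswordSyncAgeMinutes = 30
    )

    Import-Module ADSync -ErrorAction Stop

    # 1. Is PHS switched on as a tenant feature and for this source connector?
    $feature = Get-ADSyncAADCompanyFeature
    $cfg     = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector

    # 2. Is the scheduler running? Account state (enabled/disabled, password
    #    changes) only reaches Azure AD while sync cycles actually execute.
    $sched = Get-ADSyncScheduler

    # 3. Recent PHS result events from the Application log. Provider name and IDs
    #    assumed from Microsoft's troubleshooting guide:
    #    657 = password change result, 611 = password synchronization failure.
    $since  = (Get-Date).AddHours(-24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Id           = 611, 657
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    $failures = @($events | Where-Object Id -eq 611)

    # 4. Tenant side: when did Azure AD last receive a password hash from on-prem?
    Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome
    $org         = Get-MgOrganization | Select-Object -First 1
    $lastPwdSync = $org.OnPremisesLastPasswordSyncDateTime
    $pwdSyncAge  = if ($lastPwdSync) {
        ((Get-Date).ToUniversalTime() - $lastPwdSync).TotalMinutes
    } else { $null }

    # Summarise; Healthy is true only when every condition the question relies on holds.
    [pscustomobject]@{
        PhsFeatureEnabled   = [bool]$feature.PasswordHashSync
        PhsConnectorEnabled = [bool]$cfg.Enabled
        SyncCycleEnabled    = $sched.SyncCycleEnabled
        EffectiveInterval   = $sched.CurrentlyEffectiveSyncCycleInterval
        NextSyncUtc         = $sched.NextSyncCycleStartTimeInUTC
        PwdSyncFailures24h  = $failures.Count
        LastPasswordSyncUtc = $lastPwdSync
        PasswordSyncAgeMin  = $pwdSyncAge
        Healthy             = ($feature.PasswordHashSync -and $cfg.Enabled -and
                               $sched.SyncCycleEnabled -and $failures.Count -eq 0 -and
                               $null -ne $pwdSyncAge -and
                               $pwdSyncAge -le $MaxPasswordSyncAgeMinutes)
    }
}

# Usage: run on the Azure AD Connect server after deployment or as a scheduled check.
Test-PhsHealth | Format-List
```

A disabled on-premises account or a changed password is only reflected in the tenant once a sync cycle picks it up, so a report showing SyncCycleEnabled false, a failure count above zero, or a stale LastPasswordSyncUtc is the signal that the "password policies and user logon restrictions" requirement is currently not being met, even though PHS is nominally configured.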