Single Sign-on (SSO) Options with Azure Active Directory

Figuring out the best way to implement Single Sign-On (SSO) in a Microsoft cloud environment can be challenging given how the options have evolved over time, but it’s a key component of any successful Office 365 or Azure deployment. There are four main options on how you can configure SSO:

The most basic option is to not implement single sign-on at all, which might make sense for smaller implementations. In this scenario, user accounts are provisioned on Office 365 and users logon independently of their local Active Directory. 

Cloud-only passwords – non-SSO

The most basic option is to not implement single sign-on at all, which might make sense for smaller implementations. In this scenario, user accounts are provisioned on Office 365 and users logon independently of their local Active Directory. 

Pros: 

Cons: 

Password Synchronization with SSO

Microsoft provides a tool called Azure Active Directory (AD) Connect to synchronize user data from on-premise Active Directory to Azure AD. This saves provisioning user accounts on Office 365 while also giving the ability to synchronize a hash of the end user’s password. The end user’s full password is not synced, and a password change on-premise will trigger a sync. In this scenario, users on the network will receive a Kerberos challenge and be able to pass that token to Azure AD for authentication. Users who are outside of the network will login with their AD credentials.

Pros: 

Cons: 

Pass-through Authentication 

Another option for SSO is to use pass-through authentication with Azure AD Connect. The latest version of the Azure AD Connect tool includes an agent that opens and maintains an outbound connection to Azure AD (no DMZ or firewall rules required). When this option is enabled, user logons to Office 365 are passed back through this open tunnel to your on-premise Active Directory where they are authenticated live. This means you have access to logon time restrictions. The good news is that you can deploy additional agents which ideally would use separate internet connections. Of course, the downside of having machines authenticate against your local AD is that you need to provide high availability.

The best part is that pass-through authentication means that we can now have domain joined machines pass through their domain credentials seamlessly. This takes place automatically in most web browsers (IE, Chrome and Firefox). If you have Outlook 2013 or later deployed and modern authentication enabled, Outlook can take advantage of seamless single sign-on as well. 

Pros: 

Con: 

Federated Identity 

Federated identity offers some unique security options not available in other scenarios, but it also has the most requirements in terms of server infrastructure to implement. To enable federated identity, you need to deploy Active Directory Federation Services (ADFS) in an on-premise network. A typical deployment would be a two-server farm at separate sites (Azure has an option to add a second site for single datacenter customers). Two additional servers are needed in a DMZ (demilitarized zone, sometimes referred to as perimeter network) to securely publish ADFS to the internet. Once ADFS is in place, federated identity can be enabled with a few PowerShell commands. 

Similar to pass-through authentication, user logon attempts are passed back to the ADFS farm to validate against your local active directory. Outlook 2013 or later will leverage modern authentication to communicate with ADFS. Web browsers will get redirected to the ADFS server to complete their authentication. This lets you use what’s called SmartLinks technology to allow users to logon directly to SharePoint online without entering a username or password. 

You also have access to security features not available in other scenarios. You can enable client access filtering which lets you restrict access to Microsoft cloud services based on IP address (commonly used for hourly employees that shouldn’t be able to check email from home). You can also integrate with on-premise multifactor authentication servers (although you should be looking at Microsoft Azure options for MFA). 

Pros: 

Cons: 

Learn more from the blog article: Understanding Office 365 identity and Azure Active Directory


Think you are interested in SSO, but want to talk with an expert about which option is best for your company and environment? Contact us today!