Microsoft’s identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorisation to all resources, regardless of location. We call this hybrid identity.
To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:
First, refer to the diagram below and identify which authentication method you will pick for your organisation's Azure AD tenant.
Details on decision questions:
Azure AD can handle sign-in for users without relying on on-premises components to verify passwords.
Azure AD can hand off user sign-in to a trusted authentication provider such as Microsoft’s AD FS.
If you need to apply user-level Active Directory security policies such as account expired, disabled account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises components.
Sign-in features not natively supported by Azure AD:
Sign-in using smartcards or certificates.
Sign-in using on-premises MFA Server.
Sign-in using a third-party authentication solution.
Multi-site on-premises authentication solution.
Azure AD Identity Protection requires Password Hash Sync regardless of which sign-in method you choose, in order to provide the "Users with leaked credentials" report. Organisations can fail over to Password Hash Sync if their primary sign-in method fails, but only if Password Hash Sync was already configured before the failure event.
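A readiness check for the failover caveat above, added here as an example rather than taken from the original page: it assumes the ADSync PowerShell module that Azure AD Connect installs on its server, and the connector name "contoso.com" is a placeholder for your own on-premises AD connector.

```powershell
# Added example: confirm Password Hash Sync is already in place so that
# failing over to it during a PTA/federation outage is actually possible.
# Run on the Azure AD Connect server; requires the ADSync module it ships with.
param(
    # Placeholder: name of your on-premises AD connector as shown in
    # Synchronization Service Manager (e.g. the forest FQDN).
    [string]$SourceConnector = "contoso.com"
)
Import-Module ADSync -ErrorAction Stop

$problems = @()

# 1. Is PHS enabled as a feature of this Azure AD Connect installation?
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordHashSync) {
    $problems += "PasswordHashSync feature is disabled in Azure AD Connect."
}

# 2. Is password sync enabled for the connector that holds the users?
$pwdSync = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector
if (-not $pwdSync.Enabled) {
    $problems += "Password sync is not enabled for connector '$SourceConnector'."
}

# 3. Is the sync scheduler running, so hashes in the cloud do not go stale?
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    $problems += "Sync cycle is disabled; synced password hashes will go stale."
}

if ($problems.Count -eq 0) {
    Write-Output "OK: Password Hash Sync is configured; failover to PHS is possible."
} else {
    $problems | ForEach-Object { Write-Output "WARN: $_" }
    Write-Output "Resolve these before an outage; failover to PHS only works when PHS was configured beforehand."
}
```

Re-run the check after any change to the sign-in method or connector configuration, since the failover option depends on this state at the moment the primary method fails.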