During the last few days Microsoft released two new versions of the Azure AD Connect, first 1.1.370.0, and shortly after a minor increment to 1.1.371.0.
Besides a fix for an issue in Azure AD Connect that occurred when port 9090 was not open for outbound connections, the big news is support for Azure AD pass-through authentication and Azure single sign-on.
Get the most recent Azure AD Connect here: https://www.microsoft.com/en-us/download/details.aspx?id=47594
Azure AD pass-through authentication is a new sign-in method that works in combination with Azure AD Connect and Azure single sign-on, providing a seamless single sign-on experience in Azure AD and connected services without requiring an Active Directory Federation Services (ADFS) infrastructure.
Authentication using Azure AD pass-through depends on agents (or connectors) deployed on on-premises servers, which listen for password validation requests. These connectors can be installed on multiple servers for high availability and load balancing.
All communication is outbound only, so there is no requirement to install the connectors on servers in a DMZ network or to make sensitive firewall changes to allow inbound connections. The connectors do, however, decrypt and validate user passwords, so the servers hosting them should be hardened and protected to the same standard as domain controllers.
Basically, when a user enters a username and password on the Azure AD login page, Azure AD passes the username and password on to the on-premises connectors for validation. One of the on-premises connectors picks up the validation request from the queue and validates it against the local Active Directory. One of the on-premises domain controllers evaluates the request and returns a response to the connector, which forwards it to Azure AD.
Finally, Azure AD evaluates the response and provides the requesting user/client with an appropriate authentication response, such as granting access or challenging the login with a multi-factor authentication request.
Azure single sign-on is a feature that works with either password sync through Azure AD Connect or pass-through authentication, together with the on-premises Active Directory service.
To provide end users with Azure single sign-on, the following are required:
- Users must use domain-joined computers
- The computers must have a direct connection to a domain controller (corporate wired/wireless network, VPN or DirectAccess connection).
- Kerberos end-points in the cloud must be defined as part of the Intranet zone.
If Azure single sign-on cannot be applied, the sign-in falls back to a simple prompt for username and password.
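The following PowerShell script is an added example, not code from the original post or from Microsoft, that turns the two sets of prerequisites above into checks: outbound reachability from a connector server (port 9090 from the post plus 443, which is an assumption) and the three client-side conditions for Azure single sign-on (domain-joined, a reachable domain controller, and the cloud Kerberos endpoint mapped to the Intranet zone). The target hostname for the connector check is a placeholder, and the single sign-on endpoint name is taken from current Microsoft documentation rather than from the post, so the preview-era name may differ.

```powershell
# Added example (not part of the original post). Hostnames below are
# placeholders or assumptions; replace them with the endpoints documented
# for your tenant.

function Test-PtaConnectorOutbound {
    # Checks outbound TCP reachability from a connector server.
    # Port 9090 is mentioned in the post; 443 is an assumption.
    param(
        [string[]]$Targets = @('login.microsoftonline.com'),  # placeholder target
        [int[]]$Ports = @(443, 9090)
    )
    foreach ($t in $Targets) {
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $t -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $t; Port = $p; Reachable = [bool]$r.TcpTestSucceeded }
        }
    }
}

function Test-SeamlessSsoPrerequisite {
    # Verifies the client-side conditions listed in the post:
    # 1) domain-joined, 2) a domain controller is reachable,
    # 3) the cloud Kerberos endpoint is mapped to the Intranet zone (zone id 1).
    param(
        # Endpoint name from current Microsoft docs (assumption for the preview).
        [string]$SsoHost = 'autologon.microsoftazuread-sso.com'
    )
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain

    # The secure channel test talks to a domain controller, so it fails when
    # none is reachable (off the corporate network, no VPN/DirectAccess).
    $dcReachable = $false
    if ($domainJoined) {
        try { $dcReachable = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
        catch { $dcReachable = $false }
    }

    # Zone assignment may come from the per-user/per-machine ZoneMap or from the
    # "Site to Zone Assignment List" policy (ZoneMapKey); check both sources.
    $parts = $SsoHost.Split('.')
    $domainPart = $parts[-2..-1] -join '.'                  # e.g. microsoftazuread-sso.com
    $zoneKey = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domainPart"
    if ($parts.Length -gt 2) {
        $hostPart = $parts[0..($parts.Length - 3)] -join '.'  # e.g. autologon
        $zoneKey = "$zoneKey\$hostPart"
    }
    $inIntranet = $false
    foreach ($hive in 'HKCU', 'HKLM') {
        $v = Get-ItemProperty -Path "${hive}:\$zoneKey" -Name 'https' -ErrorAction SilentlyContinue
        if ($v -and [int]$v.https -eq 1) { $inIntranet = $true }

        $polPath = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
        if ($pol) {
            foreach ($name in @("https://$SsoHost", $SsoHost)) {
                $prop = $pol.PSObject.Properties[$name]
                if ($prop -and [string]$prop.Value -eq '1') { $inIntranet = $true }
            }
        }
    }

    [pscustomobject]@{
        DomainJoined        = $domainJoined
        DomainControllerOk  = $dcReachable
        SsoHostInIntranet   = $inIntranet
        SeamlessSsoExpected = ($domainJoined -and $dcReachable -and $inIntranet)
    }
}

# Usage: run the first function on a connector server, the second on a client.
Test-PtaConnectorOutbound | Format-Table -AutoSize
Test-SeamlessSsoPrerequisite | Format-List
```

When SeamlessSsoExpected is false, the sign-in falls back to the username/password prompt described above; the individual fields show which of the three prerequisites is missing, which is the first thing to check when users report unexpected password prompts.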
As mentioned, both Azure AD pass-through authentication and Azure single sign-on are in preview and currently only support web browser based clients and Office clients capable of using modern authentication – this may change by the time of general availability.
Clients that are not (yet) supported by Azure AD pass-through authentication and Azure single sign-on, such as legacy Office clients and Exchange ActiveSync (i.e. native email clients on mobile devices), must resort to one of the other authentication methods available.
These are very innovative solutions with great usability and huge potential, and it will be interesting to follow the impact they make on cloud identity and integration capabilities as they evolve.