Choosing the right authentication for your Azure AD

By Starlin Daniel Raj | December 13, 2018

Choosing the right authentication method is a major concern for organizations that want to move their apps to the cloud. Make this decision carefully, for the following reasons:

1. The authentication method is critical because it controls access to all data and resources in the cloud.

2. Once implemented, it is not easy to change the authentication method.

Authentication methods

When the Azure AD hybrid identity solution is our new control plane, authentication is the foundation of cloud access. To choose an authentication method, we need to consider time, existing architecture, and cost of implementation.

Azure AD supports the following authentication methods for hybrid identity solutions.

1. Cloud authentication

When we choose cloud authentication, Azure AD handles the users’ sign-in process. Coupled with seamless single sign-on (SSO), it lets users sign in to cloud apps without reentering their credentials.

Password-hash synchronization. If users prefer to use the same username and password that they use on-premises, this is the easier approach to implement.

Pass-through Authentication. With this approach, the validation happens with our on-premises AD, which also ensures that the password validation doesn’t happen in the cloud.

2. Federated authentication

When we choose federated authentication, Azure AD hands the authentication process over to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS).

Smartcard-based authentication or third-party multifactor authentication are the best examples.

More considerations…

Cloud authentication: Password-hash synchronization

Password-hash synchronization requires the least effort in terms of deployment, infrastructure and maintenance. The sync runs every two minutes and is highly available.

This authentication method typically applies to organizations that have users on Office 365, SaaS apps and Azure AD-based resources. From a user-experience point of view, this approach is a good choice because it avoids unnecessary sign-in prompts.

Cloud authentication: Pass-through Authentication

Pass-through authentication needs a few lightweight agents installed on existing servers. These agents need internet access as well as access to the domain controllers. Pass-through authentication requires uninterrupted network access to the domain controllers. The network traffic is encrypted and carries authentication requests only.

As with password-hash synchronization, seamless SSO avoids unnecessary prompts after users sign in and improves their sign-in experience.

We can also use password-hash synchronization as a backup authentication method for pass-through authentication, for when the agents cannot validate credentials because of an on-premises failure. The failover is not automatic: an administrator has to switch the sign-on method manually in Azure AD Connect.

Federated authentication

This method depends completely on an external trusted system for authentication. Some organizations want to reuse their existing federated system with their Azure AD hybrid identity solution. Since that system is within the organization’s control, its deployment, security and authentication load handling fall outside the control of Azure AD.

The user experience depends entirely on how the federation farm is configured. If there is an MFA server or a third-party multifactor solution involved, then AD FS is the recommended option.


Authentication controls access to apps: it lets authorized users in and keeps malicious people away from our organization’s sensitive data.

Enable password hash synchronization for whichever authentication method you choose, for the following key reasons:

1. High availability and disaster recovery

Deploy redundant servers to avoid single points of failure, so that authentication requests are always serviced even if a component fails. Password hash synchronization helps avoid outages because the Microsoft Azure AD cloud authentication service scales globally and is always available.

2. Identity protection

Microsoft scans the internet for credentials that malicious people sell or make available on the web. Azure AD can use this information to verify whether any of the usernames and passwords in your organization are compromised, and thereby protect our users. So it is critical to enable password hash synchronization no matter which authentication method you use, whether federated or pass-through authentication. We can also force users to change their passwords if they try to sign in with leaked passwords.
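
One way to check a tenant against the recommendation above, as an added example that is not part of the original article: it reads constructed sample data and reports every verified domain that has no password hash synchronization behind it. The field names are assumptions modelled on Microsoft Graph domain and on-premises synchronization objects; adjust them to the export you actually have.

```python
# Constructed sample data. Field names follow the shape of Microsoft Graph
# "domain" objects and the on-premises synchronization "features" object;
# treat them as assumptions and adapt them to your own export.
SAMPLE_DOMAINS = [
    {"id": "contoso.example", "authenticationType": "Federated", "isVerified": True},
    {"id": "fabrikam.example", "authenticationType": "Managed", "isVerified": True},
    {"id": "pending.example", "authenticationType": "Managed", "isVerified": False},
]
SAMPLE_SYNC = {"onPremisesSyncEnabled": True,
               "features": {"passwordSyncEnabled": False}}


def audit_tenant(domains, sync):
    """Flag verified domains that lack password hash sync as a safety net."""
    hybrid = bool(sync.get("onPremisesSyncEnabled"))
    phs = bool(sync.get("features", {}).get("passwordSyncEnabled"))
    findings = []
    for dom in domains:
        if not dom.get("isVerified"):
            continue  # unverified domains are not used for sign-in
        auth = dom.get("authenticationType", "Unknown")
        if not hybrid:
            status, note = "n/a", "cloud-only tenant, nothing to synchronize"
        elif phs:
            status, note = "ok", "hashes synced: backup sign-in and leaked-credential checks possible"
        elif auth == "Federated":
            status, note = "gap", "sign-in depends on the federation farm alone"
        else:
            status, note = "gap", "managed domain without hash sync (likely pass-through only)"
        findings.append({"domain": dom["id"], "auth": auth,
                         "status": status, "note": note})
    return findings


def has_gaps(findings):
    """True when at least one domain has no password hash sync behind it."""
    return any(f["status"] == "gap" for f in findings)


if __name__ == "__main__":
    for f in audit_tenant(SAMPLE_DOMAINS, SAMPLE_SYNC):
        print(f"{f['domain']:18} {f['auth']:10} {f['status']:4} {f['note']}")
```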