AD Connect Authentication Options – What do I Choose?

Microsoft continues to provide new and interesting ways to configure AD Connect for authentication. In the past, the two main options were Password Hash Synchronization or ADFS. Microsoft has since added Pass-through Authentication, along with a new feature called Seamless Single Sign-On. With all of these options available, here are a few questions to help you pick what is best for your organization:

Do you have complex user login rules based on location, time and/or device?

Some organizations have very complex rules around user logins to Office 365. Those rules can include limiting access based on location, time of day, or device type. Many of those rules, such as device-type or location-specific rules, can be managed by Azure Active Directory Conditional Access policies. However, if you need time-based rules, or a combination of all of the above, then ADFS might be the solution for you.

ADFS gives the most flexibility for custom policies and access restriction rules, but it is also the most complicated of the environments to manage. ADFS requires numerous redundant on-premises servers, because if the ADFS environment fails, your authentication to Office 365 will also fail.

If you don’t need extremely complicated authentication rules…

Do you have a high compliance threshold, where storing password information anywhere other than your on-premises Active Directory is a challenge?

When passwords are replicated to Azure AD they are hashed twice and thoroughly secured, so that Microsoft can meet all requirements from a compliance perspective. However, some financial and legal organizations prefer to keep all password information locally. In that scenario, Pass-through Authentication is for you. This solution uses agents installed in your environment that pass all Azure AD authentication requests directly back to your domain controllers. This ensures that all authentication is done on-premises and that all of your on-premises authentication security (such as account lockout and logon hour restrictions) is applied to your cloud logins.

Pass-through Authentication does carry similar availability risks to ADFS, because the agents are required for authentication to succeed. However, the agents are much more lightweight, and they are built into the AD Connect installation for easier deployment and management.

Does neither of the above questions apply to you?

Then you fall into the most common category, and that is to use Password Hash Synchronization. Whenever possible, Microsoft and BDO Digital recommend using Password Hash Synchronization, since it is the simplest solution and the most resilient: if the on-premises environment fails, authentication to Office 365 will not be impacted. Password Hash Synchronization is built into the base AD Connect installation, so no additional software is required, and, as mentioned above, the passwords are double hashed and secured to ensure compliance.

So what about Seamless Single Sign-On?

Seamless Single Sign-On is a solution built into AD Connect that reduces username and password prompts when users are in the office, signed in to a domain-joined device. If you are using Password Hash Synchronization or Pass-through Authentication, it is recommended to turn on Seamless Single Sign-On. Equivalent single sign-on functionality is already built into ADFS, so there is no need to turn it on twice. Seamless Single Sign-On is also opportunistic: it will work when possible, but it does not block login or disrupt the user experience if it is not working properly.

Are you an existing ADFS user looking to transition back to Password Hash? Are you new to Office 365 and need help setting up AD Connect? Contact BDO Digital and we will be happy to help.