2. Design Decisions
• Azure AD Authentication options: Hash Sync vs Pass Through
• Azure AD: Register Vs Join
• Azure AD MFA: Authenticator Vs YubiKey Vs Hello
4. AD Federated Authentication
[Diagram: user authentication is sent to the federation server. Flow: On-Prem AD <-> On-Prem Federation Server <-> On-premises Federation Proxy (in the perimeter) <-> Internet <-> Azure AD]
5. Cloud Authentication vs Federation (ADFS)
| | Cloud | Federation |
|---|---|---|
| Authentication Location | In Cloud | On-Prem |
| Server Requirements | None | Two or more AD FS servers & WAP servers (in the perimeter/DMZ network) |
| Network Requirements | None (PHS) / Outbound Internet Access (PTA) | Inbound Internet Access & Network load balancing |
| Advantages | Cost effective & easiest deployment; can log in even if AD is down; high availability & disaster recovery; use Azure AD Identity Protection; more Intune feature sets | Authentication happens on-prem; immediate account lockout; use AD FS claim rules; Azure AD Premium not required; custom MFA provider |
6. AD Password Hash Sync
[Diagram: AD Connect on the intranet reads password hashes from on-prem AD and syncs them to Azure AD over the Internet (Password Hash Sync); the user's password is validated against the Azure hash*]
*MD4+salt+PBKDF2+HMAC-SHA256
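The footnote's derivation chain (MD4, per-user salt, PBKDF2-HMAC-SHA256) worked through as an added example that is not part of the original deck: it computes the on-prem NT hash, then the salted and iterated value that AD Connect actually syncs, and shows that Azure AD can verify a password from that value even though the NT hash itself never leaves the intranet. The 10-byte salt, 1000 iterations and 32-byte output are the parameters Microsoft documents; the upper-case hex in the expansion step is an assumption.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so this runs even where OpenSSL has no legacy MD4."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, message-word order, shift table, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + f(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """What on-prem AD stores: unsalted MD4 of the UTF-16LE password (replayable as-is)."""
    return md4(password.encode("utf-16-le"))

SALT_LEN, ITERATIONS, DKLEN = 10, 1000, 32  # PHS parameters as documented by Microsoft
def phs_derive(nt: bytes, salt: bytes) -> bytes:
    """NT hash -> 32 hex chars re-encoded as UTF-16LE (64 bytes) -> PBKDF2-HMAC-SHA256.
    Upper-case hex is an assumption; the documented steps do not state the case."""
    expanded = nt.hex().upper().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, ITERATIONS, DKLEN)

def phs_sync_record(password: str, salt: bytes) -> dict:
    """Stand-in for what AD Connect sends to Azure AD: salt + derived hash, never the NT hash."""
    return {"salt": salt, "hash": phs_derive(nt_hash(password), salt)}

def phs_verify(record: dict, password: str) -> bool:
    """Cloud-side check: re-run the derivation on the attempted password and compare."""
    return hmac.compare_digest(record["hash"], phs_derive(nt_hash(password), record["salt"]))
```

Because the synced value is a salted, iterated derivation, a leaked copy of it cannot be replayed the way an NT hash can; Azure AD still validates the user's password by re-running the same chain.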
7. AD Pass Through Authentication
[Diagram: Azure AD forwards the user's credentials over the Internet to the on-prem AuthN Agent (installed alongside AD Connect on the intranet), which validates them against on-prem AD]
8. AAD Password Hash Sync Vs Pass Through Auth
| | PHS | PTA |
|---|---|---|
| Password Location | Azure AD (hash) | On-Prem |
| Account Lockout/Disable | Next Cycle (disable) | Immediate |
| Azure AD Identity Protection | Yes (requires Azure AD Premium P2 licenses) | |
| Advantages | Cost effective & easiest deployment; can log in even if AD is down | Authentication happens on-prem; works with Azure Conditional Access |
9. Azure AD: Register vs Join
Registering a device with Azure AD enables you to manage the device's identity. When combined with a mobile device management (MDM) solution such as Intune, it allows you to create conditional access rules that require devices to meet your standards for security and compliance before they are granted access.
Joining a device is an extension of registering a device: it provides all the benefits of registration and additionally changes the local state of the device. This enables your users to sign in to the device using an organizational work or school account.
10. Azure AD: Register vs Join
| | Register | Join | Hybrid |
|---|---|---|---|
| Device Ownership | Personal (BYOD) | Firm Issued | Firm Issued |
| Device Type | Win8.1-10, Android, iOS | Win10 devices (for devices that are not joined to an on-premises AD) | Win7-10 PCs (for devices that are joined to an on-premises AD) |
| Registration / Management | Manually register devices with Azure AD; MDM (Intune) | Manually register devices with Azure AD; change the local state of a device; MDM (Intune) | Automatically register devices with Azure AD; change the local state of a device; SCCM + GP |
| Additional Functionality | Cloud + SSO; conditional access using Intune; AD Connect + device writeback; Windows Hello | Cloud + SSO; conditional access using Intune; AD Connect + device writeback; Windows Hello; Enterprise State Roaming | SSO; access Win32 apps that rely on AD auth. |
11. MFA Deployment: Decision Matrix
| Planning Considerations | Decision Points |
|---|---|
| Azure MFA verification options | Authenticator, Call, SMS |
| Network definition* | Named locations or trusted IPs |
| Azure conditional access policies* | Cloud Apps, Users/Groups, Access Controls |
| Azure MFA registration policy | MFA for everyone or limited to admin groups |
| Remember MFA | Yes/No (number of days) |
| Azure MFA rollout for users | Pilot deployment, full-scale rollout |
| On-premises integration with Azure MFA | Use with legacy apps, on-prem AD FS/RADIUS apps? |
12. Azure AD: 2FA Options
• Windows Hello
• Microsoft Authenticator
• FIDO2 Security Keys
*Trusted IPs under Azure MFA Service Configuration need only be configured when you are not using Azure Conditional Access policies.
*Trusted IP ranges need only be defined when the Azure Active Directory tenant is managed (i.e. not federated with Active Directory Federation Services).