When it comes to Azure AD authentication in a hybrid environment, where we have both an on-premises and a cloud environment, it is easy to lose track of the different options and terms for authentication in Azure AD.

We first need to distinguish between two fundamentally different models for authenticating users in Azure/Microsoft 365: managed vs. federated domains in Azure AD.




Federated Domain

A federated domain means that you have set up a federation between your on-premises environment and Azure AD. In this case all user authentication happens on-premises. When a user logs into Azure or Microsoft 365, their authentication request is forwarded to the on-premises AD FS server.

Because of the federation trust configured between both sides, Azure AD trusts the security tokens issued by the on-premises AD FS server for authentication with Azure AD.

The federation itself is set up between your on-premises Active Directory Federation Services (AD FS) and Azure AD with the Azure AD Connect tool.

What is federation with Azure AD?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

Azure AD Connect and federation
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-whatis


Azure AD also supports federation with PingFederate, configured using the Azure AD Connect tool.

Configuring federation with PingFederate
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#configuring-federation-with-pingfederate

Ping Identity
https://en.wikipedia.org/wiki/Ping_Identity

Ping Identity PingFederate: Federated Identity Management Solutions
https://www.pingidentity.com/en/software/pingfederate.html





Managed Domain

A managed domain means that you synchronize objects from your on-premises Active Directory to Azure AD using the Azure AD Connect tool. Here you can choose between Password Hash Synchronization (PHS) and Pass-through Authentication (PTA).

With Password Hash Synchronization, authentication happens in Azure AD; with Pass-through Authentication, authentication still happens on-premises.

What is password hash synchronization with Azure AD?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of the hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.

What is Azure Active Directory Pass-through Authentication?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.

A great post about PTA and how it works can also be found here.
https://jaapwesselius.com/2017/10/26/azure-ad-connect-pass-through-authentication


Whether you use federated or managed domains, in all cases the Azure AD Connect tool is used to set up the configuration.
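As an added example (not part of the original post), the following PowerShell inventories each verified domain in the tenant, reports whether it is Managed or Federated, shows whether password hashes are being synchronized, and for federated domains surfaces the issuer, sign-in endpoint and token-signing certificate expiry that a defender would want to review. It assumes the MSOnline module is installed and Connect-MsolService has already been run with an account that can read directory configuration.

```powershell
# Added example: classify Azure AD domains by authentication model.
# Assumes: MSOnline module installed and Connect-MsolService already executed.

function Get-HybridAuthInventory {
    [CmdletBinding()]
    param()

    # Tenant-wide sync state from Azure AD Connect. PasswordSynchronizationEnabled only
    # tells you hashes are synced; PHS can also be enabled as a backup alongside PTA,
    # so it does not by itself prove which managed sign-in method is in use.
    $company = Get-MsolCompanyInformation
    Write-Host ("Directory sync enabled : {0} (last sync {1})" -f `
        $company.DirectorySynchronizationEnabled, $company.LastDirSyncTime)
    Write-Host ("Password hash sync     : {0} (last sync {1})" -f `
        $company.PasswordSynchronizationEnabled, $company.LastPasswordSyncTime)

    foreach ($domain in Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }) {
        $entry = [ordered]@{
            Domain         = $domain.Name
            Authentication = $domain.Authentication   # 'Managed' or 'Federated'
        }

        if ($domain.Authentication -eq 'Federated') {
            # Federated: Azure AD trusts tokens issued by the on-premises STS (AD FS,
            # PingFederate, ...). Review issuer, endpoint and signing-certificate lifetime;
            # an unexpected issuer or an expiring certificate both deserve attention.
            $fs = Get-MsolDomainFederationSettings -DomainName $domain.Name
            $entry.AuthenticatesAt = 'On-premises STS'
            $entry.IssuerUri       = $fs.IssuerUri
            $entry.PassiveLogOnUri = $fs.PassiveLogOnUri
            if ($fs.SigningCertificate) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                            [Convert]::FromBase64String($fs.SigningCertificate))
                $entry.SigningCertThumbprint = $cert.Thumbprint
                $entry.SigningCertExpiry     = $cert.NotAfter
            }
        }
        else {
            # Managed: PHS validates the synced hash in Azure AD; PTA forwards the password
            # to the on-premises PTA agent. The domain object does not record which one.
            $entry.AuthenticatesAt      = 'Azure AD (PHS) or on-premises AD via PTA agent'
            $entry.PasswordHashesSynced = $company.PasswordSynchronizationEnabled
        }
        [pscustomobject]$entry
    }
}

Get-HybridAuthInventory | Format-List
```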





Single Sign-on to Azure and Office 365

All of the above authentication models, federated and managed, support single sign-on (SSO).

For more details on managed domains with password hash synchronization, see my following posts.






Links

What is Azure Active Directory authentication?
https://docs.microsoft.com/en-us/azure/active-directory/authentication/overview-authentication

What authentication and verification methods are available in Azure Active Directory?
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

What is federation with Azure AD?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

Azure AD Connect and federation
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-whatis

Migrate from federation to password hash synchronization for Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync

What is password hash synchronization with Azure AD?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs

What is Azure Active Directory Pass-through Authentication?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

Manage device identities using the Azure portal
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal