Azure AD – Federated Domain vs. Managed Domain
When it comes to Azure AD authentication in a hybrid environment, where we have both an on-premises and a cloud environment, it is easy to lose track of the different options and terms for authentication in Azure AD.
We first need to distinguish between two fundamentally different models for authenticating users in Azure/Microsoft 365: managed vs. federated domains in Azure AD.
Federated Domain
A federated domain means that you have set up a federation between your on-premises environment and Azure AD. In this case all user authentication happens on-premises. When a user logs into Azure or Microsoft 365, the authentication request is forwarded to the on-premises AD FS server.
Because of the federation trust configured between both sides, Azure AD trusts the security tokens issued by the on-premises AD FS server for authentication with Azure AD.
The federation itself is set up between your on-premises Active Directory Federation Services (AD FS) and Azure AD using the Azure AD Connect tool.
What is federation with Azure AD?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
Azure AD Connect and federation
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-whatis
Azure AD also supports federation with PingFederate, configured using the Azure AD Connect tool.
Configuring federation with PingFederate
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#configuring-federation-with-pingfederate
Ping Identity
https://en.wikipedia.org/wiki/Ping_Identity
Ping Identity – Federated Identity Management Solutions
https://www.pingidentity.com/en/software/pingfederate.html
Managed Domain
A managed domain means that you synchronize objects from your on-premises Active Directory to Azure AD using the Azure AD Connect tool. Here you can choose between Password Hash Synchronization and Pass-through Authentication.
With Password Hash Synchronization the authentication happens in Azure AD; with Pass-through Authentication the authentication still happens on-premises.
What is password hash synchronization with Azure AD?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of a user’s password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
What is Azure Active Directory Pass-through Authentication?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Azure AD, this feature validates users’ passwords directly against your on-premises Active Directory.
A great post about PTA and how it works can also be found here.
https://jaapwesselius.com/2017/10/26/azure-ad-connect-pass-through-authentication
Whether you use federated or managed domains, in all cases you use the Azure AD Connect tool.
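To see which model a tenant actually uses, the following added example (not code from the original post) inventories every verified domain and reports whether it is Managed or Federated, i.e. whether sign-ins are validated by Azure AD or by the on-premises AD FS/PingFederate instance. It assumes the Microsoft.Graph PowerShell module and an account with directory read permissions; the issuer and sign-in properties read from the federation configuration are assumed names.

```powershell
# Added example (not from the original post): report where authentication
# happens for each verified domain in the tenant. Assumes the Microsoft.Graph
# module is installed and the signed-in account can read domains and org info.
Connect-MgGraph -Scopes "Domain.Read.All", "Organization.Read.All" | Out-Null

$org = Get-MgOrganization
Write-Host "Tenant: $($org.DisplayName)"
Write-Host "Directory sync (Azure AD Connect) enabled: $($org.OnPremisesSyncEnabled)"
# A recent password sync timestamp indicates Password Hash Synchronization is active.
Write-Host "Last password hash sync: $($org.OnPremisesLastPasswordSyncDateTime)"

foreach ($domain in Get-MgDomain -All | Where-Object { $_.IsVerified }) {
    $line = "{0,-40} {1}" -f $domain.Id, $domain.AuthenticationType
    if ($domain.AuthenticationType -eq 'Federated') {
        # Federated: Azure AD trusts tokens issued by the on-premises STS listed here,
        # so this trust configuration is what a defender should baseline and monitor.
        $fed = Get-MgDomainFederationConfiguration -DomainId $domain.Id
        $line += "  issuer={0} passiveSignIn={1}" -f $fed.IssuerUri, $fed.PassiveSignInUri
    }
    Write-Host $line
}
# Note: Pass-through Authentication is a tenant-wide Azure AD Connect setting;
# a PTA domain still shows AuthenticationType 'Managed', as described above.
```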
Single Sign-on to Azure and Office 365
All of the authentication models above, federated and managed domains alike, support single sign-on (SSO).
For more details on managed domains with password hash synchronization, see my following posts.
Links
What is Azure Active Directory authentication?
https://docs.microsoft.com/en-us/azure/active-directory/authentication/overview-authentication
What authentication and verification methods are available in Azure Active Directory?
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
What is federation with Azure AD?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
Azure AD Connect and federation
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-whatis
Migrate from federation to password hash synchronization for Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync
What is password hash synchronization with Azure AD?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
What is Azure Active Directory Pass-through Authentication?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Manage device identities using the Azure portal
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal