Build resilience in your hybrid architecture
Hybrid authentication allows users to access cloud-based resources with their identities mastered on-premises. A hybrid infrastructure includes both cloud and on-premises components.
Cloud components include Azure AD, Azure resources and services, your organization’s cloud-based apps, and SaaS applications.
On-premises components include on-premises applications, resources like SQL databases, and an identity provider like Windows Server Active Directory.
Important
As you plan for resilience in your hybrid infrastructure, it’s key to minimize dependencies and single points of failure.
Microsoft offers three mechanisms for hybrid authentication. The options are listed in order of resilience, most resilient first. We recommend that you implement password hash synchronization if possible.
Password hash synchronization (PHS) uses Azure AD Connect to sync the identity and a salted hash of the user's on-premises password hash (never the cleartext password) to Azure AD, enabling users to sign in to cloud-based resources with the password mastered on-premises. PHS has on-premises dependencies only for synchronization, not for authentication.
Pass-through Authentication (PTA) redirects users to Azure AD for sign-in. The username and password are then validated against on-premises Active Directory through an agent deployed in the corporate network. PTA's on-premises footprint is the set of Azure AD PTA agents that run on on-premises servers.
Federation customers deploy a federation service such as AD FS, and Azure AD validates the SAML assertion produced by that service. Federation has the highest dependency on on-premises infrastructure, and therefore the most failure points.
You may be using one or more of these methods in your organization. For more information, see Choose the right authentication method for your Azure AD hybrid identity solution. This article contains a decision tree that can help you decide on your methodology.
Password hash synchronization
The simplest and most resilient hybrid authentication option for Azure AD is Password Hash Synchronization, which has no on-premises identity infrastructure dependency when processing authentication requests. Once identities with password hashes are synchronized to Azure AD, users can authenticate to cloud resources with no dependency on the on-premises identity components.

If you choose this authentication option, you will not experience disruption when on-premises identity components become unavailable. On-premises disruption can occur for many reasons, including hardware failure, power outages, natural disasters, and malware attacks.
How do I implement PHS?
To implement PHS, see the following resources:
If your requirements are such that you cannot use PHS, use Pass-through Authentication.
Pass-through Authentication
Pass-through Authentication has a dependency on authentication agents that reside on-premises on servers. A persistent connection, or service bus, is present between Azure AD and the on-premises PTA agents. The firewall, servers hosting the authentication agents, and the on-premises Windows Server Active Directory (or other identity provider) are all potential failure points.

How do I implement PTA?
To implement Pass-through Authentication, see the following resources.
If you are using PTA, define a highly available topology.
Federation
Federation involves the creation of a trust relationship between Azure AD and the federation service, which includes the exchange of endpoints, token signing certificates, and other metadata. When a request comes to Azure AD, it reads the configuration and redirects the user to the endpoints configured. At that point, the user interacts with the federation service, which issues a SAML assertion that is validated by Azure AD.
The following diagram shows a topology of an enterprise Active Directory Federation Services (AD FS) deployment that includes redundant federation and web application proxy servers across multiple on-premises data centers. This configuration relies on enterprise networking infrastructure components such as DNS, Network Load Balancing with geo-affinity capabilities, and firewalls. All on-premises components and connections are susceptible to failure. Visit the AD FS Capacity Planning Documentation for more information.
Note
Federation has the highest number of on-premises dependencies, and therefore the most potential points of failure. While this diagram shows AD FS, other on-premises identity providers are subject to similar design considerations to achieve high availability, scalability, and fail over.
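The dependency chains described in the PHS, PTA and Federation sections above can be put into a small series/parallel availability model. The following Python block is an added example, not code from this article or from Microsoft: it treats each sign-in path as a series chain of components (every component must be up), treats redundant pools such as a PTA agent set or an AD FS farm as parallel groups (up while at least one member is up), and assumes component failures are independent. The availability figures are constructed for illustration, not measured values. It ranks the three paths, lists each path's single points of failure, and shows what happens to each path when every on-premises component is down at once.

```python
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Component:
    name: str
    availability: float          # P(component is up), in [0, 1]; constructed figure
    on_prem: bool = True         # False for cloud-side services such as Azure AD


@dataclass(frozen=True)
class Redundant:
    """A pool of interchangeable components: up while at least one member is up."""
    name: str
    members: List[Component]


Node = Union[Component, Redundant]


def node_availability(node: Node, on_prem_outage: bool = False) -> float:
    """Availability of one node. With on_prem_outage=True every on-prem
    component is treated as down, simulating a site-wide outage."""
    if isinstance(node, Component):
        if on_prem_outage and node.on_prem:
            return 0.0
        return node.availability
    # Parallel group: fails only if every member fails (independence assumed).
    p_all_down = 1.0
    for member in node.members:
        p_all_down *= 1.0 - node_availability(member, on_prem_outage)
    return 1.0 - p_all_down


def path_availability(chain: List[Node], on_prem_outage: bool = False) -> float:
    """A sign-in path is a series chain: every node must be up."""
    result = 1.0
    for node in chain:
        result *= node_availability(node, on_prem_outage)
    return result


def single_points_of_failure(chain: List[Node]) -> List[str]:
    """Nodes whose failure alone breaks the path: bare components and
    redundant pools that contain only one member."""
    spofs = []
    for node in chain:
        if isinstance(node, Component):
            spofs.append(node.name)
        elif len(node.members) == 1:
            spofs.append(node.members[0].name)
    return spofs


# Constructed, illustrative availabilities (not measured figures).
AZURE_AD = Component("Azure AD", 0.9999, on_prem=False)
FIREWALL = Component("on-prem firewall", 0.999)
DNS_NLB = Component("DNS / NLB with geo-affinity", 0.999)
AD_DS = Redundant("AD DS", [Component("DC1", 0.998), Component("DC2", 0.998)])
PTA_AGENTS = Redundant("PTA agents", [Component(f"PTA agent {i}", 0.995) for i in (1, 2, 3)])
WAP = Redundant("Web Application Proxy", [Component("WAP1", 0.995), Component("WAP2", 0.995)])
ADFS = Redundant("AD FS farm", [Component("ADFS1", 0.995), Component("ADFS2", 0.995)])

# PHS needs on-prem components only to synchronize, not to authenticate,
# so its sign-in path contains Azure AD alone.
PATHS = {
    "PHS": [AZURE_AD],
    "PTA": [AZURE_AD, FIREWALL, PTA_AGENTS, AD_DS],
    "Federation (AD FS)": [AZURE_AD, DNS_NLB, FIREWALL, WAP, ADFS, AD_DS],
}


def rank_paths(paths=PATHS):
    """Return (name, normal availability, availability during an on-prem outage),
    most resilient first."""
    rows = [(name, path_availability(chain), path_availability(chain, on_prem_outage=True))
            for name, chain in paths.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, normal, outage in rank_paths():
        print(f"{name:20s} normal={normal:.6f} on-prem outage={outage:.4f} "
              f"SPOFs={single_points_of_failure(PATHS[name])}")
```

Two things the numbers make visible that the prose only states: adding agents to a PTA pool drives the pool's contribution toward 1 quickly (three agents at 0.995 leave a joint failure probability of roughly 1e-7), but the firewall and Azure AD stay single points of failure for every path that includes them; and under a simulated on-premises outage PHS keeps Azure AD's availability while PTA and federation both drop to zero, which is the case for enabling PHS alongside federation that the next section makes.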

How do I implement federation?
If you are implementing a federated authentication strategy or want to make it more resilient, see the following resources.
Follow the AD FS capacity planning documentation
Enable PHS along with your federation
Next steps
Resilience resources for administrators and architects
Build resilience by using Continuous Access Evaluation (CAE)
Build resilience in application access with Application Proxy
Resilience resources for developers