Shulou(Shulou.com)06/01 Report--

This article will explain in detail the example analysis of Azure AD Connect user login options. The content of the article is of high quality, so the editor will share it with you for reference. I hope you will have some understanding of the relevant knowledge after reading this article.

Azure AD Connect believes that everyone has used it, and its role is to allow users to use the same account password to access local and cloud resources. Make the IT administrator only need to manage the users of the local DC.

In the new version of Azure AD Connect, some changes have taken place in users' login options and an item has been added: pass-through authentication. Currently, there are three authentication methods:

1) password synchronization

2) pass-through authentication

3) ADFS federated authentication

And added: seamless SSO, this function can be used in conjunction with password synchronization and pass-through authentication, after the local domain-joined PC logs in to the system using a domain account, it can directly access cloud resources without entering credentials.

As shown below:

For the above login options, which one should we choose? please refer to the following figure:

Browsers supported by SSO are shown in the following table:

Below, I will focus on the differences between the following two authentication methods:

1) password synchronization using SSO

2) pass-through authentication using SSO

The advantages of the above two authentication methods are as follows:

Great user experience

O Users are automatically signed into both on-premises and cloud-based applications.

O Users don't have to enter their passwords repeatedly.

Easy to deploy & administer

O No additional components needed on-premises to make this work.

O Works with any method of cloud authentication-Password Hash Synchronizationor Pass-through Authentication.

O Can be rolled out to some or all your users using Group Policy.

Register non-Windows 10 devices with Azure AD without the need for any AD FS infrastructure. This capability needs you to use version 2.1 or later of the workplace-join client.

The working principles of the above two authentication methods are shown in the following figure:

For the operation process of specific configuration, please refer to the following link:

Https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start

It is important to note that if we use either of the above two methods, we need to add the local intranet address to all PC browsers with the domain:

Https://autologon.microsoftazuread-sso.com

Https://aadg.windows.net.nsatc.net

As shown below:

We can add it through group policy (you can also refer to the link above for this process)

The important difference is:

Use SSO password synchronization if the local Azure AD connect fails, the credential box pops up when the user logs in to the cloud resource (because the SSO password synchronization has synchronized the local user's password hash value to the Azure AD), so we only need to enter the user name and password of the local account to log in.

If we use SSO pass-through authentication, when the local Azure AD connect fails, the user cannot log in to the cloud resource (because this authentication method does not synchronize the user's password to the Azure AD).

Therefore, if we are using SSO pass-through authentication, it is recommended to use a highly available deployment

This is the end of the sample analysis of Azure AD Connect user login options. I hope the above content can be of some help and learn more. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.