In this post, I will be walking through configuring Azure AD pass through authentication and single sign-on for a single AD forest, and confirming the client experience once implemented.
Azure AD pass through authentication is another alternative to password synchronization, similar in functionality to AD FS, that can be enabled in Azure AD Connect. It ensures that password validation for Azure AD services is performed against your on-premises Active Directory. Passwords can be validated without the need for complex network infrastructure (e.g. AD FS) or for the on-premises passwords to exist in the cloud in any form.
With just pass through authentication enabled, a user will still need to enter their password to access cloud services from a machine connected to your on-premise AD domain.
Azure AD single sign-on is another option that can be enabled in Azure Active Directory Connect with either password synchronization or pass-through authentication. When enabled, users only need to type their username and do not need to type their password to sign in to Azure Active Directory (Azure AD) when they are on their corporate machines and connected on the corporate network.
Therefore, with pass through authentication and single sign-on enabled, you can achieve the same authentication requirements for Azure AD and SSO experience for clients, typically gained by implementing AD FS, which obviously simplifies the steps to implement this functionality.
NOTE: At the time of writing (March 2017) these features are still in preview, version 1.1.443.0.
A detailed list of requirements is detailed here. A summary of these relevant to this post are below:
Run the Azure AD Connect wizard. Click Configure on the Welcome screen.
Select Change user sign-in on the Additional Tasks page and click Next
Connect to your Azure AD tenant by entering your Username and Password and click Next
The wizard will connect to Microsoft Online. Click on Pass-through authentication and Enable single sign-on as shown below under the User sign-in page
You will need to provide domain administrator credentials for your on-premises AD forest on the Enable single sign-on page. Click Next once the credentials have been verified
Review the settings on the Ready to configure page and then click Configure to apply the settings.
The wizard will go through the steps of installing and configuring pass-through authentication.
To facilitate single sign-on for clients, the Azure AD URLs need to be added to the Intranet zone of client Internet browsers. This setting makes the browser automatically send the currently logged in user’s credentials in the form of a Kerberos ticket to Azure AD.
Typically, you would use group policy to do this, and this is explained here. However, for this lab, just enter the two required URLs into the Intranet zone of your test machine’s browser manually.
Now, from you client test machine, browse to any of your services that use Azure AD for authentication. For this test, I’ll logon to portal.office.com.
Enter your test username, e.g. email@example.com, and then click in the Password field.
When you click on the password field, the logon page will pass the user’s existing Kerberos token to Azure AD and they will be logged onto the portal automatically, without having to enter their password.
When logging onto portal.office.com from an external network, you must also enter the password, which is expected, and then click Sign in
After you click on Sign in you will see your browser Trying to sign you in as shown below. In the background this is authenticating against your on-premises AD via pass-through authentication. This will then take you through to the Office 365 portal as shown above.
So, as you can see above, you can now realise the benefits of single sign-on (for clients connected to your internal corporate network) very easily with just Azure AD Connect, rather than having to implement more complex AD FS infrastructure, which is an great new feature that will obviously be a big win for many.