Cloud-enabling your users & groups with Azure AD Connect Sync

Azure AD Connect is Microsoft’s secure integration and synchronisation tool, designed to help sites adopt hybrid identities. The solution has a number of different components that can be enabled, and can manage everything from enabling secure Pass-Through Authentication (PTA) via your existing Active Directory (AD) Domain, to synchronising your users, groups, and even devices, to Azure Active Directory (Azure AD) so that they can authenticate in the cloud: providing anywhere, any-time access.

In a traditional on-premises identity solution, users will need to authenticate against local Domain Controllers, or will likely need to use a solution like Virtual Private Network (VPN) connections to access work resources when external. When some sites attempt to extend their Domain to the cloud, their first thought is to provision new accounts in the cloud, but this often leaves the user needing to manage two accounts with two different passwords. Integrating your on-premises AD with Azure AD, via Azure AD Connect sync, makes your users more productive by providing a common identity for accessing both cloud and on-premises resources, helping you more easily reach your hybrid identity goals.

What are the license requirements for Azure AD Connect?

When talking about identity management platforms, synchronisation tools, and cloud tools, one of the first questions people ask is: “How much will this cost me?”. So let’s get this out of the way nice and early… Using Azure AD Connect is free, and included in the Azure subscription that you likely already have if you have a Microsoft 365 tenant. Yes, you read that right. Microsoft are so committed to Azure, their cloud and security tools, that they are more than happy for you to download and use Azure AD Connect in order to get your identities cloud-enabled.

This is just one of the many Hybrid features that Microsoft offers customers to assist with their modernisation/transformation projects. Of course, it’s not all just a goodwill gesture: many of the products, services and features that you’ll likely want to implement will cost a monthly subscription per user, and that’s how they can justify giving this functionality away for free… but you’re not obligated to pay for anything. If all you want to do is create cloud identities, provide Single Sign-On (SSO) functionality, and provide access to Office apps (if you are licensed for them), then this remains a completely free solution for your site.

What else does Azure AD Connect offer?

I get it, sometimes you want more value from a solution before you consider investing in it, even if the solution is free. So here are some of the other features that you get when you decide to install Azure AD Connect:

  • Password Hash Synchronisation
    Password Hash Sync (or PHS) is a feature that can be used as a security reporting tool, and as a sign-in method. With PHS enabled in Azure AD Connect, a hash of your Active Directory user’s password is further secured and hashed before being presented to Azure AD as a way to authenticate; the original AD password hash itself is never sent to the cloud. But PHS offers far more than just this, so please read my blog post on Password Hash Sync here.
  • Pass-through Authentication
    Pass-through Authentication (or PTA) is a sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
  • Federation integration
    Federation is an optional part of Azure AD Connect and can be used to configure a Hybrid environment using on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
  • Password Write-Back
    Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users reset their passwords in the cloud, but most companies also have an on-premises Active Directory Domain Services (AD DS) environment where their users exist. Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time. Together with Password Hash Sync, this completes the full password management cycle.
  • Device Write-Back
    Device Writeback is used to complete the setup of the trusts needed for Windows Hello for Business (WHfB) using Hybrid Key Trust or Certificate Trust deployments, and to enable Conditional Access policies to apply to devices that need to connect through AD FS (2012 R2 or higher).
  • Health Monitoring
    Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity. While this feature also requires Azure AD Premium licensing, it does allow you to install Health clients on your Domain Controllers, Web Application Proxy and ADFS server, and will help report on any issues found with identity or synchronisation on your site.
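To make the Password Hash Synchronisation point above concrete, here is an added illustration (not code from this post or from Microsoft) of the hardening step the PHS agent applies before anything leaves the site. It follows Microsoft’s public description of the process (expand the 16-byte NT hash to 64 bytes via its hex string in UTF-16, add a 10-byte per-user salt, run 1,000 iterations of PBKDF2-HMAC-SHA256, and send the result with the salt and iteration count); the hex case, the exact way hash and salt are combined, the sample NT hash and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

ITERATIONS = 1000  # iteration count Microsoft documents for PHS

# Constructed sample NT hash for the example; not a real account's hash.
CONSTRUCTED_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


class SyncedHash(NamedTuple):
    """What the agent transmits: the derived hash plus the per-user salt and
    iteration count, so Azure AD can repeat the derivation at sign-in."""
    derived: bytes
    salt: bytes
    iterations: int


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte NT (MD4) hash to 64 bytes: hex string, then UTF-16LE.
    Upper-case hex is an assumption; the public description does not say."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().upper().encode("utf-16-le")


def harden_nt_hash(nt_hash: bytes, salt: bytes, iterations: int = ITERATIONS) -> SyncedHash:
    """Derive the value that actually leaves the agent. Feeding the expanded
    hash as the PBKDF2 'password' and the 10-byte salt as its salt is an
    assumption about how the two inputs are combined."""
    if len(salt) != 10:
        raise ValueError("per-user salt must be 10 bytes")
    derived = hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, iterations)
    return SyncedHash(derived, salt, iterations)


def sync_user(nt_hash: bytes) -> SyncedHash:
    """Agent side: a fresh random per-user salt each time the hash is synced."""
    return harden_nt_hash(nt_hash, os.urandom(10))


def verify_sign_in(nt_hash_of_entered_password: bytes, stored: SyncedHash) -> bool:
    """Azure AD side: repeat the derivation with the stored salt and count and
    compare in constant time; the raw NT hash is never needed in the cloud."""
    candidate = harden_nt_hash(nt_hash_of_entered_password, stored.salt, stored.iterations)
    return hmac.compare_digest(candidate.derived, stored.derived)


if __name__ == "__main__":
    record = sync_user(CONSTRUCTED_NT_HASH)
    print("synced:", record.derived.hex(), record.salt.hex(), record.iterations)
    print("sign-in with correct password:", verify_sign_in(CONSTRUCTED_NT_HASH, record))
```

The point to take from the record it produces is that a copy of the synced value is not usable against the on-premises Domain: the NT hash cannot be recovered from it, and it only ever verifies a password presented to Azure AD.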
