Although it has been around for a while, single sign-on allows users access to a company’s web properties with only one set of credentials. This helps to eliminate password fatigue, it helps to improve the user experience and simplifies password management.

Now, Azure AD Connect offers customers a seamless single sign-on experience. It hit general availability in June 2015 and now more and more large enterprises are now using it. So what is Azure AD Passthrough Authentication and Single Sign-On? Continue reading to learn more.

What is Azure AD Passthrough Authentication?

Some of the early adopters of the Microsoft Office 365 platform would deploy an on-premise service called Active Directory Federated Services (AD FS) to ensure that passwords never leave the on-premises Active Directory. This also required the IT department to set up and install AD FS.

Furthermore, it meant that cloud-based applications had to be dependent on the local Active Directory. What was the result? Well, if the Internet was down, so was your email server. In terms of Azure AD passthrough authentication vs ADFS: the complexity of configuring the AD FS infrastructure with separate links and ISPs, SSL Certificates and more was burdensome at best.

Azure AD premium offers single sign-on (SSO) via password sync or federation with Active Directory Federation Services. The good news is you can now use pass-through authentication with seamless SSO.

Source: Microsoft

While it does require that all logins rely on the local Active Directory for authentication; it does not require as much complexity as the AD FS server infrastructure or SSL certificates. Instead, it uses a lightweight connector, is installed on-premises and lets Azure AD validate all AD passwords and usernames. Nonetheless, the passwords are never stored in Azure AD, and you get seamless single sign-on.

Plus, since the connector uses secure outbound communications, it does not need to be placed in a demilitarized zone (DMZ). Even if you install more than one connector, they will load balance the other so you won't need to implement additional infrastructure. This is pass through authentication at its finest.

New Capabilities

Consider how you access and configure access for Templafy and other office applications with AD connect via Microsoft Azure. Users can now log into tenant Office 365 resources without having to login in again when using a Windows-based and domain-connected device. Here are just a few of the many highlights of SSO:

  • Can be managed via Group Policy
  • Works with both password hash synchronization and pass-through authentication
  • No additional components are needed
  • Can be enabled through Azure AD Connect
  • It is a free feature
  • Supported on browsers and platforms that can use Kerberos authentication
  • If the system fails, the user can simply enter their password manually on the sign-in page
  • Users are automatically signed into cloud-based applications and on-premise applications

Managing Azure AD Connect via group policy is ideal since you can easily implement company-wide policies for access and web restrictions for particular sites with highly-sensitive data. Not to mention, all businesses must prioritize network security.

The last thing any company wants is the bad press associated with a security breach when a user is found having a weak password. Plus, group policy ensures efficient management when there are over 100 employees, who all need access to company-wide apps.

Group Policy can install, update and upgrade Azure AD Passthrough Authentication access and user settings on every machine, simultaneously. According to Microsoft, Group Policy can be thought of as, "touch once, configure many."

Preparation for the General Data Protection Regulation (GDPR)

Passthrough authentication and GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force. This is the regulation where the European Commission, the European Parliament and the Council of the European Union strengthened and conjoined data protection for every citizen of the European Union (EU).

This directive affects every area of customer data processing. All digital platforms that services customers were required to prepare for new compliance standards and additional administrative work. Here is IBM's four-step approach to prepare for GDPR. The steps included:

  • Designing an implementation plan
  • Transforming the organization wherever enhancements were needed
  • Operating along a framework to ensure compliance
  • Ongoing compliance with GDPR standards

The focus is on the security of the data. Still, the regulation mandates that companies with a large amount of data, elect a data protection officer. And, protecting data is different from protecting the network. Being one of the most dramatic data privacy regulations in the past 20 years, every data-collecting company has been affected.

What's most important is data loss and data misuse. This is where the benefits of Azure AD Connect pass-through authentication can play a role. Employees need access to various portals and departments within the business. To protect data, strong passwords are required. In addition, a strong password is and/or should be required for every single login.

Yet, let's face it, it is highly unrealistic to expect the average user to recall strong passwords for every portal and cloud service they utilize. Even those in the tech world will take shortcuts, such as reusing passwords, writing down passwords or creating weak passwords just to save time. With single sign-on, employees need only access a single portal for all their apps.

Moreover, this means they only need to remember one strong password instead of 10 or more. All global companies must manage marketing their products and services in disparate markets such as the US, the UK, the EU, Asia-Pacific, South America and more. Some enterprise companies might work with several local marketing agencies who all own different pieces of data.

Imagine if data was stored in one portal and access managed by Azure AD Connect pass-through authentication. This means that the data could be centralized for better security management.

What Do You Need?

Since Azure AD Connect is not as complex as AD FS, all you need is the key port TCP443 to communicate with ADDS on-premises and Azure AD in the cloud. Also, Azure AD should be updated to the most recent version. Other required components include:

  • Windows Server 2012 R2 or higher
  • Several new ports to allow communication with the Azure Application proxy
  • New firewall rules to permit traffic to wildcard subdomains.

Here is another reason why this option is so convenient and seamless: if you want to use your own infrastructure, in addition to third-party solutions, you can do that with Azure AD.

Final Thoughts

Azure AD Connect treads into a highly positive direction in the single sign-on world from Microsoft. It can streamline identity deployments while saving on the complexities of instance and infrastructure cost associated with AD FS.

With reduced overhead, companies can now maintain a higher level of security which is a boost, especially with government regulations such as the GDPR now in place. Furthermore, there isn't any question that Azure AD will cause many users to rejoice at its simplicity. Because as we all know, password management can be a headache for large enterprises.

More relevant articles:

Read an article written by our CTO: Why migrate your business to office 365

See how Templafy can help your company to achieve maximum office productivity

Learn how to add Templafy to your current SSO in your Azure AD