Jun 4, 2023
Federation – Planning Identity Synchronization
With federated identity solutions, Azure AD is configured to refer authentication requests to an on-premises service to validate login data. When a federated user attempts to log on to an Azure AD resource, Azure AD redirects the login session to an organization-managed web service. Users then enter their credentials in this organization-managed application, which, in turn, validates the logon details against the on-premises directory.
Some organizations may require federated identity due to specific regulations, the need to use smartcard-based login, or third-party multi-factor authentication products. Due to its on-premises password validation component, if on-premises services (such as federation farm servers, load balancers, web application proxy servers, or domain controllers) are unavailable, users will be unable to log in to Azure AD.
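Because a federated domain only works while the on-premises federation service is reachable, a practical first check is to inventory which domains in the tenant are federated and whether the endpoint Azure AD redirects users to is actually up. The following PowerShell is an added example, not code from the book; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account has the Domain.Read.All permission.

```powershell
# Added example (not from the book): list tenant domains by authentication type and,
# for every federated domain, check the on-premises federation endpoint that Azure AD
# redirects sign-ins to. Assumes the Microsoft.Graph SDK and Domain.Read.All scope.

Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Read-only scope is sufficient for this inventory.
Connect-MgGraph -Scopes "Domain.Read.All" | Out-Null

$domains = Get-MgDomain -All

# Managed domains validate credentials in the cloud (PHS or PTA);
# federated domains depend on on-premises servers for every sign-in.
$domains |
    Select-Object Id, AuthenticationType, IsVerified, IsDefault |
    Format-Table -AutoSize

$report = foreach ($d in ($domains | Where-Object { $_.AuthenticationType -eq 'Federated' })) {
    foreach ($f in (Get-MgDomainFederationConfiguration -DomainId $d.Id)) {
        $passive = [uri]$f.PassiveSignInUri

        # The passive endpoint is where browser sign-ins are redirected; if TCP 443 on
        # that host is down, federated users cannot log in to Azure AD at all.
        $reachable = Test-NetConnection -ComputerName $passive.Host -Port 443 `
            -InformationLevel Quiet -WarningAction SilentlyContinue

        # The token-signing certificate is returned base64-encoded; an expired
        # certificate also breaks federated sign-in even when the servers are up.
        $certExpiry = $null
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($f.SigningCertificate))
            $certExpiry = $cert.NotAfter
        } catch { }

        [pscustomobject]@{
            Domain             = $d.Id
            IssuerUri          = $f.IssuerUri
            PassiveSignInUri   = $f.PassiveSignInUri
            MetadataExchange   = $f.MetadataExchangeUri
            EndpointReachable  = $reachable
            SigningCertExpires = $certExpiry
        }
    }
}

$report | Format-Table -AutoSize

# Flag anything that would stop federated users from signing in.
$report | Where-Object {
    -not $_.EndpointReachable -or
    ($_.SigningCertExpires -and $_.SigningCertExpires -lt (Get-Date).AddDays(30))
} | ForEach-Object {
    Write-Warning "Federated domain $($_.Domain): endpoint reachable=$($_.EndpointReachable), signing cert expires $($_.SigningCertExpires)"
}

Disconnect-MgGraph | Out-Null
```

Run this from a machine that sits on the same network path as your users; a result showing the passive endpoint unreachable or a signing certificate close to expiry is exactly the availability dependency the paragraph above warns about, and is worth alerting on before it becomes a tenant-wide sign-in outage.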
You can use the following flowchart to understand which solution is appropriate for you:
Figure 3.6 – Authentication selection decision flowchart
Once you have selected an identity and authentication mechanism for your tenant, you can begin preparing your environment for hybrid authentication. Regardless of the method selected for authenticating hybrid identity, Azure AD Connect can be used to configure it.
Summary
In this chapter, you learned how to plan for a hybrid identity deployment, including choosing an authentication method (such as password hash sync, pass-through authentication, or federation) and understanding the various requirements and capabilities of identity synchronization tools. You also learned the basic terminology associated with the Azure AD Connect synchronization engine.
In the next chapter, we will begin configuring Azure AD Connect.
Knowledge check
In this section, we’ll test your knowledge of some key elements from this chapter.
Questions
Answer the following questions:
- Which two authentication or sign-in methods validate user passwords on-premises?
• A. Password hash synchronization
• B. Pass-through authentication
• C. Federation
• D. Hybrid identity
- Which two rights are necessary for password hash synchronization?
• A. Replicating Directory Changes
• B. Replicating Directory Changes Password
• C. Replicating Directory Changes All
• D. Replicating Directory Changes Advanced
- Which feature, service, or component is a consolidated view of all objects from the connected systems?
• A. Connector space
• B. sourceAnchor
• C. Connected system
• D. Metaverse
- You have 75,000 objects in your Active Directory environment and need to recommend a solution for Azure AD Connect. You should recommend the simplest option that supports your environment.
• A. An Azure AD Connect server with local SQL Server Express
• B. An Azure AD Connect server with local or remote SQL Server Analysis Services
• C. Azure AD Connect with database stored in a local or remote standalone SQL server
• D. Azure AD Connect configured with WID database
- Azure AD Connect setup can configure which two federation services?
• A. Azure Active Directory Federation Services
• B. Active Directory Federation Services
• C. OKTA Federation Services
• D. PingFederate
Answers
The following are the answers to this chapter’s questions:
- B: Pass-through authentication; C: Federation
- A: Replicating Directory Changes; C: Replicating Directory Changes All
- D: Metaverse
- A: Azure AD Connect with local SQL Server Express
- B: Active Directory Federation Services; D: PingFederate