Managing user access to Microsoft 365 and cloud apps using Windows server Active Directory

Windows Server Active Directory (AD) has been the cornerstone of identity management for over 20 years. But as organizations face new challenges in providing services to remote workers during a global health pandemic, accessing line-of-business applications and data stored in the public cloud has moved up the priority list.

In this article, we'll look at the different options for extending on-premises Windows Server Active Directory to Microsoft Azure and Microsoft 365. Organizations can secure access to cloud applications without changing the way they manage user identities with Windows Server Active Directory today.

What is Azure Active Directory?

Azure Active Directory (now Microsoft Entra ID) is Microsoft's identity management platform for the cloud. When users log in to cloud apps, like Microsoft 365, Azure AD authenticates user identities before granting access. Azure AD also works with third-party cloud SaaS platforms, like Salesforce and ServiceNow, and with cloud apps developed in-house.

Azure Active Directory isn't just Windows Server Active Directory 'lifted and shifted' to the cloud. Azure AD was designed from the ground up to serve cloud apps. It doesn't support Windows Server protocols and services like Kerberos/NTLM authentication, Group Policy, LDAP, and domain join. Azure Active Directory Domain Services, an optional managed service that deploys Windows Server domain controllers in Azure, adds support for legacy services and protocols for organizations that want to lift-and-shift legacy apps, like Internet Information Services (IIS) and apps developed in-house, into the cloud.

Azure AD uses federated identity management protocols that were built for cloud apps, like OAuth 2.0, SAML, and OpenID. Azure AD Conditional Access and Azure Identity Protection further secure access to your cloud apps and data. Microsoft adds new security features to Azure AD regularly, some of which can be used with Windows Server AD in a hybrid setup.

Choosing a single sign-on method and hybrid topology to extend Windows Server Active Directory to the Azure cloud

Because of the significant investment in on-premises Windows Server AD, organizations want to continue to use it to manage authentication to cloud apps with no disruption to users or IT operations. To solve this problem, Microsoft Azure AD Connect enables single sign-on (SSO) capabilities for Windows Server AD users who also work with cloud apps.

What is Azure AD Connect?

Azure AD Connect is a free application that synchronizes Windows Server AD user accounts to Azure AD. You can choose to synchronize users' Windows Server AD password hashes to Azure AD or let Windows Server AD authenticate users while keeping their passwords on-premises. Both methods provide a secure way for users to log in to cloud services with single sign-on.

Password hash synchronization

Microsoft recommends password hash synchronization for most hybrid AD environments because it is simple to deploy, secure, and it supports the widest range of Azure AD features. To improve security, the user’s password hash is hashed again, and then is synchronized to the cloud.

Pass-through authentication

For organizations that don't want to synchronize password hashes to the cloud, or that want to enforce Windows Server AD security and password policies, pass-through authentication (PTA) is an alternative to password hash synchronization.

Azure AD sends password validation requests to Windows Server AD. One or more PTA agents are deployed on-premises to facilitate this. If used without password hash synchronization, PTA doesn't work with Azure AD Domain Services, Azure AD Connect Health, or the leaked credentials feature in Azure Identity Protection.

Azure AD Connect vs. Active Directory Federation Services

Active Directory Federation Services (ADFS) is a standalone federated identity solution that's a component of Windows Server AD. It can be used to provide Microsoft 365 SSO capabilities for Windows Server AD users but it is complex to deploy and manage. ADFS requires certificates, SQL Server, Windows Server, and failover clustering for high availability.

In most cases, ADFS doesn't provide any advantage over Azure AD Connect password hash synchronization or PTA. Microsoft no longer recommends ADFS but Azure AD Connect can help you install and configure ADFS if you choose to use it.

Hybrid AD topologies

The most common Azure AD Connect topology synchronizes a single forest with a single Azure AD tenant. It's easy to deploy with password hash synchronization using the express install option in Azure AD Connect.

If you have more than one on-premises AD forest, you can synchronize them all using a single Azure AD Connect sync server. Azure AD Connect will try to consolidate on-premises users so that they are only represented once in Azure AD. If you have multiple disconnected AD forests, Azure AD Connect cloud provisioning agents can act as a bridge.

Managing synchronization between Windows Server Active Directory and Azure Active Directory

Once Azure AD Connect is configured using your chosen authentication method and topology, it runs in the background to synchronize on-premises AD users to Azure AD . By default, only some attributes are synchronized. You can choose which AD user account attributes Azure AD Connect synchronizes to Azure AD. For example, you might want to prevent attributes that contain sensitive information, like personally identifiable information, syncing to Azure AD.

Integrating Azure Active Directory features with Windows Server Active Directory

The synchronization process is one-way, but it is possible to enable 'writeback' on some attributes so when updated in the cloud, they are synchronized back to on-premises AD. The most common example is password writeback.

The self-service password reset feature in Azure AD requires that users' passwords are written back to Windows Server AD in hybrid deployments. Group writeback lets you provision Microsoft 365 groups in your on-premises Active Directory if you also have on-premises Exchange Server.

Azure AD Connect Health and High Availability

Azure AD Connect Health uses an on-premises agent to send information to the cloud. IT can then monitor the on-premises identity infrastructure using an online portal to maintain a reliable connection to Azure. But if you choose pass-through authentication, Azure AD Connect Health isn't able to monitor the PTA agents, which could lead to reliability issues.

Microsoft doesn't support deploying multiple Azure AD Connect sync servers for a single Azure AD tenant. If you need high availability for synchronization, you can deploy Azure AD Connect in staging mode and failover over to the staging mode server should the primary sync server fail. Failover is managed using the Azure AD Connect wizard.

Day-to-day user management

Users can be managed with the tools you currently have for Active Directory, like the Active Directory Users and Computers (ADUC) console, the Active Directory Administrative Center (ADAC), and PowerShell. When you create a new on-premises AD user, Azure AD Connect automatically creates a user object in Azure AD to represent the Windows Server AD account.

The user can then access your local domain and cloud apps without any further intervention from IT. Azure AD Connect also automatically synchronizes changes you make to existing Windows Server AD user accounts, providing that the changed attributes are enabled in sync options.

In hybrid Exchange Server environments, the Exchange Admin Center (EAC) includes support for creating new hybrid cloud accounts and automatically provisioning mailboxes for new users in the cloud. So, there's no need to manually create mailboxes in Exchange Online.

Integrating Windows Server AD with Azure made easy

Microsoft has made it easy for you to integrate your on-premises AD forests with Azure AD. Azure AD Connect is simple to set up if you opt for Microsoft's recommended authentication method, which is password hash synchronization. The express install option does all the heavy lifting if you don't need to customize settings. PTA is more complex to configure and you should deploy at least three PTA agents for high availability. And while Azure AD Connect can help simplify deploying ADFS, you should consider using PTA if possible.

But the best part is that Azure AD Connect extends Windows Server AD's capabilities to provide seamless single sign-on to cloud apps for domain users. And IT can continue managing user identities with familiar tools while providing extra value to the organization. Organizations already integrating AD with third-party platforms, like Oracle Identity Management, can synchronize AD with Azure AD using Azure AD Connect while continuing to centrally manage user identities with Active Directory.