Azure Active Directory

Hello, I have a few questions around Azure AD and I am hoping some of the experts would help clarify these areas.

  • When would you run separate domains in Azure? What factors should be considered?
  • How do SSO/MFA work with IAM and PIM?
  • What is the difference between Password Sync with SSO vs. Pass-through Authentication vs. ADFS?

Regards,
J
Asked by onlinerack

1 Solution

Cliff Galiher commented:
First answer, one Azure AD instance per tenant/business. Azure AD is not AD. There is no concept of multi-domain forests or resource domains or parent-child trusts. It is very flat. But that means you'd almost never run multiple domains.

Not sure what you are asking in #2. SSO isn't really relevant to PIM in specifics, but can be available to any group, privileged or otherwise, as the admin sees fit. Same applies to MFA with the right licensing.

For #3:

Password sync is exactly as it sounds. It syncs on-prem users' password hashes with Azure AD, and authentication against Azure AD happens using their servers and stored password hashes. Your on-prem links can be completely down and Azure AD auth continues to work.

Pass-through Auth is for environments where the admin is not comfortable with password hashes being stored in Microsoft's cloud. A small agent is installed on premises; Azure AD servers handle any authentication request against Azure AD, but they communicate with the agent to verify the password. No password data is stored in the cloud.

ADFS is a full-featured, web-friendly authentication platform. When set up with Azure AD, Azure AD does NOT handle authentication requests. When a request is made, it is redirected to the on-premises ADFS install and ADFS returns the result (success or fail) to Azure AD. ADFS may be chosen over pass-through where authentication is desired for other non-Azure AD applications or where, for whatever reason, the pass-through agent isn't a good fit.

onlinerack (Author) commented:
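The three options above leave a visible footprint in the tenant: ADFS shows up as a federated domain, while password hash sync and pass-through both appear as managed domains. The following check, added here as an example and not part of the original answer, uses the Microsoft Graph PowerShell SDK to classify each verified domain; it assumes the Microsoft.Graph modules are installed and the account can consent to Domain.Read.All and Organization.Read.All.

```powershell
# Added example: classify each verified domain by how Azure AD authenticates it.
# Assumes Microsoft.Graph modules are installed and the caller can grant the scopes below.
Connect-MgGraph -Scopes 'Domain.Read.All','Organization.Read.All' | Out-Null

function Get-TenantAuthSummary {
    # OnPremisesSyncEnabled tells us whether a sync client (Azure AD Connect) is configured,
    # which is a prerequisite for password sync, pass-through and ADFS with synced users.
    $org = Get-MgOrganization | Select-Object -First 1
    $syncEnabled = [bool]$org.OnPremisesSyncEnabled

    foreach ($d in Get-MgDomain | Where-Object { $_.IsVerified }) {
        $row = [pscustomobject]@{
            Domain         = $d.Id
            AuthType       = $d.AuthenticationType   # 'Managed' or 'Federated'
            Method         = $null
            IssuerUri      = $null
            SyncConfigured = $syncEnabled
        }

        if ($d.AuthenticationType -eq 'Federated') {
            # Federated: Azure AD redirects sign-in to an external IdP such as ADFS and
            # only consumes the token it returns. Record who the IdP is.
            $fed = Get-MgDomainFederationConfiguration -DomainId $d.Id
            $row.Method    = 'Federated (e.g. ADFS)'
            $row.IssuerUri = $fed.IssuerUri
        }
        else {
            # Managed covers cloud-only passwords, password hash sync and pass-through
            # authentication. Graph domain data alone cannot tell PHS and PTA apart;
            # that is decided in the Azure AD Connect configuration.
            $row.Method = if ($syncEnabled) { 'Managed (PHS or PTA)' } else { 'Managed (cloud-only)' }
        }
        $row
    }
}

Get-TenantAuthSummary | Format-Table -AutoSize
```

A domain reported as Federated whose IssuerUri you do not recognise is worth investigating, since federation settings control who can mint sign-in tokens for that domain.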
Thanks Cliff for your quick response. The first question about running separate domains in Azure, what is meant is: should we extend our on-prem domain into Azure or have a separate domain for Azure? Is there a best practice for that?

Regards,
J

Cliff Galiher commented:
Azure AD is its own thing. You can set up a sync client (which you need to do for password sync, pass-through, or ADFS). But it is never an extension of your existing domain. It also isn't really a new domain. It is, like I said, its own entity. So that question actually doesn't really apply either way.

onlinerack (Author) commented:
Thanks Cliff, your answer has given me the info I need.

Regards,
J