In the previous article we covered the basics of Azure AD and its different editions.
In this article we look at how to sync on-premises identities to Azure AD and how to choose and enable the identity model that fits your requirements.
Most large organizations already run a well-established on-premises Windows Server Active Directory Domain Services (AD DS) deployment, and the first question they raise about cloud services is how to trust them and how to sync the existing AD infrastructure securely. Synchronizing passwords in particular often conflicts with their compliance requirements.
Microsoft offers several directory synchronization and identity models, and you configure the one that matches your organization's requirements. Each model has its merits and drawbacks.
Azure Identity Models:
Cloud Based Identity Model:
In this model user accounts are created in Azure AD and managed entirely in the cloud. There is no link between a user's cloud account and any on-premises account.
Pros:
1. Network issues between on-premises and the cloud have no major impact on cloud services, because sign-in does not depend on anything on-premises.
2. No additional setup is required beyond creating the user accounts in the cloud.
Cons:
1. Users have to keep two sets of credentials, one for on-premises resources and one for the cloud, and are easily confused about which account gives access to which service (for example the on-premises mailbox versus the cloud mailbox).
2. Troubleshooting becomes more complicated, since an issue first has to be located in one of two independent directories.
3. Administrators have to maintain two different password reset portals and processes. Running two separate identity stores also makes it harder to track account usage and to correlate events during a security incident.
Synchronized identity:
In this model all user accounts, together with their password hashes (only the hashes, never the clear-text passwords), are synchronized to Azure AD by Azure AD Connect.
Pros:
1. Users sign in to both on-premises and cloud applications with the same account and password.
2. Only password hashes are synchronized, so the on-premises password policy is not violated: Azure AD Connect never sees or sends the clear-text password, and the value it sends is not the raw AD hash but a salted, iterated SHA-256 hash derived from it, which cannot be replayed against on-premises AD.
Cons:
1. Because password hashes are synchronized, many organizations object on principle to sending any password material to the cloud, and worry about what happens if the cloud provider, a shared multi-tenant environment, suffers a password attack.
2. Azure AD Connect has to be installed on an on-premises server to sync users and groups to the cloud. That server must be protected like a domain controller: its AD connector account is granted directory replication permissions in order to read password hashes, so compromising it exposes every synchronized credential.
Azure AD Connect can be installed with either of two setup options; please refer to the Azure AD Connect installation documents referenced below.
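The following PowerShell is an added example, not code from the original article, showing how an administrator would verify that Azure AD Connect is actually synchronizing accounts and password hashes before relying on this model. It assumes it is run on the Azure AD Connect server (which provides the ADSync module) with the MSOnline module installed; the user name and the staleness threshold are placeholders.

```powershell
# Added example (not from the original article). Run on the Azure AD Connect
# server: the ADSync module ships with Azure AD Connect, MSOnline is installed
# separately. The UPN and the threshold below are assumptions.
Import-Module ADSync
Import-Module MSOnline

$TestUpn    = 'jane.doe@contoso.com'     # assumed synchronized user
$MaxHashAge = New-TimeSpan -Minutes 30   # assumed tolerance for stale hashes

# On the Azure AD Connect server: the scheduler must be enabled and the server
# must not be in staging mode, otherwise nothing is exported to Azure AD.
$Scheduler = Get-ADSyncScheduler
if (-not $Scheduler.SyncCycleEnabled) { Write-Warning 'Sync scheduler is disabled' }
if ($Scheduler.StagingModeEnabled)    { Write-Warning 'Server is in staging mode and does not export' }

# Password hash sync is a feature flag set by the Azure AD Connect wizard.
$Features = Get-ADSyncAADCompanyFeature
if (-not $Features.PasswordHashSync) { Write-Warning 'Password hash sync is not enabled in Azure AD Connect' }

# Trigger a delta sync instead of waiting for the next scheduled cycle.
if (-not $Scheduler.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
}

# On the tenant side: confirm Azure AD agrees that sync and hash sync are on.
Connect-MsolService   # prompts for a tenant administrator account
$Company = Get-MsolCompanyInformation
[pscustomobject]@{
    DirSyncEnabled      = $Company.DirectorySynchronizationEnabled
    PasswordSyncEnabled = $Company.PasswordSynchronizationEnabled
    LastDirSyncUtc      = $Company.LastDirSyncTime
    LastPasswordSyncUtc = $Company.LastPasswordSyncTime
}

# Stale hashes mean a user who changed their password on-premises still
# authenticates to the cloud with the old one.
if ($null -eq $Company.LastPasswordSyncTime) {
    Write-Warning 'Password hashes have never been synchronized'
} else {
    $HashAge = (Get-Date).ToUniversalTime() - $Company.LastPasswordSyncTime
    if ($HashAge -gt $MaxHashAge) {
        Write-Warning "Password hashes are $([int]$HashAge.TotalMinutes) minutes old"
    }
}

# Spot-check one user: LastDirSyncTime should be recent and ImmutableId set
# (by default it is the base64 of the on-premises objectGUID).
Get-MsolUser -UserPrincipalName $TestUpn |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime, LastPasswordChangeTimestamp
```

Running this after installation, and again after any change to the connector account or the scheduler, catches the two silent failure modes of this model: a server left in staging mode that never exports, and hash sync that has quietly stopped so that cloud sign-ins keep accepting an old password.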
Federated Identity:
In the federated identity model, Azure AD Connect still synchronizes on-premises user accounts and groups to the cloud, but authentication is handed to Active Directory Federation Services (AD FS) running on-premises: Azure AD redirects the user to AD FS, the user authenticates against on-premises AD, and Azure AD accepts the signed token that AD FS returns.
Pros:
1. No password synchronization to the cloud is required.
2. Only the accounts are synchronized; passwords stay on-premises, so policies that forbid storing password material in the cloud are not violated.
3. If you already have a third-party identity provider, it can be used in place of AD FS for authentication.
Cons:
1. If AD FS or the third-party identity provider is unreachable, no user can authenticate to the cloud; the identity provider is a single point of failure. To mitigate this, keep password hash sync enabled in Azure AD Connect as a backup. When AD FS goes down you can convert the domain from federated to managed authentication so that users sign in against the synchronized hashes; this only works if the hashes were already being synchronized before the outage.
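The fallback just described, as an added example that is not part of the original article: checking that the backup hashes are usable, confirming AD FS is really down, and switching the domain to managed authentication with the MSOnline module. The domain name, AD FS host name and freshness threshold are placeholders, and it assumes password hash sync was already enabled in Azure AD Connect.

```powershell
# Added example (not from the original article): emergency fallback from AD FS
# to password hash sync. Assumes PHS is already enabled in Azure AD Connect.
# Domain, AD FS host name and the one-hour threshold are assumptions.
Import-Module MSOnline
Connect-MsolService   # prompts for a tenant administrator account

$Domain   = 'contoso.com'        # assumed federated domain
$AdfsHost = 'adfs.contoso.com'   # assumed AD FS farm or proxy name

# 1. Confirm the domain is currently federated.
$DomainInfo = Get-MsolDomain -DomainName $Domain
$DomainInfo | Select-Object Name, Authentication, Status

# 2. Confirm the PHS backup actually has recent hashes. Converting a domain
#    whose users have no synchronized hash locks everyone out rather than in.
$Company = Get-MsolCompanyInformation
if (-not $Company.PasswordSynchronizationEnabled) {
    throw 'Password hash sync is not enabled; there is nothing to fall back to.'
}
if ($null -eq $Company.LastPasswordSyncTime -or
    $Company.LastPasswordSyncTime -lt (Get-Date).ToUniversalTime().AddHours(-1)) {
    Write-Warning "Last password hash sync: $($Company.LastPasswordSyncTime) UTC; users may sign in with old passwords"
}

# 3. Is AD FS really unreachable? (a TCP check on 443, the simplest possible probe)
$AdfsUp = (Test-NetConnection -ComputerName $AdfsHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

# 4. Switch the domain to cloud (managed) authentication. This cmdlet does not
#    contact AD FS, which is the point: AD FS is down.
if ($DomainInfo.Authentication -eq 'Federated' -and -not $AdfsUp) {
    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
    Get-MsolDomain -DomainName $Domain | Select-Object Name, Authentication
}

# Once AD FS is restored, re-federate from the AD FS server (or a host with
# the AD FS context set), which also recreates the relying party trust:
#   Set-MsolADFSContext -Computer $AdfsHost
#   Convert-MsolDomainToFederated -DomainName $Domain
```

The ordering matters: the hash-freshness check comes before the conversion because the conversion itself is quick but the consequences of converting a domain without usable hashes are a tenant-wide lockout, and the conversion is deliberately done with Set-MsolDomainAuthentication rather than Convert-MsolDomainToStandard, since the latter expects to reach the AD FS server to clean up the trust.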
Please refer to the AD FS installation documents and the Azure AD Connect installation documents (Azure AD Connect can be installed with either of two setup options) referenced below.
For Part 1 of this multi-part series, see Overview of Azure Active Directory (Azure AD) – Part 1.