It was just yesterday (December 7, 2016) that the Azure AD Product Group announced the public preview of Azure AD Pass-Through Authentication and SSO. This is a feature that a lot of customers were looking forward to, because they want to offer an SSO experience to the end user, keep password hashes on-premises only, and get the tightest possible integration between the on-premises identity infrastructure and Azure AD.
To get the idea, take a look at the following video, which explains how it works:
As you can see, we now have the option to validate passwords against the on-premises AD through a lightweight connector deployed on-premises. The connector only makes outbound connections, so nothing has to be opened inbound through the DMZ, and, best of all, you don't need ADFS. Authentication requests are load-balanced across all the connectors you install, so you can deploy more than one for high availability, and the connector can be installed on domain controllers. Super-simple!
So in practice, when you type your Azure AD password on the Azure sign-in page, that password is relayed through the connector to your on-premises domain controllers and validated there. Note what "on-premises" means here: the password is still entered on the Azure AD sign-in page and transmitted (over TLS) to the connector; what stays on-premises is the storage and validation of credentials, not the transit. There is also an SSPR (self-service password reset) option, in case the user wants to reset the password. As the Azure AD Product Group says, passwords are never cached in the cloud.
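As an added example (it is not code from the original post, nor from Azure AD Connect), here is a PowerShell check to run on the server where you plan to install the connector, to confirm that the outbound paths it depends on are reachable before you switch the tenant's sign-in method. The endpoint and port list is an assumption taken from the preview prerequisites documented at the end of the post; compare it with the current documentation before relying on it.

```powershell
# Added example, not part of the original post. Run on the intended connector host.
# The endpoint list is an ASSUMPTION based on the preview prerequisites; verify it against the docs.
function Test-PtaConnectorEgress {
    [CmdletBinding()]
    param(
        # Hostnames and ports the connector must be able to reach outbound (assumed list).
        # Wildcard names such as *.msappproxy.net cannot be probed directly; check them via your proxy/firewall logs.
        [hashtable[]]$Targets = @(
            @{ Host = 'login.microsoftonline.com'; Port = 443 },
            @{ Host = 'login.windows.net';         Port = 443 },
            @{ Host = 'crl.microsoft.com';         Port = 80  }   # CRL download for certificate validation
        )
    )

    foreach ($t in $Targets) {
        # Test-NetConnection performs a plain TCP connect. A proxy that requires authentication can still
        # block the connector even when this succeeds, so treat "Reachable" as necessary, not sufficient.
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $t.Host
            Port      = $t.Port
            Reachable = [bool]$r.TcpTestSucceeded
            RemoteIP  = if ($r.RemoteAddress) { $r.RemoteAddress.IPAddressToString } else { $null }
        }
    }
}

# Usage: list the results and fail loudly if any required path is blocked.
$results = Test-PtaConnectorEgress
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Outbound path blocked for: " + (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
}
```

Because the design is outbound-only, the only firewall work is on egress; if this check passes and the connector still cannot register, look at proxy authentication or TLS inspection on the path rather than at inbound rules.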
But what about SSO? Everybody wants it, but some companies feel it is really complicated to do with ADFS. The good news: now you can do it without ADFS. Users on domain-joined machines are still securely authenticated with Kerberos, just as they are to other domain-joined resources, without having to type the same password over and over again.
So no additional on-premises infrastructure is needed, and if for some reason the user cannot get a Kerberos ticket for SSO (for example, the machine is not domain-joined or is off the corporate network), they are simply asked to type their password. If you want to read more about Azure AD SSO, take a look here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect-sso
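The SSO path described above rests on a computer account that Azure AD Connect creates in the on-premises forest and on the client obtaining a Kerberos ticket for the SSO endpoint. As an added example (not code from the original post or from Azure AD Connect), the following PowerShell gives you two checks for that path: one on a host with the ActiveDirectory RSAT module, to inspect the account and the age of its Kerberos key, and one on a domain-joined client, to confirm the ticket was actually issued after visiting an Azure AD sign-in page. The account name AZUREADSSOACC and the SPN HTTP/autologon.microsoftazuread-sso.com are assumptions based on the SSO documentation linked above; adjust them if your deployment differs.

```powershell
# Added example, not part of the original post or of Azure AD Connect itself.
# Account name and SPN are ASSUMPTIONS taken from the SSO documentation; adjust if yours differ.

# Check 1 (run where the ActiveDirectory module is available): the SSO computer account.
function Get-SeamlessSsoAccount {
    [CmdletBinding()]
    param([string]$Name = 'AZUREADSSOACC')   # assumed account name
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct = Get-ADComputer -Identity $Name -Properties servicePrincipalName, PasswordLastSet
    [pscustomobject]@{
        Name       = $acct.Name
        Enabled    = $acct.Enabled
        SPNs       = @($acct.servicePrincipalName)
        # Azure AD holds a copy of this account's Kerberos key, which is what lets it decrypt the
        # SSO tickets clients present. Anyone holding that key can produce tickets the SSO endpoint
        # accepts, so protect the account like any other domain secret and keep an eye on the key's age.
        KeyAgeDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    }
}

# Check 2 (run on a domain-joined client, after opening an Azure AD sign-in page in the browser):
# was a Kerberos service ticket for the SSO SPN issued? If not, the user falls back to typing the password.
function Test-SeamlessSsoTicket {
    [CmdletBinding()]
    param([string]$Spn = 'HTTP/autologon.microsoftazuread-sso.com')   # assumed SPN
    # klist prints one "Server: <spn> @ <REALM>" line per cached ticket.
    $out = & klist.exe 2>&1 | Out-String
    $hasTicket = $out -match ('Server:\s+' + [regex]::Escape($Spn))
    [pscustomobject]@{
        Spn       = $Spn
        HasTicket = [bool]$hasTicket
        Hint      = if ($hasTicket) { 'Seamless SSO can complete without a password prompt.' }
                    else { 'No ticket cached: the client will be prompted for a password. Check domain join, network path to a DC, and that the sign-in page was actually visited.' }
    }
}

# Usage:
# Get-SeamlessSsoAccount | Format-List
# Test-SeamlessSsoTicket | Format-List
```

The ticket check is only meaningful after the browser has been sent to the SSO endpoint, because the service ticket is requested at that moment, not at logon; run it once with an empty cache (klist purge) to see the negative case, then again after a sign-in.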
I want that feature now! What should I do?
Just download the new version of Azure AD Connect and, when you do a custom installation, make sure to select the new "Pass-through authentication" and "Enable single sign on" options:
Keep in mind that this is an authentication feature, so it’s best to try it out in a test environment to ensure you understand the end-user experience and how switching from one sign-on method to another will change that experience.
Just make sure that you go through the documentation here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect-pass-through-authentication