Azure AD Seamless Sign On Announced

Microsoft recently announced Seamless Sign On with Azure AD for Password Sync or Pass Through Authentication (PTA) organizations. SSO allows users on domain-joined computers which can contact a domain controller to authenticate with Azure AD via ADAL without typing in their password. The end user experience is very similar to that of an organization that has federated with Azure AD via AD FS or other SAML system.

Existing Password Sync organizations do not need to deploy the new PTA agent to enable SSO. PTA allows for Azure AD authentication without copying password hashes to Azure AD. Additional pros and cons of PW Sync vs PTA are below.

Deployment of SSO is exceptionally easy, and is done in the AAD Connect setup wizard. SSO is enabled with the same process regardless of PTA or PW Sync. Multiple forests are supported if they have trusts between them.

After configuring SSO in AAD Connect, workstations need to have two sites added to their Intranet Security Zone, which can be done easily via Group Policy:

When SSO is enabled a computer account is created in AD called AZUREADSSOACCT. The on premises Kerberos decryption key is securely sent to Azure AD, and two SPNs are created in the domain.

The below table compares PW Sync to Pass Through Authentication, and does not consider Seamless Sign On, which is equally available for either method.

 

Auth Option	PW Sync	Pass Through Authentication
Deployment Complexity	Very low. Express configuration requires no additional config. Custom configuration requires two domain permissions granted for the service account	Very Low. Can be deployed as part of AAD Connect configuration. HA can be achieved by deploying additional agents, which has minimal increase in complexity
Dependency	A full on-premises outage would not affect PW Sync. The most recent passwords sent to Azure AD would remain in effect during an outage	Connectivity to at least one PTA agent on-premises is required. In the event of an outage for AD and/or all PTA agents, sign in would cease to work
Supported Clients	All clients including Office 2013, 2016, browsers, Activesync, etc	Only Modern Auth clients and browsers, which does not include ActiveSync and Office 2013 in non-modern-auth mode. Note that PW Sync can be configured as a failback for those clients
Availability	Only one AAD Connect instance running PW Sync can be Active, but Staging instances can be deployed and quickly (manually) turned on in the event of a disaster. Note that all previously synced passwords would continue to function if the Active AAD Connect server became unavailable	Multiple PTA agents can be deployed and Active for HA. Agents need only outbound connectivity and access to a Domain Controller, so they can be placed in separate datacenters from one another
Speed	Passwords sync from AD on premises to Azure AD in less than 3 minutes, however user accounts that are disabled/blocked on premises won’t be blocked in Azure AD until the next sync cycle, which is 30 minutes or less by default	Users who are disabled/blocked on premises are immediately blocked in Azure AD, as every authentication request is validated by a PTA agent directly against a DC in realtime

Reference article for more info and screenshots: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect-sso