Azure AD Connect Archive

What is Hybrid Azure AD Join ?

Let’s just start with the official definition from the Microsoft documentation:

Hybrid Azure AD Join: Joined to on-premises AD and Azure AD requiring organizational account to sign in to the device.

This means that after the device is Hybrid Azure AD joined, it behaves the same as any other computer connected to Active Directory.

Sign in with an Active Directory account is required.
User credentials are verified against an Active Directory domain controller.
Group Policy objects for users & computers read from the domain controller are applied automatically.

After the Active Directory connection process is complete, additional steps are performed asynchronously in the background to register the device in Azure AD as well.

For quite some time (Beginning of 2017) it is now possible to solve SSO scenarios with Azure even without ADFS infrastructure. However, it is only recently that companies has started to not insist on ADFS. Now one may finally also point out the alternative solutions of Microsoft.

The possible scenarios for Seamless SSO are:

Pass-through authentication (PTA)
Password Hash Sync (PHS)

Pass-through authentication (PTA)

Disadvantages

No automatic detection of leaked login data
Azure AD DS requires enabled Password Hash Synchronization feature in tenant to work
Is not part of Azure AD Connect Health

Password Hash Sync (PHS)

“Disadvantage“

Password is synchronized to the cloud (as hash value)

Tag: Azure AD Connect

Why a Windows Server 2019 VDI should be Hybrid Azure AD joined

What is Hybrid Azure AD Join ?

Activation of Azure AD Seamless Single Sign-On