To utilize synchronized identity in your Office 365 deployment, you need to install and configure a directory synchronization appliance to copy your identities from an on-premises directory to Azure Active Directory. Microsoft has a free software appliance, Azure AD Connect, that performs this function. There are also third-party vendors that provide similar solutions.
Synchronized identity comes in two core configuration variants:
- Synchronized identity, with or without password hash synchronization
- Synchronized identity with pass-through authentication, with or without password hash synchronization
Objects that are synchronized to Azure AD are linked to their on-premises account by way of a property called the ImmutableID. The ImmutableID value in Azure AD is a base64 conversion of an object's on-premises Active Directory object GUID. You can obtain the ImmutableID value for any on-premises directory object with the following PowerShell command, where sAMAccountName is the pre-Windows 2000 account name for an identity whose ImmutableID you wish to compute:
$ImmutableID = [system.convert]::ToBase64String((Get-AdUser sAMAccountName).objectGuid.ToByteArray())
The resultant value in $ImmutableID is a base64 string value, such as go0HPqiAEkSwHaRd2bQZ9g==.
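The following Python functions, added here as an example (not from the book), reproduce what the PowerShell one-liner above computes and reverse it, so you can check that a cloud object's ImmutableID really corresponds to a given on-premises objectGUID. They assume the usual caveat that .NET's Guid.ToByteArray() stores the first three GUID fields little-endian, which Python's uuid.bytes_le reproduces.

```python
import base64
import uuid


def immutable_id_from_guid(object_guid: str) -> str:
    """Return the Azure AD ImmutableID for an on-premises objectGUID string.

    Guid.ToByteArray() in .NET (used by the PowerShell one-liner) emits the
    time_low, time_mid and time_hi_version fields little-endian; uuid.bytes_le
    gives the same 16 bytes. Using uuid.bytes (big-endian) instead would
    produce a different base64 string that matches nothing in Azure AD.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Decode an ImmutableID back to the on-premises objectGUID (lowercase string).

    Rejects values that are not valid base64 or do not decode to 16 bytes;
    a wrong length means the value was never derived from a GUID.
    """
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableID decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def immutable_id_matches(immutable_id: str, object_guid: str) -> bool:
    """True if the cloud ImmutableID links to this on-premises objectGUID.

    Useful when reconciling a synced object against the account it is
    supposed to represent, for example before or after a hard match.
    """
    try:
        return guid_from_immutable_id(immutable_id) == str(uuid.UUID(object_guid))
    except ValueError:
        return False


if __name__ == "__main__":
    # The sample value quoted on this page; the GUID it decodes to is derived here.
    sample = "go0HPqiAEkSwHaRd2bQZ9g=="
    guid = guid_from_immutable_id(sample)
    print(guid)                               # 3e078d82-80a8-4412-b01d-a45dd9b419f6
    print(immutable_id_from_guid(guid) == sample)  # True
```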
Let's go over the core functional capabilities of each method of authentication.