Synchronized identity 

With synchronized identity, you are essentially configuring your organization's directory objects to be replicated to Azure AD. This includes a number of properties (first and last names, email addresses, office information, manager reporting configuration, and physical addresses and phone numbers, among others). You have the option to configure this synchronization with or without password hashes.

For an exhaustive list of the attributes that are synchronized to Azure AD, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized.

Password hash synchronization allows an Azure AD user to use the same password as the corresponding on-premises account. If you choose to synchronize identity with password hashes (the default configuration), then a hash of the user's on-premises password is synchronized to Azure AD. When a user attempts to access resources, authentication is performed by Azure AD using the synchronized credential. To synchronize password hashes, the account specified in the Azure AD Connect setup must have two specific Active Directory rights granted (Replicating Directory Changes and Replicating Directory Changes All). These rights can be delegated manually (using a tool such as the Azure Active Directory Connect Advanced Permissions tool at http://aka.ms/aadpermissions) or by making the synchronization service account a member of either Domain Admins or Enterprise Admins. While the default synchronization interval for Azure AD Connect is every 30 minutes, password changes on-premises are processed and synchronized to Azure AD immediately as a separate process.

For a deeper understanding of how Azure AD Connect password hash synchronization works, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs.
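Because the two replication rights above let their holder read every account's password hash from the domain, it is worth periodically auditing which principals hold them on the domain naming context and confirming that the list is only the built-in holders plus the Azure AD Connect account. The following script is an added example, not from the book or from Microsoft; it assumes the ActiveDirectory RSAT module, a domain-joined session, and placeholder values for the sync account name and the expected baseline.

```powershell
# Added example (not from the book): list every principal granted
# Replicating Directory Changes / Replicating Directory Changes All on the
# domain head, then flag holders outside an assumed baseline.
Import-Module ActiveDirectory

# Assumed placeholder: the AD DS account given to Azure AD Connect setup.
$ExpectedSyncAccount = 'CONTOSO\MSOL_sync'

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve each control access right's GUID from the schema by display name
# instead of hard-coding it.
$rightGuids = @{}
foreach ($name in 'Replicating Directory Changes', 'Replicating Directory Changes All') {
    $right = Get-ADObject -SearchBase $rightsDn -LDAPFilter "(displayName=$name)" -Properties rightsGuid
    $rightGuids[[guid]$right.rightsGuid] = $name
}

# An ACE grants a right if it names that right's GUID, or if it grants all
# extended rights (empty ObjectType) or GenericAll on the domain head.
$acl = Get-Acl -Path "AD:\$domainDn"
$holders = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights    = $ace.ActiveDirectoryRights
    $grantsAll = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                 ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                  $ace.ObjectType -eq [guid]::Empty)
    if ($grantsAll) { $granted = $rightGuids.Values }
    elseif ($rightGuids.ContainsKey($ace.ObjectType)) { $granted = @($rightGuids[$ace.ObjectType]) }
    else { continue }
    foreach ($g in $granted) {
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = $g; Inherited = $ace.IsInherited }
    }
}
$holders = $holders | Sort-Object Principal, Right -Unique
$holders | Format-Table -AutoSize

# Assumed baseline (placeholder): default holders plus the sync account. Adjust for your forest.
$baseline = 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            "$env:USERDOMAIN\Domain Controllers", $ExpectedSyncAccount
$unexpected = $holders | Where-Object { $baseline -notcontains $_.Principal }
if ($unexpected) {
    Write-Warning 'Replication rights are held by principals outside the baseline:'
    $unexpected | Format-Table -AutoSize
}
```

Run it from a domain-joined host with rights to read the domain's DACL; anything reported under the warning should be explained by a change record or removed.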

If you choose to synchronize identity without password hashes, all the account details are synchronized except for the password. Users have to maintain the password separately. This option is commonly configured if you are going to configure a federation service outside of Azure AD Connect, though you are not required to do so. If no federated authentication has been configured, authentication is performed by Azure AD using the synchronized user identity with a cloud password; otherwise, the request is redirected to the federated Identity Provider (IdP).

Password hash synchronization doesn't rely on any on-premises infrastructure to validate passwords or authentication attempts. If the on-premises environment is unavailable, users are still able to log on to Azure AD protected resources since the authentication attempt is processed against the service.
