Federated identity

Like Azure Active Directory pass-through authentication, federated identity validates credentials in the on-premises environment rather than in the cloud. Federated identity still requires directory objects to be synchronized to Azure Active Directory.

Azure AD Connect's setup wizard can configure federated identity directly for both Active Directory Federation Services (AD FS) and PingFederate, a third-party federation IDP.

When federation is configured for an environment, authentication attempts are redirected from the Azure AD login portal to the web server hosting the federated identity provider's service endpoint. At the IDP endpoint the user enters their credentials if prompted, and the on-premises federation service authenticates the user against the on-premises directory.
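The redirect decision described above rests on Azure AD's home-realm discovery: the sign-in page looks up the user's domain and either accepts the password itself (a Managed namespace) or sends the browser to the domain's federation endpoint (a Federated namespace). The following added example (not from the book) parses constructed responses shaped like that lookup and checks, as a defender would, which model is actually in effect and whether the federation redirect points at an approved on-premises STS over HTTPS. The domain names, STS host and JSON samples are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Azure AD exposes home-realm discovery at
#   https://login.microsoftonline.com/getuserrealm.srf?login=<upn>&json=1
# The two strings below are constructed samples shaped like its JSON reply;
# the tenants, users and URLs are placeholders, not real organisations.
SAMPLE_FEDERATED = '''{"State":3,"UserState":2,"Login":"alice@contoso.example",
 "NameSpaceType":"Federated","DomainName":"contoso.example",
 "AuthURL":"https://sts.contoso.example/adfs/ls/?username=alice%40contoso.example&wa=wsignin1.0",
 "FederationBrandName":"Contoso","CloudInstanceName":"microsoftonline.com"}'''
SAMPLE_MANAGED = '''{"State":4,"UserState":1,"Login":"bob@fabrikam.example",
 "NameSpaceType":"Managed","DomainName":"fabrikam.example",
 "FederationBrandName":"Fabrikam","CloudInstanceName":"microsoftonline.com"}'''


def classify_realm(realm_json: str, expected_sts_hosts: set) -> dict:
    """Report where the sign-in page sends the credential for a domain and flag
    federation redirects that do not target an approved STS over HTTPS."""
    realm = json.loads(realm_json)
    ns_type = realm.get("NameSpaceType", "Unknown")
    result = {"domain": realm.get("DomainName"), "namespace_type": ns_type,
              "redirected_to_idp": False, "redirect_host": None, "findings": []}
    if ns_type == "Managed":
        # Cloud identity, password hash sync and pass-through authentication all
        # appear as Managed: the Azure AD page collects the password itself.
        result["findings"].append("password collected by the Azure AD login page")
        return result
    if ns_type == "Federated":
        parsed = urlparse(realm.get("AuthURL", ""))
        result["redirected_to_idp"] = True
        result["redirect_host"] = parsed.hostname
        if parsed.scheme != "https":
            result["findings"].append("federation redirect is not HTTPS")
        if parsed.hostname not in expected_sts_hosts:
            result["findings"].append(f"unexpected STS host {parsed.hostname!r}")
        return result
    result["findings"].append("domain not registered in Azure AD")
    return result


if __name__ == "__main__":
    approved = {"sts.contoso.example"}  # constructed: the STS your AD FS farm publishes
    for sample in (SAMPLE_FEDERATED, SAMPLE_MANAGED):
        print(classify_realm(sample, approved))
```

Run against live lookups, an unexpected STS host or a non-HTTPS redirect for one of your verified domains is worth investigating, since that is exactly where users will be sent to type their passwords.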

When determining which identity model fits your organizational needs, you can refer to a table such as the following:

| Requirement | Potential identity and authentication models | Notes |
| --- | --- | --- |
| Simplest identity | Cloud identity | Requires no on-premises infrastructure, but also provides no integration with on-premises applications or domain features. |
| On-premises credential verification | Pass-through authentication, federated identity | Both pass-through authentication and federated identity provide the ability to verify user credentials on-premises. Cloud identity and password hash synchronization perform identity verification in the cloud. |
| Easy integration with conditional access | Cloud identity, pass-through authentication, password hash sync | Of the identity models presented, federated identity and third-party identity providers may prove the most difficult to integrate with conditional access. |
| Integration with third-party identity provider | Only third-party identity providers | Third-party identity providers frequently require their solution end to end, so AAD Connect or other Microsoft-provided identity management services typically won't be deployed. |
| Leaked credential detection | Password hash sync; pass-through authentication or federated identity with password hash sync enabled and Azure AD Premium P2 license | Azure AD Premium P2 licensing is required in conjunction with an identity and authentication model that includes password hash sync. |

Once you have chosen an identity and authentication model, you should think about securing those identities. One of the tools available to all users of the Microsoft 365 platform is MFA, which we'll discuss next.