Skip to main content

Azure Hybrid Identity Authentication Methods

The move to the cloud is picking up steam.  As such, many corporations are beginning to find themselves supporting a mixture of on-prem apps as well as cloud apps. Users are finding that they need access to this mix of applications as well.  As one would expect, this can become a challenge to implement.

To improve access to solutions that span on-prem and cloud-based capabilities and platforms, an organization needs to create a common user identity that can be used for authentication and authorization to all such resources, including those on-prem and those in the cloud.  

This is called hybrid identity.

A successful hybrid identity solution requires the deployment of any one of three different authentication methods.  Which authentication method is deployed is dependent on the specific scenario being addressed.

In this article, we are going to discuss the three authentication methods, including Password Hash Synchronization, Pass-Through Authentication, and Federation.  Password Hash Synchronization is also referred to as PHS. Pass-Through Authentication is referred to as PTA. Federation is referred to as, well, Federation.

Password hash synchronization (PHS)

Password hash synchronization is a sign-in method that’s used as part of a hybrid identity solution.  To accomplish a hybrid identity solution with PHS, a hash of a user’s on-prem Active Directory (AD) password is synchronized to a cloud-based Azure AD instance.  This feature is typically used for signing in to Azure services such as Office 365 with the same password as an on-prem AD account.  This is a preferable solution for end users because it creates a pleasant end user experience.

Using a password hash synchronization strategy reduces the number of passwords that a user needs to remember to one.  As such, it often results in reduced help desk costs.

Password hash synchronization is the most widely used hybrid identity solution.  It requires the installation of Azure AD Connect. Azure AD Connect then performs an ongoing directory synchronization between the on-prem Active Directory and the Azure Active Directory instance.

Part of the synchronization configuration is password hash synchronization.

How Password Hash Synchronization works

The on-prem Active Directory instance stores each password in the form of a hash value representation of the actual user password.  The hash value is calculated from a one-way mathematical function or hashing algorithm. For security reasons, there is no way to reverse-engineer the hash back to the plain text version of a password.

To synchronize a password, Azure AD Connect extracts the password hash from the on-premises AD instance.  Additional security processing is also applied to the password hash before the hash is synchronized to the Azure Active Directory authentication service. Passwords are synchronized on a per-user basis and they are synchronized in chronological order.

Data flow of the password hash synchronization process is quite similar to the synchronization of user data. However, because passwords change often, they are synchronized more frequently than the standard directory synchronization window for other AD attributes. Password hash synchronization runs every 2 minutes and the frequency of this cycle cannot be modified.  As you would expect, when a password is synchronized, it overwrites the existing cloud password.

When the password hash synchronization feature is enabled for the first time, it performs an initial synchronization of the passwords for all users that are in-scope.  It’s not possible to explicitly define a subset of user passwords to synchronize.

When an on-prem password is changed, the updated password is synchronized, typically within in a matter of minutes. The password hash synchronization process will automatically retry failed synchronization attempts. When an error does occur during a synchronization attempt, an error is logged in the event viewer.

The synchronization of a password has no impact on a user who is currently signed in. While the current cloud service session is not immediately affected by a synchronized password change that occurs, when the cloud service requires a signed-in user to authenticate again, the user will need to provide the new password.

Generally speaking, users must provide their corporate credentials a second time when authenticating to Azure AD, whether they’re signed in to their corporate network or not.  However, this requirement can be minimized if users select the “Keep me signed in” checkbox at sign-in. When this box is checked, a session cookie is set. This cookie bypasses authentication for 180 days. The Azure admin can enable/disable the “keep me signed in” behavior.  Additionally, password prompts can be reduced by turning on Seamless SSO, which, in turn, automatically signs users in when they are on corporate devices and connected to the corporate network.

Pass-through authentication (PTA)

Similar to Password Hash Synchronization, Azure AD Pass-through Authentication allows users to sign in to on-prem apps as well as cloud-based apps, using the same password.  However, pass-through authentication validates user passwords directly against the on-premises Active Directory. It doesn’t use a synced password hash. Using pass-through authentication offers organizations the ability to enforce on-prem Active Directory security policies and password policies since it leverages the on-prem credentials.  

Combining Pass-through Authentication with Seamless Single Sign-On allows an organization’s users to access applications on corporate machines inside the network, without needing to type in their passwords again.

Azure AD Pass-through Authentication offers a better end-user experience because it provides users the ability to complete self-service password management tasks.  It’s relatively easy to deploy and administer pass-through authentication because all it requires is a lightweight agent to be installed on-prem. Because the agent automatically receives updates, there isn’t any management to be concerned with.

Pass-through authentication provides better security than password hash synchronization because, with pass-through authentication, on-prem passwords are never stored in the cloud.  Additionally, pass-through authentication offers more account protection because it works with Azure AD Conditional Access policies, including multi-factor authentication. Another key benefit of pass-through authentication is the fact that the agent only makes outbound connections from the network. Because there are no inbound connections required, all requirements for a DMZ as part of the solution are removed.

Communications between the on-prem agent and Azure Active Directory is secured with certificate-based authentication, which adds yet another layer of security.  Azure AD automatically renews the certificates that are used every few months; thus, removing any requirement to manually maintain them.

In addition to offering high security, Azure AD Pass-through Authentication offers high availability, which is attained by installing additional agents on multiple on-prem servers.

How Pass-Through Authentication Works

Assuming a user is not already signed in when they launch an application (e.g. Outlook Web App), the user is redirected to the Azure AD User Sign-in page.

At the Azure AD sign-in page, the user provides their username and then clicks the Next button. After providing their password, the user clicks the sign-in button.

When it receives the sign-in request, Azure AD places the username and password, which has been encrypted with the public key of the Authentication Agents, in a queue.  One of the on-premises Authentication Agents retrieves the username and encrypted password from the queue and then decrypts the password by using its private key.

After decrypting the password, the agent validates the username and password against Active Directory, using standard Windows APIs (similar to what ADFS does). The on-premises Active Directory domain controller evaluates the request and then it returns the appropriate response to the agent. Such a response would be success, failure, password expired, or user locked out.  The Authentication Agent then returns this response back to Azure AD.

Next, Azure AD evaluates the response and responds to the user as appropriate. If the user sign-in is successful, the user can access the application.


The third authentication method, Federation, is a bit different from the other two methods.  Federation consists of a collection of domains with an established trust. The trust typically includes authentication and almost always includes authorization.  A typical federation configuration would include several organizations that have established trust for shared access to a set of resources.

How Federation Works

Federating an on-prem AD environment with Azure Active Directory allows an organization to use the federation for authentication and authorization.  By using federation, the organization can ensure all user authentication is performed on-prem. As such, federation offers administrators the ability to maintain more rigorous levels of access control.  Federation is available with both ADFS and PingFederate.

To protect itself against a failure of the ADFS infrastructure when using federation, an organization can leverage password hash synchronization as a backup.  By doing so, authentication can continue, despite a failure of the ADFS infrastructure.


As you can see, there are several options available to an organization looking for a hybrid identity solution from Microsoft Azure.  To determine which solution (or solutions) to consider, it is critical to understand the problem you are trying to solve. While all three hybrid identity authentication methods offer single sign-on capabilities, other considerations must be taken into account as well.

An organization looking for a simple implementation with fewer moving parts might consider the password hash sync method.  However, a really security-conscious organization that wants to retain all authentication on-premises might want to consider federation or maybe pass-through authentication.

At the end of the day, choosing a hybrid identity authentication method starts with understanding the needs of the business.  With three identity authentication methods available, a solution likely isn’t far away.

If you’re interested to learn how to create and manage hybrid identities via Azure AD Connect, I recommend the Cloud Academy’s Designing for Azure Identity Management course. Watch this short video for an overview of the course.

Written by

Thomas Mitchell

Tom is not only a Cloud Platform & Infrastructure MCSE but also an IT industry veteran with 20+ years of experience in multiple technologies. An Active Directory specialist, Tom has never met an AD problem that he couldn't solve. He also speaks Microsoft Exchange fluently.

Related Posts

Giacomo Marinangeli
— March 29, 2019

NEW: Custom Hands-On Labs for Azure and Google Cloud Platform

Harvard Business Review recently estimated that some 90% of corporate training never gets applied on the job. Given the $200B training industry, that is a staggering amount of waste. One reason for the disconnect? Lack of context.Cloud Academy’s platform was built to make it extraor...

Read more
  • Azure
  • Content Engine
  • Google Cloud Platform
  • hands-on labs
Guy Hummel
— March 28, 2019

How to Become a Microsoft Certified Azure Solutions Architect

Microsoft Azure is the fastest growing cloud provider. Azure’s revenue grew an incredible 76% in the last quarter of 2018. As more and more businesses move their IT infrastructure to Microsoft’s cloud platform, the demand for Azure professionals keeps rising. Since there are relatively ...

Read more
  • Azure
  • microsoft azure
Nitheesh Poojary
— March 20, 2019

What is Heroku? Getting Started with PaaS Development

So just what is Heroku? It's a service for developers eager to get their applications online without having to worry about infrastructure details.Metered, pay-as-you-go Cloud Computing services come in all kinds of flavors. Infrastructure as a Service (IaaS) offerings like AWS allow e...

Read more
  • Azure
  • Development & deploy
Nitheesh Poojary
— March 12, 2019

Understanding Object Storage and Block Storage Use Cases

Cloud Computing, like any computing, is a combination of CPU, memory, networking, and storage. Infrastructure as a Service (IaaS) platforms allow you to store your data in either Block Storage or Object Storage formats.Understanding the differences between these two formats - and how ...

Read more
  • Azure
  • Storage
Guy Hummel
— November 21, 2018

Google Cloud Certification: Preparation and Prerequisites

Google Cloud Platform (GCP) has evolved from being a niche player to a serious competitor to Amazon Web Services and Microsoft Azure. In 2018, research firm Gartner placed Google in the Leaders quadrant in its Magic Quadrant for Cloud Infrastructure as a Service for the first time. In t...

Read more
  • AWS
  • Azure
  • Google Cloud
Thomas Mitchell
— October 30, 2018

Azure Stack Use Cases and Applications

This is the second of a two-part series covering Azure Stack. Our first post provided an introduction to Azure Stack. Why would your organization consider using Azure Stack? What are the key differences between Azure Stack and Microsoft Azure? In this post, we'll begin to answer bot...

Read more
  • Azure
  • Hybrid Cloud
  • Virtualization
Guy Hummel
— October 3, 2018

Highlights from Microsoft Ignite 2018

Microsoft Ignite 2018 was a big success. Over 26,000 people attended Microsoft’s flagship conference for IT professionals in sunny Orlando, Florida. As usual, Microsoft made a huge number of announcements, ranging from minor to major in importance. To save you the trouble of sifting thr...

Read more
  • Azure
  • Ignite
Guy Hummel
— September 20, 2018

Planning for Microsoft Ignite 2018 Sessions: What Not to Miss

Cloud Academy is proud to be a sponsor of the Microsoft Ignite Conference to be held September 24 - 28 in Orlando, Florida. This is Microsoft’s biggest event of the year and is a great way to stay up to date on how to get the most from Microsoft’s products. In this post, I’ll help you p...

Read more
  • Azure
Cloud Academy Team
— September 18, 2018

How to Optimize Cloud Costs with Spot Instances: New on Cloud Academy

One of the main promises of cloud computing is access to nearly endless capacity. However, it doesn’t come cheap. With the introduction of Spot Instances for Amazon Web Services’ Elastic Compute Cloud (AWS EC2) in 2009, spot instances have been a way for major cloud providers to sell sp...

Read more
  • AWS
  • Azure
  • Google Cloud
  • SpotInst
Guy Hummel and Jeremy Cook
— August 23, 2018

What are the Benefits of Machine Learning in the Cloud?

A Comparison of Machine Learning Services on AWS, Azure, and Google CloudArtificial intelligence and machine learning are steadily making their way into enterprise applications in areas such as customer support, fraud detection, and business intelligence. There is every reason to beli...

Read more
  • AWS
  • Azure
  • Google Cloud
  • Machine Learning
Dwayne Monroe
— July 5, 2018

How Does Azure Encrypt Data?

In on-premises environments, data security is typically a siloed activity, with a company's security team telling the internal technology groups (server administration, database, networking, and so on) what needs to be protected against intrusion.This approach is absolutely a bad idea...

Read more
  • Azure
Andrew Larkin
— June 26, 2018

Disadvantages of Cloud Computing

If you want to deliver digital services of any kind, you’ll need to compute resources including CPU, memory, storage, and network connectivity. Which resources you choose for your delivery, cloud-based or local, is up to you. But you’ll definitely want to do your homework first. In this...

Read more
  • AWS
  • Azure
  • Cloud Computing
  • Google Cloud