Planning for Azure AD Connect for User Identities

An important aspect of designing an Azure Virtual Desktop (AVD) environment is understanding user identities and profiles. To get the most out of this cloud-hosted service, your user identities need to be properly secured and integrated with the storage solution you use for user profiles, which in turn gives your users a much better experience.

AVD allows organizations to set up redundant, scalable, and agile environments that offer the following key capabilities:

  • Integration with both cloud and on-premises identity and access management solutions
  • Configuring Azure native and 3rd party storage solutions to facilitate user profiles
  • Complete licensing solution that covers both Azure Virtual Desktop and Microsoft 365 SaaS services

From an identity perspective, you can synchronize your on-premises Active Directory identities to Azure AD. This allows you to hybrid Azure AD join your Azure Virtual Desktop session hosts and continue to manage user profiles with Group Policy.

This course will help you design and plan your Azure Virtual Desktop identity and user profiles and understand how they integrate with other Azure services. It covers choosing the appropriate licensing model, the different storage solutions available, planning for user profiles, and planning for Azure AD Connect for identities.

Learning Objectives

  • Select an appropriate licensing model for Azure Virtual Desktop based on requirements
  • Recommend an appropriate storage solution (including Azure NetApp Files vs. Azure Files)
  • Plan for Azure Virtual Desktop client deployment
  • Plan for user profiles
  • Recommend a solution for network connectivity
  • Plan for Azure AD Connect for user identities

Intended Audience

This course is intended for anyone who wants to become an Azure Virtual Desktop Specialist and is preparing to take the AZ-140 exam.


If you wish to get the most out of this course, a good understanding of Azure administration is recommended, though not essential.


Welcome to this module on planning for Azure AD Connect for User Identities. We will cover the following topics in this module: I will explain what Azure AD Connect is. We will then discuss some of the synchronization and sign-in features available with Azure AD Connect. Finally, we will have a look at some of the use cases that fit each of these features.

Let's start by looking at what Azure AD Connect is. Azure AD Connect (now branded Microsoft Entra Connect) is an application that is installed on a domain-joined Windows Server within your on-premises environment. It creates a hybrid identity and access management solution between Active Directory Domain Services and Azure AD by synchronizing users, groups and, optionally, password hashes, and by providing one of several sign-in methods. It comes with a monitoring feature called Azure AD Connect Health, which monitors the sync service and your on-premises identity infrastructure (AD DS and AD FS) and alerts you to failures and misconfigurations.

Azure AD Connect itself is free, but to get the best out of it, including the Azure AD Connect Health capability, you need at least an Azure AD Premium P1 license. Let's look a bit deeper now at the main Azure AD Connect features, specifically the synchronization and sign-in options. The first is called password hash synchronization (PHS). This feature lets a user have the same password for Microsoft 365 and on-premises. The agent never sends the password, or even the NT hash that Active Directory stores; it synchronizes a hash of that hash, derived with a random per-user salt and 1000 iterations of PBKDF2-HMAC-SHA256, from on-premises AD to Azure AD. The value stored in the cloud therefore cannot be replayed against on-premises AD, and because authentication happens in Azure AD, users can still sign in if the on-premises environment is unavailable.

The second option is called pass-through authentication, or PTA. Users again sign in with their on-premises password, but no password hash is stored in the cloud: a lightweight PTA agent, installed on the Azure AD Connect server and on additional servers for high availability, validates the password directly against on-premises AD at sign-in time. This means on-premises account state and password policies (expiry, lockout, logon hours, disabled accounts) are enforced the moment they change, with little extra infrastructure. The final option is Active Directory Federation Services, or AD FS. Federation covers the PTA use cases and adds much deeper integration with third-party MFA providers, claims rules and certificate or smart-card sign-in, but it requires considerably more on-premises infrastructure than PHS or PTA, typically an AD FS server farm plus Web Application Proxy servers published to the internet. Strictly speaking, PTA and AD FS are sign-in methods rather than synchronization features: in all three cases Azure AD Connect still synchronizes the directory objects themselves.

In the final part of this module, we are going to look at the use cases that fit each of the options we have discussed. If you have a lot of existing on-premises infrastructure, including claims-aware applications, a third-party MFA provider or smart-card sign-in that must work with your Microsoft 365 accounts, then AD FS is the sensible choice for your organization. If your users must have the same credentials on-premises and in the cloud but policy forbids storing password hashes in the cloud, or you need on-premises password and account policies enforced at the moment of sign-in, then pass-through authentication is the most sensible choice. Otherwise, password hash synchronization is the simplest and most resilient option: it needs no extra servers, keeps users productive even if the on-premises directory or agents are unavailable, and enables Azure AD's leaked-credential detection. Whichever sign-in method you pick, Microsoft recommends enabling password hash synchronization alongside it as a fallback.

About the Author

Shabaz Darr is a Senior Infrastructure Specialist at Netcompany based in the UK. He has over 15 years' experience working in the IT industry, 7 of which he has spent working with Microsoft Cloud technologies, with a focus on MEM and IaaS. Shabaz is a Microsoft MVP in Enterprise Mobility with certifications in Azure Administration and Azure Virtual Desktop. During his time working with Microsoft Cloud, Shabaz has helped multiple public and private sector clients in the UK with designing and implementing secure Azure Virtual Desktop environments.