ADFS vs Azure AD – How Authentication has Evolved. For a long time the information technology world believed that the cloud was unsafe and would be the gateway for massive data breaches that would ruin the credibility of the IT universe. Using cloud services for data has been a hot topic of debate for years.
But that is the past!
Enhanced security measures and broader adoption have made IT professionals less anxious about cloud security and its trustworthiness. An increasing number of organizations are looking for ways to free themselves from reliance on on-premises infrastructure, with its legacy difficulties, and to take advantage of the cloud without much disruption.
What is Azure Active Directory
Azure Active Directory from Microsoft is a cloud based identity and access management solution. It can also front legacy applications that are incapable of modern authentication methods, so they remain usable from the cloud. Active Directory (AD), by contrast, is the on-premises directory service built into Windows Server that manages the users, computers and other objects of a complex, interconnected network in a unified way. Azure AD is not simply AD hosted in the cloud: it speaks web protocols such as SAML, OAuth 2.0 and OpenID Connect rather than Kerberos and LDAP.
Developers designed Azure AD with streamlining in mind. It integrates comprehensive identity management capabilities such as device registration, self-service password management, auditing and multi-factor authentication.
Benefits Of Azure AD
There are multiple benefits that an organization derives from Azure AD. The most prominent are ease of use and cost effectiveness. It helps companies streamline processes while improving security and productivity. The other features of Azure AD include:
- It is pre-integrated with other Microsoft cloud services and with many third-party SaaS applications.
- Multi-tenanted and geo-distributed: Azure Active Directory runs from 60 plus data centers around the world and is available globally.
- Requires only one set of sign-in credentials for users logging in remotely or on site, which improves IT efficiency.
- Provides single sign-on (SSO) to integrated applications.
- Implements multi-factor authentication and conditional access, enhancing management control and security.
- Centralizes the organization’s identity management.
- Highly scalable and available: the cost of maintaining identity infrastructure decreases and the need for an in-house disaster recovery solution shrinks.
- Integrates with an existing Windows Server Active Directory through Azure AD Connect.
An added benefit of Azure Active Directory is that it works with more than just Microsoft software; it supports other operating systems and virtualization tools as well, allowing businesses to adopt the services and solutions that meet their needs and requirements.
What is Active Directory Federation Services (ADFS)
The next tool in our comparison of ADFS vs Azure AD – How Authentication has Evolved is Active Directory Federation Services. It is a server role in the Windows Server operating system that lets you make identity information available outside a company’s network. It authenticates users against Active Directory with their usernames and passwords and issues signed security tokens (claims) to applications that trust it, so users can access those applications without being prompted for their credentials repeatedly.
The applications can be in the cloud, on premises, or even hosted by other companies. It doesn’t matter who owns the applications or where they live; the administrator maintains the user accounts in a single place, Active Directory.
Components Of ADFS server
There are four major components of ADFS:
- Active Directory: where all the identity information used by ADFS is stored.
- Federation Server: the server that runs the Federation Service. It authenticates users, evaluates claim rules and issues the security tokens that external users and applications request.
- Federation Server Proxy: hosts the Federation Service Proxy role service of ADFS (in current versions, the Web Application Proxy). The federation server depends heavily on AD and is not exposed directly to the internet, so the proxy sits in the perimeter network and forwards requests from the outside world to the federation server.
- ADFS Web Agent: a component on the web server that validates the security tokens and authentication cookies presented to it in order to authenticate external users.
ADFS use cases
You may have come across the word “trust” between companies or partners before, in the context of Federated Identity Management (FIM). ADFS is built on this core concept, and FIM is integrated with Windows through Active Directory. Since AD stores the information of all users (user IDs and password hashes), it acts as the base identity store.
ADFS takes this identity information in Active Directory and makes it available outside your network, so other organizations and applications can rely on it without ever receiving the user’s password. ADFS as an identity access solution supports:
- Identity Federation (Identity Management): Identity management is the process of managing information about the identities of users and controlling their access to resources. The primary purpose of identity federation is to have a centralized or linked identity that increases productivity and security while remaining cost effective.
- For applications still running on premises, access rights can be granted to Active Directory objects (users and groups); ADFS recognizes users who have logged in to Active Directory regardless of which server hosts the application they connect to.
- Single Sign-On (SSO): users on your network, both internal and external, can access internet-facing applications or services with a single sign-on, even when the user accounts and the applications live in completely different networks or organizations.
- Access control: ADFS applies issuance authorization rules (access control policies) to decide which authenticated users may obtain a token for a given application.
Because of the rising number of applications and services, a centralized login system has become a necessity. It is not only convenient for users but equally simple to manage.
ADFS vs Azure AD
For cloud based directory and identity management services that rely on a single sign-on experience, the user experience is of utmost importance. The ADFS experience is not user friendly; authentication that happens on site is expensive and has a complex setup process. It also makes access to tools like Office 365 dependent on on-premises servers (the federation servers and proxies), which defeats part of the purpose of moving to the cloud.
The first cloud authentication option was Password Hash Synchronization (PHS), which remains the preferred authentication method. Azure AD Connect does not send the user’s password, or even the raw Active Directory password hash, to the cloud: it derives a salted, iterated hash from the AD hash and syncs only that, so users keep a single password for on-premises and cloud resources. Password hash synchronization reduces helpdesk costs, improves user productivity and also allows seamless SSO.
Some companies still prefer ADFS, but they miss out on the scalability and availability of Azure AD. Azure Active Directory guarantees 99.9% uptime, removes capacity constraints and brings the best of both worlds to your doorstep.
From ADFS To Azure AD Connect And Cloud Authentication - Evolution
In the next part of this article about ADFS vs Azure AD – How Authentication has Evolved: the first cloud authentication option was Azure AD Connect’s Password Hash Synchronization feature, which allowed users to authenticate directly in the cloud, with no on-premises component in the sign-in path.
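To make concrete what password hash sync actually transmits, here is an added Python example (not code from the article or from Azure AD Connect) that reproduces the derivation Microsoft documents for PHS: the 16-byte NT hash from AD is expanded to 64 bytes, combined with a 10-byte per-user salt, and run through PBKDF2-HMAC-SHA256 for 1000 iterations before only the result, salt and iteration count are sent to Azure AD. It also shows the check the cloud side performs at sign-in and why the synced value contains no pass-the-hash material. The upper-case hex encoding, the use of the salt as PBKDF2’s salt parameter and the “salt,iterations,hash” record layout are assumptions made for illustration; the sample NT hash (the well-known hash of the password “password”) and the fixed salt are constructed inputs.

```python
"""Added example (not Azure AD Connect's code): the Password Hash
Synchronization (PHS) derivation as Microsoft documents it.

Steps: the 16-byte NT hash stored in AD (MD4 of the UTF-16LE password)
is expanded to 64 bytes, a 10-byte per-user salt is added, and the result
is run through PBKDF2-HMAC-SHA256 for 1000 iterations. Only the 32-byte
result, the salt and the iteration count are sent to Azure AD.

Assumptions for illustration: the hex string is upper-case, the salt is
the PBKDF2 salt parameter, and the transmitted record is laid out as
"salt,iterations,hash". Sample values are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PHS_ITERATIONS = 1000   # documented iteration count
PHS_SALT_LEN = 10       # documented per-user salt length in bytes

# Constructed sample input: the well-known NT hash of the password "password".
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
# Constructed fixed salt so the output is reproducible; real salts are random.
SAMPLE_SALT = bytes.fromhex("00112233445566778899")


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """16-byte NT hash -> 32-char hex string -> UTF-16LE bytes (64 bytes)."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be exactly 16 bytes")
    return nt_hash.hex().upper().encode("utf-16-le")  # upper-case hex: assumption


def derive_phs_hash(nt_hash: bytes, salt: bytes, iterations: int = PHS_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the expanded hash with the per-user salt."""
    if len(salt) != PHS_SALT_LEN:
        raise ValueError("per-user salt must be 10 bytes")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt, iterations, dklen=32)


def build_sync_record(nt_hash: bytes, salt: Optional[bytes] = None) -> str:
    """Record sent from Azure AD Connect to Azure AD (layout is an assumption).
    A fresh random salt is generated when none is supplied."""
    if salt is None:
        salt = os.urandom(PHS_SALT_LEN)
    digest = derive_phs_hash(nt_hash, salt)
    return f"{salt.hex()},{PHS_ITERATIONS},{digest.hex()}"


def parse_sync_record(record: str) -> Tuple[bytes, int, bytes]:
    """Split a sync record back into (salt, iterations, stored hash)."""
    salt_hex, iterations, digest_hex = record.split(",")
    return bytes.fromhex(salt_hex), int(iterations), bytes.fromhex(digest_hex)


def cloud_verify(record: str, candidate_nt_hash: bytes) -> bool:
    """What the cloud side does at sign-in: Azure AD computes the NT hash of the
    password the user typed (supplied here directly), repeats the derivation
    with the stored salt and iteration count, and compares in constant time."""
    salt, iterations, stored = parse_sync_record(record)
    return hmac.compare_digest(derive_phs_hash(candidate_nt_hash, salt, iterations), stored)


def leaks_nt_hash(record: str, nt_hash: bytes) -> bool:
    """True if the raw NT hash (pass-the-hash material) appears in the record."""
    return nt_hash.hex() in record.lower()


if __name__ == "__main__":
    rec = build_sync_record(SAMPLE_NT_HASH, SAMPLE_SALT)
    print("synced record   :", rec)
    print("correct password:", cloud_verify(rec, SAMPLE_NT_HASH))
    # NT hash of the empty password, used here as a constructed wrong guess
    print("wrong password  :", cloud_verify(rec, bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")))
    print("NT hash exposed :", leaks_nt_hash(rec, SAMPLE_NT_HASH))
```

The practical consequence is the one the article hints at: a copy of the synced data is not a copy of the domain’s NT hashes. An attacker holding the record must still guess the password and pay 1000 PBKDF2 iterations per guess, and a recovered NT hash is what would be needed for pass-the-hash against on-premises systems, which this record never contains.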
A second method followed: Pass-Through Authentication (PTA). This integrates the web sign-in to Office 365 with an authentication request that is sent to the on-premises AD domain controllers. In other words, the user completes the sign-in form in Azure AD; the password is then passed, encrypted, to an authentication agent on the Azure AD Connect server, which validates it against Active Directory and returns the result.
This development also brought a new, improved method for single sign-on. Seamless SSO lets Azure AD accept a Kerberos ticket for authentication. On a domain-joined device the browser obtains the ticket from the on-premises AD, where the user has already authenticated, and passes it to Azure AD for validation.
PTA, however, still requires an on-premises component. The authentication agent is installed on the Azure AD Connect server by default, but you can also install it on additional servers to provide greater availability.
The requirement for the on-premises component is what makes it problematic. If internet connectivity between the agents and Azure AD is lost, there will be no access to Office 365 until authentication is switched to a cloud-only method or connectivity to an authentication agent is restored. For this reason PHS is commonly enabled alongside PTA as a fallback.
Cloud Native Authentication
Pros of Azure AD
Using Azure Active Directory as the main authentication process reduces the risk of a security breach compared with relying on ADFS.
- Azure AD is better equipped to provide security safeguards, such as conditional access, which ensures that the right user has the required access, and multi-factor authentication.
- Azure AD can also block legacy authentication, ban common passwords and protect your privileged identities.
- Azure AD offers self-service password reset, password protection and conditional access policies.
- Azure AD Seamless Single Sign-On (SSO), combined with Pass-Through Authentication (PTA) or Password Hash Synchronization (PHS), is one of its biggest advantages: both methods are user friendly, free to use and allow sign-in to both cloud based applications and on-premises resources with one identity.
- Best of all, with PHS, access to Microsoft 365 and its features is not dependent on an on-site component (PTA still needs its authentication agents).
It is important that you get expert advice on the best authentication method for your organization, as ADFS still has its use cases and may be the best option in some environments.
ADFS vs Azure AD – How Authentication has Evolved Conclusion
ADFS is a good choice when authentication is required to stay entirely on-premises.
In all other cases PTA or PHS is more beneficial, with PHS offering the better availability because it has no dependency on on-premises elements at sign-in time.
Migrating from ADFS to Azure AD is an important step if your business wants to become fully cloud based, but it is important to be prepared for some challenges along the way.