Wednesday, 12 Jun 2024

Choose the Right Authentication Method for Your Microsoft Entra Hybrid Identity Solution

Choosing the correct authentication method is of utmost importance for organizations looking to transition their apps to the cloud. This decision should not be taken lightly, as it has several implications:

  • It is the first decision for organizations moving to the cloud.
  • The authentication method is a critical component of an organization’s cloud presence, as it controls access to all cloud data and resources.
  • It serves as the foundation for advanced security and user experience features in Microsoft Entra ID.

Identity is now the control plane of IT security, and authentication serves as an organization’s access guard to the cloud. Organizations require an identity control plane that strengthens security and safeguards cloud apps from intruders.

Out of Scope

This article does not cover organizations without an existing on-premises directory footprint. Such businesses create identities solely in the cloud and do not need a hybrid identity solution: cloud-only identities exist only in the cloud and have no link to on-premises identities.

Authentication Methods

Authentication serves as the foundation of cloud access when using the Microsoft Entra hybrid identity solution. Choosing the correct authentication method is a crucial first decision in setting up this solution. The authentication method is configured using Microsoft Entra Connect, which also provisions users in the cloud.


To choose an authentication method, organizations need to consider factors such as time, existing infrastructure, complexity, and cost. These factors vary for each organization and may change over time.

Microsoft Entra ID supports the following authentication methods for hybrid identity solutions.

Cloud Authentication

When choosing cloud authentication, Microsoft Entra ID handles the user’s sign-in process. With single sign-on (SSO), users can sign in to cloud apps without having to re-enter their credentials. There are two options for cloud authentication:

  • Microsoft Entra password hash synchronization: This is the simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. Users can use the same username and password that they use on-premises without the need for any additional infrastructure. Some premium features of Microsoft Entra ID, such as Identity Protection and Microsoft Entra Domain Services, require password hash synchronization, regardless of the chosen authentication method.

  • Microsoft Entra pass-through authentication: This method provides simple password validation for Microsoft Entra authentication services using a software agent running on one or more on-premises servers. These servers directly validate users with the on-premises Active Directory, ensuring that password validation occurs on-premises.

Companies with security requirements that demand immediate enforcement of on-premises user account states, password policies, and sign-in hours may opt for this authentication method. For more details on the pass-through authentication process, please refer to User sign-in with Microsoft Entra pass-through authentication.

Federated Authentication

When opting for federated authentication, Microsoft Entra ID hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password. This authentication system can provide other advanced authentication requirements, including third-party multifactor authentication.


A decision tree is available to help organizations determine whether cloud or federated authentication is the right fit for their Microsoft Entra hybrid identity solution.

Frequently Asked Questions

How do I choose the right authentication method for my organization?

To choose the right authentication method, consider factors such as time, existing infrastructure, complexity, and cost of implementation. These factors vary for each organization and may change over time.

What is the difference between cloud authentication and federated authentication?

Cloud authentication handles the user’s sign-in process within Microsoft Entra ID, while federated authentication hands off the authentication process to a trusted external system, such as Active Directory Federation Services, for validation.

Can I customize the sign-in pages for cloud authentication?

Yes, it is possible to customize the logo, image, and description on the sign-in pages with Microsoft Entra ID P1 or P2.

What are the business continuity options for pass-through authentication?

To ensure high availability of authentication requests, it is recommended to deploy two extra pass-through authentication agents in addition to the first agent on the Microsoft Entra Connect server. Password hash synchronization can serve as a backup authentication method when the primary method is unavailable.

Can I use password hash synchronization as a backup authentication method for federated authentication?

Yes, password hash synchronization can be used as a backup authentication method for federated authentication when the on-premises servers are unavailable. Failover to password hash synchronization must be done manually using Microsoft Entra Connect.
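A defender-side posture check for the two business-continuity answers above, added here as an example that is not from the original article or from Microsoft: it reports each verified domain's sign-in method (Managed vs Federated) and whether password hashes have recently reached the cloud, which is what a PHS-as-backup plan depends on. It assumes the Microsoft.Graph PowerShell SDK and read-only Domain.Read.All and Organization.Read.All scopes; the 24-hour freshness threshold and the minimum of three PTA agents quoted in the note are assumptions taken from the text above, not values returned by the API.

```powershell
# Added example (not part of the original article): read-only check of the tenant's
# hybrid authentication posture using the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Domain.Read.All', 'Organization.Read.All' -NoWelcome

# Per-domain sign-in method: 'Managed' = cloud authentication (PHS and/or PTA),
# 'Federated' = sign-in handed off to AD FS or another federation provider.
$domains = Get-MgDomain |
    Where-Object { $_.IsVerified } |
    Select-Object Id, AuthenticationType

# Organization-level sync timestamps show whether Entra Connect is syncing at all
# and when password hashes last arrived in the cloud.
$org = Get-MgOrganization | Select-Object -First 1
$syncEnabled = [bool]$org.OnPremisesSyncEnabled
$lastPwSync  = $org.OnPremisesLastPasswordSyncDateTime
$pwSyncAgeH  = if ($null -ne $lastPwSync) { ((Get-Date) - $lastPwSync).TotalHours } else { $null }

# Assumption: PHS counts as a usable fallback only if a hash sync completed within 24 hours.
$phsHealthy = $syncEnabled -and ($null -ne $pwSyncAgeH) -and ($pwSyncAgeH -lt 24)

$report = foreach ($d in $domains) {
    $note = 'OK'
    if ($d.AuthenticationType -eq 'Federated' -and -not $phsHealthy) {
        # Failover from federation to PHS is manual (see FAQ); without recent hash sync it is not ready.
        $note = 'Federated with no recent PHS: manual failover would not have fresh hashes'
    }
    elseif ($d.AuthenticationType -eq 'Managed' -and -not $phsHealthy) {
        # Managed without PHS implies PTA only; the article recommends three PTA agents.
        $note = 'Managed without PHS: likely PTA only; confirm at least 3 PTA agents'
    }
    [pscustomobject]@{
        Domain             = $d.Id
        AuthenticationType = $d.AuthenticationType
        LastPasswordSyncH  = if ($null -ne $pwSyncAgeH) { [math]::Round($pwSyncAgeH, 1) } else { 'never' }
        PhsBackupReady     = $phsHealthy
        Note               = $note
    }
}

$report | Format-Table -AutoSize
```

Run it from an account that holds only the read scopes listed; it changes nothing in the tenant and can be scheduled as a recurring control that alerts when PhsBackupReady flips to false.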



This article provides an overview of various authentication options available for organizations to configure and deploy for accessing cloud apps. It is essential to consider factors such as implementation effort, user experience, required advanced scenarios, and business continuity features when choosing the appropriate authentication method.

Selecting the correct authentication method reduces security risk and protects identities; the next steps below describe how to proceed with Microsoft Entra ID.

Next Steps

In today’s environment, threats are constant and can come from anywhere at any time. Implementing the correct authentication method will help mitigate security risks and protect identities. Take the next step by deploying the right authentication solution for your organization with Microsoft Entra ID.

If you are considering migrating from federated to cloud authentication, learn more about changing the sign-in method. Additionally, project deployment plans and the Staged Rollout feature can help plan and implement the migration in a phased approach.

Remember, your identity system ensures your users’ access to apps in the cloud. Make the right choice and safeguard your organization’s security.
