Replace ADFS with Pass-through Authentication

The majority of organizations using Azure AD sync their on-prem accounts using AAD Connect. For authentication, password hash sync has long been the recommended approach. It is secure, since only a hash of the password hash is synced to the cloud, and it gives you all the advantages of Azure AD, such as Identity Protection.

However, historically many organizations have chosen ADFS. The arguments were often: we don’t want passwords in the cloud, we want SSO, and we want to do smart things with conditional access and password policies.

The downside of ADFS is the complexity of the solution and the amount of infrastructure it requires. Despite being free from a licensing perspective, the operational cost of ADFS is relatively high.

With Conditional Access and Password Protection in Azure AD, some of the arguments for ADFS are no longer valid. And with the introduction of Pass-through Authentication, it is also no longer necessary to sync password hashes to the cloud: the user’s password is checked against your on-prem Active Directory, while the authentication and token service runs in the cloud. And it offers Seamless SSO.

Moving from ADFS to PTA is usually a big cost saver, so let’s see in today’s video how PTA is set up and used:
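As an added example (not part of the original post or its video), the cutover step itself: inventorying which verified domains still authenticate through ADFS and switching one of them to Managed so that Azure AD uses PTA. It assumes the MSOnline PowerShell module, a Global Administrator account, and a placeholder domain name.

```powershell
# Added example, not from the original post or video. Assumes the MSOnline
# module is installed and the account used is a Global Administrator.
Connect-MsolService

function Get-FederatedDomains {
    # Lists every verified domain whose authentication is still Federated (ADFS).
    Get-MsolDomain |
        Where-Object { $_.Status -eq 'Verified' -and $_.Authentication -eq 'Federated' } |
        Select-Object Name, Authentication, IsDefault
}

function Convert-DomainToManaged {
    param([Parameter(Mandatory)][string]$DomainName)

    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        Write-Warning "$DomainName is already '$($domain.Authentication)'; nothing to do."
        return
    }

    # Prerequisite to verify before running this: Pass-through Authentication is
    # enabled in AAD Connect and more than one PTA agent reports as active.
    # Once the domain is Managed, sign-ins for its users are validated by the
    # PTA agents against on-prem AD instead of being redirected to ADFS.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

    # Return the new authentication type so the caller can confirm the change.
    (Get-MsolDomain -DomainName $DomainName).Authentication
}

Get-FederatedDomains
# Convert-DomainToManaged -DomainName 'contoso.example'   # placeholder domain name
```

Run the inventory first and convert domains one at a time, checking a test user’s sign-in after each switch before decommissioning the ADFS farm.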