Automatic Management of Domains whitelist for External partners in Azure AD

External Identities Management in Azure AD

Azure AD with the B2B feature allows you to collaborate easily with external partners. By default, the tenant configuration permits collaboration with any external domain without restriction, but you can choose to apply collaboration restrictions.
There are 3 modes available for collaboration restrictions in Azure AD:

  • Allow invitations to be sent to any domain (most inclusive)
  • Deny invitations to the specified domains
  • Allow invitations only to the specified domains (most restrictive)

We can schematize them like this, from a security point of view:

In this article we will focus on the whitelist mode and on how to automate its management.

Whitelist impact on MS Ecosystem

Here is a non-exhaustive list of Microsoft products affected by the implementation of a domain whitelist in Azure AD.

Item | Comment | Relies on AAD whitelist
Azure AD Applications | Partner user account must be part of the allowed domains list. | YES
SharePoint | Preview: SharePoint and OneDrive integration with the Azure AD B2B one-time passcode feature is currently in preview. After preview, this feature will replace the ad-hoc external sharing experience used in OneDrive and SharePoint today for all tenants. https://docs.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration-preview | By default: NO. With B2B integration: YES
Teams | All the apps provided by MS Teams are impacted, in that users cannot be added to the apps if the Azure settings do not allow it. | YES
Skype for Business (Hybrid) | Skype relies only on its own federation settings. | NO
Azure DevOps | Partner user account must be part of the allowed domains list. | YES
Dynamics 365 | Partner user account must be part of the allowed domains list; the user needs to be added first in Azure AD in order to be able to access Dynamics. | YES
Power BI | Settings made in Azure AD replicate to the Power BI admin center. | YES
Power Apps | External users not supported yet. This feature is currently being worked on. | NO
Flow | Flow does not yet support sharing with guest users. | NO
Yammer | Yammer does not rely on Azure AD settings. | NO
Planner | Built on Office 365 groups, meaning that the user you want to add to Planner needs to already exist in Azure AD. | YES
Stream | Built on Office 365 groups, meaning that the user you want to add to Stream needs to already exist in Azure AD. | YES
Office 365 Groups | You can add external users to O365 Groups if the domain is allowed in the Azure AD settings. | YES
Azure B2B Direct federation | Federation with an external IdP based on a non-whitelisted domain is not affected, but of course inviting a user from a non-whitelisted domain is not possible. | Federation creation: NO. User invitation: YES

As of May 2020.

Portal Settings

In the Azure portal, we can manage this choice and directly add the domain FQDNs that we want to grant on the whitelist.

Proposed Solution

The idea is to provide a solution that automates this domain management and offers a single entry point where we can manage the whitelist, while taking into account the simplicity of implementation and the cost of the solution.

Proposed Architecture

The architecture relies on a text/CSV file stored in an Azure Storage account. This file can be modified by business stakeholders, and its content is replicated automatically, on a defined schedule, into the Azure AD settings.
In terms of assets, we just need:

  • 1 Storage Account
    • to store the text file
  • 1 Automation Account
    • with 1 PowerShell Runbook
      • to execute the targeted PowerShell code
    • with 1 schedule
      • to automate the process at a desired schedule
    • with 1 Webhook
      • if you want a simple and public trigger to launch all the process

In terms of accounts, we just need:

  • 1 AzureRunAsConnection given by the Automation Account
    • to authenticate against Azure for Storage Account steps
  • 1 dedicated user account in Azure AD with Global Administrator rights, to manage the External Collaboration Restrictions settings (at the time of writing this article, the Automation RunAs account cannot authenticate against Azure AD)
Automation Architecture diagram

Automation Runbook

Here is the PowerShell code I used. This is a first version: it does the job, but it can of course be improved and extended as you wish.
The code does the following:

  1. Connect on Azure AD with Automation Credentials ($AutomationCred)
  2. Connect on Azure with Automation AzureRunAsConnection
  3. Download the content of the Storage Account file
  4. Get the default B2B Azure AD Policy name
  5. Create a custom Azure AD Policy (after a check on presence)
  6. Disable the default B2B Azure AD Policy
  7. Build a custom JSON for the policy from Storage Account content
  8. Set the target Azure AD Policy with JSON settings and put it as active
##########################################################
################### Script - Variables ###################
##########################################################
# Update these variables according to your context

# Azure AD
$AutomationCred = "aadb2baccount"
# Azure Az module
$connectionName = "AzureRunAsConnection"
# Storage Account
$containerName = "aadb2bcon"
$blobName = "AADB2B-DomainsWhiteList.csv"
$storageAccConnectionString = "Update the Storage Account Connection String according to your context"
# Azure AD Policy
$TargetAzureADPolicyName = "Here the new Azure AD Policy Name"

###########################################################
################### Connect to Azure AD ###################
###########################################################

$credObject = Get-AutomationPSCredential -Name $AutomationCred
"[INFO] Logging in to Azure AD..."
try {
    # -ErrorAction Stop turns a failed sign-in into a terminating error so that the catch block runs
    Connect-AzureAD -Credential $credObject -ErrorAction Stop
    "[SUCCESS] Logged on to Azure AD"
}
catch {
    "[ERROR] Unable to log in to Azure AD: $($_.Exception.Message)"
    # Nothing below can work without this session, so stop the runbook here
    throw
}

###########################################################
################### Connect to Azure Az ###################
###########################################################

try {
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "[INFO] Logging in to Azure..."
    $connectionResult = Connect-AzAccount -Tenant $servicePrincipalConnection.TenantID `
                            -ApplicationId $servicePrincipalConnection.ApplicationID `
                            -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
                            -ServicePrincipal -ErrorAction Stop
    "[SUCCESS] Logged on to Azure with $connectionName"
}
catch {
    "[ERROR] Unable to log in to Azure: $($_.Exception.Message)"
    throw
}

############################################################
################### Storage Account Step ###################
############################################################

# Storage Account context
try {
    $storageAccContext = New-AzStorageContext -ConnectionString $storageAccConnectionString -ErrorAction Stop
    "[SUCCESS] Storage Account Context created"
}
catch {
    "[ERROR] Unable to create Storage Account Context: $($_.Exception.Message)"
    throw
}

# Set Temp folder
$TempPath = Join-Path $env:TEMP "AADB2B-DomainsWhiteList.csv"

# Download the csv file content from Storage Account and store it on Temp path
try {
    $blob = Get-AzStorageBlob -Container $containerName -Blob $blobName -Context $storageAccContext -ErrorAction Stop
    # -Force overwrites a file left by a previous run instead of prompting (a prompt would hang the runbook)
    Get-AzStorageBlobContent -CloudBlob $blob.ICloudBlob -Destination $TempPath -Context $storageAccContext -Force -ErrorAction Stop | Out-Null
    "[SUCCESS] Storage Account content downloaded on Temp Path"
}
catch {
    "[ERROR] Unable to download Storage Account content and store it on Temp Path: $($_.Exception.Message)"
    throw
}

############################################################
################### Azure AD Policy Step ###################
############################################################

# Clean Variables
$csv = ""
$DomainsList = ""
$FinalDomainsList = ""

# Azure AD B2B Policy Default Settings
$defaultjson = @"
{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":{"BlockedDomains":[]},"AutoRedeemPolicy":{"AdminConsentedForUsersIntoTenantIds":[],"NoAADConsentForUsersFromTenantsIds":[]}}}
"@

# Get the Default Azure AD Policy for B2B
try {
    $defaultpolicy = Get-AzureADPolicy | Where-Object {$_.Type -eq 'B2BManagementPolicy' -and $_.DisplayName -eq 'B2BManagementPolicy'}
    "[SUCCESS] Get the Default Azure AD Policy for B2B"
}
catch {
    "[ERROR] Unable to get the Default Azure AD Policy for B2B"
}

# Check Azure AD custom Policy Presence
$CustomAzureADPolicyPresence = (Get-AzureADPolicy | Where-Object {$_.DisplayName -eq $TargetAzureADPolicyName })

If ($CustomAzureADPolicyPresence -eq $null){
    "[INFO] Azure AD Custom Policy for B2B named: $TargetAzureADPolicyName is not already created"
    # Create a New Azure AD Custom Policy
    try {
            New-AzureADPolicy -DisplayName $TargetAzureADPolicyName -Definition $defaultjson -IsOrganizationDefault $false -Type B2BManagementPolicy
            "[SUCCESS] New Custom Azure AD Policy for B2B named: $TargetAzureADPolicyName is now created"
    }
    catch {
            "[ERROR] Unable to create the New Custom Azure AD Policy for B2B named: $TargetAzureADPolicyName"
    }
}
else {
    "[INFO] Azure AD Custom Policy for B2B named: $TargetAzureADPolicyName is already present on the configuration"
}

# Disable the default Policy
try {
    Set-AzureADPolicy -Definition $defaultjson -Id $defaultpolicy.Id -IsOrganizationDefault $false
    "[SUCCESS] The default Azure AD Policy for B2B is now disabled"
}
catch {
    "[ERROR] Unable to disable the default Azure AD Policy for B2B"
}

# Enable the new policy with the domains from the CSV file
## Import CSV content: one domain per line, trimmed, blank lines ignored
$csv = Get-Content -Path $TempPath | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
if (-not $csv) {
    # An empty file would otherwise be applied as an empty allow list
    throw "[ERROR] Domains WhiteList file is empty, refusing to apply an empty allow list"
}
"[INFO] Content of Domains WhiteList file is $csv "
## Quote each entry and join them with commas: "a.com","b.com"
$FinalDomainsList = ($csv | ForEach-Object { '"' + $_ + '"' }) -join ','
#For Debug "Final List: $FinalDomainsList"

## Build the JSON (every key must be quoted, otherwise the definition is not valid JSON)
$TargetJSONcontent = @"
{
    "B2BManagementPolicy": {
        "InvitationsAllowedAndBlockedDomainsPolicy": {
            "AllowedDomains": [
                $FinalDomainsList
            ],
            "BlockedDomains": []
        }
    }
}
"@
"[INFO] There is the final JSON $TargetJSONcontent"

# Get custom Target Azure AD Policy settings
try {
    $targetpolicy = Get-AzureADPolicy | Where-Object {$_.Type -eq 'B2BManagementPolicy' -and $_.DisplayName -eq $TargetAzureADPolicyName}
    "[SUCCESS] Able to get settings for Azure AD Policy $TargetAzureADPolicyName"
    # $(...) is required to expand a property inside a double-quoted string
    "[INFO] Custom Azure AD Policy ID is '$($targetpolicy.Id)'"
}
catch {
    "[ERROR] Unable to get settings for Azure AD Policy $TargetAzureADPolicyName"
}

# Set custom Target Azure AD Policy as Active with JSON settings on Domains WhiteList
try {
    Set-AzureADPolicy -Definition $TargetJSONcontent -Id $targetpolicy.Id -IsOrganizationDefault $true
    "[SUCCESS] The custom Target Azure AD Policy for B2B named $TargetAzureADPolicyName is now enabled with the Domains WhiteList from the CSV file"
}
catch {
    "[ERROR] Unable to set the custom Target Azure AD Policy for B2B named $TargetAzureADPolicyName as default and active B2B policy"
}
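As an added example (it is not part of the original runbook), here is a stricter way to build the policy definition from the whitelist file: every line is validated as a DNS name, duplicates and comments are dropped, and the JSON is produced by ConvertTo-Json instead of string concatenation, so a stray quote, a typo or an empty file cannot end up as a malformed or empty allow list in Azure AD. The function name and the sample lines are constructed for this illustration.

```powershell
# Added example, not from the original runbook. Builds the B2BManagementPolicy
# definition from the raw lines of the whitelist file, refusing invalid input.
function ConvertTo-B2BAllowedDomainsDefinition {
    [CmdletBinding()]
    param(
        # Raw lines read from the whitelist file (one domain per line)
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]]$Lines
    )

    # Accept only syntactically valid DNS names: labels of letters, digits and
    # hyphens, at least one dot, no scheme, path, port or wildcard.
    $domainPattern = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'

    $valid   = [System.Collections.Generic.List[string]]::new()
    $invalid = [System.Collections.Generic.List[string]]::new()

    foreach ($line in $Lines) {
        # Normalise whitespace and case, skip blank lines and '#' comments
        $candidate = $line.Trim().ToLowerInvariant()
        if ($candidate -eq '' -or $candidate.StartsWith('#')) { continue }
        if ($candidate -match $domainPattern) {
            if (-not $valid.Contains($candidate)) { $valid.Add($candidate) }
        }
        else {
            $invalid.Add($line)
        }
    }

    # Both situations below are policy changes a human should see, not something
    # to apply silently on a schedule.
    if ($invalid.Count -gt 0) {
        throw "Whitelist file contains invalid entries, aborting: $($invalid -join ', ')"
    }
    if ($valid.Count -eq 0) {
        throw "Whitelist file contains no valid domain, aborting to avoid an empty allow list"
    }

    # Let ConvertTo-Json quote and escape the values; [ordered] keeps the key
    # order stable and -Compress puts the definition on a single line.
    $policy = [ordered]@{
        B2BManagementPolicy = [ordered]@{
            InvitationsAllowedAndBlockedDomainsPolicy = [ordered]@{
                AllowedDomains = @($valid)
                BlockedDomains = @()
            }
        }
    }
    return ($policy | ConvertTo-Json -Depth 5 -Compress)
}

# In the runbook this replaces the "Build the JSON" step:
#   $TargetJSONcontent = ConvertTo-B2BAllowedDomainsDefinition -Lines (Get-Content -Path $TempPath)
#   Set-AzureADPolicy -Definition $TargetJSONcontent -Id $targetpolicy.Id -IsOrganizationDefault $true

# Constructed sample input for a local dry run (duplicate, blank, comment and mixed case)
$sampleLines = @('partner-one.com', 'Partner-Two.co.uk ', '', '# reviewed 2020-05', 'partner-one.com')
ConvertTo-B2BAllowedDomainsDefinition -Lines $sampleLines
```

Run locally against a copy of the file before scheduling it: the function throws on the first bad entry, which is the behaviour you want from something that rewrites a tenant-wide policy.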

Result

Storage Account content:

After the runbook execution, look at the result.

Enjoy 😉

AD FS update Password Page – Add a Captcha

On AD FS, a specific endpoint called /adfs/ls/updatepassword is present and disabled by default; this endpoint provides a page where your users can update their password.

You can choose to provide this page only to internal users, but if you enable this endpoint on the proxy, it becomes publicly accessible from the Internet.
Attackers can then attempt to brute force it.

One way to guard against this is to set up a captcha feature.

Create a new AD FS Web Theme

To be able to customize some scripts used by AD FS, we first need to create a new dedicated Web Theme.

Open PowerShell with administrator rights, and type the following commands:

New-AdfsWebTheme -Name custom -SourceName default

This command creates a new theme named custom, based on the default theme.

Export-AdfsWebTheme -Name default -DirectoryPath c:\ADFStheme

This command exports the elements of the default theme to the selected path.

Edit onload.js file

Go to the exported folder path (in our example C:\ADFStheme\) and open the script folder.
Edit the onload.js file and add the following code:

/***************************************/
// CAPTCHA DISPLAY
/***************************************/
if (window.location.href.indexOf("adfs/portal/updatepassword") != -1) {
    var updatePasswordFormElement = document.getElementById("updatePasswordForm");
    var introductionElement = document.getElementById("introduction");

    // Hide the real update-password form until the code has been entered
    if (updatePasswordFormElement) {
        updatePasswordFormElement.style.display = "none";
    }

    // Inject the captcha form after the introduction text
    if (introductionElement) {
        var iDiv = "<br /><br /><br /><div id='captchaForm' class='captchaForm'>" +
            "<form name='review' action='#' method='GET' onsubmit=\"return checkform(this);\">" +
            "<font color='#000000'>For security reasons please retype this code <br /><br />Enter code: </font>" +
            "<span id='txtCaptchaDiv' style='background-color:#0000ab;color:#FFF;padding:5px;margin:10px'></span>" +
            "<input type='hidden' id='txtCaptcha' />" +
            "<input type='text' name='txtInput' id='txtInput' size='6' />" +
            "<input type='submit' value='Submit' /></form></div>";
        introductionElement.innerHTML += iDiv;
    }

    // The submit (GET to '#') reloads the page; window.name survives the reload
    // and tells us the code was already entered: show the real form again
    if (window.name == "goodCaptcha") {
        var captchaFormElement = document.getElementById("captchaForm");
        if (captchaFormElement) {
            captchaFormElement.style.display = "none";
        }
        if (updatePasswordFormElement) {
            updatePasswordFormElement.style.display = "block";
        }
    }

    // Generate a 6-digit code (each digit 1-9) and display it
    var code = "";
    for (var i = 0; i < 6; i++) {
        code += Math.ceil(Math.random() * 9);
    }
    if (document.getElementById("txtCaptcha")) {
        document.getElementById("txtCaptcha").value = code;
        document.getElementById("txtCaptchaDiv").innerHTML = code;
    }
}


/***************************************/
// CAPTCHA FUNCTIONS
/***************************************/
function checkform(theform) {
    var why = "";
    if (theform.txtInput.value == "") {
        why += "Security code should not be empty.\n";
    } else if (ValidCaptcha(theform.txtInput.value) == false) {
        why += "Security code did not match.\n";
    }
    if (why != "") {
        alert(why);
        return false;
    }
    // Mark this window as verified; the reload triggered by the submit reads it
    window.name = "goodCaptcha";
    return true;
}

// Validate the entered input against the generated security code
function ValidCaptcha(input) {
    var expected = removeSpaces(document.getElementById('txtCaptcha').value);
    var entered = removeSpaces(input);
    return expected == entered;
}

// Remove the spaces from the entered and generated code
function removeSpaces(string) {
    return string.split(' ').join('');
}

This is just an example of what you can do with script integration; you can develop your own code or call a captcha API directly.
My example is based only on 6 numeric characters; we can of course do something much more complex. Keep in mind that this check runs entirely in the browser, with the expected code stored in a hidden field of the page, so it does not slow down automated requests sent directly to the endpoint; for real protection, use a captcha service that validates the answer server-side.

Apply our custom onload.js to our custom AD FS Web Theme

Open PowerShell with administrator rights, and type the following commands:

Set-AdfsWebTheme -TargetName custom -OnLoadScriptPath "c:\ADFStheme\script\onload.js"

This command applies our new onload.js to our custom theme named custom.

Set-AdfsWebConfig -ActiveThemeName custom

This command sets our new theme named custom as the active theme on AD FS.

Check the result

Open a browser session and go to the update password page of your federation service:
https://fs.labyann.int/adfs/portal/updatepassword

Users now need to enter the displayed Security code, before being allowed to change their password.

Azure Key Vault Presentation

Today, I’m going to introduce you to an Azure security solution that I use almost all the time now in my various Azure architecture security projects, Azure Key Vault.

What is Azure Key Vault solving?

HSM cost is no longer an issue in Azure

What can Azure Key Vault do?

Key Management Service

Create and control encryption keys that encrypt your data.

Secrets Management Service

Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

Certificate Management Service

Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.

Service with FIPS 140-2 validated HSMs

Use either software or FIPS 140-2 Level 2 validated HSMs to help protect secrets and keys.

Hardware Security Modules (HSMs) are FIPS Level 2 overall, with the following at Level 3:

  • Physical Security
  • Roles, Services, and Authentication
  • EMI/EMC
  • Design Assurance

Azure Key Vault Certification

Software vs Hardware

Both store keys at rest in HSM hardware.
Software: encrypt and decrypt operations are performed in software, on compute VMs.
Hardware: encrypt and decrypt operations are performed in the HSM hardware.

Recommended:

  • Use Software in dev/test
  • Hardware in production

Azure Key Vault offers

New Offer – Azure Dedicated HSM

What is it?

New service offering, for scenarios that require:

  • FIPS 140-2 Level 3 or CC EAL 4+ to meet compliance needs
  • Direct control of HSMs (Gemalto SafeNet Luna Network HSM 7)
  • Low latency

How does it work?

Microsoft hosts and powers the HSMs, and connects them to your VNET. You control everything else.

  • That includes firmware & patches, redundancy & availability, disaster recovery & backup, root keys, capacity plan

Azure Key Vault Security

How to secure your Key Vault?

  • Authentication – defense in depth
    • For users – Mandate MFA
    • For services – Use MSI (Managed Services Identity)
    • For both – Vnet Service endpoint
  • Authorization – defense in depth
    • Use security groups
    • App + user
  • Monitoring
    • Enable logging…and alerts, reports
  • Other practices
    • Separate security boundaries per app
    • Separate owners between app and key vault

Security: Alert on specific patterns

An interesting feature of Azure Key Vault is the ability to build alerts on specific patterns.
We can configure alerts via:

  • Built-in alerts blade
  • Azure Log Analytics

You can configure the alert to go to multiple destinations:

  • Email, SMS, Push, Voice, Function App, Logic App, Automation Runbook, WebHook
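As an added example, not taken from the presentation, the following PowerShell function runs the Log Analytics query behind one such pattern: repeated access denials against a vault from the same source IP, which is what a misconfigured application or a caller probing for secrets looks like in the audit log. It assumes that the vault's AuditEvent diagnostic logs are sent to a Log Analytics workspace, that the Az.OperationalInsights module is installed and an Az session is open, and that the placeholder workspace id is replaced; the AzureDiagnostics columns used (ResourceProvider, Category, OperationName, ResultSignature, CallerIPAddress, Resource) are the ones Key Vault audit logs populate, and the threshold values are illustrative.

```powershell
# Added example, not from the original presentation. Finds callers that are
# repeatedly denied access to a Key Vault, a pattern worth an alert.
function Get-KeyVaultAccessDenials {
    param(
        # Log Analytics workspace GUID receiving the Key Vault AuditEvent logs
        [Parameter(Mandatory)]
        [string]$WorkspaceId,
        # How far back to look, in hours
        [int]$LookbackHours = 24,
        # Denials per (vault, source IP) pair before the pair is reported
        [int]$Threshold = 5
    )

    # KQL: keep only Key Vault audit events whose result is an access denial,
    # then count them per vault and caller IP and keep the noisy pairs.
    $query = @"
AzureDiagnostics
| where TimeGenerated > ago(${LookbackHours}h)
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where ResultSignature in ("Forbidden", "Unauthorized")
| summarize Denials = count(), Operations = make_set(OperationName),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Resource, CallerIPAddress
| where Denials >= ${Threshold}
| order by Denials desc
"@

    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
    return $result.Results
}

# Usage, after Connect-AzAccount ('<workspace-id>' is a placeholder):
#   Get-KeyVaultAccessDenials -WorkspaceId '<workspace-id>' -LookbackHours 6 -Threshold 3
```

The same query body can be pasted into a Log Analytics alert rule so that the destinations listed above (email, Logic App, runbook, webhook) are triggered whenever a row is returned, which is the built-in way to turn this pattern into an alert rather than a report.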

Which version to choose?

Azure Key Vault Pricing

Azure Key Vault Best Practices

  • Use MSI to talk to Azure Key Vault (https://aka.ms/azuremsi)
  • “No Secrets” is better than “Managed Secrets”
  • Designated Key Vaults for different environments
    • Production, Staging, UAT, Test, Dev, etc.
    • Use automation in CI/CD pipeline to switch references to keys/secrets
  • Role Separation
    • Key Vault owner, Key/Secret Owner, App Owner, App Resource, Auditor, etc.
    • Subscription Administrator?
  • Carefully bootstrap access to Key Vault keys and secrets
  • Use Virtual Network Service Endpoints to further secure access and reduce threat surface for Key Vault

Demystifying Password Hash Sync

During my various engagements, I have often heard:
“We don’t want to use Password Hash Sync, because we don’t want to send our passwords to the cloud!”
And so we enter into a long conversation to explain in depth what exactly P#S is, and especially what P#S is not.

PHS – What it is not

  • PHS doesn’t sync actual passwords
  • It syncs the hashes of passwords
    • which have all undergone a per-user salt and 1,000 iterations of the HMAC-SHA256 keyed hashing algorithm before being sent to Azure Active Directory
  • The SHA256 hash cannot be reversed
    • so the plain-text password is never, and can never be, exposed to Microsoft
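To make the bullets above concrete, here is an added example (not from the original post) that reproduces the transformation Microsoft documents for Password Hash Sync: the 16-byte NT hash is expanded to 64 bytes by encoding its hexadecimal form as UTF-16LE, that value is run through PBKDF2 with HMAC-SHA256, a random 10-byte per-user salt and 1,000 iterations, and the 32-byte result travels to Azure AD together with the salt and the iteration count. The NT hash and the salts are constructed sample values, and the lowercase-hex encoding detail is an assumption of this example.

```powershell
# Added example, not from the original post: the PHS derivation applied to a
# constructed NT hash, to show what the cloud value does and does not contain.
function ConvertTo-PhsCloudHash {
    param(
        # 32 hex characters: the MD4 (NT) hash that Active Directory stores for the user
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{32}$')]
        [string]$NtHashHex,
        # 10-byte random per-user salt, generated by the sync agent
        [Parameter(Mandatory)]
        [ValidateCount(10, 10)]
        [byte[]]$Salt,
        [int]$Iterations = 1000
    )

    # Step 1: expand the 16-byte hash to 64 bytes: its hex string, encoded as UTF-16LE
    # (lowercase hex is an assumption of this example)
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($NtHashHex.ToLowerInvariant())

    # Step 2: PBKDF2-HMAC-SHA256 over the expanded hash with the per-user salt
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($expanded, $Salt, $Iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $derived = $kdf.GetBytes(32)
    $kdf.Dispose()

    # Step 3: the salt and the iteration count accompany the hash so that Azure AD
    # can repeat the same derivation when it verifies a sign-in
    [pscustomobject]@{
        Algorithm  = 'PBKDF2-HMAC-SHA256'
        Salt       = ($Salt    | ForEach-Object { $_.ToString('x2') }) -join ''
        Iterations = $Iterations
        Hash       = ($derived | ForEach-Object { $_.ToString('x2') }) -join ''
    }
}

# Constructed sample values (not a real account)
$sampleNtHash = '0123456789abcdef0123456789abcdef'
$saltUserA = [byte[]](1..10)
$saltUserB = [byte[]](11..20)

# The same NT hash gives a different cloud value for each user because of the
# salt, and neither value contains the NT hash, let alone the password
ConvertTo-PhsCloudHash -NtHashHex $sampleNtHash -Salt $saltUserA
ConvertTo-PhsCloudHash -NtHashHex $sampleNtHash -Salt $saltUserB
```

Running it twice with the same NT hash and two salts shows the point the bullets make: the synchronised value is a salted, iterated derivation of the hash, not the password and not even the hash that an on-premises domain controller uses.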

PHS – AAD Connect deep dive

With PHS

  • With PHS, your identity management provider moves from your current provider to Azure AD
  • You move from an on-premises identity management provider to a platform-as-a-service (PaaS) provider
  • In case of a Denial of Service (DoS) and/or password spray attack on the Microsoft side, Microsoft takes the brunt of that traffic
  • You utilize Microsoft’s telemetry, which gives organizations the power of Microsoft’s intelligence

PHS – Security Advantages

  • Smart Lockout
    • Assists in blocking bad actors who are attempting to brute force passwords.
    • By default, Smart Lockout locks the account from sign-in attempts for one minute after ten failed attempts.
    • Smart Lockout tracks the last three bad password hashes to avoid re-incrementing the lockout counter.
  • IP Lockout
    • Works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems.
    • With that analysis, IP Lockout finds IP addresses acting maliciously, such as an IP that is password spraying the tenant, and blocks those sign-ins in real-time, while allowing the real user to continue to successfully sign in.
  • Microsoft Leaked Credentials Service
    • Acquires username/password pairs by monitoring public web sites and the dark web, and by working with:
      • Researchers
      • Law enforcement
      • Microsoft Security teams
      • Other trusted sources
    • When the service acquires username/password pairs, the passwords are sent through the same hashing algorithm and are checked against Azure AD users’ password hashes.

Choose Hybrid Identity solution with Azure AD

Once the decision to move to Azure is made, an important question is how to manage identity between on-premises and the cloud, that is, Azure Active Directory.

Different identity models are available to deal with this.
Let’s take a little time to present these models.

Identity Models

Cloud Identity

  • Cloud Identity mode means that only the Azure AD directory is available; there are no Active Directory Domain Services present.
  • All accounts are stored and created on Azure AD
  • Manual account creation
    • Azure Portal (Azure, Intune, Office 365, etc…)
    • PowerShell
    • API
  • CSV file import, for multiple account creation

Synchronized Identity

  • Directory & password synchronization mode means that a synchronization process is in place to:
    • Copy accounts created on-premises to Azure AD
    • Synchronize passwords
    • Provide easy provisioning
    • Require no manual action (Azure AD Connect)

Federated Identity

  • Federated Identity mode means that a synchronization process is in place and a federation trust has been established between Azure AD and the on-premises Active Directory Domain Services:
    • Copy accounts created on-premises to Azure AD
    • Synchronize passwords
    • Provide easy provisioning
    • Require no manual action (Azure AD Connect)
    • Federation between on-premises AD DS and Azure AD

Once an identity model is chosen, it is necessary to choose which tools and solutions to implement.

Decision Tree

Microsoft has made a decision tree to help customers select the right solution for their context.

Now let’s go in depth into each solution.

Azure AD Connect

Azure AD Connect Timeline

Azure AD Connect is a long-established and robust tool developed by Microsoft to synchronize identities between an on-premises directory and the cloud directory.

Azure AD Connect components

Azure AD Connect is made up of three primary components: the synchronization services, the optional Active Directory Federation Services component, and the monitoring component named Azure AD Connect Health.

Azure AD Connect Sync Process

Connector

The code modules used to communicate with a connected directory are called connectors (formerly known as management agents (MAs)).

Attribute flow

Attribute flow is the process of copying or transforming data from one system to another; it covers all attribute flows, inbound or outbound.

Attribute flow occurs between the connector space and the metaverse bi-directionally when synchronization (full or delta) operations are scheduled to run.

Connector space

Each connected data source is represented as a filtered subset of the objects and attributes in the connector space.

Metaverse

The metaverse is the consolidated view of all joined identities from neighboring connector spaces.

AD FS

Summary:

  • SSO via on-premises AD credentials
  • Seamlessly authenticate to AD FS when the client is attached to the corporate network
  • Passwords remain on-premises
  • On-premises authentication policies
  • On-premises authentication methods (multi-factor)
  • Conditional access via AD FS policies
  • Require public certificates
  • Authentication using certificates
    • Certificates
    • Smart cards
    • Windows Hello
  • Complex and expensive architecture
  • Protection against on-premises account lockout

Password Hash Sync (P#S)

Key Security Capabilities:

  • Isolation of sign-in requests between tenants
  • Standard ports (80 and 443) are used for outbound communication from the Authentication Agents to Azure AD
    • Port 443 is used for all authenticated outbound communication
    • Port 80 is used only for downloading the Certificate Revocation Lists (CRLs) to ensure that none of the certificates used by this feature have been revoked
  • High security encryption of password hashes

Summary:

  • On-premises password complexity applies to synchronised users
    • If an administrator changes the cloud password using PowerShell, the Azure AD password policy applies
  • An expired/disabled on-premises account can still be active in the cloud
    • The cloud password for a PHS user is set to never expire
  • Synchronisation of a new password will have no impact on a user signed into Azure AD
  • Password synchronisation can be used in addition to federation and used as a fall-back

Pass-Through Authentication

Big Picture

Key Security Capabilities:

  • Isolation of sign-in requests between tenants
  • On-premises passwords are never stored in the cloud in any form
  • On-premises Authentication Agents that listen for, and respond to, password validation requests only make outbound connections from within your network; no DMZ is needed
  • Standard ports (80 and 443) are used for outbound communication from the Authentication Agents to Azure AD
    • Port 443 is used for all authenticated outbound communication
    • Port 80 is used only for downloading the Certificate Revocation Lists (CRLs) to ensure that none of the certificates used by this feature have been revoked
  • Passwords that users provide during sign-in are encrypted in the cloud before the on-premises Authentication Agents accept them for validation against Active Directory
  • The HTTPS channel between Azure AD and the on-premises Authentication Agent is secured by using mutual authentication
  • Integrates with Azure AD cloud-protection capabilities, such as conditional access policies (including Azure Multi-Factor Authentication), identity protection, and Smart Lockout

Pass-Through Authentication – Authentication Agent

  • Getting an Authentication Agent working involves three main phases:
    1. Authentication Agent installation
    2. Authentication Agent registration
    3. Authentication Agent initialization

  • Authentication Agent uses 2 different services/applications:
    • The Authentication Agent application itself:
      • application runs with NetworkService privileges
    • The Updater application that’s used to auto-update the Authentication Agent
      • application runs with LocalSystem privileges

Authentication Agent registration

Authentication Agent initialization

Sign-In request

Security of Authentication Agents

Summary:

  • No on-premises passwords/hashes in the cloud
  • All on-premises password policies operational
  • Password changes are immediately in effect
  • Account expired/disabled operational
  • Works with Conditional Access Policy
  • No DMZ requirements
  • Does not support on-premises MFA
    • Azure AD MFA supported
  • Works with Alternate ID
  • Does not provide SSO for on-premises credentials
    • Requires Seamless SSO in addition
  • Requires high-availability for the company’s Internet connection
    • Remote workers will not be able to authenticate to Azure AD If the link is down

Seamless SSO

Big Picture

Sign-in on a web browser

Sign-in on native client

Summary:

  • Works with Password Hash Sync (P#S) or Pass-through Authentication (PTA)
  • Users only need to type their name to authenticate to Azure AD
    • It is possible for applications to pass a login_hint for seamless SSO
  • Supports Windows 7 and above
    • Windows 10 Edge not currently supported
  • Machine must be domain joined and have access to a DC
    • On corporate network or via remote access technology
  • Authenticates to Azure AD with a Kerberos token
  • Available with all versions of Azure AD
  • Supports Alternate ID
  • Support for multiple browsers and OSs
    • Including Safari and Mac

Comparison Matrix

Infrastructure & Operations

Authentication

MFA

Applications

Sign-In Experience

Password expiry notification and change

Devices & Access Control

To conclude, my recommendations

  • If you are a new customer:
    • Use cloud authentication (P#S or PTA)
    • Leverage conditional access and Azure AD MFA
    • If AD FS is deployed to support on-premises applications, consider managing authentication for those apps via Azure AD
  • Enable Seamless SSO if you’re using P#S or PTA
    • Simple to deploy
    • Immediately enhances the sign-in experience for your users
    • Implement domain_hint
  • If you are already in Federated Identity mode with AD FS
    • Simplify the identity architecture and reduce the number of servers
    • Consider migrating to PTA if your AD FS deployment does not use:
      • On-premise MFA server (MS or third parties)
      • Certificate Authentication
      • Windows Hello