Manage Identity and Access: Implement Hybrid Identity
Azure AD Connect - Integrates on-prem directories with Azure AD and provides a common identity to be used across multiple platforms.
Password Hash Synchronization - Sign-in method that syncs a hash of a user’s on-prem AD password with Azure AD.
Pass-Through Authentication - Sign-in method that allows users to use the same password on-prem and in the cloud, without extra infrastructure or a federated environment.
Federation Integration - Operational part of Azure AD Connect, used to configure a hybrid environment using on-prem infrastructure. Provides management tools such as cert renewal and server deployments.
Synchronization - Creates users, groups, and other objects, and is responsible for syncing on-prem users and groups with cloud members and groups. Syncing includes password hashes.
Health Monitoring - Azure AD Connect Health provides monitoring in a central location in the Azure portal.
Cloud Authentication Methods
Password hash synchronization (PHS) - Feature used to sync user passwords from an on-prem Active Directory instance to a cloud-based Azure AD instance.
Azure AD Pass-through Authentication (PTA) - Alternative to PHS; users authenticate to cloud services with their on-prem credentials, and the password is validated directly against on-prem AD rather than against a synced hash.
Federated Authentication - Authentication process handled by a separate, trusted system.
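The PHS entry above says a hash of the on-prem password is synced, but the security-relevant detail is that the value stored in Azure AD is not the raw NT (MD4) hash: the agent expands the hash, salts it per user and runs it through PBKDF2-HMAC-SHA256 before sending it. The model below is an added example, not code from these notes or from Azure AD Connect; it follows the scheme as Microsoft documents it publicly (hex expansion of the 16-byte hash to 64 bytes as UTF-16LE, 10-byte per-user salt, 1000 iterations, 32-byte output), and the hex case, the sample hash value and the function names are my assumptions. The NT hash itself is treated as an input here so the example runs without an MD4 implementation.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample standing in for a user's 16-byte NT (MD4) hash.
# The value is arbitrary and belongs to no real account.
SAMPLE_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")

# Constants taken from Microsoft's public description of PHS (assumption: not on this page).
PBKDF2_ITERATIONS = 1000
SALT_LEN = 10
OUTPUT_LEN = 32


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte hash to 64 bytes: 32 hex characters, then UTF-16LE encode.

    Lowercase hex is an assumption of this model.
    """
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be exactly 16 bytes")
    return nt_hash.hex().encode("utf-16-le")


def derive_phs_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """Derive the value that is actually synced: PBKDF2-HMAC-SHA256 over the expanded hash."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    return hashlib.pbkdf2_hmac(
        "sha256", expand_nt_hash(nt_hash), salt, PBKDF2_ITERATIONS, dklen=OUTPUT_LEN
    )


def sync_record(nt_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """Build what the cloud side stores: a per-user salt plus the derived hash.

    The original NT hash never leaves on-prem, which is why a leaked sync
    record cannot be replayed against on-prem AD as a pass-the-hash credential.
    """
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return {"salt": salt, "hash": derive_phs_hash(nt_hash, salt)}


def verify_against_record(candidate_nt_hash: bytes, record: dict) -> bool:
    """Cloud-side sign-in check: re-derive with the stored salt and compare in constant time."""
    candidate = derive_phs_hash(candidate_nt_hash, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    record = sync_record(SAMPLE_NT_HASH)
    print("salt:", record["salt"].hex())
    print("synced hash:", record["hash"].hex())
    print("correct hash verifies:", verify_against_record(SAMPLE_NT_HASH, record))
    print("wrong hash verifies:", verify_against_record(bytes(16), record))
    print("NT hash visible in record:", SAMPLE_NT_HASH in record["hash"])
```

Two properties worth noting for the exam and for threat modeling: the per-user salt means two users with the same password sync different values, and the iterated one-way derivation means compromise of the cloud-side store does not hand an attacker the on-prem NT hash. This is also why Azure AD Identity Protection's leaked-credentials report (mentioned further down) needs PHS: it has something it can compare against.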
Details on decision questions:
Azure AD can handle sign-in for users without relying on on-premises components to verify passwords.
Azure AD can hand off user sign-in to a trusted authentication provider such as Microsoft’s AD FS.
If you need to apply user-level Active Directory security policies such as account expired, disabled account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises components.
Sign-in features not natively supported by Azure AD:
Sign-in using smartcards or certificates.
Sign-in using on-premises MFA Server.
Sign-in using a third-party authentication solution.
Multi-site on-premises authentication solution.
Azure AD Identity Protection requires Password Hash Sync regardless of which sign-in method you choose, to provide the Users with leaked credentials report. Organizations can fail over to Password Hash Sync if their primary sign-in method fails and it was configured before the failure event.
Password Writeback - Feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-prem directory in real time.