publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/914682
ILTA WHITE PAPER | OFFICE 365 | Staying in Sync: How to Choose an Office 365 Authentication Method

the agent decrypts the password with its private key and validates it against Active Directory using standard Windows logon APIs, the same mechanism an ADFS server uses. The agent returns the result (success, failure, password expired or account locked out) to Azure AD, which evaluates it and returns the appropriate response to the user.

The upside of this solution is easy to see. Beyond the reduced infrastructure requirements, authentication takes place on premises and no credentials are stored in the cloud. It also delivers capabilities that previously required an ADFS deployment, such as conditional access, enforcement of on-premises user logon restrictions, and immediate account disablement (with password synchronization, a disabled account can keep signing in to Azure AD until the next synchronization cycle). Pass-through authentication also allows additional authentication agents to be deployed (Microsoft recommends at least three) so that the loss of one agent does not take authentication down with it.

Pass-through authentication will not suit all environments. Because it only works with modern authentication, legacy clients that do not support ADAL (Office 2010 or earlier, and Office 2013 unless modern authentication has been enabled for it in the registry) cannot use it, and neither will Skype for Business client applications of any version. You can, however, run pass-through authentication alongside password hash synchronization if your policies allow. In that case the password hash stored in Azure AD is used for clients that do not support ADAL. Be clear-eyed about the trade-off: the hashes are then stored in the cloud after all, so the "no credentials in the cloud" argument no longer applies for as long as the hybrid arrangement is in place.

Decisions, Decisions

The decision on how to establish authentication to Azure AD can be a tough one, but you may be able to rule out one or more methods immediately. Check with your security and compliance departments: if there are restrictions on password hash storage or requirements on where authentication must take place, password synchronization can be taken off the table. Does your firm already have ADFS in place? If so, it makes sense to take advantage of the existing infrastructure and the investment you have made in training. Similarly, if yours is a smaller firm with limited budget and staff, you probably would not want to invest in ADFS unless absolutely necessary.
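Since the choice between these methods depends in part on which Office clients can actually use modern authentication, the following PowerShell script is an added example (not code from the white paper or from Microsoft) that inventories the Office versions registered for the current user and reports whether each can use ADAL. It assumes the registry layout Microsoft documents for Office: Office 2016 and later have modern authentication on by default, Office 2013 needs the EnableADAL and Version values under its 15.0 Identity key (and the 2015 or later Office 2013 updates), and Office 2010 cannot use it at all. The function and value names are the example's own, and the presence of a version hive is only a heuristic for the product being installed.

```powershell
# Added example: report which Office clients on this workstation can use modern
# authentication (ADAL), and therefore pass-through authentication, versus which
# would have to fall back to a synchronized password hash.
# Assumption (not from the article): registry conventions per Office version as
# documented by Microsoft; a version hive under HKCU is treated as "installed".

function Get-OfficeModernAuthStatus {
    [CmdletBinding()]
    param()

    # Registry version tokens under HKCU:\Software\Microsoft\Office\<ver>
    $versions = @{
        '14.0' = 'Office 2010'
        '15.0' = 'Office 2013'
        '16.0' = 'Office 2016 / 2019 / Microsoft 365 Apps'
    }

    $results = @()
    foreach ($ver in ($versions.Keys | Sort-Object)) {
        $base = "HKCU:\Software\Microsoft\Office\$ver"
        if (-not (Test-Path $base)) { continue }   # not installed for this user

        # EnableADAL lives under Common\Identity; $null means the value is absent
        $identityKey = Join-Path $base 'Common\Identity'
        $enableAdal = $null
        if (Test-Path $identityKey) {
            $enableAdal = (Get-ItemProperty -Path $identityKey -ErrorAction SilentlyContinue).EnableADAL
        }

        $status = switch ($ver) {
            '14.0' { 'Unsupported: cannot use modern authentication' }
            '15.0' {
                if ($enableAdal -eq 1) { 'Enabled via registry (EnableADAL=1)' }
                else { 'Disabled: set EnableADAL=1 and Version=1 to enable' }
            }
            '16.0' {
                if ($enableAdal -eq 0) { 'Disabled by policy (EnableADAL=0)' }
                else { 'Enabled by default' }
            }
        }

        $results += [pscustomobject]@{
            Product      = $versions[$ver]
            RegistryPath = $base
            EnableADAL   = $enableAdal
            ModernAuth   = $status
        }
    }
    return $results
}

function Enable-Office2013ModernAuth {
    # Writes the per-user values Microsoft documents for Office 2013 modern
    # authentication. Has no effect on Office 2010; Office 2016+ does not need it.
    $key = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableADAL -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name Version    -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: run as the user whose clients you want to assess.
Get-OfficeModernAuthStatus | Format-Table -AutoSize
```

Run the report across a sample of workstations before deciding whether you need password hash synchronization alongside pass-through authentication; if every client reports "Enabled", the hash does not need to leave the premises. Enable-Office2013ModernAuth is provided for the one version where a registry change (rather than an upgrade) closes the gap, and is the kind of setting most firms would push through Group Policy rather than run by hand.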
For a firm in that position, pass-through authentication could give you the best of both worlds. Past wisdom has been that you should start with password synchronization and deploy ADFS only if it is required. As time goes on and Microsoft forces you to update your clients to versions that support ADAL, all signs point to pass-through authentication becoming the default standard for any firm that does not already have ADFS.

DOMINICK CIACCIARELLI
Dominick Ciacciarelli is a Practice Architect in the Infrastructure and Enterprise Systems practice group at Kraft Kennedy. He specializes in designing, deploying and supporting Microsoft Windows Active Directory and Exchange environments. Dominick also has deep expertise in Microsoft Azure and in streamlining administration with Windows PowerShell.
