News

Microsoft Releases 'Staged Rollout' for Hybrid Active Directory

• By Kurt Mackie
• April 12, 2021

Microsoft recently announced the general availability of a "staged rollout" feature in Azure Active Directory designed for organizations with "hybrid" environments.

Staged rollout lets organizations whose environments depend on local Active Directory implementations test Azure AD cloud-based authentication methods with a portion of their end users. The feature avoids having to carry out a whole-scale "cutover migration" of end users to the Azure AD service just to try cloud-based authentication methods, a process that likely would entail downtime.

Two Cloud Authentication Methods
Organizations can use the staged rollout feature to try the two types of authentication methods available via Azure AD, namely "password hash synchronization" and "pass-through authentication." End users can be put on one type of cloud authentication method, while a federation service continues to authenticate others within an organization.

Here's how it was explained by Alex Simons, corporate vice president of program management at the Microsoft Identity Division:

This [staged rollout] feature allows you to selectively test groups of users with cloud authentication methods, such as pass-through authentication (PTA) or password hash sync (PHS), while all other users in the federated domains continue to use federation services, such as AD FS, Ping Federate, Okta, or any other federation services to authenticate users.

Password hash synchronization is billed as "the simplest way to enable authentication for on-premises directory objects in Azure AD," according to a Microsoft "Hybrid Identity Solution" document. With it, a password used via on-premises Active Directory infrastructure can also work with Azure AD "without having to deploy any additional infrastructure," permitting the use of various Azure AD protective services. The passwords aren't stored in Azure AD datacenters in a way that can be decrypted, the document claimed.

The other method, pass-through authentication, also lets end users keep the same passwords to access on-premises and cloud-based apps. Pass-through authentication uses a software agent installed on premises-based servers to validate end users via local Active Directory. This process "ensures that the password validation doesn't happen in the cloud," according to Microsoft's "Hybrid Identity Solution" document.

The document includes a decision tree showing when to use password hash synchronization, pass-through authentication and federation. It's a complex decision to make. Organizations can use Microsoft's Azure AD Connect tool or PowerShell to do the provisioning, though.

Reduce On-Premises Dependencies
Simons argued that organizations would want to move to Azure AD from federation services to centralize management and reduce dependencies on premises-based infrastructures that need to be Internet-facing.

Using Azure AD also lights up the ability to use protective services such as "Azure AD multifactor authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and more," he added.

While staged rollout is currently at the "general availability" commercial-release stage, it isn't conceived as anything other than a tool for testing before migrating end users to Azure AD. It's not designed to support so-called "coexistence" (the concurrent use of federation plus Azure AD) on a long-term basis as "this approach could lead to unexpected authentication flows," Microsoft warned in the FAQ section of its "Staged Rollout" document.

A new capability added with the release of the staged rollout feature is the ability to use "new Hybrid Auth workbooks in the Azure Portal." These workbooks can be used to monitor "the users and groups added or removed from staged rollout and users sign-ins while in staged rollout," the announcement noted. Microsoft also published a "staged rollout interactive guide" showing setup steps.