Authentication and Authorization

Authentication (AuthN) is who you are
- I know
- I have (device)
- I am
- Entra MFA
Authorization (AuthZ) is what you can do

AuthZ is always against “Entra ID”.

Ways for authentication

There are different ways for authentication, as listed below. After authentication is done then in all cases “Entra ID” creates a token.

Password hash synchronization (cloud)

Best option/always recommended even if using others as primary (see pt. 4)
AD has password hash.
Hash of this password hash is synced to “Entra ID” which is then used for AuthN
can compare if any creds are leaked on dark web
can’t do things like locked accounts/logon hours/expired password

Pass through AuthN (hybrid)

If you want to use your onprem DCs for authentication
Sending cred to “Entra ID”, but it checks with onprem

Federation (hybrid)

Not recommended
Could be ADFS or third-party thing
Different flow:
1. Cred to federation service
2. Federation service will check with DC
3. Create token and share with user
4. User will use that token to get token from “Entra ID”

references:

Subscribe to NordLetter

A weekly newsletter on living in Finland.

← Back to Til

UPDATED April 1, 2024 at 11:14

Thoughts? Email sajal@sajalchoudhary.net

2 Backlinks

Entra MFA

TIL

Microsoft Entra

TIL