![Mastering Identity and Access Management with Microsoft Azure](https://wfqqreader-1252317822.image.myqcloud.com/cover/884/36698884/b_36698884.jpg)
Identity and password-hash synchronization including ADFS integration
With federation in place, all authentication is retained on-premises, and all passwords are stored on-premises only. All authentication traffic is redirected from Azure AD to the on-premises ADFS, which authenticates the user against a trusted AD domain. This scenario is commonly used by companies of different sizes when SSO is required and password-hash synchronization is prohibited for security reasons.
This scenario requires a federation service provider, such as ADFS, in addition to Azure AD Connect, in a highly available deployment.
The following diagram shows the identity and password-hash synchronization with ADFS scenario:
![](https://epubservercos.yuewen.com/1A2C27/19470381808825406/epubprivate/OEBPS/Images/c1ca8d1e-f95c-46e4-83c7-eb4f3a9d7eb4.png?sign=1738869804-QDrjKWQV9zw55gcVDFHKxU80WWdyCIUE-0-a6f27ed1024404b7fa7039cb3ade7f1e)
You can also combine the ADFS integration with password-hash synchronization so that, if the on-premises infrastructure suffers an outage, users can still access their cloud services with their known password.