Manage authentication


Power Platform authentication involves a sequence of requests, responses, and redirects between the user's browser and Power Platform or Azure services. The sequence follows the Microsoft Entra ID auth code grant flow.

You can choose from three main identity models in Microsoft 365 when you set up and manage user accounts:

  • Cloud identity: Manage your user accounts in Microsoft 365 only. No on-premises servers are required to manage users; it's all done in the cloud.

  • Synchronized identity: Synchronize on-premises directory objects with Microsoft 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they'll have to sign in again to use Microsoft 365.

  • Federated identity: Synchronize on-premises directory objects with Microsoft 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they don't have to sign in again to use Microsoft 365. This is often referred to as single sign-on.

It's important to carefully consider which identity model to use to get up and running. Think about time, existing complexity, and cost. These factors are different for every organization. Your choice is based largely on the size of your company and the depth and breadth of your IT resources.

Understanding Microsoft 365 identity and Microsoft Entra ID

Microsoft 365 uses the cloud-based user identity and authentication service Microsoft Entra ID to manage users. Choosing whether identity management is configured between your on-premises organization and Microsoft 365 is an early decision that is one of the foundations of your cloud infrastructure. Because changing this configuration later can be difficult, carefully consider the options to determine what works best for the needs of your organization.

You can choose from two main authentication models in Microsoft 365 to set up and manage user accounts: cloud authentication and federated authentication.

Cloud authentication

Depending on whether or not you have an existing Active Directory environment on-premises, you have several options to manage authentication and identity services for your users with Microsoft 365.

Cloud Only

With the cloud-only model, you manage your user accounts in Microsoft 365 only. No on-premises servers are required; it's all handled in the cloud by Microsoft Entra ID. You create and manage users in the Microsoft 365 admin center or by using Windows PowerShell cmdlets, and identity and authentication are handled completely in the cloud by Microsoft Entra ID.

The cloud-only model is typically a good choice if:

  • You have no other on-premises user directory.

  • You have a complex on-premises directory and simply want to avoid the work to integrate with it.

  • You have an existing on-premises directory, but you want to run a trial or pilot of Microsoft 365. Later, you can match the cloud users to on-premises users when you're ready to connect to your on-premises directory.

Password hash sync with seamless single sign-on

Password hash sync (PHS) is the simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. With PHS, you synchronize your on-premises Active Directory user account objects with Microsoft 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Microsoft Entra ID so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Microsoft Entra ID so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Microsoft Entra ID or stored in Microsoft Entra ID in clear text. Some premium features of Microsoft Entra ID, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.

Pass-through authentication with seamless single sign-on

Pass-through authentication (PTA) provides a simple password validation for Microsoft Entra ID authentication services, using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With PTA, you synchronize on-premises Active Directory user account objects with Microsoft 365 and manage your users on-premises. It allows your users to sign in to both on-premises and Microsoft 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Microsoft 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.

Single Sign-On

By default, Dynamics 365 Online uses Microsoft Entra ID for authentication; however, many organizations around the world use their local Active Directory to do authentication in-house.

Microsoft Entra ID Seamless Single Sign-On (Microsoft Entra Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Microsoft Entra, and usually don't even need to type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any more on-premises components.

Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods. Seamless SSO isn't applicable to Active Directory Federation Services (ADFS).

Diagram of Seamless Single Sign-On with Password Hash Synchronization and Pass-through Authentication methods.

Note

Seamless SSO needs the user's device to be domain-joined, but it doesn't need the device to be Microsoft Entra joined.

Key benefits

  • Great user experience

    • Users are automatically signed into both on-premises and cloud-based applications.

    • Users don't have to enter their passwords repeatedly.

  • Easy to deploy & administer

    • No other components needed on-premises to make this work.

Things to consider

  • Sign-in username can be either the on-premises default username (userPrincipalName) or another attribute configured in Microsoft Entra Connect (Alternate ID). Both use cases work because Seamless SSO uses the securityIdentifier claim in the Kerberos ticket to look up the corresponding user object in Microsoft Entra ID.

  • Seamless SSO is an opportunistic feature. If it fails for any reason, the user sign-in experience goes back to its regular behavior; that is, the user needs to enter their password on the sign-in page.

  • If an application (for example, https://myapps.microsoft.com/contoso.com) forwards a domain_hint (OpenID Connect) or whr (SAML) parameter, identifying your tenant, or login_hint parameter, identifying the user, in its Microsoft Entra sign-in request, users are automatically signed in without them entering usernames or passwords.

  • Users also get a silent sign-on experience if an application (for example, https://contoso.crm.dynamics.com) sends sign-in requests to Microsoft Entra's tenant endpoints (that is, https://login.microsoftonline.com/contoso.com or https://login.microsoftonline.com/<tenant_ID>) instead of Microsoft Entra's common endpoint (that is, https://login.microsoftonline.com/common).

  • Sign out is supported. This allows users to choose another Microsoft Entra ID account to sign in with, instead of being automatically signed in using Seamless SSO.

  • Microsoft 365 Win32 clients (Outlook, Word, Excel, and others) with versions 16.0.8730.xxxx and above are supported using a non-interactive flow. For OneDrive, you'll have to activate the OneDrive silent config feature for a silent sign-on experience.

  • It can be enabled via Microsoft Entra Connect.

  • It's a free feature, and you don't need any paid editions of Microsoft Entra ID to use it.
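The hint and endpoint rules in the list above can be checked mechanically when you review how an application builds its sign-in request. The following is an added example, not Microsoft's code: the function name `silent_sso_signals`, the sample URLs, and the placeholder client_id are constructed for illustration, and the `organizations` and `consumers` aliases are an assumption beyond the `common` endpoint the page names.

```python
from urllib.parse import urlsplit, parse_qs

ENTRA_HOST = "login.microsoftonline.com"
# Multi-tenant aliases. The page names only "common"; the other two are
# Entra's standard aliases and are included here as an assumption.
GENERIC_TENANTS = {"common", "organizations", "consumers"}
TENANT_HINTS = ("domain_hint", "whr")   # identify the tenant
USER_HINTS = ("login_hint",)            # identify the user


def silent_sso_signals(url):
    """Return the signals that make a sign-in request eligible for silent
    Seamless SSO. An empty list means the user must identify themselves
    on the sign-in page first."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != ENTRA_HOST:
        raise ValueError("not a Microsoft Entra sign-in request: " + url)
    segments = [s for s in parts.path.split("/") if s]
    tenant = segments[0].lower() if segments else "common"
    # parse_qs drops blank values and percent-decodes the rest.
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}

    signals = []
    if tenant not in GENERIC_TENANTS:
        signals.append("tenant endpoint: " + tenant)
    for name in TENANT_HINTS + USER_HINTS:
        if query.get(name):
            signals.append(name + "=" + query[name][0])
    return signals


# Constructed sample requests (placeholder client_id, contoso.com tenant).
BASE = ("oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=code")
SAMPLES = [
    f"https://{ENTRA_HOST}/common/{BASE}",
    f"https://{ENTRA_HOST}/common/{BASE}&domain_hint=contoso.com",
    f"https://{ENTRA_HOST}/common/{BASE}&login_hint=user%40contoso.com",
    f"https://{ENTRA_HOST}/contoso.com/{BASE}",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        found = silent_sso_signals(sample)
        print("silent-eligible" if found else "prompts for user", found)
```

A non-empty result only means the request is eligible: Seamless SSO remains opportunistic and falls back to the regular sign-in page if it fails.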

Federate a single AD forest environment to the cloud

The following tutorial will walk you through creating a hybrid identity environment using federation. This environment can then be used for testing or for getting more familiar with how a hybrid identity works.

Tutorial: Federate a single AD forest environment to the cloud

Microsoft Entra Conditional Access

Conditional Access policies in Microsoft Entra ID at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action.

Example: A payroll manager wants to access the payroll app that has been built with Power Apps and is required to perform multifactor authentication to access it.

Administrators are faced with two primary goals:

  • Empower users to be productive wherever and whenever.

  • Protect the organization's assets.

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure, and stay out of your user’s way when they're not needed. Conditional Access policies are enforced after the first-factor authentication has been completed.

Only Global Admins can configure Conditional Access policies. This isn't available for Microsoft Power Platform or Dynamics 365 admins.

Diagram of a conceptual conditional access process flow.

To learn how to set up Conditional Access policies, see Plan a Conditional Access deployment.