Scenario: Contoso Pharmaceuticals
Company Overview
Contoso Pharmaceuticals is a global company that researches, develops, and sells healthcare products. The organization employs 8,500 users across multiple continents, with its headquarters in Toronto, Canada, and regional offices in Chicago, Berlin, and Singapore.
Contoso operates in a highly regulated industry and must maintain strict data protection and compliance with HIPAA and GDPR. The company currently runs a hybrid IT environment, relying heavily on on-premises Active Directory (AD) and Exchange Server 2016 for communication, along with SharePoint Server for document management.
Existing Environment
Active Directory and Network
- Contoso uses a single AD forest: contoso.com.
- Each department (Research, Sales, HR, and IT) has its own top-level Organizational Unit (OU) with sub-OUs for devices and users.
- User sign-in format: username@contoso.com.
- Two domain controllers are deployed at each site, both serving as DNS servers.
- The public DNS zone contoso.com is hosted externally.
Email and Collaboration
- The Exchange 2016 environment handles email for all users.
- Employees access email through Outlook Anywhere, Outlook on the web, and mobile devices.
- Shared documents are hosted on an internal SharePoint Server farm.
Contoso’s IT department plans to modernize its collaboration environment by migrating to Microsoft 365.
Planned Changes
- Project Alpha: Migrate the Research department’s mailboxes to Exchange Online for pilot testing.
- Project Beta: After Project Alpha’s success, enable Microsoft Teams for the Research users.
- Create a security group named LicenseAdmins to manage Microsoft 365 license assignments.
Technical Requirements
Contoso leadership defines these goals for the migration:
- Users must continue using their existing email addresses without interruption.
- Authentication to cloud services must still work if on-prem AD is unavailable.
- A compliance officer (ComplianceUser1) must be able to access all DLP reports in the Microsoft Purview compliance portal.
- Microsoft 365 Apps must be installed from a network share only.
- Feature updates for Microsoft 365 Apps must be minimized.
- Disruptions to email and Teams access must be kept to a minimum.
- The solution must comply with the principle of least privilege and minimize administrative overhead.
Application Requirements
- A legacy on-prem web app named ExpensePro (for expense submissions) must be accessible via the My Apps portal in Microsoft 365.
- Authentication to both on-premises and cloud applications should be automatic after migration.
Security Requirements
- After migration, users must continue to log in using their UPN (e.g., username@contoso.com).
- Membership in LicenseAdmins must be reviewed monthly, and inactive users automatically removed.
- Users must sign in automatically to both on-premises and cloud applications without re-entering credentials.
Key Challenge
Contoso needs a hybrid identity solution that:
- Avoids implementing federation services (e.g., AD FS).
- Supports cloud authentication even if AD or network connectivity is lost.
- Enables a seamless user experience during the transition to Microsoft 365.
Evaluating Authentication Options
| Option | Description | Meets Requirements? | Notes |
|---|---|---|---|
| A. Pass-through authentication (PTA) | Authenticates users directly against on-prem AD in real time. | ❌ No | Fails if on-prem AD or Internet connectivity is unavailable. |
| B. Pass-through authentication + Seamless SSO | Adds SSO but still depends on on-prem AD for sign-in. | ❌ No | Users can’t sign in when AD or network is down. |
| C. Password hash synchronization (PHS) + Seamless SSO | Syncs hashed passwords to Microsoft Entra ID; adds seamless logon experience. | ✅ Yes | Supports cloud authentication, SSO, and resilience if AD is offline. |
| D. Password hash synchronization only | Syncs passwords but lacks seamless user login experience. | ⚠️ Partial | Functional but not ideal; lacks SSO convenience. |
Why Password Hash Synchronization with Seamless SSO Fits Best
1. Password Hash Synchronization (PHS)
- Periodically syncs password hashes from on-prem AD to Microsoft Entra ID (formerly Azure AD).
- Users can log in using the same credentials both on-premises and in Microsoft 365.
- Authentication remains available even if AD or network connections are lost.
- Simplifies hybrid Exchange coexistence (required for Project Alpha).
✅ Meets:
“Users must be able to authenticate to cloud services if Active Directory becomes unavailable.”
2. Seamless Single Sign-On (Seamless SSO)
- Signs in users automatically when they are on the corporate network, without retyping passwords.
- Works alongside PHS to deliver smooth authentication between on-prem and cloud apps like Teams, Outlook, and SharePoint.
✅ Meets:
“After migration, all users must be signed in automatically to on-premises and cloud applications.”
3. Reliability and Security
- PHS never synchronizes clear-text passwords; only non-reversible password hashes are synchronized.
- No dependency on on-prem AD for authentication, reducing downtime risk.
- Supports Microsoft Purview integration, DLP, and audit logging across environments.
- Simplifies management while maintaining least privilege access control.
Implementation Steps
Step 1: Install Azure AD Connect
- Deploy Azure AD Connect on a dedicated server.
- Choose Password Hash Synchronization as the sign-in method.
- Select Enable Seamless Single Sign-On during setup.
Step 2: Verify and Sync Domain
- Verify the public domain contoso.com in Microsoft 365 using a TXT DNS record.
- Ensure all user UPNs match the verified domain format (username@contoso.com).
Step 3: Configure OU Filtering
- Use organizational unit (OU) filtering to sync only the Research department for the pilot.
- This avoids unnecessary synchronization of other departments.
Step 4: Validate Authentication
- Test sign-ins from Microsoft 365 web portals (Outlook, Teams, SharePoint).
- Confirm that users on the internal network are logged in automatically via Seamless SSO.
Step 5: Monitor and Review
- Use Azure AD Connect Health to monitor sync cycles.
- Enable Conditional Access policies in Microsoft Entra ID for device and location-based security.
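A pre-flight check for Steps 2 and 3, written here as an added example rather than anything from the scenario itself: before the first sync it audits the pilot OU for users whose UPN suffix is not the verified domain or whose UPN differs from their primary SMTP address (the OU path and the use of the RSAT ActiveDirectory module are assumptions).

```powershell
# Added example (not from the scenario): pre-sync audit of the Research OU before
# enabling Azure AD Connect OU filtering. The OU path is an assumption, and the
# ActiveDirectory (RSAT) module must be available where this runs.
Import-Module ActiveDirectory

$VerifiedDomain = 'contoso.com'                     # domain verified in Microsoft 365 (Step 2)
$PilotOU        = 'OU=Research,DC=contoso,DC=com'   # assumed OU path for the pilot (Step 3)

# Pull every enabled user in the pilot OU with the attributes the sync depends on.
$users = Get-ADUser -SearchBase $PilotOU -Filter { Enabled -eq $true } `
            -Properties UserPrincipalName, mail, proxyAddresses

$findings = foreach ($u in $users) {
    $upnSuffix   = ($u.UserPrincipalName -split '@')[-1]
    # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix.
    $primarySmtp = ($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:', ''

    $issues = @()
    if (-not $u.UserPrincipalName)                 { $issues += 'UPN missing' }
    elseif ($upnSuffix -ne $VerifiedDomain)        { $issues += "UPN suffix '$upnSuffix' is not the verified domain" }
    if (-not $primarySmtp)                         { $issues += 'No primary SMTP address' }
    elseif ($primarySmtp -ne $u.UserPrincipalName) { $issues += 'Primary SMTP differs from UPN' }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            PrimarySMTP    = $primarySmtp
            Issues         = ($issues -join '; ')
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) of $($users.Count) pilot users need attention before the first sync."
} else {
    Write-Host "All $($users.Count) pilot users have a $VerifiedDomain UPN matching their primary SMTP address."
}
```

Users whose UPN suffix is not a verified domain are synchronized with an onmicrosoft.com UPN instead, which breaks the requirement that they keep signing in as username@contoso.com, so fix these accounts in AD before enabling the sync.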
Advantages of PHS + Seamless SSO for Contoso
| Benefit | Description |
|---|---|
| Resilient Authentication | Users can sign in to cloud services even when on-prem AD is unavailable. |
| Seamless User Experience | SSO removes the need to repeatedly enter credentials. |
| Simplified Management | No need for complex federation infrastructure or maintenance. |
| Security Compliance | Password hashes are protected; aligns with HIPAA and GDPR. |
| Hybrid Compatibility | Supports Exchange hybrid coexistence and Microsoft Teams enablement. |
Summary
Contoso Pharmaceuticals’ hybrid migration strategy requires a simple, secure, and resilient authentication model.
By implementing Password Hash Synchronization with Seamless Single Sign-On, Contoso can:
- Maintain user access even when AD is offline.
- Reduce login prompts for end users.
- Meet compliance and security goals.
- Support Exchange and Teams during migration phases.