- Mastering Identity and Access Management with Microsoft Azure
- Jochen Nickel
- 248 words
- 2021-07-02 12:57:26
Identity and password-hash synchronization including SSO options
By synchronizing identities and the associated password hashes from the on-premises AD to Azure AD, we can build a basic scenario for smaller companies that don’t want to invest in an ADFS infrastructure and where no SSO is required. With this scenario, the same password can be used to authenticate the user either in the cloud or on-premises, depending on which resource is being accessed. Furthermore, the Password Reset and Account Unlock features are available with an Azure AD Premium license. The scenario requires Azure AD Connect with password-hash synchronization enabled. Optionally, password write-back is enabled.
The following diagram shows the identity and password-hash synchronization scenario:

To add SSO to the solution, you can enable Pass-through authentication and the seamless SSO feature in the Azure AD Connect tool. This is the most commonly recommended option from Microsoft to reduce complexity and put Azure AD in the role of the central system to provide authentication to your SaaS and on-premises Kerberos/Claims-based applications:

It's highly recommended that you enable password-hash synchronization, so that in case of an on-premises service interruption, your users can still use cloud services. For now, you can read about this feature at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta.