Q: What is the link between Azure AD and my on-premises AD account?

A: In "Azure Active Directory vs. On-Premises Active Directory," I discussed the difference between on-premises Active Directory (AD) and Azure Active Directory. Most organizations won't choose one approach over the other; instead, they'll use both because they achieve very different results. It's possible to use DirSync to replicate from on-premises AD to Azure AD, and that replication can also include password hashes—which means the same password can be used for on-premises AD and Azure AD. Some organizations will stop here, simply using the password replication so the two different security principals (the AD account and the Azure AD account) have the same password—which is a type of SSO.

The next step is to leverage federation—or more specifically, Active Directory Federation Services (AD FS)—to create a relationship between Azure AD and on-premises AD. With AD FS, when a user authenticates to a service that leverages AD FS, the actual authentication is redirected to on-premises AD via AD FS; AD FS then passes a token back to the service, consisting of claims about the user, and the cloud service uses those claims. For services that leverage Azure AD, such as Office 365, when a user authenticates using Azure AD with federation configured, the actual authentication is redirected to the organization's AD, and the token that's returned contains an ImmutableID claim based on the AD user object ID, per the AD FS rule created (as the following figure shows).

In Azure AD, that ImmutableID is used to find the corresponding Azure AD object, and the authenticated user is granted the rights of that object. Note that the on-premises AD has no knowledge of Azure AD and holds no link recording which Azure AD account relates to an on-premises AD account.
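Because the link lives only on the Azure AD side, an administrator auditing which cloud account is bound to which on-premises object has to derive it from the ImmutableID. The following added example (not code from the original answer) assumes the default mapping, in which the ImmutableID is the Base64 encoding of the raw 16-byte AD objectGUID; it converts in both directions and reconciles a constructed Azure AD export against a constructed AD export, flagging cloud accounts whose anchor points at no on-premises object.

```python
import base64
import uuid


def guid_to_immutable_id(object_guid: str) -> str:
    """objectGUID (as AD displays it) -> ImmutableID.
    Assumes the default mapping: the raw 16-byte objectGUID (Windows
    mixed-endian layout, UUID.bytes_le in Python) encoded as Base64."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """ImmutableID -> objectGUID string; rejects values that are not a GUID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte objectGUID")
    return str(uuid.UUID(bytes_le=raw))


def reconcile(onprem_users, cloud_users):
    """Map each Azure AD account back to the on-premises object it is bound to.
    onprem_users: {objectGUID: UPN} exported from AD.
    cloud_users:  {ImmutableID: UPN} exported from Azure AD.
    Returns (matched, orphaned): matched pairs cloud UPN -> on-prem UPN,
    orphaned lists cloud accounts whose ImmutableID points at no AD object."""
    by_guid = {g.lower(): upn for g, upn in onprem_users.items()}
    matched, orphaned = {}, []
    for imm_id, cloud_upn in cloud_users.items():
        try:
            guid = immutable_id_to_guid(imm_id)
        except ValueError:
            orphaned.append(cloud_upn)  # malformed anchor, cannot be AD-backed
            continue
        if guid in by_guid:
            matched[cloud_upn] = by_guid[guid]
        else:
            orphaned.append(cloud_upn)
    return matched, orphaned


# Constructed sample exports (not from a real directory).
ONPREM = {"01020304-0506-0708-090a-0b0c0d0e0f10": "alice@contoso.example"}
CLOUD = {
    "BAMCAQYFCAcJCgsMDQ4PEA==": "alice@contoso.example",
    "AAAAAAAAAAAAAAAAAAAAAA==": "ghost@contoso.example",  # no matching AD object
}
```

An orphaned entry is worth a closer look: either the on-premises object was deleted without the cloud account being cleaned up, or the cloud account was never the product of synchronization at all.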