What is pass-through authentication?

Pass-through authentication (PTA) is a feature of Azure AD Connect. It involves a simple service in the form of an agent running on one or several on-premises domain-joined servers, which validates a user’s sign-on on behalf of Azure AD directly with the on-premises Active Directory (AD). The password need not be present in Azure AD (in any form). The agent connects outbound to Azure AD and listens for authentication requests, so it only requires outbound ports to be open.

This service can be used when on-premises validation is required, for example when a policy, regulation or law doesn’t allow synchronization of password hashes, which is Microsoft’s favoured approach when using Azure AD Connect. It also has the advantage that any on-premises polices, such as working hours restrictions, can be evaluated during authentication to cloud services.

The PTA user experience is of the same sign-on (and sometimes single sign-on – see SSSO) when using AD and Azure AD. The user enters the same username and password whether authenticating on-premises or in the cloud.


Find out more about pass-through authentication on our Azure AD Connect Masterclass.

First published 20 January 2020