What is pass-through authentication?

Pass-through authentication (PTA) is a feature of Azure AD Connect. It involves a simple service in the form of an agent running on one or several on-premises domain-joined servers, which validates a user’s sign-on on behalf of Azure AD directly with the on-premises Active Directory (AD). The password need not be present in Azure AD (in any form). The agent connects outbound to Azure AD and listens for authentication requests, so it only requires outbound ports to be open.

This service can be used when on-premises validation is required, for example when a policy, regulation or law doesn’t allow synchronization of password hashes, which is Microsoft’s favoured approach when using Azure AD Connect. It also has the advantage that any on-premises polices, such as working hours restrictions, can be evaluated during authentication to cloud services.

The PTA user experience is of the same sign-on (and sometimes single sign-on – see SSSO) when using AD and Azure AD. The user enters the same username and password whether authenticating on-premises or in the cloud.

Find out more about pass-through authentication on our Azure AD Connect Masterclass.

Azure AD Connect Training VideosLearn exactly what you need to know about Azure AD Connect, when you need to know it, with our series of highly practical video training courses. Pass-through authentication is examined in Course #6: Authentication which is available right now for £166 / $199 / €190

R driven provisioning solution for AD trainingLearn how to build an HR driven provisioning solution for your Active Directory and Azure Active Directory with our practical video training.



Page last reviewed  July 2022