What is pass-through authentication?

Pass-through authentication (PTA) is a feature of Microsoft Entra Connect. It involves a simple service in the form of an agent running on one or several on-premises domain-joined servers, which validates a user’s sign-on on behalf of Microsoft Entra ID directly with the on-premises Active Directory (AD).

The password need not be present in Microsoft Entra ID (in any form). The agent connects outbound to Microsoft Entra ID and listens for authentication requests, so it only requires outbound ports to be open. 

This service can be used when on-premises validation is required, for example when a policy, regulation, or law doesn’t allow synchronization of password hashes (password hash synchronization being Microsoft’s favoured approach when using Microsoft Entra Connect). It also has the advantage that any on-premises policies, such as working hours restrictions, can be evaluated during authentication to cloud services.

With PTA, the user experience is the same sign-on (and sometimes single sign-on – see SSSO) when using AD and Microsoft Entra ID. The user enters the same username and password whether authenticating on-premises or in the cloud.


Find out more about pass-through authentication on our Microsoft Entra Connect Masterclass.

You will learn what it can do beyond its ‘out-of-the-box’ form as well as how to configure and maintain it. The 3-day course includes lectures, demos, discussions, and hands-on labs.
