What is pass-through authentication?

Pass-through authentication (PTA) is a feature of Microsoft Entra Connect. It involves a simple service in the form of an agent running on one or several on-premises domain-joined servers, which validates a user’s sign-on on behalf of Microsoft Entra ID directly with the on-premises Active Directory (AD).

The password need not be present in Microsoft Entra ID (in any form). The agent connects outbound to Microsoft Entra ID and listens for authentication requests, so it only requires outbound ports to be open. 

This service can be used when on-premises validation is required, for example when a policy, regulation, or law doesn’t allow synchronization of password hashes, which is Microsoft’s favoured approach when using Microsoft Entra Connect. It also has the advantage that any on-premises policies, such as working hours restrictions, can be evaluated during authentication to cloud services. 

The PTA user experience is the same sign-on (and sometimes single sign-on – see SSSO) when using AD and Microsoft Entra ID. The user enters the same username and password whether authenticating on-premises or in the cloud.

Find out more about pass-through authentication on our Microsoft Entra Connect Masterclass.

You will learn what it can do beyond its ‘out-of-the-box’ form, as well as how to configure and maintain it. The 3-day course includes lectures, demos, discussions, and hands-on labs.


Don’t have the time to attend a course?
Entra Connect Video Training
Learn exactly what you need to know, when you need to know it, with our series of highly practical video training courses.

Pass-through authentication is examined in Course #6: Authentication, which is available right now for £166 / $199 / €190.



HR driven provisioning solution for AD training
Learn how to build an HR-driven provisioning solution for your Active Directory and Microsoft Entra ID with our practical video training.