Azure AD Connect Pass-through Authentication
This article explains how Azure AD Connect Pass-through Authentication (PTA) works, how to configure it, and the operational and security points to watch once it is running.
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both their on-premises applications and cloud services using the same passwords, without the need for a federated identity solution like Active Directory Federation Services (AD FS).
What is Pass-through Authentication?
Pass-through Authentication works by running one or more lightweight Authentication Agents on domain-joined servers in your on-premises environment. When a user enters a password at the Azure AD sign-in page, Azure AD encrypts that password with the public key of an Authentication Agent and places the request in a queue. The agent, which maintains an outbound connection to Azure AD and needs no inbound ports, retrieves the request, decrypts the password with its private key, validates the credentials against Active Directory Domain Services using the Win32 LogonUser API, and returns only the verdict (success, or a failure reason such as a wrong password or a disabled account) to Azure AD. Neither the password nor a hash of it is ever sent from the agent to Azure AD.
Key Benefits:
- Simplified User Experience: Users sign in to cloud services with the same password they use on-premises. Pair PTA with Seamless SSO if you also want silent sign-in from domain-joined devices.
- No Additional Infrastructure: Eliminates the need for AD FS servers, load balancers and public endpoints; the agents only make outbound connections.
- Secure: Passwords are validated on-premises and are not stored in Azure AD in any form. In transit each password is encrypted with an agent-specific public key, so only an Authentication Agent can read it. Because validation happens against AD DS, on-premises account state (disabled, locked, expired) is honoured at cloud sign-in.
- High Availability: Multiple agents can be deployed; Azure AD spreads requests across all healthy agents, so a single agent going down does not stop sign-ins.
How it Works
The process involves the following steps:
- A user attempts to sign in to an Azure AD-integrated application and enters a username and password at the Azure AD sign-in page.
- Azure AD encrypts the password with the public key of an Authentication Agent and places the request in a queue.
- An Authentication Agent, over its outbound connection, retrieves the request and decrypts the password with its private key.
- The agent validates the username and password against on-premises Active Directory Domain Services (Win32 LogonUser against a domain controller).
- The agent returns only the result (success, or the failure reason) to Azure AD.
- On success, Azure AD continues with any Conditional Access and multi-factor authentication requirements and then issues a token, granting the user access to the application.
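The exchange above, as an added example that is not Microsoft's code: a PowerShell simulation of the two sides of the flow. The Azure AD side encrypts the password with the agent's public key and queues it; the agent side dequeues, decrypts, validates, and returns only a verdict. The in-memory directory, the queue, the user names and passwords are constructed stand-ins (the real agent validates with Win32 LogonUser against AD DS and polls an Azure Service Bus queue).

```powershell
# Added example, not part of the original article and not Microsoft's code.
# Simulates the PTA message flow: Azure AD (cloud) <-> Authentication Agent (on-premises).

# --- Agent registration: the agent generates a key pair; only the PUBLIC key leaves the server.
$agentKey           = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$agentPublicKeyXml  = $agentKey.ToXmlString($false)   # $false = public parameters only

# --- Cloud side: what Azure AD holds after registration.
$cloudRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$cloudRsa.FromXmlString($agentPublicKeyXml)
$queue    = New-Object System.Collections.Queue       # stand-in for the queue the agent polls

function Invoke-CloudSignIn {
    param([string]$Upn, [string]$Password)
    $requestId = [guid]::NewGuid()
    # Azure AD encrypts the password with the agent's public key (OAEP) and queues the request.
    $blob = $cloudRsa.Encrypt([System.Text.Encoding]::UTF8.GetBytes($Password), $true)
    $queue.Enqueue(@{ RequestId = $requestId; Upn = $Upn; EncryptedPassword = $blob })
    # From here on Azure AD holds ciphertext only; it cannot decrypt it.
    return $requestId
}

# --- On-premises side. Constructed sample directory, NOT AD DS.
$onPremDirectory = @{
    'alice@contoso.com' = @{ Password = 'Correct-Horse-Battery'; Enabled = $true  }
    'bob@contoso.com'   = @{ Password = 'Winter2024!';           Enabled = $false }
}

function Invoke-AgentPoll {
    # The agent pulls the next request over an OUTBOUND connection; nothing reaches it inbound.
    $req = $queue.Dequeue()
    # The password exists in clear text only here, on the agent host, for the duration of the check.
    $clear = [System.Text.Encoding]::UTF8.GetString($agentKey.Decrypt($req.EncryptedPassword, $true))
    $acct  = $onPremDirectory[$req.Upn]
    $result = if (-not $acct)                   { 'UserNotFound' }
              elseif (-not $acct.Enabled)       { 'AccountDisabled' }
              elseif ($acct.Password -cne $clear) { 'InvalidPassword' }   # -cne: case-sensitive compare
              else                              { 'Success' }
    $clear = $null
    # Only the verdict goes back to Azure AD, never the password or a hash of it.
    return @{ RequestId = $req.RequestId; Result = $result }
}

# Walk through the flow for three constructed sign-in attempts.
foreach ($attempt in @(
        @{ Upn = 'alice@contoso.com'; Password = 'Correct-Horse-Battery' },
        @{ Upn = 'alice@contoso.com'; Password = 'wrong' },
        @{ Upn = 'bob@contoso.com';   Password = 'Winter2024!' })) {
    $id      = Invoke-CloudSignIn @attempt
    $verdict = Invoke-AgentPoll
    '{0} {1,-18} -> {2}' -f $verdict.RequestId, $attempt.Upn, $verdict.Result
}
```

The point to take from the simulation is where the clear-text password is visible: nowhere in the cloud path, and only in the agent process on the agent host. That is why the agent servers deserve the same protection as domain controllers.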

Prerequisites
Before you begin, ensure you meet the following requirements:
- An Azure AD tenant. PTA is available on every license tier, including Free.
- A custom domain verified in your Azure AD tenant that matches the UPN suffixes your users sign in with.
- Azure AD Connect installed, or ready to install, on a domain-joined server in your on-premises environment.
- One or more domain-joined Windows Server machines for the Authentication Agents (a supported server OS, with outbound HTTPS access to Azure AD; no inbound ports are required). Microsoft recommends at least two agents on separate servers.
- Administrator credentials for your Azure AD tenant (Global Administrator, or Hybrid Identity Administrator for the agent registration).
- Administrator credentials for your on-premises Active Directory.
Installation and Configuration
Step 1: Download and Install Azure AD Connect
If you haven't already, download the latest version of Azure AD Connect from the Microsoft Download Center. Run the installer and follow the on-screen instructions. On the User sign-in page, select Pass-through authentication as the sign-in method. The wizard installs and registers the first Authentication Agent on the Azure AD Connect server itself.
Step 2: Install Authentication Agents
The Azure AD Connect server hosts the first agent, but it should not be the only one. Install additional agents on separate domain-joined servers; these handle authentication requests alongside the first agent and keep sign-in working if one server is down or under maintenance.
You can download the standalone agent installer from the Azure portal:
- Navigate to Azure Active Directory, then to Azure AD Connect.
- Under "Pass-through authentication," click "Download agent" and accept the terms.
- Run the installer on a domain-joined server that can reach a domain controller and has outbound HTTPS access to Azure AD.
Step 3: Register Agents
During installation the agent prompts for Azure AD credentials (Global Administrator or Hybrid Identity Administrator) and registers itself with your tenant; as part of registration it generates its own key pair and uploads only the public key. You can verify that each agent shows as Active in the Azure portal under Azure AD Connect, Pass-through authentication.
Important Security Note
The Authentication Agent decrypts user passwords in memory on the server where it runs. Treat every agent server with the same level of protection as a domain controller: restrict local administrator membership to Tier 0 accounts, keep the server patched, do not run unrelated workloads on it, and monitor it for unexpected administrative logons. Anyone with administrative control of an agent host can observe the credentials it validates.
For high availability, install at least two authentication agents on separate servers (Microsoft recommends three), so that patching or losing a single server does not interrupt sign-in.
Enabling Pass-through Authentication
The sign-in method for your tenant is set from Azure AD Connect, not from the Azure portal. To switch an existing deployment to Pass-through Authentication:
- On the Azure AD Connect server, start Azure AD Connect and choose Configure.
- Select Change user sign-in and sign in with your Azure AD administrator credentials.
- Choose Pass-through authentication and complete the wizard. The wizard installs the first agent on the Connect server and enables the feature in the tenant.
- In the Azure portal, open Azure Active Directory, then Azure AD Connect, and confirm that Pass-through authentication shows as Enabled and that the agent is listed as Active.
Managing Pass-through Authentication
The Azure AD Connect page in the Azure portal shows whether Pass-through Authentication is enabled and lists every registered agent with its server name, IP address and status. Use it to monitor agent health and to download the installer for new agents. Switching the tenant to a different sign-in method is done through the Azure AD Connect wizard (Change user sign-in), not from the portal.
Monitoring Agent Status
Check the portal regularly, and alert on it if you can: an agent that shows as Inactive is not taking requests, and if all agents become inactive, every password-based cloud sign-in fails.
Troubleshooting
If users are experiencing sign-in issues, check the following on each agent server:
- Ensure the Authentication Agent service is running.
- Verify outbound connectivity on TCP 443 from the agent to the Azure AD endpoints listed in the Microsoft documentation (and port 80 for certificate revocation checks). The agent needs no inbound connectivity; a proxy that performs TLS inspection will break it.
- Check the agent's event log (Applications and Services Logs, Microsoft, AzureAdConnect, AuthenticationAgent, Admin) for errors.
- Confirm that a domain controller is reachable from the agent server and that on-premises Active Directory is responsive.
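The checks above in one script, as an added example that is not from the original article or from Microsoft: run it in an elevated PowerShell session on an agent server. The service name, the event log name and the two endpoint host names are assumptions based on what the agent installer registers and on the Microsoft endpoint list; confirm them on your build with Get-Service and Get-WinEvent -ListLog before relying on the output.

```powershell
# Added example, not Microsoft's code: health check for an Authentication Agent server.
# Assumed names (verify locally): service and event log registered by the agent installer.
$ServiceName = 'AzureADConnectAuthenticationAgent'
$AgentLog    = 'Microsoft-AzureADConnect-AuthenticationAgent/Admin'
# Sample of endpoints the agent must reach OUTBOUND on 443; wildcard hosts such as
# *.msappproxy.net and *.servicebus.windows.net are required too (see the Microsoft docs).
$Endpoints   = @('login.microsoftonline.com', 'login.windows.net')

function Test-PtaAgentHealth {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
    }

    # 1. Agent service present and running
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    Add-Check 'Agent service running' ($null -ne $svc -and $svc.Status -eq 'Running') `
        $(if ($svc) { "status: $($svc.Status)" } else { 'service not found (agent not installed?)' })

    # 2. Critical/error events from the agent in the last 24 hours
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $AgentLog; Level = 1, 2; StartTime = (Get-Date).AddHours(-24) } `
                  -MaxEvents 50 -ErrorAction SilentlyContinue)
    $summary = if ($events.Count) {
        ($events | Select-Object -First 3 | ForEach-Object {
            '{0:u} id={1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0] }) -join '; '
    } else { 'none' }
    Add-Check 'No agent errors in last 24h' ($events.Count -eq 0) $summary

    # 3. Outbound TCP 443 to Azure AD endpoints (the agent never needs inbound ports)
    foreach ($h in $Endpoints) {
        $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        Add-Check "Outbound 443 to $h" $ok $(if ($ok) { 'reachable' } else { 'blocked: check firewall/proxy' })
    }

    # 4. A domain controller is reachable from this host; without one every validation fails
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        Add-Check 'Domain controller reachable' $true "using $($dc.Name)"
    } catch {
        Add-Check 'Domain controller reachable' $false $_.Exception.Message
    }
    return $results
}

Test-PtaAgentHealth | Format-Table -AutoSize
```

A row with Ok set to False points at the matching item in the list above; the event summary is deliberately limited to the first three entries so the table stays readable, and the full log can be read with Get-WinEvent -LogName $AgentLog.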
Refer to the Microsoft documentation for advanced troubleshooting steps and common issues.
Considerations
While Pass-through Authentication offers a streamlined approach, consider the following:
- Offline Scenarios: PTA has no offline mode. If every agent is down, or if the agents cannot reach a domain controller, password-based cloud sign-in fails for synchronized users. Keep at least two cloud-only emergency access accounts, which do not depend on the agents, and consider enabling Password Hash Synchronization alongside PTA as a fallback; note that switching the tenant sign-in method to it is a manual step in the Azure AD Connect wizard, not an automatic failover.
- Password Policies: Because validation happens against AD DS, on-premises password policies, account lockout, logon hour restrictions and account state (disabled, expired, password-must-change) are all enforced at cloud sign-in. An expired on-premises password blocks cloud sign-in until the user changes it on-premises. Azure AD Smart Lockout can be tuned so that cloud-side lockout triggers before the on-premises lockout threshold, which limits the impact of password-spray attempts on on-premises accounts.
- UserPrincipalName (UPN) Mismatch: The UPN suffixes used in your on-premises AD must be domains verified in Azure AD. Users whose suffix is not verified (a non-routable suffix such as corp.local, for example) are synchronized with a UPN rewritten to the tenant's default onmicrosoft.com domain, and a sign-in with their on-premises UPN will not match. Add a routable UPN suffix to the forest and update the affected users, or configure an Alternate login ID if changing UPNs is not an option.
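An audit for the UPN mismatch case, as an added example that is not from the original article or from Microsoft. It lists the on-premises UPN suffixes and the enabled users whose suffix is not a verified tenant domain, which is exactly the population that would sign in with a UPN Azure AD does not recognise. It assumes the ActiveDirectory RSAT module, the Microsoft Graph PowerShell SDK and an existing Graph session; the function name and the output shape are this example's own.

```powershell
# Added example, not Microsoft's code. Requires: ActiveDirectory RSAT module,
# Microsoft.Graph PowerShell SDK, and a prior Connect-MgGraph -Scopes 'Domain.Read.All'.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-PtaUpnMismatch {
    $forest = Get-ADForest
    # Every suffix a user object could legitimately carry on-premises
    $onPremSuffixes = @($forest.RootDomain) + @($forest.Domains) + @($forest.UPNSuffixes) |
        ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique

    # Domains Azure AD will actually accept for sign-in
    $verified = Get-MgDomain -All | Where-Object { $_.IsVerified } |
        ForEach-Object { $_.Id.ToLowerInvariant() }

    # Suffixes configured on-premises that the tenant has not verified (e.g. corp.local)
    $badSuffixes = @($onPremSuffixes | Where-Object { $_ -notin $verified })

    # Enabled users whose UPN suffix is not a verified domain
    $badUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -match '@' } |
        ForEach-Object {
            $suffix = ($_.UserPrincipalName -split '@', 2)[1].ToLowerInvariant()
            if ($suffix -notin $verified) {
                [pscustomobject]@{ User = $_.SamAccountName; Upn = $_.UserPrincipalName; Suffix = $suffix }
            }
        }

    [pscustomobject]@{
        VerifiedDomains    = $verified
        UnverifiedSuffixes = $badSuffixes
        AffectedUsers      = @($badUsers)
        AffectedBySuffix   = @($badUsers | Group-Object Suffix | Select-Object Name, Count)
    }
}

$report = Get-PtaUpnMismatch
'Unverified on-premises suffixes: ' + ($report.UnverifiedSuffixes -join ', ')
$report.AffectedBySuffix | Format-Table -AutoSize
```

Run it before switching the sign-in method; an empty UnverifiedSuffixes list and an empty AffectedBySuffix table mean every synchronized user will sign in with the same UPN on both sides. The AffectedUsers property holds the per-user detail when you need to plan the UPN change.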