What is Pass-Through Authentication (PTA) in Azure AD Connect?
In Azure Active Directory (Azure AD), now known as Microsoft Entra ID, pass-through authentication (PTA) is a hybrid authentication method in which users sign in to cloud applications with the same password they use on-premises, and that password is validated by the on-premises Active Directory rather than by a copy held in the cloud. Users are less likely to forget their credentials, so fewer password requests reach the IT helpdesk, which lowers support costs. For organizations whose budgets have been cut, that is a gain in both operational efficiency and cost.
How is this different from Password Hash Synchronization?
Password Hash Synchronization (PHS) is another hybrid authentication method offered by Azure AD. With PHS, Azure AD Connect never handles passwords: it reads each user's existing password hash from on-premises AD and synchronizes a value derived from it. A hash is the output of a one-way function, so it cannot be reversed to recover the password; the value sent to the cloud is additionally salted and re-hashed, so it is not even the original on-premises hash. The synchronization agent has no access to the cleartext password at any point.
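As an added example (not code from the original page, and not Microsoft's own implementation), the following Python reproduces the structure of what PHS actually synchronizes, following Microsoft's public description of the process: the agent reads the 16-byte NT hash (MD4 over the UTF-16LE password) from AD, expands it to 64 bytes, and runs PBKDF2-HMAC-SHA256 over it with a per-user salt and 1000 iterations. The hex casing used in the expansion step is an assumption, and the user, password and salt are constructed sample data; the point is that the cloud stores a salted, iterated hash of a hash, and can check a typed password only by recomputing the same derivation.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented here because OpenSSL 3 builds of
    hashlib frequently no longer expose the legacy 'md4' algorithm."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Round 1: F, message words in order, shifts 3/7/11/19
        for i in range(16):
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: G, words 0,4,8,12,1,5,9,13,..., shifts 3/5/9/13
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H, words 0,8,4,12,2,10,6,14,..., shifts 3/9/11/15
        for i in range(16):
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The NT hash as AD stores it: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


PHS_ITERATIONS = 1000  # iteration count Microsoft documents for PHS


def phs_sync_value(nt: bytes, salt: bytes, iterations: int = PHS_ITERATIONS) -> bytes:
    """What Azure AD Connect sends to the cloud for one user. Input is the NT hash
    read from AD, never the password. The 16-byte hash is expanded to 64 bytes
    (32 hex characters re-encoded as UTF-16LE; lowercase hex is an assumption here),
    then salted and iterated with PBKDF2-HMAC-SHA256 to a 32-byte value."""
    expanded = nt.hex().encode("utf-16-le")
    assert len(expanded) == 64
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def cloud_verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Cloud-side check: recompute the derivation from the password the user typed
    and compare in constant time. Nothing here can turn `stored` back into a password."""
    candidate = phs_sync_value(nt_hash(password), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample user; a real deployment uses a random 10-byte per-user salt.
    password = "Winter2024!"
    salt = bytes.fromhex("00112233445566778899")
    on_prem_hash = nt_hash(password)
    synced = phs_sync_value(on_prem_hash, salt)
    print("NT hash in AD:     ", on_prem_hash.hex())
    print("Value sent to cloud:", synced.hex())
    print("Correct password:  ", cloud_verify(password, salt, PHS_ITERATIONS, synced))
    print("Wrong password:    ", cloud_verify("winter2024!", salt, PHS_ITERATIONS, synced))
```

Run it with `python3 phs_demo.py`. Two things worth noticing: the NT hash itself is unsalted MD4, which is why it is never sent as-is, and the same on-premises hash produces a different synced value for every salt, so a leaked cloud value cannot be matched against another tenant's data or a precomputed table.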
PHS is widely used because it is the simplest of the hybrid methods to deploy and operate, and it is the only one that keeps cloud sign-in working when on-premises AD is unreachable, which is why it is often enabled as a backup even where PTA is the primary method. PTA is preferred where policy forbids storing any password-derived material in the cloud: it validates every sign-in directly against on-premises AD, and on-premises changes take effect immediately. If an account is disabled on-premises, the user loses access to cloud services at once, whereas with PHS the disabled state arrives with the next synchronization cycle. This makes PTA attractive for organizations with stringent and complex security requirements, with one caveat: the servers running the PTA agent decrypt each submitted password in order to validate it against a domain controller, so they must be protected as tier-0 assets, on a par with the domain controllers themselves.
Does PTA guarantee a strongly secure environment?
It provides a strong foundation. Seamless single sign-on and a lightweight, auto-updating agent with little operational overhead are among the things PTA offers, but here is what it contributes specifically to a high-security environment:
With PTA, passwords stay on-premises and are never stored in the cloud, so the organization keeps control over its credentials and a breach of the cloud tenant does not expose password hashes.
Self-service password management in the cloud is available as an option: with self-service password reset and password writeback enabled, a password changed in the cloud is written back to on-premises AD. Azure AD Password Protection can additionally ban weak and commonly used passwords. Both are separate features that must be licensed and configured alongside PTA.
The agents make only outbound HTTPS connections to Azure AD, so no inbound firewall ports need to be opened and the agents do not need to sit in a perimeter network (DMZ).
PTA works with Conditional Access, the Zero Trust policy engine that can require MFA. Smart lockout blocks brute-force and password-spray attempts in the cloud before they reach on-premises AD, and Identity Protection detects and remediates risky sign-ins, securing access without friction for legitimate users. One check a practitioner should make: smart lockout can only shield on-premises accounts if the Azure AD lockout threshold is lower than the on-premises AD lockout threshold (Microsoft suggests the on-premises value be two to three times higher) and the Azure AD lockout duration is longer than the on-premises "reset account lockout counter after" window; otherwise an attacker can still lock users out of on-premises AD through the cloud.
All things considered, PTA is a sound choice for organizations that need password management to scale without adding operational burden while keeping credentials on-premises. To learn how to enable PTA, click here.