Azure Active Directory (Azure AD) allows you to choose from three options for authenticating cloud users against your on-premises Active Directory (AD):
- Password Hash Sync (PHS). This option synchronizes passwords from your on-premises AD to Azure AD.
- Pass-through authentication (PTA). This option allows users to use a single password to access both on-premises and Azure cloud services. Authentication is performed on-premises against your AD, and the password hash is not sent to the cloud.
- Active Directory Federation Services (AD FS). This option performs all authentication on the on-premises side. It is the most complex option to configure and maintain.
Pass-through authentication
PTA is a good option if you do not want to synchronize password hashes from your on-premises AD to Azure AD for security reasons. To use PTA, you must:
- Install the Azure AD Connect appliance on a server in your on-premises network.
- Deploy the PTA agent on the Azure AD Connect appliance.
- Enable PTA in Azure AD.
How PTA works
When a user tries to sign in to a cloud service, Azure AD encrypts the user’s password using the public key of the PTA agent. The encrypted password is then sent to the PTA agent. The PTA agent decrypts the password using its private key and then authenticates the user against your on-premises AD. If the authentication is successful, Azure AD allows the user to sign in to the cloud service.
Step-by-step process for enabling PTA
To enable PTA in Azure AD, follow these steps:
- Sign in to the Azure portal.
- In the left navigation pane, select Azure Active Directory.
- In the middle pane, select Azure AD Connect.
- In the right pane, select Configure.
- In the Sign-in method section, select Pass-through authentication.
- Select Save.
- For organizations with multiple Azure AD Connect appliances. If you have multiple Azure AD Connect appliances, you will need to enable PTA on each appliance. To do this, follow the steps above for each appliance.
- For organizations with a large number of users. If you have a large number of users, you may want to consider using a third-party tool to help you manage PTA. There are a number of tools available that can help you automate the deployment and configuration of PTA, as well as provide reporting and troubleshooting capabilities.
Azure AD will now download and install the PTA agent on the Azure AD Connect appliance. Once the installation is complete, PTA will be enabled.
Use cases for PTA
PTA can be used in a variety of scenarios, including:
- Hybrid cloud environments. PTA is a good option for organizations that have a hybrid cloud environment, with users who access both on-premises and Azure cloud services.
- Organizations with strict security requirements. PTA can help organizations with strict security requirements to protect their passwords from being stored in the cloud.
- Organizations with a large number of users. PTA can help organizations with a large number of users to simplify their IT management tasks by eliminating the need to synchronize password hashes from on-premises AD to Azure AD.
- Organizations with remote users. PTA can help organizations with remote users to improve the user experience by allowing them to sign in to both on-premises and Azure cloud services using a single password.
- Organizations with BYOD policies. PTA can help organizations with BYOD policies to improve the security of their environment by preventing users from storing their passwords on their personal devices.
Troubleshooting PTA
If you are having problems with PTA, you can check the following logs:
- Pass-through Authentication logs in Event Viewer (Application and Services Logs > Microsoft > AzureAdConnect > AuthenticationAgent > Admin)
- %ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace\ file
These logs can provide you with information about the errors that are occurring with PTA.
Benefits of PTA
PTA offers several benefits, including:
- Increased security. Because passwords are not stored in the cloud, PTA can help to protect your organization from data breaches.
- Simplified management. PTA does not require you to synchronize password hashes from your on-premises AD to Azure AD. This can simplify your IT management tasks.
- Improved user experience. Users can use a single password to access both on-premises and Azure cloud services. This can improve the user experience and reduce the risk of password fatigue.
If you are looking for a secure and easy-to-manage way to authenticate users to both on-premises and Azure cloud services, PTA is a good option to consider.