What is Azure AD Pass-through Authentication?

We know that security is very important for IT administrators. In this article, you can find which configuration of the ADConnect sync tool is best. I am going to explain what Azure AD Pass-through Authentication and Seamless Single Sign-On (SSO) do.

Normally, when you configure ADConnect with the “Azure AD Password Hash Synchronization” feature, a copy of the on-premises AD users’ passwords (hash values) is always sent across the internet and stored in the cloud, and authentication happens in the cloud.


Azure AD Password Hash Synchronization Process

Some companies don’t permit their organizations to send users’ passwords, even in hashed form, because of their security and compliance policies. Security rules are especially strict these days because of GDPR. Azure AD Pass-through authentication lets us keep passwords on-premises and validate users’ passwords directly against the on-premises AD. Normally, if you wanted to authenticate users on-premises, you had to install an ADFS server on the on-premises side. To configure ADFS in high availability mode you need a minimum of 4 servers (2 ADFS & 2 Proxy) + OS licenses + hardware + operational effort to keep the system running. As a result, you don’t need an ADFS server from now on, and Pass-through authentication is the best solution for now.

How does Pass-through authentication work?

Basically, when a user tries to sign in to Office 365 and Azure with an on-premises AD password, Microsoft servers encrypt the password using a public key, and the user name and encrypted password then wait for validation. The Pass-through agent retrieves the user name and encrypted password by making an outbound call from your network. The agent uses the HTTPS port to receive this information, so you don’t need to open inbound ports on your firewall.

The agent decrypts the password using a private key that only it has access to and tries to validate it against the on-premises Active Directory. Active Directory returns a success or failure result to the agent, and the agent forwards it up to Azure AD.

As a result, Azure AD decides whether or not to sign the user in to the service.

How to configure Pass-through authentication on ADConnect?

When you run ADConnect setup, select “Pass-through authentication” as the sign-on method in the interface.

As a second option, you can also select “enable single sign-on”. What is the benefit of SSO (Single Sign-On)? Basically, when you enable SSO in AD Connect, users don’t need to type their password on the sign-in page when they sign in to Azure and Office 365 services, provided their computers are domain joined and they are already signed in to the computer with their AD account on the domain network. The feature signs users in to Azure AD automatically.

If you enabled SSO on ADConnect, you need to add the Azure AD URL to the users’ Intranet zone settings by using a GPO in Active Directory:

1- Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.

Enable the policy, and then enter the following values in the dialog box:

Value name: https://autologon.microsoftazuread-sso.com

Value (Data): 1 indicates the Intranet zone.

It should look like the following:

2- Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.

Enable the policy setting below.
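
The check below is an added example, not part of the original article: it reads the current user's policy registry keys on a client to confirm that both GPO settings from steps 1 and 2 arrived. The registry paths, the `2103` value name and the helper `Get-PolicyValue` are assumptions about where these two policies are stored; confirm them on a test client.

```powershell
# Added example: confirm on a domain-joined client that both GPO settings were applied.
# Assumption: the two User Configuration policies write to the HKCU policy keys below;
# value 2103 is assumed to be the zone setting behind "Allow updates to status bar via script".
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$SsoUrl     = 'https://autologon.microsoftazuread-sso.com'   # value name from the article

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }              # policy key not present at all
    # Match case-insensitively and tolerate a trailing slash typed into the GPO dialog.
    $match = $key.GetValueNames() |
        Where-Object { $_.TrimEnd('/') -ieq $Name.TrimEnd('/') } |
        Select-Object -First 1
    if ($null -eq $match) { return $null }
    return $key.GetValue($match)
}

$zone      = Get-PolicyValue -Path "$PolicyRoot\ZoneMapKey" -Name $SsoUrl
$statusBar = Get-PolicyValue -Path "$PolicyRoot\Zones\1"    -Name '2103'

$checks = @(
    [pscustomobject]@{
        Setting  = 'Site to Zone Assignment List'
        Expected = '1 (Intranet zone)'
        Actual   = $zone
        Ok       = ("$zone" -eq '1')
    }
    [pscustomobject]@{
        Setting  = 'Allow updates to status bar via script'
        Expected = '0 (enabled)'
        Actual   = $statusBar
        Ok       = ($null -ne $statusBar -and [int]$statusBar -eq 0)
    }
)

$checks | Format-Table -AutoSize
if ($checks.Ok -contains $false) {
    Write-Warning 'Seamless SSO zone policy is incomplete for this user; run gpupdate and sign in again.'
    exit 1
}
```

Run it in the affected user's own session, because both policies live under User Configuration.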

Notes:

- If you use a firewall or proxy, you have to allow *.msappproxy.net URLs over port 443.

- Enabling the SSO service can take up to 30 minutes.

- The Edge browser is not supported yet.

- If you disable or re-enable the feature, users will not be able to get the single sign-on experience until their cached Kerberos tickets, generally valid for 10 hours, have expired.

- It is a free feature; you don’t need a paid edition of Azure AD.

To verify the feature:

https://aad.portal.azure.com/

Select Azure Active Directory in the left pane.

Select Azure AD Connect.

If you want pass-through authentication to be highly available, please check it out.