With Azure AD, you can use one of three options for authenticating cloud users against the on-premises Active Directory:
- Password Hash Sync (PHS).
- Pass-through authentication (PTA).
- Active Directory Federation Services (AD FS).
After deploying Azure AD Connect, you can enable Password Hash Synchronization to sync password hashes from on-premises Active Directory to Azure AD. If you do not want to synchronize password hashes from local AD to the cloud for security reasons, Pass-through Authentication can be used as an alternative to PHS.
Note. When using AD FS, all authentication is always performed on the local AD side. However, this option is the most difficult to configure and maintain.
Azure pass-through authentication allows users to use a single password to access both on-premises and Azure cloud services. The password and its hash are not sent over the network, and the password hash is not transferred to the cloud, because authentication is performed on-premises against Active Directory. How does it work?
- The administrator deploys a lightweight agent on the on-premises server running Azure AD Connect (multiple PTA agents can be deployed for high availability). These agents establish a persistent outbound connection to Azure AD and pass authentication requests to the local Active Directory (ports 443/TCP and 80/TCP are used for this communication);
- When a user authenticates to a cloud resource, Azure AD encrypts the entered password with the agent's public key and sends it to the Azure AD Connect Authentication Agent;
- The PTA agent validates the credentials against on-premises AD DS and returns the result to Azure AD: whether authentication succeeded, plus password expiration information. If the user account is locked out or disabled in on-premises AD, the user will not be able to sign in to the cloud-based M365 app;
- If MFA is enabled for the Azure AD user, they must complete the MFA prompt before they can access the app.
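Because the PTA agent validates the sign-in on-premises, a user whose account is disabled, locked out or has an expired password will fail cloud sign-in even though nothing is wrong in Azure AD. The following PowerShell snippet is an added example (not from the original article) that checks exactly those on-premises conditions for one account; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the account name `jdoe` is a constructed sample.

```powershell
# Added example: pre-check the on-premises account state that PTA reports back to Azure AD.
# Assumes the ActiveDirectory (RSAT) module is available on a domain-joined host.
Import-Module ActiveDirectory

function Test-PtaAccountState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut, PasswordExpired,
        PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME; Int64.MaxValue means "never expires"
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($raw -and $raw -lt [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }

    [PSCustomObject]@{
        User            = $u.SamAccountName
        Enabled         = $u.Enabled
        LockedOut       = $u.LockedOut
        PasswordExpired = $u.PasswordExpired
        PasswordLastSet = $u.PasswordLastSet
        PasswordExpires = $expiry          # $null = password never expires
        # Any one of these conditions makes the on-premises validation (and so the cloud sign-in) fail
        WillFailPta     = (-not $u.Enabled) -or $u.LockedOut -or $u.PasswordExpired
    }
}

# Usage with a constructed sample account name
Test-PtaAccountState -SamAccountName 'jdoe' | Format-List
```

Run it on the Azure AD Connect server (or any domain-joined admin host) when a user reports a cloud sign-in failure: if `WillFailPta` is `True`, the fix is on the on-premises side (unlock, enable or reset the password), not in Azure AD.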
Then enable PTA on the Windows host where Azure AD Connect is installed:
- Run Azure AD Connect and select Configure;
- Select Change user sign-in > Next;
- Enable the option Pass-through authentication;
- Azure AD Connect will automatically download and install the following additional services on your Windows host:
  - Microsoft Azure AD Connect Agent Updater
  - Microsoft Azure AD Connect Authentication Agent
  - Microsoft Azure AD Connect Authentication Package
Note. You can also download the setup file AADConnectAuthAgentSetup.exe directly from https://aka.ms/getauthagent.
Check that PTA is now enabled in the Azure Portal:
- Sign in to https://portal.azure.com/;
- Navigate to Azure Active Directory > Azure AD Connect;
- Check that Pass-through authentication is now enabled. You can also view the list of hosts where the Azure AD Connect Authentication Agent is installed.
If you uninstall the Azure AD Connect Authentication Agent on any server, that agent is shown as Inactive in the portal. You cannot manually remove an inactive PTA agent from the Azure portal; wait a few days and it will be deleted automatically.
If you need to troubleshoot PTA, check the Pass-through Authentication logs in Event Viewer (Application and Services Logs > Microsoft > AzureAdConnect > AuthenticationAgent > Admin) and the trace files in the %ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace\ folder.
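The checks above (agent services installed, outbound 443/80 connectivity, the Admin event log, the trace folder) can be gathered in one pass. The script below is an added example, not part of the original article: it runs elevated on the server where the Authentication Agent is installed, matches the services by the display names listed above, derives the event log name from the Event Viewer path with a wildcard lookup, and uses login.microsoftonline.com as an assumed example of an Azure AD endpoint to test reachability against.

```powershell
# Added example: one-shot health check for a PTA agent host. Run elevated on the agent server.
function Get-PtaAgentHealth {
    # 1. Agent services, matched by the display names the article lists
    $services = Get-Service -DisplayName 'Microsoft Azure AD Connect*' |
        Select-Object DisplayName, Name, Status, StartType

    # 2. Outbound reachability on the ports PTA uses (443/TCP and 80/TCP).
    #    login.microsoftonline.com is an assumed example endpoint; adapt to your tenant's requirements.
    $net = foreach ($port in 443, 80) {
        $r = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port $port -WarningAction SilentlyContinue
        [PSCustomObject]@{ Port = $port; Reachable = $r.TcpTestSucceeded }
    }

    # 3. Most recent critical/error/warning events from the agent's Admin channel.
    #    The log name is located by wildcard so the exact provider name need not be typed.
    $log = Get-WinEvent -ListLog '*AzureADConnect*AuthenticationAgent*Admin' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $events = if ($log) {
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Level = 1, 2, 3 } -MaxEvents 20 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    }

    # 4. Newest trace files under %ProgramData%, where the agent writes its detailed traces
    $tracePath = Join-Path $env:ProgramData 'Microsoft\Azure AD Connect Authentication Agent\Trace'
    $trace = Get-ChildItem -Path $tracePath -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 3 FullName, LastWriteTime, Length

    [PSCustomObject]@{
        Services     = $services
        Network      = $net
        RecentEvents = $events
        TraceFiles   = $trace
    }
}

$health = Get-PtaAgentHealth
$health.Services     | Format-Table -AutoSize
$health.Network      | Format-Table -AutoSize
$health.RecentEvents | Format-Table -AutoSize -Wrap
$health.TraceFiles   | Format-Table -AutoSize
```

A stopped Authentication Agent service, a failed TCP test on 443, or repeated errors in the Admin channel each point to a different layer (host, firewall/proxy, or agent registration), so reading the four sections together usually narrows the cause before opening the trace files.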