Pass-Through Authentication Principle: Azure Active Directory integration with on-Premise AD using PTA

Pass-Through Authentication (PTA) allows users to sign in to both on-premises and cloud-based applications using the same passwords. Here, you do not have to care about SSO.

Take a look at this link to see various options that are possible for Integrating Azure Active Directory with on-Premise Active Directory


Note: No passwords in the cloud, all authentications have to be performed on-premises. Therefore, when users sign in using Azure AD, this feature validates users’ passwords directly against your on-premises Active Directory. See the link below for how this is done

An alternative to this method is the Azure AD Password Hash Synchronisation. In this method, the the authentication happens in the cloud.

See the link below for methods for integrating Azure Active Directory with on-Premise Active Directory.

Below are the steps on how PTA works
On-premises you have an agent (Microsoft AAD App Proxy Connector) constantly polling your Azure AD to check if there are credentials up to date. It is worth to note that, it is your agent that is constantly contacting Azure AD and not Azure AD contacting your agent, so there are no incoming ports to open.

  1. When the user types its credentials, they are put in a queue in Azure AD and retrieved by the on-premises agent.
  2. The agent verifies them and updates the queue with something like “good creds” or “bad creds”.
  3. Azure AD validates the authentication or prompts the user for its credentials again if they were incorrect.

So, it is great to know that we don’t rely on ADFS to authenticate but still do not have SSO for your domain joined machines.

As at the time of this writing, there is currently a preview feature as described by Pierre Audonnet [MSFT]. He explained that there is currently a new preview feature called the Azure AD Connect Seamless SSO. This means you will have SSO functionalities for domain joined machines when they are connected on-premise, just like you had an ADFS farm. See the link for more information

Note: The major difference between AD FS and PTA is that, outside the complexity of AD FS, it enables us to support other methods of Password Authentication, 3rd party MFA and Smart Cards Authentication. PTA is able to perform seamless SSO using Kerberos

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x