Azure AD Pass-Through Authentication with on-Premise AD

Microsoft

The options for integrating Azure Active Directory with on-premises Active Directory are summarised here: https://techdirectarchive.com/2020/02/02/methods-for-integrating-azure-active-directory-with-on-premise-active-directory/

Pass-Through Authentication (PTA) allows users to sign in to both on-premises and cloud-based applications using the same passwords. PTA on its own is independent of SSO, so you do not have to deal with SSO here.

Note: No passwords are stored in the cloud; every authentication has to be performed on-premises. Therefore, when users sign in through Azure AD, this feature validates users’ passwords directly against your on-premises Active Directory. See the link below for how this is done: https://channel9.msdn.com/Shows/OEMTV/OEM1710

An alternative to this method is Azure AD Password Hash Synchronisation. In that method, the authentication happens in the cloud. See https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta


Below are the steps of how PTA works.

On-premises you have an agent (Microsoft AAD App Proxy Connector) constantly polling your Azure AD to check whether there are credentials waiting to be validated. It is worth noting that it is your agent that is constantly contacting Azure AD, and not Azure AD contacting your agent, so there are no incoming ports to open.

  1. When the user types their credentials, they are put in a queue in Azure AD and retrieved by the on-premises agent.
  2. The agent verifies them against on-premises AD and updates the queue with something like “good creds” or “bad creds”.
  3. Azure AD completes the authentication, or prompts the user for their credentials again if they were incorrect.
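To make the three steps concrete, here is an added example (it is not code from the original post and does not use Microsoft's protocol) that models the exchange as a toy: a cloud tenant that only queues sign-in requests, an on-premises directory that holds salted hashes, and an agent that polls outbound, verifies locally and reports a verdict. The in-memory queue stands in for the Azure AD service; the password is carried in the clear inside the model, whereas the real service protects it so that only the agent can read it. All account names and passwords below are constructed.

```python
# Added example: simplified model of the PTA sign-in flow (not Microsoft's implementation).
import hashlib
import hmac
import secrets
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple


@dataclass
class AuthRequest:
    request_id: str
    username: str
    password: str  # in this model it travels in clear; the real service protects it for the agent


class CloudTenant:
    """Azure AD side: accepts sign-ins and queues them; it never validates a password itself."""

    def __init__(self) -> None:
        self.queue: Deque[AuthRequest] = deque()
        self.verdicts: Dict[str, str] = {}

    def sign_in(self, username: str, password: str) -> str:
        """Step 1: the user's credentials are placed in the queue."""
        request_id = secrets.token_hex(8)
        self.queue.append(AuthRequest(request_id, username, password))
        return request_id

    def next_request(self) -> Optional[AuthRequest]:
        """Served to the agent's outbound poll; the cloud never connects inbound."""
        return self.queue.popleft() if self.queue else None

    def report(self, request_id: str, verdict: str) -> None:
        """Step 2: the agent writes 'good creds' / 'bad creds' back for a request."""
        self.verdicts[request_id] = verdict

    def outcome(self, request_id: str) -> str:
        """Step 3: Azure AD acts on the verdict ('pending' until the agent answers)."""
        return self.verdicts.get(request_id, "pending")


class OnPremDirectory:
    """Stand-in for on-premises AD: stores salted PBKDF2 hashes, never plaintext."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._users[username.lower()] = (salt, digest)

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username.lower())
        if record is None:
            # Unknown user: do the same work so timing does not reveal whether the account exists
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, self.ITERATIONS)
            return False
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, expected)


class OnPremAgent:
    """PTA agent: polls the cloud queue (outbound only), validates locally, reports back."""

    def __init__(self, tenant: CloudTenant, directory: OnPremDirectory) -> None:
        self.tenant = tenant
        self.directory = directory

    def run_once(self) -> int:
        """Drain the queue once; returns the number of requests handled."""
        handled = 0
        while (req := self.tenant.next_request()) is not None:
            ok = self.directory.verify(req.username, req.password)
            self.tenant.report(req.request_id, "good creds" if ok else "bad creds")
            handled += 1
        return handled


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: a valid sign-in, a wrong password and an unknown user."""
    directory = OnPremDirectory()
    directory.add_user("alice@corp.example", "Correct-Horse-42")  # constructed test account
    tenant = CloudTenant()
    agent = OnPremAgent(tenant, directory)

    ids = {
        "valid": tenant.sign_in("alice@corp.example", "Correct-Horse-42"),
        "wrong_password": tenant.sign_in("alice@corp.example", "guess"),
        "unknown_user": tenant.sign_in("mallory@corp.example", "anything"),
    }
    before = {k: tenant.outcome(v) for k, v in ids.items()}  # all still "pending"
    agent.run_once()
    after = {k: tenant.outcome(v) for k, v in ids.items()}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the trust boundary: the tenant object holds neither hashes nor a verifier, every verdict originates on-premises, and the only connection is the agent's outbound poll, which is why no inbound port is needed. It also follows that the host running the agent must be protected like a domain controller, since it sees submitted passwords and decides sign-in outcomes.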

So, it is good to know that we do not rely on AD FS to authenticate, but we still do not have SSO for domain-joined machines.

At the time of this writing there is a preview feature, described by Pierre Audonnet [MSFT], called Azure AD Connect Seamless SSO. It gives you SSO for domain-joined machines when they are connected on-premises, just as you had with an AD FS farm. See the link for more information: https://blogs.technet.microsoft.com/pie/2017/02/06/do-i-really-need-adfs/

Note: The major difference between AD FS and PTA is that AD FS, for all its complexity, enables us to support other methods of password authentication, third-party MFA and smart card authentication.

PTA is able to perform seamless SSO using Kerberos: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
