Deploy Azure AD Pass-through Authentication
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications by using the same passwords. Pass-through Authentication signs users in by validating their passwords directly against on-premises Active Directory.
Important
If you are migrating from AD FS (or other federation technologies) to Pass-through Authentication, view Resources for migrating applications to Azure AD.
Note
If you are deploying Pass-through Authentication with the Azure Government cloud, see Hybrid Identity Considerations for Azure Government.
Follow these instructions to deploy Pass-through Authentication on your tenant:
Step 1: Check the prerequisites
Ensure that the following prerequisites are in place.
Important
From a security standpoint, administrators should treat the server running the PTA agent as if it were a domain controller. The PTA agent servers should be hardened along the same lines as outlined in Securing Domain Controllers Against Attack.
In the Entra admin center
- Create a cloud-only Hybrid Identity Administrator account or a Hybrid Identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about adding a cloud-only Hybrid Identity Administrator account. Completing this step is critical to ensure that you don't get locked out of your tenant.
- Add one or more custom domain names to your Azure AD tenant. Your users can sign in with one of these domain names.
In your on-premises environment
Identify a server running Windows Server 2016 or later to run Azure AD Connect. If not enabled already, enable TLS 1.2 on the server. Add the server to the same Active Directory forest as the users whose passwords you need to validate. Note that installation of the Pass-through Authentication agent on Windows Server Core versions is not supported.
Install the latest version of Azure AD Connect on the server identified in the preceding step. If you already have Azure AD Connect running, ensure that the version is supported.
Note
Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0, and 1.1.614.0 have a problem related to password hash synchronization. If you don't intend to use password hash synchronization in conjunction with Pass-through Authentication, read the Azure AD Connect release notes.
Identify one or more additional servers (running Windows Server 2016 or later, with TLS 1.2 enabled) where you can run standalone Authentication Agents. These additional servers are needed to ensure the high availability of requests to sign in. Add the servers to the same Active Directory forest as the users whose passwords you need to validate.
Important
In production environments, we recommend that you have a minimum of 3 Authentication Agents running on your tenant. There is a system limit of 40 Authentication Agents per tenant. And as best practice, treat all servers running Authentication Agents as Tier 0 systems (see reference).
If there is a firewall between your servers and Azure AD, configure the following items:
Ensure that Authentication Agents can make outbound requests to Azure AD over the following ports:
Port number | How it's used
--- | ---
80 | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate
443 | Handles all outbound communication with the service
8080 (optional) | Authentication Agents report their status every ten minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. Port 8080 is not used for user sign-ins.

If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
If your firewall or proxy lets you add DNS entries to an allowlist, add connections to *.msappproxy.net and *.servicebus.windows.net. If not, allow access to the Azure datacenter IP ranges, which are updated weekly.
Avoid all forms of inline inspection and termination of outbound TLS communications between the Azure Pass-through Authentication Agent and the Azure endpoint.
If you have an outgoing HTTP proxy, make sure this URL, autologon.microsoftazuread-sso.com, is on the allowed list. You should specify this URL explicitly, since wildcards may not be accepted.
Your Authentication Agents need access to login.windows.net and login.microsoftonline.com for initial registration. Open your firewall for those URLs as well.
For certificate validation, unblock the following URLs: crl3.digicert.com:80, crl4.digicert.com:80, ocsp.digicert.com:80, www.d-trust.net:80, root-c3-ca2-2009.ocsp.d-trust.net:80, crl.microsoft.com:80, oneocsp.microsoft.com:80, and ocsp.msocsp.com:80. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.
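An added preflight script (example code, not from the original article or from the Authentication Agent installer) that checks a prospective agent server against the prerequisites above: the TLS 1.2 SCHANNEL and .NET strong-crypto registry settings, and TCP reachability of the explicitly named endpoints and ports. It assumes it runs as a local administrator on the Windows Server host; the *.msappproxy.net and *.servicebus.windows.net wildcard domains are tenant-specific and are not probed.

```powershell
# Added preflight check for a prospective Pass-through Authentication Agent server.
# Example code, not part of the original article or of the Authentication Agent.
# Assumptions: run as a local administrator; the registry paths below are the
# standard SCHANNEL and .NET Framework locations used to enable TLS 1.2.

function Test-PtaTls12Registry {
    # TLS 1.2 must be enabled for both the Client and Server roles in SCHANNEL,
    # and .NET must be set to use strong crypto so the agent negotiates TLS 1.2.
    $results = @()
    foreach ($role in 'Client', 'Server') {
        $path  = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$role"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $ok = ($null -ne $props) -and ($props.Enabled -eq 1) -and ($props.DisabledByDefault -eq 0)
        $results += [pscustomobject]@{ Check = "SCHANNEL TLS 1.2 $role"; Pass = $ok }
    }
    foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $props = Get-ItemProperty -Path $net -ErrorAction SilentlyContinue
        $ok = ($null -ne $props) -and ($props.SchUseStrongCrypto -eq 1)
        $results += [pscustomobject]@{ Check = ".NET SchUseStrongCrypto ($net)"; Pass = $ok }
    }
    return $results
}

function Test-PtaOutboundEndpoints {
    # Hosts and ports named in the firewall prerequisites. The wildcard domains
    # (*.msappproxy.net, *.servicebus.windows.net) resolve to tenant-specific
    # hosts and cannot be probed generically, so they are not listed here.
    $endpoints = @(
        @{ Host = 'login.windows.net';                  Port = 443 },
        @{ Host = 'login.microsoftonline.com';          Port = 443 },
        @{ Host = 'autologon.microsoftazuread-sso.com'; Port = 443 },
        @{ Host = 'crl3.digicert.com';                  Port = 80  },
        @{ Host = 'crl4.digicert.com';                  Port = 80  },
        @{ Host = 'ocsp.digicert.com';                  Port = 80  },
        @{ Host = 'www.d-trust.net';                    Port = 80  },
        @{ Host = 'root-c3-ca2-2009.ocsp.d-trust.net';  Port = 80  },
        @{ Host = 'crl.microsoft.com';                  Port = 80  },
        @{ Host = 'oneocsp.microsoft.com';              Port = 80  },
        @{ Host = 'ocsp.msocsp.com';                    Port = 80  }
    )
    foreach ($e in $endpoints) {
        # -InformationLevel Quiet returns $true/$false for the TCP handshake only;
        # it does not prove that a proxy in the path passes the TLS traffic unmodified.
        $reachable = Test-NetConnection -ComputerName $e.Host -Port $e.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "$($e.Host):$($e.Port)"; Pass = [bool]$reachable }
    }
}

$report = @(Test-PtaTls12Registry) + @(Test-PtaOutboundEndpoints)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites failed; resolve them before installing the Authentication Agent.'
}
```

A passing TCP probe does not detect inline TLS inspection; where a proxy sits in the path, also confirm that the certificate chain presented on port 443 is Microsoft's and not the proxy's.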
Azure Government cloud prerequisite
Prior to enabling Pass-through Authentication through Azure AD Connect in Step 2, download the latest release of the PTA agent from the Azure portal. You need to ensure that your agent is version 1.5.1742.0 or later. To verify your agent version, see Upgrade authentication agents.
After downloading the latest release of the agent, proceed with the following instructions to configure Pass-through Authentication through Azure AD Connect.
Step 2: Enable the feature
Enable Pass-through Authentication through Azure AD Connect.
Important
You can enable Pass-through Authentication on the Azure AD Connect primary or staging server. It is highly recommended that you enable it from the primary server. If you are setting up an Azure AD Connect staging server in the future, you must continue to choose Pass-through Authentication as the sign-in option; choosing another option will disable Pass-through Authentication on the tenant and override the setting in the primary server.
If you're installing Azure AD Connect for the first time, choose the custom installation path. At the User sign-in page, choose Pass-through Authentication as the Sign On method. On successful completion, a Pass-through Authentication Agent is installed on the same server as Azure AD Connect. In addition, the Pass-through Authentication feature is enabled on your tenant.
If you have already installed Azure AD Connect by using the express installation or the custom installation path, select the Change user sign-in task on Azure AD Connect, and then select Next. Then select Pass-through Authentication as the sign-in method. On successful completion, a Pass-through Authentication Agent is installed on the same server as Azure AD Connect and the feature is enabled on your tenant.
Important
Pass-through Authentication is a tenant-level feature. Turning it on affects the sign-in for users across all the managed domains in your tenant. If you're switching from Active Directory Federation Services (AD FS) to Pass-through Authentication, you should wait at least 12 hours before shutting down your AD FS infrastructure. This wait time is to ensure that users can keep signing in to Exchange ActiveSync during the transition. For more help on migrating from AD FS to Pass-through Authentication, check out our deployment plans published here.
Step 3: Test the feature
Follow these instructions to verify that you have enabled Pass-through Authentication correctly:
Sign in to the Entra admin center with the Hybrid Identity Administrator credentials for your tenant.
Select Azure Active Directory.
Select Azure AD Connect.
Verify that the Pass-through authentication feature appears as Enabled.
Select Pass-through authentication. The Pass-through authentication pane lists the servers where your Authentication Agents are installed.
At this stage, users from all the managed domains in your tenant can sign in by using Pass-through Authentication. However, users from federated domains continue to sign in by using AD FS or another federation provider that you have previously configured. If you convert a domain from federated to managed, all users from that domain automatically start signing in by using Pass-through Authentication. The Pass-through Authentication feature does not affect cloud-only users.
Step 4: Ensure high availability
If you plan to deploy Pass-through Authentication in a production environment, you should install additional standalone Authentication Agents. Install these Authentication Agent(s) on server(s) other than the one running Azure AD Connect. This setup provides you with high availability for user sign-in requests.
Important
In production environments, we recommend that you have a minimum of 3 Authentication Agents running on your tenant. There is a system limit of 40 Authentication Agents per tenant. And as best practice, treat all servers running Authentication Agents as Tier 0 systems (see reference).
Installing multiple Pass-through Authentication Agents ensures high availability, but not deterministic load balancing between the Authentication Agents. To determine how many Authentication Agents you need for your tenant, consider the peak and average load of sign-in requests that you expect to see on your tenant. As a benchmark, a single Authentication Agent can handle 300 to 400 authentications per second on a standard 4-core CPU, 16-GB RAM server.
To estimate network traffic, use the following sizing guidance:
- Each request has a payload size of (0.5K + 1K * num_of_agents) bytes, that is, data from Azure AD to the Authentication Agent. Here, "num_of_agents" indicates the number of Authentication Agents registered on your tenant.
- Each response has a payload size of 1K bytes, that is, data from the Authentication Agent to Azure AD.
For most customers, three Authentication Agents in total are sufficient for high availability and capacity. You should install Authentication Agents close to your domain controllers to improve sign-in latency.
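An added capacity and traffic estimator (example code, not from the original article) that applies the sizing guidance above: it derives the agent count from the peak sign-in rate and the per-agent benchmark, enforces the minimum of 3 and the tenant limit of 40, and shows that the request payload sent to each agent grows with every agent registered. It assumes 1K = 1024 bytes and uses the conservative end (300 auth/s) of the 300-400 benchmark; the sample load figures are constructed.

```powershell
# Added capacity and traffic estimator for Pass-through Authentication Agents.
# Example code, not from the original article. Assumptions: 1K = 1024 bytes and the
# conservative end (300 auth/s) of the article's 300-400 per-agent benchmark.

function Get-PtaAgentPlan {
    param(
        [Parameter(Mandatory)][int]$PeakAuthPerSecond,
        [int]$AverageAuthPerSecond   = 0,
        [int]$AuthPerSecondPerAgent  = 300,   # lower bound of the 300-400 benchmark
        [int]$MinimumAgents          = 3,     # production minimum from the article
        [int]$MaximumAgents          = 40     # per-tenant system limit from the article
    )
    # Capacity: enough agents to carry the peak rate, never fewer than the minimum.
    $forCapacity = [math]::Ceiling($PeakAuthPerSecond / $AuthPerSecondPerAgent)
    $agents      = [math]::Max($MinimumAgents, $forCapacity)
    if ($agents -gt $MaximumAgents) {
        throw "Peak load needs $agents agents, above the $MaximumAgents-per-tenant limit."
    }

    # Payload sizes from the article's sizing guidance: the request from Azure AD
    # is (0.5K + 1K * num_of_agents) bytes, so every agent added for redundancy
    # also raises the bytes delivered to an agent per sign-in; the response is 1K.
    $requestBytes  = 0.5 * 1024 + 1024 * $agents
    $responseBytes = 1024

    [pscustomobject]@{
        Agents                 = $agents
        RequestBytesPerSignIn  = $requestBytes
        ResponseBytesPerSignIn = $responseBytes
        PeakInboundKBps        = [math]::Round($PeakAuthPerSecond * $requestBytes / 1024, 1)
        PeakOutboundKBps       = [math]::Round($PeakAuthPerSecond * $responseBytes / 1024, 1)
        AvgInboundKBps         = [math]::Round($AverageAuthPerSecond * $requestBytes / 1024, 1)
        AvgOutboundKBps        = [math]::Round($AverageAuthPerSecond * $responseBytes / 1024, 1)
    }
}

# Constructed sample: a tenant peaking at 1200 sign-ins per second (4 agents,
# 4608 request bytes per sign-in) and averaging 150 per second.
Get-PtaAgentPlan -PeakAuthPerSecond 1200 -AverageAuthPerSecond 150 | Format-List
```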
To begin, follow these instructions to download the Authentication Agent software:
To download the latest version of the Authentication Agent (version 1.5.193.0 or later), sign in to the Entra admin center with your tenant's Hybrid Identity Administrator credentials.
Select Azure Active Directory.
Select Azure AD Connect, select Pass-through authentication, and then select Download Agent.
Select the Accept terms & download button.
Note
You can also directly download the Authentication Agent software. Review and accept the Authentication Agent's Terms of Service before installing it.
There are two ways to deploy a standalone Authentication Agent:
First, you can do it interactively by just running the downloaded Authentication Agent executable and providing your tenant's global administrator credentials when prompted.
Second, you can create and run an unattended deployment script. This is useful when you want to deploy multiple Authentication Agents at once, or install Authentication Agents on Windows servers that don't have a user interface enabled, or that you can't access with Remote Desktop. Here are the instructions on how to use this approach:
- Run the following command to install an Authentication Agent:
  AADConnectAuthAgentSetup.exe REGISTERCONNECTOR="false" /q
- You can register the Authentication Agent with our service using Windows PowerShell. Create a PowerShell Credentials object $cred that contains a global administrator username and password for your tenant. Run the following commands, replacing <username> and <password>:
  $User = "<username>"
  $PlainPassword = '<password>'
  $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
  $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword
- Go to C:\Program Files\Microsoft Azure AD Connect Authentication Agent and run the following script using the $cred object that you created:
  RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\" -moduleName "PassthroughAuthPSModule" -Authenticationmode Credentials -Usercredentials $cred -Feature PassthroughAuthentication
Important
If an Authentication Agent is installed on a Virtual Machine, you can't clone the Virtual Machine to set up another Authentication Agent. This method is unsupported.
Step 5: Configure Smart Lockout capability
Smart Lockout assists in locking out bad actors who are trying to guess your users’ passwords or using brute-force methods to get in. By configuring Smart Lockout settings in Azure AD and / or appropriate lockout settings in on-premises Active Directory, attacks can be filtered out before they reach Active Directory. Read this article to learn more on how to configure Smart Lockout settings on your tenant to protect your user accounts.
Next steps
- Migrate your apps to Azure AD: Resources to help you migrate application access and authentication to Azure AD.
- Smart Lockout: Learn how to configure the Smart Lockout capability on your tenant to protect user accounts.
- Current limitations: Learn which scenarios are supported with the Pass-through Authentication and which ones are not.
- Technical deep dive: Understand how the Pass-through Authentication feature works.
- Frequently asked questions: Find answers to frequently asked questions.
- Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
- Security deep dive: Get technical information on the Pass-through Authentication feature.
- Hybrid Azure AD join: Configure Hybrid Azure AD join capability on your tenant for SSO across your cloud and on-premises resources.
- Azure AD Seamless SSO: Learn more about this complementary feature.
- UserVoice: Use the Azure Active Directory Forum to file new feature requests.
FAQs
How do I enable passthrough authentication in Azure AD?
Sign in to the Entra admin center with the Hybrid Identity Administrator credentials for your tenant. Select Azure Active Directory. Select Azure AD Connect. Verify that the Pass-through authentication feature appears as Enabled.
How is Azure AD pass through authentication configured?
Clicking on Pass Through Authentication will take you to the Agent Download screen. We will install the agent on another machine to make it highly available, and the above warning will also go away. Download the binary and copy it to the server. Double-click it on the server; it will ask you for global admin credentials.
What are the key benefits of using Azure AD pass through authentication?
- Great user experience. Users use the same passwords to sign into both on-premises and cloud-based applications. ...
- Easy to deploy & administer. No need for complex on-premises deployments or network configuration. ...
- Secure. ...
- Highly available.
Password hash synchronization—Synchronizes the hash of a user's Azure AD and on-premise Active Directory passwords. Pass-through authentication—Allows users to authenticate with the same password on both Azure AD and on-premise Active Directory.
How do I know if pass-through authentication is enabled?
Ensure that the Pass-through Authentication feature is still Enabled on your tenant and the status of Authentication Agents shows Active, and not Inactive. You can check status by going to the Azure AD Connect blade on the Entra admin center.
What is the difference between pass-through authentication and federation?
Pass-through Authentication and federation rely on on-premises infrastructure. For pass-through authentication, the on-premises footprint includes the server hardware and networking the Pass-through Authentication agents require. For federation, the on-premises footprint is even larger.
Which three authentication methods can Azure AD users use?
- Microsoft Authenticator.
- Authenticator Lite (in Outlook)
- Windows Hello for Business.
- FIDO2 security key.
- OATH hardware token (preview)
- OATH software token.
- SMS.
- Voice call.
Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods: Something you know, typically a password. Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key. Something you are - biometrics like a fingerprint or face scan.
What port does Azure Active Directory use for authentication?
Only standard ports (port 80 and port 443) are used for outbound communication from the authentication agents to Azure AD. You don't need to open inbound ports on your firewall. Port 443 is used for all authenticated outbound communication.
What is the difference between PHS and PTA in Azure?
Microsoft recommends using password-hash synchronization (PHS) for authentication. Identity federation and PTA are options for organizations that cannot or choose not to synchronize password hashes to the cloud, or organizations that need stronger authentication controls.
Does Azure AD provide federated authentication?
You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises. This method allows administrators to implement more rigorous levels of access control.
Which three authentication methods can Azure AD users use to reset their password?
The following authentication methods are available for SSPR: Mobile app notification. Mobile app code. Email.
How many types of authentication are there in Azure?
Microsoft offers the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD): Windows Hello for Business. Microsoft Authenticator app. FIDO2 security keys.
What is the difference between Delta Sync and initial sync in Azure AD Connect?
Azure Active Directory Sync. There are two types of sync in Azure Active Directory Connect: delta sync and full sync. A delta sync synchronizes only the latest changes, while a full sync is only necessary when changing the Azure AD Connect configuration.
What are pass through authentication methods?
Pass-through authentication (PTA) is a feature of Azure AD Connect. It involves a simple service in the form of an agent running on one or several on-premises domain-joined servers, which validates a user's sign-on on behalf of Azure AD directly with the on-premises Active Directory (AD).
What happens if Azure AD Connect goes down?
AAD Connect takes user accounts, and maybe passwords, from your on-premises Active Directory and copies them into Azure Active Directory. If your AAD Connect server goes down, you don't lose any data or very much functionality. There really isn't any need for a high availability configuration for AAD Connect.
Which of the following authentication methods validates the password on Azure AD?
Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in.
Which protocol is most commonly used for federated authentication systems?
The SAML protocol simplifies password management and user authentication in a federated system. It uses Extensible Markup Language (XML) to standardize communications between multiple systems.
What is the difference between SAML and federation?
Single sign-on enables access to applications and resources within a single domain. Federated identity management enables single sign-on to applications across multiple domains or organizations.
What is the difference between federation and trust in Active Directory?
While trust relationships can be set up between AD domains and forests to allow sharing of network resources, ADFS provides secure sharing of identity information between federated business partners.
What two-factor authentication verification methods are available in Azure AD?
- A password.
- A trusted device that's not easily duplicated, like a phone or hardware key.
- Biometrics like a fingerprint or face scan.
For most organizations that just want to enable user sign-in to Microsoft 365, SaaS applications, and other Azure AD-based resources, we recommend the default password hash synchronization option.
What are the 4 types of authentication?
The most common authentication methods are Password Authentication Protocol (PAP), Authentication Token, Symmetric-Key Authentication, and Biometric Authentication.
What is Microsoft Entra?
Microsoft Entra is a family of products that encompasses all identity and access capabilities. Within the Entra family are products such as Microsoft Azure Active Directory (Azure AD), Microsoft Entra Verified ID, and Microsoft Entra Permissions Management.
What are the three types of authentication?
Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as a bank card; something you are: biometrics, such as fingerprints and voice recognition.
What is the difference between Windows authentication and Active Directory authentication?
Windows authentication enables the separation of duties. The Active Directory (AD) team manages the AD users, whereas the DBA adds AD users in the SQL instances and provides appropriate permissions. Active Directory helps to create Windows groups.
Does Azure AD use Kerberos authentication?
The Kerberos delegation flow in Azure AD Application Proxy starts when Azure AD authenticates the user in the cloud. Once the request arrives on-premises, the Azure AD Application Proxy connector issues a Kerberos ticket on behalf of the user by interacting with the local Active Directory.
What is the difference between port 389 and 636 in Active Directory?
Port 389 has historically been used for unencrypted connections into an LDAP server. Port 636 is used for legacy SSL connections. Port 389 is used for TLS connections; TLS establishes a non-encrypted connection on port 389 that it 'upgrades' to an encrypted TLS connection as the initial connection proceeds.
Is Azure AD used for authentication and authorization?
Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as: Conditional Access policies that require a user to be in a specific location. Multi-Factor Authentication which requires a user to have a specific device.
What is the difference between PAM and PIM in Azure AD?
The main difference between PIM and PAM is that PIM addresses what access a user is already granted, while PAM addresses how to monitor and control access whenever a user requests access to a resource.
What is the difference between AAD managed identity and service principal?
Managed Identity is suitable for scenarios where a single resource needs to access another Azure resource, while Service Principal is suitable for more complex scenarios where multiple resources need to access multiple Azure resources.
What is the difference between Azure AD Premium P1 and P2?
A standalone Azure Premium P1 license costs $6 per user / per month, whereas an Azure Premium P2 license costs $9 per user / per month. All member user accounts in the Azure AD tenant must be licensed. If your organization licenses Microsoft 365, then Microsoft 365 E3 licenses include Azure Active Directory Premium P1.
What is the difference between Azure AD authentication and AD FS?
The key difference is that AAD is an identity and access management (IAM) solution while AD FS is a security token service (STS). As such, they each have their own distinctions.
Does Azure AD require MFA to join?
To secure user sign-in events in Azure AD, you can require multi-factor authentication (MFA). Enabling Azure AD Multi-Factor Authentication using Conditional Access policies is the recommended approach to protect users.
How do I disable Azure AD pass through authentication?
- PS C:\Program Files\Microsoft Azure AD Connect Authentication Agent> Import-Module .\Modules\PassthroughAuthPSModule
- Get-PassthroughAuthenticationEnablementStatus
- Disable-PassthroughAuthentication
How do I implement Azure AD authentication?
- From the portal menu, select Azure Active Directory.
- From the left navigation, select App registrations > New registration.
- In the Register an application page, enter a Name for your app registration.
- Select Register.
Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.
What is the difference between initial and delta?
Initial load is the first time that all of the data from a source system is loaded into a target system. Delta load is the process of loading only the changes or updates that have happened since the last load.
Is Azure AD Connect a two-way sync?
By default, the sync is one way: from on-premises AD to Azure AD. However, you can configure the writeback function to sync changes from Azure AD back to your on-premises AD.
What is the difference between Azure AD joined and hybrid Azure AD joined?
Hybrid Azure AD Joined – The Windows 365 Cloud PC is joined to on-premises AD and Azure AD, and requires an organizational account to sign in to the Cloud PCs. Azure AD joined – The Windows 365 Cloud PC is joined only to Azure AD, requiring an organizational account to sign in to the Cloud PCs.
How do I enable authentication methods in Azure?
- Sign in to the Azure portal.
- Browse to Azure Active Directory > Users > All users.
- Choose the user for whom you wish to add an authentication method and select Authentication methods.
- At the top of the window, select + Add authentication method.
How can I disable Pass-through Authentication? Rerun the Azure AD Connect wizard and change the user sign-in method from Pass-through Authentication to another method. This change disables Pass-through Authentication on the tenant and uninstalls the Authentication Agent from the server.
How to enable Basic authentication in Azure Active Directory?
- Open the Azure Portal;
- Go to the Azure Active Directory -> Sign-in logs;
- Select the date range Last 1 month;
- Add filter by field Client App;
- Select all Legacy Authentication Clients for this filter.
Enable Modern authentication for your organization
However, you need to make sure your Office 365 subscription is enabled for ADAL, or modern authentication. To enable modern authentication, from the admin center, select Settings > Settings and then in the Services tab, choose Modern authentication from the list.
What are the default authentication methods for Azure AD?
Security defaults users are required to register for and use Azure AD Multifactor Authentication using the Microsoft Authenticator app using notifications. Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option.
Disable in SQL Database using Azure portal
Go to your SQL server resource, and select Azure Active Directory under the Settings menu. To disable the Azure AD-only authentication feature, uncheck the Support only Azure Active Directory authentication for this server checkbox and Save the setting.
How do I turn off Microsoft Basic authentication?
Beginning in early 2023, we disabled Basic authentication for any tenants who requested an extension. You can read more about the timing here. In Office 365 Operated by 21Vianet, we'll begin disabling Basic authentication on March 31, 2023. All other cloud environments are subject to the October 1, 2022 date.
How do I turn off two-step verification on Azure AD?
To turn two-step verification on or off: Go to Security settings and sign in with your Microsoft account. Under the Two-step verification section, choose Set up two-step verification to turn it on, or choose Turn off two-step verification to turn it off.
How to configure Active Directory authentication?
- Open the Server Manager, go to the Tools menu and select Active Directory Users and Computers.
- Expand the domain and click Users.
- Right-click on the right pane and press New > User.
- When the New Object-User box displays enter a First name, Last name, User logon name, and click Next.
- Enter a password and press Next.
Which Type of Authentication is Used in Active Directory? AD Authentication is a process that typically follows Kerberos protocol, where users have to log in using their credentials to gain access to resources.
What is the difference between basic authentication and modern authentication?
Modern authentication, which is based on ADAL (Active Directory Authentication Library) and OAuth 2.0, offers a more secure method of authentication. To put it in simple terms, basic authentication requires each app, service or add-in to pass credentials – login and password – with each request.
How do I know if MFA is enabled in Azure AD?
- Sign in to the Azure portal as a Global administrator.
- Search for and select Azure Active Directory, then select Users > All users.
- Select Per-user MFA.
- A new page opens that displays the user state, as shown in the following example.
In the New ASP.NET Project dialog, select MVC, and then click Change Authentication. On the Change Authentication dialog, select Organizational Accounts. These options can be used to automatically register your application with Azure AD as well as automatically configure your application to integrate with Azure AD.