Misha Hanin  

Azure AD Pass-Through Authentication and Seamless Single Sign-on

I hope there is no need to explain what “Azure AD Connect” is :). Whether we like it or not, all organisations that want to work with Office 365 / Azure will probably start with a hybrid configuration where existing on-premises Active Directory objects (and in some cases passwords) sync to Azure AD using Azure AD Connect.

Recently Microsoft released Azure AD Connect build 1.1.377.0, which introduced “Azure Pass-Through Authentication” (it is currently in public preview). Azure Pass-Through Authentication aims to provide the following features:

  • SSO capabilities with passwords that are managed on-premises
  • Does not increase the on-prem IT footprint like AD FS does
  • Eliminates requirements for unauthenticated endpoints on the Internet
  • Super simple to implement

So, what is Pass-Through Authentication and how does it work?

Azure Pass-Through Authentication routes authentication requests from Office 365 through a simple connector deployed on-premises to our on-prem Active Directory. The connector uses only secure outbound communications, so no DMZ or Internet-facing endpoint is required.

Pass-Through Authentication uses Kerberos authentication between the on-prem connector and AD, so it offers a true SSO experience for users on domain-joined computers.

Note: SSO can be enabled by clicking the “Enable single sign on” check box.

If you want to install Azure Pass-Through Authentication manually, the installer is located at

C:\Program Files\Microsoft Azure Active Directory Connect\SetupFiles\AADApplicationProxyConnectorInstaller.exe

on the same server where AAD Connect is installed.

What to remember about Azure Pass-Through Authentication

Azure Pass-Through Authentication only works with Office 365. If our organisation requires an authentication solution that also works with other claims-based cloud applications like Okta, AWS, Salesforce, etc., we’ll need to use a claims-based solution like ADFS!

Download the latest version of Azure AD Connect from http://aka.ms/aadconnect