Implement Pass through Authentication PTA

In this lesson, we explore the pass-through authentication (PTA) method used in Azure AD Connect. PTA is a secure alternative to Password Hash Synchronization (PHS). Whereas PHS stores user credentials or their hash values in the cloud and handles authentication there, PTA validates credentials in real time against an on-premises Active Directory (AD) during sign-in. When a user accesses an application such as Outlook Web, the sign-in process begins at Azure Active Directory (Azure AD), which functions as the identity provider. Azure AD displays a webpage prompting the user to enter their username and password. Since the actual password is not stored in Azure AD because of PTA, it cannot independently verify the password. Instead, Azure AD forwards the authentication request to the on-premises AD for validation.

The following outlines the PTA authentication process on the on-premises side:

PTA Authentication Process

The user’s authentication request is enqueued.
A dedicated PTA agent continuously polls the queue for pending authentication requests.
Upon retrieving a request, the PTA agent forwards the credentials to the on-premises AD.
The on-premises AD verifies the username and password:
- If valid, it notifies Azure AD of successful authentication, granting the user access to the application.
- If invalid, it informs Azure AD, which then denies access.

The image illustrates the process of implementing Pass-Through Authentication (PTA) with Azure Active Directory, showing how user credentials are validated against on-premises Active Directory in real-time during sign-in. It includes components like Outlook Web, Azure AD, and an on-premises authentication agent.

Summary

In summary, pass-through authentication ensures that user authentication is performed directly against an on-premises Active Directory with the help of a continuously active PTA agent. This method offers a secure and efficient way to validate user credentials in real time, contrasting with the cloud-based approach of Password Hash Synchronization.

Another authentication method, Active Directory Federation Services (AD FS), exists but introduces a higher level of complexity compared to PTA. Be sure to evaluate your infrastructure requirements before choosing an authentication method.

Introduction

Secure Azure solution with Azure Active Directory

Hybrid Identity

Identity Protection

Azure AD Privileged Identity Management

Enterprise Governance

Perimeter Security

Network Security

Host Security

Container Security

Key Vault

App Security

Storage Security

Database Security

Azure Monitor

Microsoft Defender for Cloud

Microsoft Sentinel

Implement Pass through Authentication PTA

PTA Authentication Process

Summary

Further Reading

Watch Video

Introduction

Secure Azure solution with Azure Active Directory

Hybrid Identity

Identity Protection

Azure AD Privileged Identity Management

Enterprise Governance

Perimeter Security

Network Security

Host Security

Container Security

Key Vault

App Security

Storage Security

Database Security

Azure Monitor

Microsoft Defender for Cloud

Microsoft Sentinel

​PTA Authentication Process

​Summary

​Further Reading

Watch Video

PTA Authentication Process

Summary

Further Reading