MSExchangeGuru.com

Using the same credentials to access your office resources and cloud based services ensure that people / users will not have to remember different credentials for different services.

It reduces the chance of forgetting how they are going to sign in and it also has the benefit of reducing the involvement of Helpdesk/password reset team that fix such issues for them.

While most of the organizations are happy the Password sync to provide users with single credential to access both on premise and cloud services, some of the organizations requires that password in any form (such as hashed), do not leave their internal organization.

Azure AD pass-through authentication provides a simple solution for these customers. It ensure that password validation is performed against the on premise Active Directory.

When Azure AD pass through is combined with single sign on option (still in preview), user will not have to type their password to sign in to any azure applications such as office 365.

Pass-through authentication is configured with Azure AD Connect and it utilizes a simple on-prem agent, which listens for password validation requests. The agent can be easily deployed to multiple machines to provide high availability and load balancing. Since all communications are outbound only, there is no need for a DMZ.

Azure AD Pass-through prerequisites:

• Azure AD connect.
  
• Azure AD tenant, for which you are the Global administrator.
  
• Server that runs with Windows server 2012 R2 or higher, on which Azure AD connect will be installed. (Must be a member of same forest).
  
• A second server running Windows Server 2012 R2 or higher on which to run a second connector for high availability and load balancing. (Optional).
  

How do I enable Azure Pass-through authentication:

It is enabled through Azure AD connect. While enabling pass through authentication, it deploys the first connector on same server as azure AD connect.

Azure AD connect Installation and Configuration: https://msexchangeguru.com/2017/04/17/azure-ad-connect/

We can deploy a second connector on a different server to get the high availability.

How to install the second connector, if required?

Step1: Install the connector:

1. Download the latest connector from :
   

https://download.msappproxy.net/subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/connector/download

1. Open command prompt as an admin.
   
2. Run the following command in which /q means quiet installation – the installation does not prompt you to accept the End User License Agreement.
   
   1. AADApplicationProxyConnectorInstaller.exe REGISTERCONNECTOR=”false” /q
      

Step 2: Register Connector with Azure AD for pass-through authentication

1. Open a PowerShell window as an administrator
   
2. Navigate to C:Program FilesMicrosoft AAD App Proxy Connector and run the script.
   

   .RegisterConnector.ps1 -modulePath “C:Program FilesMicrosoft AAD App Proxy ConnectorModules” -moduleName “AppProxyPSModule” -Feature PassthroughAuthentication
   

   1. When requested, enter the azure AD credentials
      

How do I configure Azure AD connect pass-through?

1. Once the Azure AD connect wizard starts, click on Customize
   

1. On next screen of install required components, leave all the boxes unchecked and click install
   

1. After installing the required components, you will be asked to select your users single sign-on method, select Pass through authentication and hit next.
   

1. On the next screen, enter your Azure AD credentials and hit next.
   

1. In the Sync>connect directories tab, for connecting to your active directory you need to either enter the details of enterprise Admin and hit next
   

1. In Domain/OU Filtering screen you can select the OU’s that you would like to be synchronized and hit next.
   

1. On the optional Features screen, you can select the optional features that you would like to enable and hit next.
   

1. On the configuration page Hit configure to ensure all the selections are applied :
   

User sign in experience with Azure AD past-through:

1. User goes to the portal that is portal.office.com
   
2. User enters his credentials :
   

1. Here once the user clicks on Sign in, his credentials are validated against his account that is in active directory and gets logged in ( please make a note, password sync is not enabled, hence there is no form of password is shared on cloud)
   

Difference between the AD connect pass-through & AD connect pass-through with Single sign on:

Single sign on with Azure AD pass-through feature is still in preview. The Difference between both of them is, that user will not have to remember the password if Pass-through authentication is combined with single sign on.

How do I configure Azure Single Sign on?

In step 3 of this blog, click on “Enable single sign on” along with AD connect pass through

How is the user experience if pass-through authentication is enabled with Single sign-on?

The difference between both of them is, when the user are logged in within the corporate network, they will not have to enter the password, for logging into office 365

Ratish Nair

Microsoft MVP | Exchange Server

Team @MSExchangeGuru.com

Posted April 28th, 2017 under Azure. RSS 2.0 feed. Leave a response, or trackback.