Azure Pass-through Authentication

KB ID 0001642


I’ve never really taken the time to look at pass-through authentication, I set up Azure AAD sync, then I either use ADFS or I don’t. It was only when looking at removing ADFS, that I even looked at it as an option. 

How does Pass-through Authentication Work?

  1. Remote client attempts to authenticate to Office 365 (Azure Active Directory).
  2. Azure queues the request and sends it to an Azure Authentication Agent (on-prem), of which there may be many. Note: The requests will load balance.
  3. The Azure Authentication Agents check the authentication request against the load Active Directory.
  4. The Azure Authentication Agents sends its response back to Azure Active Directory.
  5. The client is authenticated (or denied!)

Why is that Good?

Well you don’t need to deploy ADFS, or WAP. The agent only needs https (outbound) on the firewall Note: If you have a proxy server, theres some URL’s you need to allow. And you don’t need to wait for the default 30 minute AAD replication cycle for changes etc.


I’m assuming you already have Azure AD sync setup and running, (Simply accept ‘Express settings’ and accept all the defaults), once you have your  local AD replicated to Azure, then you can switch over to pass-through authentication.

Open Azure AS Sync > Configure > Change user sign-in > Proceed to ‘User sign-in’ >pass-through authentication > Finish the wizard.

Enable Pass Through Auth

What happens is the ‘first’ Azure Authentication Agent is installed on the Azure AAD server > Force an AAD Sync > Then look in your Azure Portal > Azure Active Directory > Azure Ad Connect > Pass-through authentication > You should see your first agent.

Azure Passthrough Auth

You can select it and check its details. Note: You can download the Azure Authentication Agent software form this page for you to deploy additional Azure Authentication Agents.

Azure Pass-through Authentication agent

The additional agents are simple to deploy, they will require you to authenticate to Azure though.

Download Azure Pass-through Authentication agent

They will appear one at a time as deployed.

Additional Azure Pass-through Authentication agents


Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *