KB ID 0001642
I’ve never really taken the time to look at pass-through authentication: I set up Azure AD Sync, then I either use ADFS or I don’t. It was only when looking at removing ADFS that I even considered it as an option.
How does Pass-through Authentication Work?
- Remote client attempts to authenticate to Office 365 (Azure Active Directory).
- Azure queues the request and sends it to an Azure Authentication Agent (on-prem), of which there may be many. Note: requests are load balanced across the agents.
- The Azure Authentication Agent checks the authentication request against the local Active Directory.
- The Azure Authentication Agent sends its response back to Azure Active Directory.
- The client is authenticated (or denied!)
Why is that Good?
Well, you don’t need to deploy ADFS or WAP. The agent only needs HTTPS (outbound) allowed on the firewall. Note: if you have a proxy server, there are some URLs you need to allow. And you don’t need to wait for the default 30 minute AAD replication cycle for changes etc.
I’m assuming you already have Azure AD Sync set up and running (simply accept ‘Express settings’ and all the defaults). Once your local AD is replicated to Azure, you can switch over to pass-through authentication.
Open Azure AD Sync > Configure > Change user sign-in > proceed to ‘User sign-in’ > Pass-through authentication > finish the wizard.
What happens is that the ‘first’ Azure Authentication Agent is installed on the Azure AD Sync server. Force an AAD Sync, then look in your Azure Portal > Azure Active Directory > Azure AD Connect > Pass-through authentication, and you should see your first agent.
You can select it and check its details. Note: you can download the Azure Authentication Agent software from this page to deploy additional Azure Authentication Agents.
The additional agents are simple to deploy, though they will require you to authenticate to Azure during installation.
They will appear in the portal one at a time as they are deployed.