The Pass-through Authentication
This authentification allows you to use the same password for the on-premise and Cloud-based applications. However, it’s important to note that user authentication is done through the Active Directory on-premise and not through Azure Active Directory. It’s a good alternative to Azure AD Password Hash Synchronization. However, it makes it easier to apply a security policy to passwords.
Benefits of the solution
This solution offers the following benefits :
- The same password for cloud-based applications and on-premise applications
- When user change password, the modification for cloud-based application is instantaneous
- Easy to deploy: only one agent to install
- Passwords are never stored in the cloud
- Agents can be installed on multiple on-premises servers to provide high availability
Pass-through Authentication requires some Prerequisites :
- Server with Windows Server 2012 R2 or later for Azure AD Connect (in production, it’s recommended to install agent on three servers.
- Authentication Agents can make outbound requests to Azure AD (Port 80 for Download Revocation list to permit validate SSL certificate, port 443 for handles all outbound communication with the service and port 8080 for authentication Agents report their status every ten minutes).
- If you use DNS whitelisting on your Proxy or firewall, you need to add this URL (*.msappproxy.net and *.servicebus.windows.net)
- On your on-premise servers where Authentication Agents is installed, allow this URL on the windows firewall (login.windows.net and login.microsoftonline.com).
Install and configure Pass-through Authentication
On your server, download Azure AD Connect, you can use this following link Azure Ad Connect Download.
After downloading, run exe file. Check the box I agree to the licence terms and privacy notice and click on Continue.
Click on Customize into Windows Express Settings
Click Install into Install required components Windows(you can select sql server or change installation location on this windows). Installation begin.
Into User sign-in windows, select Pass-through Authentication and click on Next.
Enter your Azure AD and On-premise Active Directory Credential.
Select Continue without matching all UPN suffixes to verified domains and click on Next (internal upn suffixes are not present into Azure AD).
The filtering will be done by a security group, leave the default choice in the Domain and OU filtering window and click on Next.
Enter the name of your group and click on Resolve. This group permit to choice how group or user has been synchronized into your Azure AD Database.
Leave the default choices then click on Next into Optional features wizard then on Install to launch the configuration of Azure AD Connect.
On your azure portal, select Azure Active Directory and Azure AD Connect. One agent has been installed for Pass-through Authentication. if you click on the link, you can download agent for install on two other on premise server.