Azure AD Pass-through Authentication
Using the same credential to login your company resources and cloud based services.
Reduce the chances of forgetting credential and reducing the workload of helpdesk for resetting the user’s credential.
Azure AD pass-through authentication provides a simple solution for customers, it ensures that password validation for Azure AD services is performed against their on-premises Active Directory.
Passwords validated without the need for complex network infrastructure or for the on-premises passwords to exist in the cloud in any form.
When combine with SSO option, users do not need to type their password to sign in to azure ad or other cloud services. This feature provides these customers with a truly integrated experience on their corporate machines.
Pass-through authentication can be configured with Azure AD Connect and utilizes a simple on-premises agent that listens for password validation requests. The agent can be easily deployed to multiple machines to provide high availability and load balancing. Since all communications are outbound only, there is no requirement for a DMZ or for the connector to be installed in a DMZ.
- Windows Server 2012 R2 or above
- Joined to a domain in the forest that users are validated in
How Azure AD Pass-through Authentication works?
When a user enters their username and password into Azure AD sign-in page, Azure AD places the username and password on the appropriate on-premises connector queue for validation. One of the available on-premises connectors then retrieves the username and password and validates it against Active Directory. The validation occurs over standard Windows APIs similar to how Active Directory Federation Services validates password.
Pre-requisites for Azure AD Pass-Through
- Azure AD Connect
- Azure AD Tenant with Global Admin
- Windows Server 2012 R2 or higher to run Azure AD Connect. (Machine must be in same forest)
- If have more than one forest containing users have to be validated with Azure AD, the forest must have trust between them
- On-premises UserPrincipalName must be used as the Azure AD username
- Second server running windows server 2012 r2 or higher on which to run a second connector for high availability and load balancing.
- If there is firewall between the connector and Azure AD, make sure do filtering:
- The connector also makes connection on direct IP connections to the Azure data center IP ranges.
- Ensure the firewall does not perform SSL inspection as the connector uses client certificates to communicate with Azure AD.
- Ensure the connector can make HTTPS(TCP) requests to Azure AD on the ports
- Port 80 – Enables outbound HTTP traffic for security validation such as SSL cert
- Port 443 – Enables user authentication against Azure AD
- 8080/443 – Enables the connector bootstrap sequence and Connector automatic update
- 9090 – Enables Connector registration (required only for the Connector registration process).
- 9091 – Enables Connector trust certificate automatic renewal.
- 9352 , 5671 – Enable communication between the Connector and the Azure AD service for incoming requests.
- 9350 – [Optional] Enables between performance for incoming request
- 10100 – 10120 – Enables responses from the connector back to Azure AD.
- If your firewall enforces traffic according to originating users, open these ports for traffic coming from Windows Services running as a Network Service. Also, make sure to enable port 8080 for NT Authority\System.
Enable Pass-through authentication
Azure AD pass-through authentication is enabled via Azure AD Connect. Enabling pass-through authentication deploys the first connector on the same server as Azure AD connect. When installing Azure AD Connect, select a custom installation and select Pass-through authentication on the sign-in options page.