
0 Votes
afsarshariff-0182 asked ·

Pass through authentication | AAD connect

Hello All

Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords.

Users are provisioned into Azure AD from on-premises Active Directory using Azure AD Connect.

When a user tries to sign in to an application secured by Azure AD, and if Pass-through Authentication is enabled on the tenant, the following steps occur:

  1. The user tries to access an application, for example, Outlook Web App.

  2. If the user is not already signed in, the user is redirected to the Azure AD User Sign-in page.

  3. The user enters their username into the Azure AD sign in page, and then selects the Next button.

  4. The user enters their password into the Azure AD sign in page, and then selects the Sign in button.

  5. Azure AD, on receiving the request to sign in, places the username and password (encrypted by using the public key of the Authentication Agents) in a queue.

  6. An on-premises Authentication Agent retrieves the username and encrypted password from the queue. Note that the Agent doesn't frequently poll for requests from the queue, but retrieves requests over a pre-established persistent connection.

  7. The agent decrypts the password by using its private key.

  8. The agent validates the username and password against Active Directory by using standard Windows APIs, which is a similar mechanism to what Active Directory Federation Services (AD FS) uses. The username can be either the on-premises default username, usually userPrincipalName, or another attribute configured in Azure AD Connect (known as Alternate ID).

  9. The on-premises Active Directory domain controller (DC) evaluates the request and returns the appropriate response (success, failure, password expired, or user locked out) to the agent.

  10. The Authentication Agent, in turn, returns this response back to Azure AD.

  11. Azure AD evaluates the response and responds to the user as appropriate. For example, Azure AD either signs the user in immediately or requests for Azure Multi-Factor Authentication.

  12. If the user sign-in is successful, the user can access the application.



My question is: when the agent validates the username and password against Active Directory by using standard Windows APIs (a similar mechanism to what Active Directory Federation Services (AD FS) uses), does it register the lastLogonTimestamp in on-premises Active Directory?


Kindly advise. Thanks!!






azure-active-directory

1 Answer

0 Votes
jLight answered ·

This is funny, because we are in a similar boat. From our experience, it doesn't update the on-prem time stamp. A similar attribute used to be available via Get-AzureADUser, although it is gone now.

Take a look at this thread too (I'm personally checking if I can use Graph API Sign In logs).

https://www.reddit.com/r/Office365/comments/c91yt9/finding_real_last_logon_time_for_office_365/


Hi Jerome,


I agree with the Get-AzureADUser command, which is something we use to get it from Azure AD.

Since the PTA agent validates the password against on-prem Active Directory, it will register the lastLogonTimestamp. I checked it today in my lab.

I synced the user, logged in to portal.office.com with the same user, and then checked the lastLogon attribute value in on-prem Active Directory; it got updated.

1 Vote
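The two observations in this thread (one poster seeing no update, the other seeing one) are both consistent with how the two on-premises attributes behave, and the script below is a way to check it for yourself. This is an added example written for this page, not code from any participant or from Microsoft. It assumes the RSAT ActiveDirectory PowerShell module, a domain-joined machine with read access to the domain, and a placeholder account name that you replace with a real one. It reads lastLogon (per domain controller, never replicated, written on every successful validation against that DC, so the DC the PTA agent contacted shows the sign-in immediately) and lastLogonTimestamp (replicated, but only rewritten when the stored value is older than msDS-LogonTimeSyncInterval, 14 days by default, minus a random 0 to 5 days), and it explains an unchanged lastLogonTimestamp when a rewrite was simply not yet due.

```powershell
# Added example (not from the thread): compare the on-prem logon attributes for one
# account on every domain controller, and explain why lastLogonTimestamp may not move.
# Assumptions: RSAT ActiveDirectory module is installed, the caller can read the domain,
# and $SamAccountName is replaced with a real account (placeholder below).
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName   # placeholder, e.g. 'jdoe'
)

Import-Module ActiveDirectory

function ConvertFrom-FileTime {
    # Both attributes are stored as Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
    # A missing value or 0 means the account has never logged on.
    param($Value)
    if (-not $Value -or [long]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTimeUtc([long]$Value)
}

# lastLogonTimestamp is only rewritten when the stored value is older than
# msDS-LogonTimeSyncInterval (domain NC head attribute) minus a random 0-5 days.
$domain   = Get-ADDomain
$syncDays = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
if (-not $syncDays) { $syncDays = 14 }   # AD default when the attribute is not set

# Query every DC directly: lastLogon is not replicated, so each DC has its own value.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
            -Properties lastLogon, lastLogonTimestamp
    [pscustomobject]@{
        DomainController   = $dc.HostName
        LastLogonUtc       = ConvertFrom-FileTime $u.lastLogon            # per-DC, immediate
        LastLogonStampUtc  = ConvertFrom-FileTime $u.lastLogonTimestamp   # replicated, lazy
    }
}

$results | Sort-Object LastLogonUtc -Descending | Format-Table -AutoSize

# The most recent lastLogon across all DCs is the real last successful validation,
# which is what a PTA sign-in produces on the DC the Authentication Agent used.
$newest = $results.LastLogonUtc | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
$stamp  = $results.LastLogonStampUtc | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

if ($newest -and $stamp) {
    $gapDays = ($newest - $stamp).TotalDays
    if ($gapDays -lt ($syncDays - 5)) {
        Write-Output ("Newest lastLogon is {0:N1} days after lastLogonTimestamp; a rewrite was not yet due " +
                      "(interval {1} days minus up to 5 random days), so an unchanged lastLogonTimestamp " +
                      "does not mean the sign-in bypassed on-prem AD." -f $gapDays, $syncDays)
    }
} elseif ($newest -and -not $stamp) {
    Write-Output "lastLogon is set but lastLogonTimestamp is empty: replication or the sync interval has not caught up yet."
}
```

Run it as `.\Compare-LogonStamps.ps1 -SamAccountName jdoe` (file name and account are placeholders). If you only ever read lastLogonTimestamp, or read lastLogon from a single DC that the agent did not use, you will see "no update" even though the validation did reach on-prem AD; checking lastLogon on every DC is the reliable test.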