Azure Active Directory Pass-through Authentication: Current limitations

Important

Azure Active Directory (Azure AD) Pass-through Authentication is a free feature, and you don't need any paid editions of Azure AD to use it. Pass-through Authentication is only available in the world-wide instance of Azure AD, and not on the Microsoft Azure Germany cloud or the Microsoft Azure Government cloud.

Supported scenarios

The following scenarios are fully supported:

  • User sign-ins to all web browser-based applications.
  • User sign-ins to Office applications that support modern authentication: Office 2016, and Office 2013 with modern authentication.
  • User sign-ins to Outlook clients using legacy protocols such as Exchange ActiveSync, SMTP, POP and IMAP.
  • User sign-ins to Skype for Business that support modern authentication, including online and hybrid topologies. Learn more about supported topologies here.
  • Azure AD domain joins for Windows 10 devices.
  • App passwords for Multi-Factor Authentication.

Unsupported scenarios

The following scenarios are not supported:

  • User sign-ins to legacy Office client applications, excluding Outlook (see Supported scenarios above): Office 2010, and Office 2013 without modern authentication. Organizations are encouraged to switch to modern authentication, if possible. Modern authentication allows for Pass-through Authentication support. It also helps you secure your user accounts by using conditional access features, such as Azure Multi-Factor Authentication.
  • Access to calendar sharing and free/busy information in Exchange hybrid environments on Office 2010 only.
  • User sign-ins to Skype for Business client applications without modern authentication.
  • User sign-ins to PowerShell version 1.0. We recommended that you use PowerShell version 2.0.
  • Detection of users with leaked credentials.
  • Azure AD Domain Services needs Password Hash Synchronization to be enabled on the tenant. Therefore tenants that use Pass-through Authentication only don't work for scenarios that need Azure AD Domain Services.
  • Pass-through Authentication is not integrated with Azure AD Connect Health.
  • The Apple Device Enrollment Program (Apple DEP) using the iOS Setup Assistant does not support modern authentication. This will fail to enroll Apple DEP devices into Intune for managed domains using Pass-through Authentication. Consider using the Company Portal app as an alternative.

Important

As a workaround for unsupported scenarios only, enable Password Hash Synchronization on the Optional features page in the Azure AD Connect wizard. When users sign into applications listed in the "unsupported scenarios" section, those specific sign-in requests are not handled by Pass-through Authentication Agents, and therefore will not be recorded in Pass-through Authentication logs.

Note

Enabling password hash synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Active Directory password hash synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.

Next steps

  • Quick start: Get up and running with Azure AD Pass-through Authentication.
  • Smart Lockout: Learn how to configure the Smart Lockout capability on your tenant to protect user accounts.
  • Technical deep dive: Understand how the Pass-through Authentication feature works.
  • Frequently asked questions: Find answers to frequently asked questions about the Pass-through Authentication feature.
  • Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
  • Security deep dive: Get deep technical information on the Pass-through Authentication feature.
  • Azure AD Seamless SSO: Learn more about this complementary feature.
  • UserVoice: Use the Azure Active Directory Forum to file new feature requests.