Azure Active Directory Pass-through Authentication: Current limitations


Azure Active Directory (Azure AD) Pass-through Authentication is a free feature, and you don't need any paid editions of Azure AD to use it. Pass-through Authentication is only available in the world-wide instance of Azure AD, and not on the Microsoft Azure Germany cloud or the Microsoft Azure Government cloud.

Supported scenarios

The following scenarios are supported:

  • User sign-ins to web browser-based applications.
  • User sign-ins to Outlook clients using legacy protocols such as Exchange ActiveSync, EAS, SMTP, POP and IMAP.
  • User sign-ins to legacy Office client applications and Office applications that support modern authentication: Office 2013 and 2016 versions.
  • User sign-ins to legacy protocol applications such as PowerShell version 1.0 and others.
  • Azure AD joins for Windows 10 devices.
  • App passwords for Multi-Factor Authentication.

Unsupported scenarios

The following scenarios are not supported:

  • Detection of users with leaked credentials.
  • Azure AD Domain Services needs Password Hash Synchronization to be enabled on the tenant. Therefore tenants that use Pass-through Authentication only don't work for scenarios that need Azure AD Domain Services.
  • Pass-through Authentication is not integrated with Azure AD Connect Health.


As a workaround for unsupported scenarios only (except Azure AD Connect Health integration), enable Password Hash Synchronization on the Optional features page in the Azure AD Connect wizard.


Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.

Next steps