Azure Active Directory Pass-through Authentication: Technical deep dive
This article is an overview of how Azure Active directory (Azure AD) Pass-through Authentication works. For deep technical and security information, see the Security deep dive article.
How does Azure Active Directory Pass-through Authentication work?
As a pre-requisite for Pass-through Authentication to work, users need to be provisioned into Azure AD from on-premises Active Directory using Azure AD Connect. Pass-through Authentication does not apply to cloud-only users.
When a user tries to sign in to an application secured by Azure AD, and if Pass-through Authentication is enabled on the tenant, the following steps occur:
- The user tries to access an application, for example, Outlook Web App.
- If the user is not already signed in, the user is redirected to the Azure AD User Sign-in page.
- The user enters their username into the Azure AD sign in page, and then selects the Next button.
- The user enters their password into the Azure AD sign in page, and then selects the Sign in button.
- Azure AD, on receiving the request to sign in, places the username and password (encrypted by using the public key of the Authentication Agents) in a queue.
- An on-premises Authentication Agent retrieves the username and encrypted password from the queue. Note that the Agent doesn't frequently poll for requests from the queue, but retrieves requests over a pre-established persistent connection.
- The agent decrypts the password by using its private key.
- The agent validates the username and password against Active Directory by using standard Windows APIs, which is a similar mechanism to what Active Directory Federation Services (AD FS) uses. The username can be either the on-premises default username, usually
userPrincipalName, or another attribute configured in Azure AD Connect (known as
- The on-premises Active Directory domain controller (DC) evaluates the request and returns the appropriate response (success, failure, password expired, or user locked out) to the agent.
- The Authentication Agent, in turn, returns this response back to Azure AD.
- Azure AD evaluates the response and responds to the user as appropriate. For example, Azure AD either signs the user in immediately or requests for Azure Multi-Factor Authentication.
- If the user sign-in is successful, the user can access the application.
The following diagram illustrates all the components and the steps involved:
- Current limitations: Learn which scenarios are supported and which ones are not.
- Quick Start: Get up and running on Azure AD Pass-through Authentication.
- Migrate from AD FS to Pass-through Authentication - A detailed guide to migrate from AD FS (or other federation technologies) to Pass-through Authentication.
- Smart Lockout: Configure the Smart Lockout capability on your tenant to protect user accounts.
- Frequently Asked Questions: Find answers to frequently asked questions.
- Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
- Security Deep Dive: Get deep technical information on the Pass-through Authentication feature.
- Azure AD Seamless SSO: Learn more about this complementary feature.
- UserVoice: Use the Azure Active Directory Forum to file new feature requests.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.