Pass-through authentication for your Microsoft 365 test environment
Organizations that want to directly use their on-premises Active Directory Domain Services (AD DS) infrastructure for authentication to Microsoft cloud-based services and applications can use pass-through authentication. This article describes how you can configure your Microsoft 365 test environment for pass-through authentication, resulting in the following configuration:
There are two phases to setting up this test environment:
- Create the Microsoft 365 simulated enterprise test environment with password hash synchronization.
- Configure Azure AD Connect on APP1 for pass-through authentication.
Phase 1: Configure password hash synchronization for your Microsoft 365 test environment
Follow the instructions in password hash synchronization for Microsoft 365. Here is your resulting configuration.
This configuration consists of:
- Office 365 E5 and EMS E5 trial or paid subscriptions.
- A simplified organization intranet connected to the Internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network. Azure AD Connect runs on APP1 to periodically synchronize the TESTLAB AD DS domain to the Azure AD tenant of your Office 365 and EMS E5 subscriptions.
Phase 2: Configure Azure AD Connect on APP1 for pass-through authentication
In this phase, you configure Azure AD Connect on APP1 to use pass-through authentication, and then verify that it works.
Configure Azure AD Connect on APP1
From the Azure portal, sign in with your global administrator account, and then connect to APP1 with the TESTLAB\User1 account.
From the desktop of APP1, run Azure AD Connect.
On the Welcome page, click Configure.
On the Additional tasks page, click Change user sign-in, and then click Next.
On the Connect to Azure AD page, type your global administrator account credentials, and then click Next.
On the User sign-in page, click Pass-through authentication, and then click Next.
On the Ready to configure page, click Configure.
On the Configuration complete page, click Exit.
From the Azure portal, in the left pane, click Azure Active Directory > Azure AD Connect. Verify that the Pass-through authentication feature appears as Enabled.
Click Pass-through authentication. The Pass-through authentication pane lists the servers where your Authentication Agents are installed. You should see APP1 in the list. Close the Pass-through authentication pane.
Next, test signing in to your Office 365 subscription with the User1 account, using the user name user1@testlab.<your public domain>.
From APP1, sign out of Office 365, and then sign in again, this time specifying a different account.
When prompted for a user name and password, specify user1@testlab.<your public domain> and the User1 password. You should successfully sign in as User1.
Notice that although User1 has domain administrator permissions for the TESTLAB AD DS domain, it is not an Office 365 global administrator. Therefore, you will not see the Admin icon as an option.
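The portal check and the sign-in test above confirm the agent is registered and that User1 can sign in, but not that the password was actually validated on-premises. The following PowerShell script is an added example, not part of this article or of Azure AD Connect: run in an elevated session on APP1 after the sign-in test, it checks that the Authentication Agent service is running, that APP1 has the outbound TCP 443 connectivity the agent depends on, and that DC1's Security log recorded the credential validation for User1. The service name, the two representative Azure AD endpoints, the event IDs and the property layout are assumptions stated in the comments; the server and account names come from the test lab.

```powershell
# Added verification script for Phase 2 (not part of the original article or of
# Azure AD Connect). Run in an elevated PowerShell session on APP1 as
# TESTLAB\User1 after the pass-through sign-in test. Items marked ASSUMED are
# assumptions, not values taken from the article.

$DomainController = 'DC1'      # domain controller from the test lab
$TestUser         = 'User1'    # account used for the sign-in test
$LookbackMinutes  = 30         # how far back to look for the sign-in on DC1

# 1. Is the Authentication Agent installed and running on APP1?
#    ASSUMED: service name of "Microsoft Azure AD Connect Authentication Agent".
$agentServiceName = 'AzureADConnectAuthenticationAgent'
$agent = Get-Service -Name $agentServiceName -ErrorAction SilentlyContinue
if (-not $agent) {
    Write-Warning "Service '$agentServiceName' not found: the Authentication Agent is not installed on this server."
} elseif ($agent.Status -ne 'Running') {
    Write-Warning "Authentication Agent service is '$($agent.Status)'; pass-through sign-ins will fail while it is stopped."
} else {
    Write-Host "Authentication Agent service is running."
}

# 2. Can APP1 reach Azure AD outbound over TCP 443?
#    The agent only makes outbound connections. If these fail, the portal can
#    still list the agent while sign-ins time out. ASSUMED: these two public
#    endpoints are representative; the tenant-specific *.msappproxy.net and
#    *.servicebus.windows.net hosts the agent uses are not known in advance.
$endpoints = 'login.microsoftonline.com', 'login.windows.net'
foreach ($hostName in $endpoints) {
    $probe = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) {
        Write-Host "Outbound TCP 443 to $hostName OK."
    } else {
        Write-Warning "Outbound TCP 443 to $hostName FAILED; check the proxy or firewall in front of APP1."
    }
}

# 3. Did the sign-in test validate the password on-premises?
#    With pass-through authentication the agent validates the password against
#    a domain controller, so DC1's Security log should record the check.
#    ASSUMED: event 4776 (credential validation) or 4768 (Kerberos TGT request),
#    depending on the logon path the agent takes; the matching audit
#    subcategories must be enabled on DC1 and APP1 needs remote event log access.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$filter = @{ LogName = 'Security'; Id = 4776, 4768; StartTime = $since }
$events = @()
try {
    $events = @(Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $_.Message -match "\b$TestUser\b" })
} catch {
    # Get-WinEvent throws when nothing matches; only report other failures.
    if ($_.Exception.Message -notmatch 'No events were found') {
        Write-Warning "Could not read the Security log on ${DomainController}: $($_.Exception.Message)"
    }
}

if ($events.Count -eq 0) {
    Write-Warning "No credential validation for $TestUser on $DomainController in the last $LookbackMinutes minutes. Either the sign-in did not use pass-through authentication or auditing is not enabled on the DC."
} else {
    Write-Host "Credential validation for $TestUser recorded on ${DomainController}:"
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

The third check is the useful one from a monitoring standpoint: because pass-through authentication sends every cloud sign-in through an on-premises domain controller, those sign-ins show up in the same Security log, and with the same event IDs, as intranet logons, so existing credential-validation auditing on DC1 covers them. If the check finds nothing while the sign-in succeeded, the password was accepted by another path (for example a still-cached sign-in), which is worth knowing before relying on the DC logs for detection.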
Here is your resulting configuration:
This configuration consists of:
- Office 365 E5 and EMS E5 trial or paid subscriptions with the DNS domain testlab.<your domain name> registered.
- A simplified organization intranet connected to the Internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network. An Authentication Agent runs on APP1 to handle pass-through authentication requests from the Azure AD tenant of your Office 365 and EMS E5 subscriptions.
Explore additional identity features and capabilities in your test environment.