Key benefits of using Azure AD Pass-through Authentication
- Great user experience
  - Users use the same passwords to sign into both on-premises and cloud-based applications.
  - Users spend less time talking to the IT helpdesk resolving password-related issues.
  - Users can complete self-service password management tasks in the cloud.
- Easy to deploy & administer
  - No need for complex on-premises deployments or network configuration.
  - Needs just a lightweight agent to be installed on-premises.
  - No management overhead. The agent automatically receives improvements and bug fixes.
- On-premises passwords are never stored in the cloud in any form.
- The agent only makes outbound connections from within your network. Therefore, there is no requirement to install the agent in a perimeter network, also known as a DMZ.
- Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including Multi-Factor Authentication (MFA), and by filtering out brute force password attacks.
- Highly available
  - Additional agents can be installed on multiple on-premises servers to provide high availability of sign-in requests.
- Supports user sign-in into all web browser-based applications and into Microsoft Office client applications that use modern authentication.
- Sign-in usernames can be either the on-premises default username (`userPrincipalName`) or another attribute configured in Azure AD Connect (known as
- The feature works seamlessly with conditional access features such as Multi-Factor Authentication (MFA) to help secure your users.
- Integrated with cloud-based self-service password management, including password writeback to on-premises Active Directory and password protection by banning commonly used passwords.
- Multi-forest environments are supported if there are forest trusts between your AD forests and if name suffix routing is correctly configured.
- It is a free feature, and you don’t need any paid editions of Azure AD to use it.
- It can be enabled via Azure AD Connect.
- It uses a lightweight on-premises agent that listens for and responds to password validation requests.
- Installing multiple agents provides high availability of sign-in requests.
- It protects your on-premises accounts against brute force password attacks in the cloud.