User sign-in with Azure Active Directory Pass-through Authentication – Key benefits

Key benefits of using Azure AD Pass-through Authentication

  • Great user experience
    • Users use the same passwords to sign into both on-premises and cloud-based applications.
    • Users spend less time talking to the IT helpdesk resolving password-related issues.
    • Users can complete self-service password management tasks in the cloud.
  • Easy to deploy & administer
    • No need for complex on-premises deployments or network configuration.
    • Needs just a lightweight agent to be installed on-premises.
    • No management overhead. The agent automatically receives improvements and bug fixes.
  • Secure
    • On-premises passwords are never stored in the cloud in any form.
    • The agent only makes outbound connections from within your network. Therefore, there is no requirement to install the agent in a perimeter network, also known as a DMZ.
    • Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including Multi-Factor Authentication (MFA), and by filtering out brute force password attacks.
  • Highly available
    • Additional agents can be installed on multiple on-premises servers to provide high availability of sign-in requests.

Feature highlights

  • Supports user sign-in into all web browser-based applications and into Microsoft Office client applications that use modern authentication.
  • Sign-in usernames can be either the on-premises default username (userPrincipalName) or another attribute configured in Azure AD Connect (known as Alternate ID).
  • The feature works seamlessly with conditional access features such as Multi-Factor Authentication (MFA) to help secure your users.
  • Integrated with cloud-based self-service password management, including password writeback to on-premises Active Directory and password protection by banning commonly used passwords.
  • Multi-forest environments are supported if there are forest trusts between your AD forests and if name suffix routing is correctly configured.
  • It is a free feature, and you don’t need any paid editions of Azure AD to use it.
  • It can be enabled via Azure AD Connect.
  • It uses a lightweight on-premises agent that listens for and responds to password validation requests.
  • Installing multiple agents provides high availability of sign-in requests.
  • It protects your on-premises accounts against brute force password attacks in the cloud.