Microsoft Entra pass-through authentication: Current limitations
Supported scenarios
The following scenarios are supported:
- User sign-ins to web browser-based applications.
- User sign-ins to legacy Office client applications and Office applications that support modern authentication: Office 2013 and 2016 versions.
- User sign-ins to legacy protocol applications such as PowerShell version 1.0 and others.
- Microsoft Entra joins for Windows 10 and later devices.
- Hybrid Microsoft Entra joins for Windows 10 and later devices.
Unsupported scenarios
The following scenarios are not supported:
- Detection of users with leaked credentials.
- Microsoft Entra Domain Services needs Password Hash Synchronization to be enabled on the tenant. Therefore, tenants that use Pass-through Authentication only don't work for scenarios that need Microsoft Entra Domain Services.
- Pass-through Authentication is not integrated with Microsoft Entra Connect Health.
- Signing in to Microsoft Entra joined (AADJ) devices with a temporary or expired password is not supported for Pass-through Authentication users. The error "the sign-in method you're trying to use isn't allowed" will appear. These users must sign in to a browser to update their temporary password.
Important
As a workaround for unsupported scenarios only (except Microsoft Entra Connect Health integration), enable Password Hash Synchronization on the Optional features page in the Microsoft Entra Connect wizard.
Note
Enabling Password Hash Synchronization gives you the option to fail over authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Microsoft Entra Connect. If the server running Microsoft Entra Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.
Next steps
- Quick start: Get up and running with Microsoft Entra pass-through authentication.
- Migrate your apps to Microsoft Entra ID: Resources to help you migrate application access and authentication to Microsoft Entra ID.
- Smart Lockout: Learn how to configure the Smart Lockout capability on your tenant to protect user accounts.
- Technical deep dive: Understand how the Pass-through Authentication feature works.
- Frequently asked questions: Find answers to frequently asked questions about the Pass-through Authentication feature.
- Troubleshoot: Learn how to resolve common problems with the Pass-through Authentication feature.
- Security deep dive: Get deep technical information on the Pass-through Authentication feature.
- Microsoft Entra hybrid join: Configure Microsoft Entra hybrid join capability on your tenant for SSO across your cloud and on-premises resources.
- Microsoft Entra seamless SSO: Learn more about this complementary feature.
- UserVoice: Use the Microsoft Entra Forum to file new feature requests.