Hi @David Turner ,
You would need to choose one SSO method, and the best SSO method would depend on your environment. If you do not have a routable suffix and two-way trust for a domain with some users, the setup is more challenging. If you have a requirement to only check on premises for passwords, then pass-through authentication would be the best. If you do not have a requirement for on-premises password checks, you could sync all users and let Azure AD compare password hashes, in which case password hash sync would be simpler.
If you use pass-through authentication, any user will go to any available PTA agent. That agent must be able to reach out to the nearest DC and to validate credentials for any user in the forest. The agent does not have to be installed on a DC. (I have a blog post here that goes through the wizard setup for PTA, though in my case I was only dealing with a single-forest configuration.)
You must have a routable domain suffix with a two-way trust. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq#can-i-use-pass-through-authentication-in-a-multi-forest-active-directory-environment-
Let me know if this helps and if you have further questions.
-
If the information helped you, please Accept the answer. This will help us and other members of the community who might be researching similar information.