Hi @Tobi ,
1 - Yes, you need at least one for each tenant.
"Pass-through Authentication is a tenant-level feature."
It's associated with Azure AD Connect as well, and Azure AD Connect has a 1:1 relationship with the Azure AD tenant. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start
2 - It means that the same device object cannot exist in more than one tenant and cannot be registered in multiple Azure AD tenants. When you register a device it creates a device object in Azure and maps this to the user account. If you want to join a machine to a different tenant, you need to disconnect from the first tenant and register again with the new tenant.
3 - "The single sign-on (SSO) option for password hash synchronization and pass-through authentication can be used with only one Azure AD tenant." This means that you can't have multi-tenant/cross-tenant single sign-on for password hash synchronization and pass-through authentication.