![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 96%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
25,081 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Thank you for reaching out to us.
Usually, when you talk about ADFS for authentication, it means user authentication happens in on-premises via ADFS. Where ADFS acts as an identity provider. When you use ADFS in your environment, you need minimum of 2 servers (1 ADFS and 1 WAP). If you want to implement high availability then depending on the load you increase the server to 4, 6, 8 etc.
So, in ADFS environment the number of servers are more.
In terms of cost, there is no cost utilized for the authentication via ADFS. Cost comes into picture only when you deploy more and more servers.
When you talk about PTA (pass through authentication), authentication happens in on-premises through authentication connector. This authentication connector is by default installed in AD connect server. If you are looking for high availability then you will have to install the connector on another server. This reduces number of servers in on-premises. In this as well there is no extra cost involved for authentication requests.
And about password hash sync, in this authentication happens in Azure. User password get’s synced from on-premises to Azure AD. When user tries to access any Azure resources, authentication happens in Azure AD. Password get’s synced to Azure AD via AD connect. There is only 1 or 2 servers required for PHS. In on-premises you only required maximum of 2 servers for passwords to be synced to Azure AD.
In this as well there is no extra cost involved for authentication requests.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.