Disable pass-through authentication

In this article, you learn how to disable pass-through authentication by using Azure Active Directory (Azure AD) Connect or PowerShell.

Prerequisites

Before you begin, ensure that you have the following prerequisite.

  • A Windows machine with pass-through authentication agent version 1.5.1742.0 or later installed. Any earlier version might not have the requisite cmdlets for completing this operation.

    If you don't already have an agent, you can install it.

    1. Go to the Azure portal.
    2. Download the latest Auth Agent.
    3. Install the feature by running either of the following commands.
      • .\AADConnectAuthAgentSetup.exe
      • .\AADConnectAuthAgentSetup.exe ENVIRONMENTNAME=<identifier>

        Important

        If you're using the Azure Government cloud, pass in the ENVIRONMENTNAME parameter with the following value:

        Environment Name Cloud
        AzureUSGovernment US Gov
  • An Azure Hybrid Identity Administrator account for running the PowerShell cmdlets.

Use Azure AD Connect

If you're using pass-through authentication with Azure AD Connect and you have it set to Do not configure, you can disable the setting.

Note

If you already have password hash synchronization enabled, disabling pass-through authentication will result in a tenant fallback to password hash synchronization.

Use PowerShell

In a PowerShell session, run the following cmdlets:

  1. PS C:\Program Files\Microsoft Azure AD Connect Authentication Agent> Import-Module .\Modules\PassthroughAuthPSModule
  2. Get-PassthroughAuthenticationEnablementStatus
  3. Disable-PassthroughAuthentication

Next steps