Enable pass-through authentication
Microsoft Entra pass-through authentication (PTA) was introduced in earlier training that examined user authentication options. This unit examines in greater detail the mechanics of how PTA works and how it's enabled.
So why should organizations implement PTA?
Well, users typically prefer to maintain one set of sign-in credentials for both cloud and on-premises resources. The common sentiment is the fewer usernames and passwords to remember, the better.
Many organizations achieve this goal by using Microsoft Entra Connect with password hash synchronization. With this feature, password validation is completed in the cloud.
However, some organizations prefer to have all authentication done on-premises. Companies that prefer on-premises authentication usually have a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours. In the past, organizations who preferred on-premises authentication would deploy Active Directory Federation Services (AD FS) and configure their Microsoft Entra tenant in federated mode. Each authentication request for resources on-premises or in the cloud was then directed to the AD FS server that was deployed locally.
The problem with this AD FS solution is that deployment and management of the locally deployed AD FS infrastructure was often too demanding, costly, and complex for many organizations. To address this issue, Microsoft updated Microsoft Entra Connect to include an optional feature called Microsoft Entra pass-through authentication.
Microsoft Entra pass-through authentication helps ensure that password validation for services that rely on Microsoft Entra ID is always run against an on-premises Active Directory. If PTA fails, automatic failover to password hash synchronization is run if it’s enabled. Unlike the AD FS solution, PTA is easy to implement and maintain.
The Microsoft Entra pass-through authentication process
Microsoft Entra pass-through authentication is configured by using Microsoft Entra Connect. It works by using an on-premises agent that listens for external password validation requests. This agent can be deployed to one or more servers to provide high availability. There's no need to deploy this server to the perimeter network, as all communication is outbound only. A server that runs the agent for pass-through authentication should be joined to the Active Directory domain where users are located.
The following graphic shows how the user sign-in process works when implementing PTA. In summary:
- A user is presented with a Microsoft Entra sign-in page when they access a cloud service that relies on Microsoft Entra ID.
- After the user enters their credentials, the Microsoft Entra service checks if the connector for pass-through authentication is configured for the user’s domain.
- If it is, credentials are placed on the connector queue for validation.
- A connector agent deployed on-premises then retrieves the user's credentials and authenticates them against the locally deployed Active Directory.
- The Active Directory's response is returned to the connector, which in turn provides this response to Microsoft Entra ID.
Enabling Microsoft Entra pass-through authentication
To enable Microsoft Entra pass-through authentication, an organization must:
- Run the Microsoft Entra Connect Setup Wizard.
- Select the Pass-through authentication option on the User Sign-in page.
The first connector for pass-through authentication is deployed on the same server where Microsoft Entra Connect runs. It's recommended that organizations deploy an extra connector on at least one more server. Doing so will help achieve load balancing between the set of available connectors for both high availability and redundancy. The Microsoft Entra application proxy Connector can be downloaded as a separate installation for other servers.
All ports required by Microsoft Entra pass-through authentication must be available. These ports are listed in the following table.
Port
Description
80
Enables outbound HTTP traffic for security validation such as TLS/SSL certificate revocation lists.
443
Enables user authentication against Microsoft Entra ID.
8080/443
Enables the Connector bootstrap sequence and Connector automatic update.
9090
Enables Connector registration (required only for the Connector registration process).
9091
Enables Connector trust certificate automatic renewal.
9352, 5671
Enables communication between the Connector and the Microsoft Entra service for incoming requests.
9350
[Optional] Enables better performance for incoming requests.
10100–10120
Enables responses from the connector back to Microsoft Entra ID.
Additional reading. For more information, see User sign-in with Microsoft Entra pass-through authentication.