Explore cloud authentication using Microsoft Entra pass-through authentication


Pass-through authentication (PTA) provides a simple password validation for Microsoft Entra authentication services. Pass-through uses a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With PTA, enables users to sign in to both on-premises and Microsoft 365 resources and applications using their on-premises account and password.

This configuration validates users’ passwords directly against your on-premises Active Directory without sending password hashes to Microsoft 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign in hours would use this authentication method. With single sign-on, users are automatically signed in to Microsoft Entra ID when they are on their corporate devices and connected to your corporate network.

When planning for Microsoft Entra pass-through authentication, you should keep in mind the following considerations:

  • Key benefits
  • Feature highlights
  • Supported scenarios
  • Unsupported scenarios

Key benefits of using Microsoft Entra pass-through authentication

Key benefits of using Microsoft Entra pass-through authentication include:

  • User benefits
    • Users use the same passwords to sign into both on-premises and cloud-based applications.
    • Users spend less time talking to the IT helpdesk resolving password-related issues.
  • Administrator benefits
    • No need for complex on-premises deployments or network configuration.
    • Needs just a lightweight agent to be installed on-premises.
    • No management overhead. The agent automatically receives improvements and bug fixes.
  • Security benefits
  • Sign-In benefits
    • Extra agents can be installed on multiple on-premises servers to provide high availability of sign-in requests.

Feature highlights

Key features of Microsoft Entra pass-through authentication include:

  • Support for user sign-in into all web browser-based applications and into Microsoft Office client applications that use modern authentication.
  • Sign-in usernames can be either the on-premises default username (userPrincipalName) or another attribute configured in Microsoft Entra Connect (known as Alternate ID).
  • It works seamlessly with conditional access features such as multifactor authentication to help secure your users.
  • It's integrated with cloud-based self-service password management, including password writeback to on-premises Active Directory and password protection by banning commonly used passwords.
  • Multi-forest environments are supported if there are forest trusts between your AD forests and if name suffix routing is correctly configured.
  • It's a free feature, and you don't need any paid editions of Microsoft Entra ID to use it.
  • It can be enabled through your selected directory synchronization tool - either Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync.
  • It uses a lightweight on-premises agent that listens for and responds to password validation requests.
  • Installing multiple agents provides high availability of sign-in requests.
  • It uses Microsoft Entra Smart Lockout to protect on-premises accounts against brute force password attacks in the cloud.

Supported scenarios

The following scenarios are fully supported:

  • User sign-ins to all web browser-based applications.
  • User sign-ins to Office applications that support modern authentication: Office 2016, and Office 2013 with modern authentication.
  • User sign-ins to Outlook clients using legacy protocols such as Exchange ActiveSync, SMTP, POP, and IMAP.
  • User sign-ins to Skype for Business that support modern authentication, including online and hybrid topologies. Learn more about supported topologies here.
  • Microsoft Entra domain joins for Windows 10 devices.
  • Application passwords for multifactor authentication.

Unsupported scenarios

The following scenarios aren't supported:

  • User sign-ins to legacy Office client applications, excluding Outlook (see Supported scenarios above): Office 2010, and Office 2013 without modern authentication. Organizations are encouraged to switch to modern authentication, if possible. Modern authentication allows for Pass-through Authentication support. It also helps you secure your user accounts by using conditional access features, such as Microsoft Entra multifactor authentication.
  • Access to calendar sharing and free/busy information in Exchange hybrid environments on Office 2010 only.
  • User sign-ins to Skype for Business client applications without modern authentication.
  • User sign-ins to PowerShell version 1.0. We recommended that you use PowerShell version 2.0.
  • Detection of users with leaked credentials.
  • Microsoft Entra Domain Services needs Password Hash Synchronization to be enabled on the tenant. For tenants that use Pass-through Authentication only, PTA won't work in scenarios that require Microsoft Entra Domain Services.
  • Pass-through Authentication isn't integrated with Microsoft Entra Connect Health.
  • The Apple Device Enrollment Program (Apple DEP) using the iOS Setup Assistant doesn't support modern authentication. This service will fail to enroll Apple DEP devices into Intune for managed domains using Pass-through Authentication. Consider using the Company Portal app as an alternative.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge


As the Enterprise Administrator for Contoso, you're planning its Microsoft 365 deployment. You're currently investigating authentication strategies. While you're interested in Microsoft Entra Connect Pass-through authentication, you're concerned whether Contoso's environment can support it. If you implement pass-through authentication, which of the following scenarios will it support?