News

Microsoft Updates Preview of Azure Active Directory Pass-Through Authentication

• By Kurt Mackie
• 04/28/2017

Microsoft this week announced that it has updated its preview of Azure Active Directory Pass-Through Authentication.

Pass-Through Authentication is Microsoft's more simplified means of accessing services such as Office 365 services, and Microsoft claims it's done without having to store passwords on Microsoft's datacenter infrastructure. Under this scheme, organizations can access Microsoft's services using their own local Active Directory infrastructure. Pass-Through Authentication is billed as being simpler to set up than Active Directory Federation Server (AD FS), a Windows Server role that's used on premises to enable single sign-on access to Office 365 and other services.

Microsoft's announcement indicated that it has now improved a basic aspect of the Pass-Through Authentication preview, namely user access via "public key/private key encryption between Azure AD and on-premises agents." It's also using HTTPS for secure connections.

The preview now supports "any attribute" when configuring an "Alternate ID in Azure AD Connect," Microsoft indicated. Azure AD Connect is Microsoft's wizard-like tool for setting up identity and access management connections with Azure Active Directory. When organizations add Pass-Through Authentication, it gets done by specifying a custom installation of the Azure AD Connect tool.

Lastly, Microsoft's announcement explained that just two ports, Port 80 and Port 443, are now needed to deploy Pass-Through Authentication.

Microsoft's Seamless Single Sign-On preview also got a bit of tweaking this week. Seamless Single Sign-On is another Azure AD Connect option. It enables domain-joined machines to connect to Microsoft's services by authorizing the user's identity. This week, Microsoft improved the Seamless Single Sign-On preview by making it such that end users no longer have to enter their user names to access services when using "tenant-specific URLs." An example of a tenant-specific URL might be "outlook.office365.com/owa/contoso.com," according to Microsoft.

Microsoft had announced previews of both Pass-Through Authentication and Seamless Single Sign-On as back in December. The two technologies, in combination, promise to avoid the complexity of installing AD FS to access services. At least that's how Microsoft Most Valuable Professional Sean Deuby explained it in a January Semperis blog post.

"If you're using password synchronization, adding 3SO [Seamless Single Sign-On] will eliminate password challenges for your on-network corporate users," Deuby wrote. "If instead you enable PTA [Pass-Through Authentication] along with 3SO, you have practically the same value as AD FS for the specific Azure AD authentication use case."

Deuby, an identity architect at Edgile Inc. and an advisor to Semperis, added that there still are reasons to use AD FS. One reason to use it is when an organization wants to use third-party multifactor authentication providers. Another reason to use AD FS is when an organization wants to use Windows 10 device-based conditional access. Also, AD FS is for organizations that never want passwords to leave their premises, not even once.

"Unlike AD FS, in PTA the user's password is entered into Azure AD before it goes on premises," Deuby explained.

Deuby noted that Pass-Through Authentication and Seamless Single Sign-On are both free tools because Microsoft wants to reduce barriers to using its services. Moreover, he said that the tools are "even simpler to use than third-party offerings that have been taking advantage of AD FS' complexity."

If an organization does want to use AD FS, though, there's now a newly published guide from Microsoft on how to install and configure AD FS 2016 for use with Office 365 services.