Implement a Hybrid Identity with Windows Server

Implement Seamless Single Sign-On (SSO)

Contoso’s IT team wants to allow users to access both on-premises and Azure resources through single sign-on (SSO). The Microsoft Entra Seamless SSO feature works with password hash synchronization or pass-through authentication.

Additionally, when Seamless SSO is enabled, users almost never need to enter their username, and never their password, to sign in to Microsoft Entra ID. This feature provides Contoso users with easy access to cloud applications without requiring additional on-premises components.

Supported Scenarios for Pass-Through Authentication

Microsoft Entra pass-through authentication ensures that services relying on Microsoft Entra ID always validate passwords against an on-premises AD DS instance.

You can configure this authentication through Microsoft Entra Connect, which uses an on-premises agent that listens for external password validation requests. This agent can be deployed on one or more servers to ensure high availability. It does not need to be deployed in a perimeter network because all communications are outbound only.

The server running the agent must be joined to the AD DS domain where the users reside. Before deployment, it is important to know which authentication scenarios are supported and which are not.

Supported Scenarios:

  • User sign-ins to all web applications compatible with Microsoft Entra ID.
  • User sign-ins to Office applications that support modern authentication.
  • User sign-ins to Microsoft Outlook via legacy protocols: Exchange ActiveSync, SMTP, POP, IMAP.
  • User sign-ins to Skype for Business with modern authentication (online and hybrid topologies).
  • Microsoft Entra domain join for Windows 10 devices.
  • App passwords for multi-factor authentication.

Unsupported Scenarios:

  • User sign-ins to legacy Office applications, except Outlook.
    Examples: Office 2010 and Office 2013 without modern authentication.
  • Access to calendar sharing and free/busy information in hybrid Exchange environments with Office 2010.
  • User sign-ins to Skype for Business without modern authentication.
  • User sign-ins to Windows PowerShell version 1.0.
  • Compromised credential detection.
  • Scenarios requiring Microsoft Entra Domain Services (requires password hash synchronization).
  • Scenarios requiring Microsoft Entra Connect Health (not integrated with pass-through authentication).
  • Apple DEP with iOS Setup Assistant: modern authentication is not supported, so enrollment fails.
    Alternative solution: use the Intune Company Portal app.

How Pass-Through Authentication Works

Before deployment, it is useful to understand how it works and how it differs from AD FS. It is not a simplified version of AD FS: both use on-premises infrastructure but in different ways.

Pass-through authentication uses an authentication agent installed by Microsoft Entra Connect.

Process Steps:

  1. The agent registers with the organization's Microsoft Entra ID tenant (the tenant used by Microsoft 365).
  2. Microsoft Entra ID assigns it a unique digital identity certificate (public/private key) for secure communication.
  3. The agent connects to Microsoft Entra ID via port 443 (HTTPS) with mutual authentication.
  4. Microsoft Entra ID gives the agent access to an Azure Service Bus queue.
  5. The agent retrieves password validation requests from this queue.

🔐 Note

Credentials are never stored in the cloud.

Example:
When a user tries to sign in to Outlook Web App:

  • They are redirected to the Microsoft Entra sign-in page.
  • The user enters their username and password.
  • Microsoft Entra ID places these credentials in a queue.
  • The STS service encrypts the credentials with the agent’s public key.
  • The agent retrieves the encrypted credentials and decrypts them with its private key.
  • The agent validates the credentials against on-premises AD DS (via Windows APIs).
  • AD DS returns a response: success, failure, password expired, user locked out.
  • The agent sends the response to Microsoft Entra ID.
  • Microsoft Entra ID acts accordingly: sign-in, MFA prompt, etc.
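The sign-in flow above, modelled as an added example (not code from this page or from Microsoft): the STS seals the credentials to the agent's public key, and only the agent, holding the private key, can decrypt them and return one of the four AD DS outcomes. The account records, the "user\npassword" wire format and RSA-OAEP as the sealing scheme are assumptions of this model, not Microsoft's actual protocol.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"strings"
)

type Outcome string // one of the four AD DS responses named in the text

const (
	Success, Failure   Outcome = "success", "failure"
	Expired, LockedOut Outcome = "password expired", "user locked out"
)

// Account stands in for an AD DS user record; SampleDirectory is constructed test data, not real accounts.
type Account struct{ Password string; Expired, Locked bool }
var SampleDirectory = map[string]Account{
	"alice": {Password: "Correct-Pass-1"}, "bob": {Password: "Old-Pass-2", Expired: true},
	"carol": {Password: "Any-Pass-3", Locked: true},
}

// NewAgentKey stands in for step 2: the agent's key pair; the private half never leaves the agent.
func NewAgentKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// StsEnqueue plays the cloud STS: it seals "user\npassword" (a simplified wire format, assumed here) to
// the agent's public key, so only ciphertext reaches the queue and the cloud never holds the password.
func StsEnqueue(agentPub *rsa.PublicKey, user, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, agentPub, []byte(user+"\n"+password), nil)
}

// AgentValidate plays the agent: decrypt with its private key, then consult AD DS (dir).
func AgentValidate(agentKey *rsa.PrivateKey, dir map[string]Account, ciphertext []byte) (Outcome, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, agentKey, ciphertext, nil)
	if err != nil {
		return Failure, err // not sealed to this agent's key, or tampered in transit
	}
	user, password, _ := strings.Cut(string(plain), "\n")
	acct, found := dir[user]
	switch {
	case found && acct.Locked:
		return LockedOut, nil // lockout is reported whatever password was supplied
	case !found || acct.Password != password:
		return Failure, nil
	case acct.Expired:
		return Expired, nil
	}
	return Success, nil
}
```

A request sealed to a different agent's key fails at decryption, which is the property that lets the agent run without inbound ports and keeps plaintext passwords out of the cloud queue.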

💡 Tip

Deploying Seamless SSO with pass-through authentication improves the user experience. Users signed in to their domain-joined computer can access cloud resources without re-authenticating.

📘 Further Reading

  • Microsoft Entra Seamless Single Sign-On
  • User Sign-In with Microsoft Entra Pass-through Authentication
