Enable Pass-through Authentication in office 365 Managed Identity
In this article, I would like to go through step by step process of enabling very usable and less known feature of Azure which is Pass-through authentication.
This feature is recently introduced and most of office e365 admins are not aware how this works and how they can get the advantage of this.
What is Pass-through Authentication
It is authentication bridge and a new powerful way of cloud authentication while still keeping your passwords on-premise. It securely validates user passwords with on-premise Active Directory without the need for extra on-premise infrastructure like ADFS.
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience – one less password to remember and reduces IT help desk costs because your users are less likely to forget how to sign in.
When users sign in using Azure AD, this feature validates users’ passwords directly against your on-premises Active Directory.
Assuming that you have just a new subscription to office 365
1. Log into the portal and add your customer domain.
2. Verify your domain (Publish the text record on your domain registrar).
Once the domain is verified you are good to go to set up office 365 managed identity.
Because I am covering here only pass-through authentication, so I will not go about how verifying a domain in office 365.
Go to your local Domain controller or any server domain joined where you will install azure AD connect appliance and sync your objects to the cloud.
4. Download Azure AD connect Tool.
5. Run the setup wizard.
6.Click on Customize and click Install.
7. On Install required components page below let all these “Default” and click Install.
8. On User Sign-in page below Select Passthrough authentication
9.On Connect to Azure AD page type in your office 365 Global Admin credentials and click Next
10.On Connect your directories page>Click Add Directory and in “AD forest account” window type in Enterprise credentials of your local AD
(either NetBIOS or FQDN credentials)
Click OK to Add the directory
11.Once the directory is added click Next
12.On Azure AD Sign-in Configuration Page let all as default and click Next
13. On Domain and OU Filtering page, you can exclude any OU from synching to cloud or let all to sync.
14. On Uniquely identifying your user’s page keep all as default and click Next.
15. For Filter users and devices, pager keep all as default.
16. On Optional features, page keep ALL Unchecked and click Next.
Because we are implementing pass-through authentication, so we do not need to select “Password Synchronization”.
17. On Reading to configure page Click install.
18. Once done you are ready to roll on, any user with on-premise inside co-operative AD can use the same password to sign into office e365.
19. To check if passthrough authentication is enabled for the tenant, Go to https://Portal.azure.com with global admin credentials.
20. Click Azure Active Directory plate>Azure AD Connect and see the status.
You can also implement Single sign on with this pass-through authentication, so the users inside cooperative network can get an advantage to log in automatically in cloud application portal https://myapps.microsoft.com without typing in their passwords.