Pass-Through Authentication Preview Added to Azure AD
No DMZ is required for the new service.
Shops that want the benefits of Microsoft's Azure public cloud, but still want to maintain local control of authentication, will soon have a new option.
Microsoft announced a preview of a new Azure Active Directory Pass-Through Authentication capability, as well as a preview of a "seamless" single sign-on feature.
These two identity and access management improvements are big news for organizations that don't want "cloud" datacenters outside their premises to handle passwords, but instead want to tap their local Active Directory infrastructure for the purpose. Microsoft already has a way to do that using Active Directory Federation Services (AD FS) on premises. However, Microsoft is promising an even more simplified approach with the new previews.
"Today's news might well be our biggest news of the year," commented Alex Simons, director of program management for the Microsoft Identity Division, in Microsoft's announcement. Organizations typically have requested a simple way to have single sign-on access, but they also want the password information to stay on premises, he noted.
Pass-Through Authentication
Azure AD Pass-Through Authentication, available as a preview, uses a connector located on an organization's on-premises infrastructure to validate the credentials of an end user signing in to Azure AD. This system works with "absolutely no caching of the password in the cloud," according to Microsoft's announcement.
"The system works by passing the password entered on the Azure AD login page down to the on-premises connector," the announcement explained. "That connector then validates it against the on-premises domain controllers and returns the results."
Even password resets carried out by end users get validated on local infrastructure with this approach. The system has automatic load balancing for high availability "without requiring additional infrastructure." There's also no requirement to set up a demilitarized zone (DMZ) to support the service.
Pass-Through Authentication lets organizations that want to keep authentication on their own infrastructure avoid deploying Active Directory Federation Services, as well as third-party federation products, according to Andrew Conway, general manager of EMS product marketing at Microsoft.
"This feature allows customers that cannot or do not want to store passwords in the cloud (even encrypted ones) to onboard Azure Active Directory and Office 365 without having to modify their corporate network infrastructure and install products such as Active Directory Federation Services (AD FS) or similar third party federation solutions," Conway stated, in a blog post.
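The passages above describe two different places a password can be checked: in the cloud against a synchronized hash, or on premises by a connector that talks to the domain controllers and returns only a verdict. The following toy model, added here as an illustration and not Microsoft's code or its actual connector protocol, makes that difference concrete. The class names, the round-robin choice between connectors, the PBKDF2 hashing, the "locked_out" verdict and the sample user are all assumptions of the model; the point it shows is that in pass-through mode the cloud side ends up holding no credential material and that a policy decision made by the on-premises directory (here, a lockout threshold) governs the cloud sign-in because that is where validation happens.

```python
"""Toy model contrasting password hash synchronization (PHS) with
Pass-Through Authentication (PTA). Constructed illustration only; it is
not Microsoft's implementation and does not reproduce its wire protocol."""
import hashlib
import hmac
import os

# Assumed work factor; chosen low so the demo runs quickly.
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class OnPremDomainController:
    """Stand-in for on-premises Active Directory: it holds the real
    credentials and enforces a local policy (an assumed lockout threshold)."""

    LOCKOUT_THRESHOLD = 3

    def __init__(self):
        self._users = {}     # upn -> (salt, hash)
        self._failures = {}  # upn -> consecutive failed attempts

    def add_user(self, upn: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[upn] = (salt, _hash(password, salt))

    def validate(self, upn: str, password: str) -> str:
        if self._failures.get(upn, 0) >= self.LOCKOUT_THRESHOLD:
            return "locked_out"
        entry = self._users.get(upn)
        if entry and hmac.compare_digest(_hash(password, entry[0]), entry[1]):
            self._failures[upn] = 0
            return "success"
        self._failures[upn] = self._failures.get(upn, 0) + 1
        return "invalid_credentials"


class PassThroughConnector:
    """On-premises agent: receives the password from the cloud sign-in page,
    checks it with the domain controller and returns only the verdict."""

    def __init__(self, dc: OnPremDomainController, name: str):
        self.dc = dc
        self.name = name
        self.handled = 0  # how many sign-ins this connector processed

    def authenticate(self, upn: str, password: str) -> str:
        self.handled += 1
        return self.dc.validate(upn, password)


class CloudIdentityProvider:
    """Azure AD stand-in. In 'phs' mode it keeps a synchronized hash and
    decides locally; in 'pta' mode it keeps only connector handles and
    forwards every attempt, recording the verdict but never the password."""

    def __init__(self, mode: str, connectors=()):
        self.mode = mode
        self.connectors = list(connectors)
        self.credential_store = {}  # upn -> (salt, hash); populated in PHS only
        self.log = []               # (upn, verdict) pairs

    def sync_hash(self, upn: str, password: str) -> None:
        # PHS path: credential material is copied to the cloud (modelled as a
        # salted PBKDF2 hash; the real product syncs a hash of the AD hash).
        salt = os.urandom(16)
        self.credential_store[upn] = (salt, _hash(password, salt))

    def sign_in(self, upn: str, password: str) -> str:
        if self.mode == "phs":
            entry = self.credential_store.get(upn)
            ok = entry and hmac.compare_digest(_hash(password, entry[0]), entry[1])
            result = "success" if ok else "invalid_credentials"
        elif self.mode == "pta":
            # Assumed load balancing: round-robin over registered connectors.
            connector = self.connectors[len(self.log) % len(self.connectors)]
            result = connector.authenticate(upn, password)
        else:
            raise ValueError(f"unknown mode {self.mode!r}")
        self.log.append((upn, result))
        return result


def demo() -> dict:
    dc = OnPremDomainController()
    dc.add_user("alice@corp.example", "correct horse battery staple")  # constructed user
    c1 = PassThroughConnector(dc, "connector-1")
    c2 = PassThroughConnector(dc, "connector-2")

    pta = CloudIdentityProvider("pta", [c1, c2])
    phs = CloudIdentityProvider("phs")
    phs.sync_hash("alice@corp.example", "correct horse battery staple")

    results = {
        "pta_good": pta.sign_in("alice@corp.example", "correct horse battery staple"),
        "pta_bad": pta.sign_in("alice@corp.example", "wrong"),
        "phs_good": phs.sign_in("alice@corp.example", "correct horse battery staple"),
        "cloud_store_pta": len(pta.credential_store),  # 0: nothing to steal here
        "cloud_store_phs": len(phs.credential_store),  # 1: a hash lives in the cloud
    }
    # Two more failures reach the on-prem threshold; the next correct password
    # is still refused because the domain controller, not the cloud, decides.
    pta.sign_in("alice@corp.example", "wrong")
    pta.sign_in("alice@corp.example", "wrong")
    results["pta_after_lockout"] = pta.sign_in("alice@corp.example", "correct horse battery staple")
    results["connector_load"] = (c1.handled, c2.handled)
    results["password_in_cloud_log"] = any("correct horse" in str(e) for e in pta.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the two `cloud_store_*` counts and the `pta_after_lockout` verdict: the PTA provider never acquires a hash, and the lockout policy living on the toy domain controller is what refuses the fifth attempt.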
Organizations can test the Pass-Through Authentication feature by installing Azure Active Directory Connect, which is Microsoft's wizard-like tool for setting up identity and access management using Azure AD. The Pass-Through Authentication feature gets added by selecting a custom installation of Azure AD Connect.
Seamless Single Sign-On
The seamless single sign-on capability, also at preview, lets end users on domain-joined machines connect to Azure AD and other Azure services with the same facility as accessing local network resources, according to a Microsoft video. The single sign-on capability works using an organization's local Active Directory infrastructure. For instance, the request for a Kerberos ticket happens between the end user and the organization's local infrastructure, per the video.
The seamless single sign-on capability is an addition to the Azure AD Connect tool. Organizations using Pass-Through Authentication or password hash synchronization, both of which are configured through Azure AD Connect, can test it.
The new previews have some limitations with regard to supported clients and operating systems, as described in this Microsoft document on Pass-Through Authentication. Older Office clients and clients that use Exchange ActiveSync aren't supported by the Pass-Through Authentication preview, for instance, and it's not supported right now for Windows 10 clients "joined to Azure AD." Organizations need Windows Server 2012 R2 or a newer Windows Server OS to run the Azure AD Connect tool.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.