- September 29, 2017
- Posted by: Chris
- Category: Azure, Office 365
Azure Active Directory Pass-through Authentication Overview
Azure Active Directory pass-through authentication recently became generally available. This new technology gives users the benefits of seamless single sign-on to applications such as Office 365 without requiring Active Directory Federation Services (ADFS). The feature is bundled with Azure Active Directory Connect (AADConnect). Pass-through authentication and seamless single sign-on are free features.
Supported & Unsupported Scenarios
The following scenarios are supported at the time of writing this article.
- User sign-ins to web browser applications
- User sign-ins to Office 365 applications that support modern authentication
- Joining Windows 10 devices to Azure AD
- Exchange ActiveSync
These scenarios are not supported.
- Sign-ins to Office 2013 or earlier where modern authentication is not used
- Sign-ins to Skype for Business applications
- Access to PowerShell v1.0
- Application passwords for multi-factor authentication
- Detection of users with leaked credentials
Why change if I already have ADFS in place?
Single sign-on utilises a lightweight agent that only initiates outbound connections. Because nothing connects inbound to it, there is no requirement to place the agent in a perimeter network.
Agents auto-update and are self-maintaining.
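The outbound-only design above is something worth verifying on the server that hosts the agent. The following script is an added example, not code from the original post; it assumes the agent's Windows service is named AzureADConnectAuthenticationAgent (confirm the name with Get-Service on your own server) and checks that the agent's process holds no listening sockets, listing only the outbound sessions it has established.

```powershell
# Added verification script (not from the original post). The service name
# below is an assumption; check it on your server if the lookup fails.
$serviceName = 'AzureADConnectAuthenticationAgent'

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$serviceName' not found; is the agent installed on this server?"
    return
}
"{0}: {1} (startup: {2})" -f $svc.DisplayName, $svc.Status, $svc.StartType

# Map the service to its process so only the agent's sockets are inspected
$procId = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").ProcessId
if (-not $procId) { Write-Warning 'Service is not running'; return }

$conns = Get-NetTCPConnection -OwningProcess $procId -ErrorAction SilentlyContinue

# An outbound-only agent should hold no sockets in the Listen state
$listeners = $conns | Where-Object State -eq 'Listen'
if ($listeners) {
    Write-Warning 'Unexpected listening sockets found on the agent process:'
    $listeners | Format-Table LocalAddress, LocalPort -AutoSize
} else {
    'No listening sockets: the agent is outbound-only, as expected.'
}

# Show the outbound sessions; expect HTTPS (TCP 443) to Microsoft endpoints only
$conns | Where-Object State -eq 'Established' |
    Select-Object RemoteAddress, RemotePort, State |
    Sort-Object RemoteAddress -Unique |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since Get-NetTCPConnection needs administrative rights to resolve owning processes of other accounts' sockets.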
- Reduce infrastructure
ADFS deployments often require a number of servers. Azure AD pass-through authentication agents can be deployed on existing servers, so you get the benefit of a reduced server count without compromising availability.
- No complex authentication requirements
If your organisation requires the use of smart cards, or uses third-party multi-factor authentication providers with Office 365 and ADFS, this solution is not suitable.
Azure Active Directory Seamless Single Sign On
Seamless single sign-on can be enabled together with pass-through authentication. Enabling this feature gives end users a great experience: they are automatically signed into cloud or on-premises applications, inside or outside your corporate network. If seamless single sign-on fails, the user is presented with the normal sign-in screen. The following browsers are supported for seamless single sign-on, which makes use of Kerberos authentication.
| OS\Browser | Internet Explorer | Edge | Google Chrome | Mozilla Firefox | Safari |
|---|---|---|---|---|---|
| Mac OS X | N/A | N/A | Yes* | Yes* | Yes* |
I believe that pass-through authentication is the new preferred method of enabling seamless single sign-on to Office 365 and other Azure AD applications. In certain cases ADFS will still be required, but for straightforward Office 365 adoption, pass-through authentication with seamless single sign-on is worth investigating.