Should you ditch ADFS for Azure AD Pass-through Authentication?

Azure Active Directory Pass-through Authentication Overview

Azure Active Directory pass-through authentication recently become generally available. This new technology allows users to have the benefits of seamless single sign on to applications as as Office 365 without the requirement of Active Directory Federation services (ADFS). This feature is bundled together with Azure Active Directory Connect (AADConnect). Pass-through authentication and seamless single sign on are free features.

Supported & Unsupported Scenarios

The following scenarios are currently supported at of time of writing this article.

  • User sign ins to web browser applications
  • User sign ins to Office 365 applications that support modern authentication
  • Joining Windows 10 devices to Azure AD
  • Exchange ActiveSync

These scenarios are not supported.

  • Sign ins to Office 2013 or earlier where modern authentication is not used.
  • Sign ins to Skype for Business applications
  • Access to PowerShell v.1.0
  • Application passwords for multi form factor authentication
  • Detection of users with leaked credentials

Why change if I already have ADFS in place?

  • Simplicity 
    Single sign in utilises a light weight agent that initiates outbound connections. Due to this, there is no requirement to place the agent in a perimeter network.
  • Management 
    Agents auto update and are self maintaining.
  • Reduce infrastructure
    ADFS deployments often require a number of servers. Azure AD pass-though authentication agents can be deployed on existing servers so you get the benefits of reducing server count without compromising availability.
  • No complex authentication requirements 
    If your organisation requires the use of Smart Cards or uses third party multi form factor authentication providers with Office 365 and ADFS, this solution is not suitable.

Azure Active Directory Seamless Single Sign On

Seamless single sign on can be enabled together with pass-through authentication. Enabling this feature gives end users a great experience. Users are automatically signed into cloud or on-premises applications inside or outside your corporate network.  If seamless single sign on fails the user will be presented with the normal sign in screen. The following browsers are supported for single sign on, which makes use of Kerberos authentication.

OS\Browser Internet Explorer Edge Google Chrome Mozilla Firefox Safari
Windows 10 Yes No Yes Yes* N/A
Windows 8.1 Yes N/A Yes Yes* N/A
Windows 8 Yes N/A Yes Yes* N/A
Windows 7 Yes N/A Yes Yes* N/A
Mac OS X N/A N/A Yes* Yes* Yes*


I believe that pass-through authentication is the new preferred method to enable seamless single sign in to Office 365 and other Azure AD applications. In certain cases AD FS will still be required but for simple Office 365 adoption products pass-through authentication with seamless single sign on is worth investigating.

Leave a Reply