AAD Pass-through OR Password Hash OR Office 365 modern authentication ?

AAD Pass-through OR Password Hash OR Office 365 modern authentication ?

Hi All,

We all know that there are multiple ways of authentication setup when we think of office apps or Azure or office365. But when we want to evaluate, we should know what exactly these process or authentication types provide as services and most importantly we should know on the suitability of needs and compliance of the organization on the authentication process.

As I know, major enterprises will not go with Password hash due to needs of controlling rights requirement at on-premises level. But its good option to choose if you keeping your office365 auth separate from ADFS. This will help to reduce the CAPEX and OPEX costs to companies.

** Again, its individual company decision to choose one.

Below is the summary of three different authentication process available and I have provided some of the links at the end if you require deep dive.

AAD Pass-Through

Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience – one less password to remember and reduces IT help-desk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users’ passwords directly against your on-premises Active Directory.

AAD passthrogh

This is a process which depends on the Domain Controller on premises and needs its availability.

Password Hash / Password Synchronization:

This is a process in which AD connect is in place and stores a password in an encrypted way in Azure AD with the secure channel. This sync will happen every two minutes between AD domain controller and Azure AD, this has the option right back and administrator should be using Azure portal not the Office portal if this solution is in place.  This is something we can opt for a solution at DRC.

password hash

Supported scenarios by Pass-through:

  • User sign-ins to all web browser-based applications
  • User sign-ins to Office applications that support modern authentication(Below Explained): Office 2016, and Office 2013 with modern authentication
  • User sign-ins to Skype for Business that support modern authentication, including Online & Hybrid topologies.
  • Azure AD domain joins for Windows 10 devices
  • Exchange Active-sync support

What is modern authentication?

Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card, and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.

Unsupported scenarios:

  • User sign-ins to legacy Office client applications: Office 2010, and Office 2013 without modern authentication. Organizations are encouraged to switch to modern authentication, if possible. Modern authentication allows for Pass-through Authentication support. It also helps you secure your user accounts by using conditional access features, such as Azure Multi-Factor Authentication.
  • User sign-ins to Skype for Business client applications without modern authentication.
  • User sign-ins to Power-Shell version 1.0. We recommended that you use Power-Shell version 2.0.
  • App passwords for Multi-Factor Authentication. • Detection of users with leaked credentials.
  • Azure AD Domain Services needs Password Hash Synchronization to be enabled on the tenant. Therefore tenants that use Pass-through Authentication only don’t work for scenarios that need Azure AD Domain Services.

Important: As a workaround for unsupported scenarios only, enable Password Hash Synchronization on the Optional features page in the Azure AD Connect wizard.

Note: Enabling password hash synchronization gives you the option to fail-over authentication if your on-premises infrastructure is disrupted. This fail-over from Pass-through Authentication to Active Directory password hash synchronization is not automatic. You’ll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you’ll require help from Microsoft Support to turn off Pass-through Authentication.

Happy Reading


Below are some links, which will give you a deep dive:

OME – Office 365 Message Encryption (Safeguarding Email Communication, Next Game Changer by AIP)

OME – Office 365 Message Encryption (Safeguarding Email Communication, Next Game Changer by AIP)

Safeguarding Email Communication – Next Game Changer by AIP (Azure information Protection)

Safeguarding the email in Office 365 – eliminate the secure email!!! This is advanced solution from AIP team. Before we start exploring how security of email is structured, we will try to understand what is AIP?

Microsoft announced Azure Information Protection (AIP) last year, a new service that builds on both Microsoft Azure Rights Management (RMS) and their recent acquisition of Secure Islands.

Now AIP is Generally Available (GA)! and AIP will deliver the following:

– Classify, label, and protect data at the time of creation or modification.

– Persistent protection that travels with your data.

– Enable safe sharing with customers and partners.

– Simple, intuitive controls help users make the right decisions and stay productive.

– Visibility and control over shared data.

– Deployment and management flexibility. Protect data whether it is stored in the cloud or on-premises, and choose how your encryption keys are managed with Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) options.

Many changes have been made since AIP introduced, mainly on labeling and standardizing labels in global organization in data protection using Microsoft Cloud App Security (MCAS) tool and labels!

AIP team has new set of default labels within Azure.

  • Personal
  • Public
  • General
  • Confidential
  • Highly Confidential

You can have SUB labels too within the above listed labels.

Scope policies: This will help people to control specialized access policy which will have the default labels in it. There will be Global policy which is default and will have default labels.

Every policy which will be created, will also have default labels available and they are allowed to create their own labels likewise they create scope policy. These are all done under admin console in Azure.

Right User Behavior: Is large concern to organizations to allow users to manually classify something or automatically classify the data. Hence it is recommended to use R&R type!

  • Automatic: Automatically classified
  • User Set: User manually classified
  • Recommended & Reclassification: these two will use little bit of automation and user will be getting choice to choose the labeling automatically to classify the data properly if it is wrong.

Security of Email:

Be it a webmail, outlook or Gmail, yahoo etc. No need to buy an MS Office to read the secure email and reduce investment on the e-mail gateway!  This new feature is currently included under Azure Information Protection Premium P2 and some office 365 subscription might include this with Azure RMS.

Assume you sent a secure email to Gmail mailbox from your outlook/webmail using the exchange or office365,  the message say that buy/use a office product to decrypt the email, which was not having great customer experience and this had requirement of mail gateways.

All will be gone soon!

Moving forward AIP will give an option to read the encrypted mail by giving choice to prove who you are.


When a person sends a encrypted email to any end-user, who does not have outlook/webmail to decrypt the message, will be sent email with link, which allows user to access email in HTML format.

The link will have message similarly like below:

 ABC (ABC@office365contoso.onmicrosoft.com) has sent you a message that was protected with Microsoft Office 365.

——-> Click Here to read your message <——-

  (This link will have 3 months validity)

We will Assume that the user is using google mail for now, when he/she hits the link above, it takes request to another tab of browser hitting source of encrypted message. It will allow user to use google account to view the encrypted message by similar process to SSO.

User will receive the code in email and user has to paste the same code in the link to read email online.

There you go! happy reading your secure emails!