AAD Pass-through OR Password Hash OR Office 365 modern authentication ?

AAD Pass-through OR Password Hash OR Office 365 modern authentication ?

Hi All,

We all know that there are multiple ways of authentication setup when we think of office apps or Azure or office365. But when we want to evaluate, we should know what exactly these process or authentication types provide as services and most importantly we should know on the suitability of needs and compliance of the organization on the authentication process.

As I know, major enterprises will not go with Password hash due to needs of controlling rights requirement at on-premises level. But its good option to choose if you keeping your office365 auth separate from ADFS. This will help to reduce the CAPEX and OPEX costs to companies.

** Again, its individual company decision to choose one.

Below is the summary of three different authentication process available and I have provided some of the links at the end if you require deep dive.

AAD Pass-Through

Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience – one less password to remember and reduces IT help-desk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users’ passwords directly against your on-premises Active Directory.

AAD passthrogh

This is a process which depends on the Domain Controller on premises and needs its availability.

Password Hash / Password Synchronization:

This is a process in which AD connect is in place and stores a password in an encrypted way in Azure AD with the secure channel. This sync will happen every two minutes between AD domain controller and Azure AD, this has the option right back and administrator should be using Azure portal not the Office portal if this solution is in place.  This is something we can opt for a solution at DRC.

password hash

Supported scenarios by Pass-through:

  • User sign-ins to all web browser-based applications
  • User sign-ins to Office applications that support modern authentication(Below Explained): Office 2016, and Office 2013 with modern authentication
  • User sign-ins to Skype for Business that support modern authentication, including Online & Hybrid topologies.
  • Azure AD domain joins for Windows 10 devices
  • Exchange Active-sync support

What is modern authentication?

Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card, and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.

Unsupported scenarios:

  • User sign-ins to legacy Office client applications: Office 2010, and Office 2013 without modern authentication. Organizations are encouraged to switch to modern authentication, if possible. Modern authentication allows for Pass-through Authentication support. It also helps you secure your user accounts by using conditional access features, such as Azure Multi-Factor Authentication.
  • User sign-ins to Skype for Business client applications without modern authentication.
  • User sign-ins to Power-Shell version 1.0. We recommended that you use Power-Shell version 2.0.
  • App passwords for Multi-Factor Authentication. • Detection of users with leaked credentials.
  • Azure AD Domain Services needs Password Hash Synchronization to be enabled on the tenant. Therefore tenants that use Pass-through Authentication only don’t work for scenarios that need Azure AD Domain Services.

Important: As a workaround for unsupported scenarios only, enable Password Hash Synchronization on the Optional features page in the Azure AD Connect wizard.

Note: Enabling password hash synchronization gives you the option to fail-over authentication if your on-premises infrastructure is disrupted. This fail-over from Pass-through Authentication to Active Directory password hash synchronization is not automatic. You’ll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you’ll require help from Microsoft Support to turn off Pass-through Authentication.

Happy Reading


Below are some links, which will give you a deep dive: