Unit 4: Implement and Manage Pass-Through Authentication (PTA)

1. Overview of Pass-Through Authentication

Microsoft Entra Pass-Through Authentication (PTA) is a sign-in method that allows users to log into Microsoft cloud services using their on-premises passwords, without storing password hashes in the cloud.

Instead of synchronizing password hashes (as in Password Hash Synchronization), PTA validates users’ credentials directly against your on-premises Active Directory (AD) whenever they sign in to Microsoft 365 or any Entra-integrated cloud application.

In simple terms:

PHS = “store a secure copy of the password hash in the cloud.”
PTA = “ask AD directly every time the user signs in.”

This method gives the same password experience as PHS, but with the added advantage of real-time policy enforcement — password changes, expirations, and account lockouts are recognized instantly.

2. How Pass-Through Authentication Works

When a user attempts to sign into a Microsoft cloud app, the authentication process goes through several secure steps:

The user enters their credentials (username and password) on the Microsoft Entra sign-in page.
Microsoft Entra ID encrypts the password using a public key from your tenant.
The encrypted credentials are placed in a secure queue in Entra ID.
An on-premises PTA Agent — a lightweight component installed on one or more Windows servers — retrieves the encrypted credentials from the queue over HTTPS (port 443).
The agent decrypts the credentials using its private key and validates them against Active Directory Domain Services (AD DS).
AD DS confirms whether the credentials are valid and returns a “Success” or “Failure” response to Microsoft Entra ID via the agent.
If authentication is successful, Microsoft Entra ID issues a token to the user, granting access to the cloud application.

Key point: The password never leaves the corporate network in plain or hashed form — only an encrypted credential validation occurs.

3. Infrastructure Components

To implement PTA successfully, the following components are required:

Component	Purpose
Microsoft Entra Connect	Used to configure and enable PTA for your tenant. It installs the first authentication agent automatically.
PTA Agent	A lightweight service that validates users’ passwords against on-prem AD DS. Multiple agents can be installed for high availability.
Active Directory Domain Controllers	Store the user accounts and perform the actual password validation.
Microsoft Entra ID (Cloud)	Handles the initial authentication request, stores the queue, and issues the access token after successful validation.

Ports:

The agents communicate outbound to Microsoft Entra ID via TCP 443 (HTTPS).
No inbound ports or DMZ exposure is needed, which makes it firewall-friendly.

4. Enabling Pass-Through Authentication

You can enable PTA during or after the Microsoft Entra Connect installation.

Option 1: During Initial Installation (Custom Setup)

Launch the Microsoft Entra Connect installer.
Select Customize instead of Express.
In the User sign-in section, choose Pass-Through Authentication.
Complete domain verification and connection steps.
Once setup finishes, Entra Connect automatically installs a PTA Agent on the same server and enables the feature for the tenant.

Option 2: Changing Sign-In Method Later

If you already have Entra Connect installed (e.g., with Password Hash Sync) and want to switch:

Open the Microsoft Entra Connect Wizard.
Select Change user sign-in under Additional Tasks.
Choose Pass-Through Authentication as the new sign-in method.
Click Next and follow the prompts to complete the configuration.
A PTA Agent will be installed automatically if not already present.

Important: PTA is a tenant-wide setting — enabling it affects authentication for all users across managed domains.

5. Agent Deployment and Redundancy

For resilience and load balancing, Microsoft recommends deploying at least three PTA agents on separate servers.

The first agent is installed automatically with Microsoft Entra Connect.
Additional agents can be installed manually using the stand-alone agent installer.
Each agent must be domain-joined and have outbound connectivity to Microsoft Entra ID.

Load Balancing: Entra ID automatically distributes authentication requests across all available agents. If one agent becomes unavailable, the next one in the pool handles requests automatically.

High Availability Example:

Agent Location	Purpose
PTA-Server1 (Main site)	Installed with Entra Connect
PTA-Server2 (Secondary site)	Redundant agent for load balancing
PTA-Server3 (DR site)	Backup agent for disaster recovery

This setup ensures that authentication continues seamlessly even if one data center or network segment is offline.

6. Combining PTA with Seamless Single Sign-On (SSO)

PTA integrates tightly with Microsoft Entra Seamless SSO, providing users with an even smoother login experience.

With Seamless SSO enabled:

Users on domain-joined corporate devices don’t have to re-enter their credentials when accessing Microsoft 365 or Entra-integrated apps.
Authentication still happens via PTA, but the credentials are obtained automatically from the user’s Windows logon session using Kerberos.

Example: Contoso Ltd enables PTA with Seamless SSO. When employees log in to their domain-joined laptops and open Outlook or Teams, they’re automatically signed in — no additional password prompts. However, if they connect from a personal device at home, they must enter their credentials manually.

7. PTA Security Model

PTA is designed with multiple layers of protection:

Security Feature	Purpose
No inbound ports	Agents only make outbound HTTPS calls — reducing attack surface.
Password encryption	Passwords are encrypted with a public key before leaving Microsoft Entra ID.
Private key isolation	Only the agent holds the private decryption key — even Microsoft cannot access it.
No password caching	Agents validate credentials in real time against AD DS. No password data is stored.
Agent authentication	Agents authenticate securely to Entra ID using certificates.

This architecture makes PTA suitable for organizations with strong compliance requirements or restrictions on password storage in the cloud.

8. Business Continuity and Backup (PHS + PTA)

A highly recommended best practice is to enable Password Hash Synchronization (PHS) as a backup even when using PTA as the primary sign-in method.

If your on-premises environment becomes unavailable (network outage, AD failure, etc.), users can still sign in using PHS.
Failover is manual — you must change the authentication method in Entra Connect to PHS during an outage.
Once your PTA agents are restored, you can switch back.

Real-world example: During a ransomware attack, Fabrikam’s AD environment was offline for two days. Because they had PHS enabled as a backup, users continued to access Microsoft 365, allowing IT to coordinate recovery efforts from the cloud.

9. Considerations for Pass-Through Authentication

Factor	Key Points
Infrastructure	Requires on-prem AD DS and at least one domain-joined Windows Server for the agent.
Network connectivity	Agents must reach Microsoft Entra ID endpoints via HTTPS (443).
Latency	Authentication depends on AD response time — ensure low latency between agents and domain controllers.
Maintenance	Agents update automatically through Microsoft’s update mechanism.
Compliance	Suitable for regulated industries that prohibit password hashes in the cloud.
Availability	Recommended to deploy 3 agents for redundancy.

10. Federation vs PTA vs PHS – Quick Comparison

Feature	Password Hash Sync (PHS)	Pass-Through Authentication (PTA)	Federation (AD FS)
Password storage	Hash of a hash stored in Entra ID	Password validated on-prem via agent	Password validated on-prem via AD FS
Infrastructure required	Minimal (Entra Connect only)	Moderate (agents required)	Complex (AD FS + WAP + certs)
Supports real-time lockout	No	Yes	Yes
High availability	Built-in (cloud-based)	Multi-agent deployment	Requires AD FS farm
Supports third-party MFA/smart cards	No	No	Yes
Setup complexity	Simple	Moderate	High
Best for	Most organizations	Organizations with password hash restrictions	Enterprises with advanced auth needs

11. Troubleshooting PTA

Common issues and their resolutions:

Issue	Possible Cause	Resolution
Users cannot sign in	PTA agents offline or disconnected	Verify agents in the Microsoft Entra admin center → Monitoring → Authentication methods → PTA
Delayed response	Network latency or overloaded domain controllers	Deploy additional agents or move them closer to DCs
Password expired but still accepted	Password policy not applied	Ensure AD password policies are configured correctly
“No agents available” alert	All agents stopped or removed	Restart PTA service or reinstall agent

Event Logs: Check under Applications and Services Logs → Microsoft → AzureAdConnect → AuthenticationAgent/Admin for detailed agent errors.

12. Exam Tips

PTA does not store passwords or hashes in the cloud.
Requires outbound TCP 443 only.
Minimum 3 agents are recommended for fault tolerance.
Combine with Seamless SSO for password-less user experience on domain-joined devices.
Enable PHS as a backup to survive on-prem outages.
Failover to PHS is manual.
Federation is required for smartcard or certificate-based logins — PTA does not support them.

13. Real-World Example

Scenario: A global bank, Northwind Finance, wants to adopt Microsoft 365 but cannot allow any password-related data in the cloud due to financial regulations. They still want users to have the same password for all systems.

Solution:

Deploy Microsoft Entra Connect and choose Pass-Through Authentication.
Install 3 PTA agents in different datacenters for redundancy.
Enable Seamless SSO for corporate devices.
Enable PHS as a backup for disaster recovery.
Use Entra Connect Health to monitor all agents and sync status.

Outcome: Users sign in to Microsoft 365 and other SaaS apps with their corporate credentials. Account lockouts, password resets, and policy changes are reflected instantly. If an agent fails, others automatically take over without service disruption.

14. Summary

Pass-Through Authentication provides real-time validation of on-prem AD credentials in the cloud — offering a secure, compliant, and low-latency sign-in experience.

It’s ideal for organizations that:

Want to avoid password hashes in the cloud.
Need immediate enforcement of password policies.
Have the infrastructure to support always-on agents.

When combined with Seamless SSO and a PHS backup, PTA provides security, reliability, and user convenience — an excellent middle ground between simplicity and control.

SC‑300 Study Portal Dark

Unit 4: Implement and Manage Pass-Through Authentication (PTA)