Azure password sync vs pass through authentication

Can anyone tell me the difference between password sync vs Azure pass-through authentication in the context of the Office 365 user experience? I can google! But it's specifically to know what the difference is for users, thanks.
LVL 6
Sid_F asked:
David Johnson, CD, MVP (Owner) commented:
Azure AD Pass-through Authentication is an additional feature for Azure AD Sync; as far as the user is concerned there is no difference. There is a difference in the security context, though.
This feature is an alternative to Azure AD Password Hash Synchronization, which provides the same benefit of cloud authentication to organizations. However, security and compliance policies in certain organizations don't permit these organizations to send users' passwords, even in a hashed form, outside their internal boundaries.

- The password is NEVER stored in the cloud.
- It uses a lightweight on-premises agent that listens for and responds to password validation requests.
- Installing multiple agents provides high availability of sign-in requests.
- It protects your on-premises accounts against brute-force password attacks in the cloud.

The authentication is done on-premises.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
0
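The "security context" difference above comes down to what crosses the on-premises boundary. With PTA nothing password-derived is stored in the cloud; with password hash sync, Azure AD Connect sends a hash of the NT hash. The following Python is an added example (not code from this thread, from Microsoft, or from Azure AD Connect) that models the documented PHS transform: the 16-byte NT hash is expanded to a 64-byte UTF-16LE hex string, then run through PBKDF2-HMAC-SHA256 with a 10-byte per-user salt and 1000 iterations, and only that result plus the salt and iteration count are synced. The NT hash input and the salt are constructed sample values; the hex case used in the expansion step is an assumption, and the MD4 step that produces the NT hash from the password is not modelled so the block runs on a stock Python install.

```python
"""Model of the Azure AD Connect password hash sync (PHS) hash-of-hash step.

Added example: models the documented PHS transform so the difference in
security context between PHS and PTA is concrete. Not code from Microsoft,
from Azure AD Connect, or from this thread. Sample values are constructed.
"""
import hashlib
import hmac

# Documented PHS parameters: PBKDF2-HMAC-SHA256, 1000 iterations, 10-byte salt.
PHS_ITERATIONS = 1000
PHS_SALT_LEN = 10
PHS_OUTPUT_LEN = 32


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte NT (MD4) hash to 64 bytes: hex string, then UTF-16LE.

    The docs do not state the hex case; lowercase is an assumption here.
    """
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")  # 32 hex chars * 2 bytes = 64 bytes


def phs_transform(nt_hash: bytes, salt: bytes) -> bytes:
    """The derived value that leaves the on-premises boundary under PHS."""
    if len(salt) != PHS_SALT_LEN:
        raise ValueError("salt must be %d bytes" % PHS_SALT_LEN)
    return hashlib.pbkdf2_hmac(
        "sha256", expand_nt_hash(nt_hash), salt, PHS_ITERATIONS, dklen=PHS_OUTPUT_LEN
    )


def build_sync_record(nt_hash: bytes, salt: bytes) -> dict:
    """What the sync agent sends: derived hash, salt and iteration count.

    Neither the clear-text password nor the NT hash itself is in the record.
    """
    return {
        "hash": phs_transform(nt_hash, salt),
        "salt": salt,
        "iterations": PHS_ITERATIONS,
    }


def cloud_verify(record: dict, candidate_nt_hash: bytes) -> bool:
    """Cloud-side check: recompute the transform from the NT hash of the password
    the user typed and compare it to the synced record in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        expand_nt_hash(candidate_nt_hash),
        record["salt"],
        record["iterations"],
        dklen=PHS_OUTPUT_LEN,
    )
    return hmac.compare_digest(derived, record["hash"])


# Constructed sample values (not a real account's hash or salt).
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_SALT = bytes.fromhex("0a0b0c0d0e0f10111213")
WRONG_NT_HASH = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def demo() -> dict:
    """Build one sync record and check a correct and a wrong candidate against it."""
    record = build_sync_record(SAMPLE_NT_HASH, SAMPLE_SALT)
    return {
        "record_hash_len": len(record["hash"]),
        "correct_password_accepted": cloud_verify(record, SAMPLE_NT_HASH),
        "wrong_password_accepted": cloud_verify(record, WRONG_NT_HASH),
    }


if __name__ == "__main__":
    print(demo())
```

Under PTA, by contrast, the cloud never holds a record like this: the on-premises agent performs the comparison against Active Directory and returns only an accept or reject, which is why the agents must be reachable for sign-in to work.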
 
Todd Nelson (Systems Engineer) commented:
Seamless single sign-on (SSSO) with pass-through authentication (PTA) has the benefits of AD FS without all of the required servers (you only need one). However, SSSO with PTA still has one large caveat: if the internet connection between your DCs and O365 goes down, then no one is going to be able to log in to access the O365 resources.

SSSO with password hash sync is still a great option because it works even if the internet connection between your DCs and O365 goes down. The recent testing I've done indicates that it works much more like AD FS and SSSO/PTA than before, in that there are no logins or prompts for credentials; it uses the credentials of the currently logged-on user. Personally, I prefer password hash sync because in most cases it is more dynamic than AD FS or PTA, in that users can still work with their O365 resources if the internet goes down between AD and O365. I have read that about 95% of O365 customers use password hash sync.

With that said, both solutions will need to add the following URLs to the local intranet zone of IE or other browsers.


To get this working you will need to ensure you have AAD Connect version 1.1.654.0 (at a minimum). Then, follow the SSSO Quick Start Guide to enable either SSSO with PTA or with PHS.

References...
0

 
Sid_F (Author) commented:
Thanks. Does pass-through authentication make password writeback any easier, or is this still a premium feature?
0

 
Todd Nelson (Systems Engineer) commented:
Azure AD Premium is still required for password writeback.
0
 
Sid_F (Author) commented:
You mention that with both solutions you need to add specific URLs to the local intranet zone... are you referring to password sync and SSSO? If so, I'm wondering why password sync requires it. Thanks.
0
 
Todd Nelson (Systems Engineer) commented:
The URLs are a requirement of Seamless SSO for Kerberos authentication. Once SSSO is enabled, you then have a choice to use either Password Hash Sync or Pass-through Authentication.

It's documented in the first article I listed. One change may be that I now notice only one URL in that article.
0
 
Todd Nelson (Systems Engineer) commented:
Sufficient information provided for solution.
0