Azure password sync vs pass through authentication

Can anyone tell me the difference between password sync vs azure pass through authentication in the context of office 365 user experience. I can google! But it’s to specifically know what the difference is for users thanks
Sid_F asked:

David Johnson, CD, MVP (Owner) commented:
Azure AD Pass-through Authentication is an additional feature for Azure AD Sync; as far as the user is concerned there is no difference. There is a difference in the security context, though.
This feature is an alternative to Azure AD Password Hash Synchronization, which provides the same benefit of cloud authentication to organizations. However, security and compliance policies in certain organizations don't permit these organizations to send users' passwords, even in a hashed form, outside their internal boundaries.

The password is NEVER stored in the cloud
It uses a lightweight on-premises agent that listens for and responds to password validation requests.
Installing multiple agents provides high availability of sign-in requests.
It protects your on-premises accounts against brute force password attacks in the cloud.

The authentication is done on-premises
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
Todd Nelson (Systems Engineer) commented:
Seamless single sign-on (SSSO) with pass-through authentication (PTA) has the benefits of AD FS without all of the required servers (you only need one). However, SSSO with PTA still has one large caveat: if the internet connection between your DCs and O365 goes down, then no one is going to be able to log in to access the O365 resources.

SSSO with password hash sync is still a great option because it works even if the internet connection between your DCs and O365 goes down. The recent testing I've done indicates that it works much more like AD FS and SSSO/PTA than before, in that there are no logins or prompts for credentials; it uses the credentials of the currently logged-on user. Personally, I prefer password hash sync because in most cases it is more dynamic than AD FS or PTA, in that users can still work with their O365 resources if the internet goes down between AD and O365. I have read that about 95% of O365 customers use password hash sync.

With that said, both solutions will need to add the following URLs to the local intranet zone of IE or other browsers.


To get this working you will need to ensure you have AAD Connect version 1.1.654.0 (at a minimum). Then, follow the SSSO Quick Start Guide to enable either SSSO with PTA or SSSO with PHS.

References...
Sid_F (Author) commented:
Thanks. Does pass-through authentication make password write-back any easier, or is this still a premium feature?

Todd Nelson (Systems Engineer) commented:
Azure Premium is still required for password write-back.
Sid_F (Author) commented:
You mention that with both solutions you need to add specific URLs to the local intranet zone... are you referring to password sync and SSSO? If so, I'm wondering why password sync requires it. Thanks.
Todd Nelson (Systems Engineer) commented:
The URLs are a requirement of Seamless SSO for Kerberos authentication. Once SSSO is enabled, then you have a choice to use either Password Hash Sync or Pass-through Authentication.

It's documented in the first article I listed. One change may be that I now notice only one URL in that article.
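The intranet-zone requirement raised in the first answer and explained just above comes down to how Windows handles integrated authentication: Internet Explorer and Edge only send Kerberos credentials silently to sites in the Local intranet zone, so the Seamless SSO endpoint has to be mapped there whether the tenant uses Password Hash Sync or Pass-through Authentication. The following PowerShell is an added example written for this thread, not code from the participants or from Microsoft's article. It maps a URL into the Local intranet zone for the current user by writing the per-user ZoneMap registry keys and then reads the mapping back to confirm it. The URL list in the answer did not survive on this page, so the endpoint used below is an assumption taken from Microsoft's Seamless SSO documentation; check it against the current article before relying on it.

```powershell
# Added example: map a URL into the Local intranet zone for the current user
# and verify the mapping. Zone numbers: 0 = My Computer, 1 = Local intranet,
# 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.

$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapKeyPath {
    # ZoneMap stores the registrable domain as a key and any remaining host
    # labels as a subkey, e.g. ...\Domains\microsoftazuread-sso.com\autologon
    param([Parameter(Mandatory)] [System.Uri] $Uri)
    $labels = $Uri.Host.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a host with at least two labels: $($Uri.Host)" }
    $domain  = $labels[-2..-1] -join '.'
    $keyPath = Join-Path $ZoneMapRoot $domain
    if ($labels.Count -gt 2) {
        $sub     = $labels[0..($labels.Count - 3)] -join '.'
        $keyPath = Join-Path $keyPath $sub
    }
    return $keyPath
}

function Add-IntranetZoneUrl {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [int] $Zone = 1   # 1 = Local intranet
    )
    $uri     = [System.Uri] $Url
    $keyPath = Get-ZoneMapKeyPath -Uri $uri
    New-Item -Path $keyPath -Force | Out-Null
    # The value name is the URL scheme (http/https); the DWORD data is the zone number.
    New-ItemProperty -Path $keyPath -Name $uri.Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    return $keyPath
}

function Test-IntranetZoneUrl {
    # Returns $true only if the scheme for this host is mapped to zone 1.
    param([Parameter(Mandatory)] [string] $Url)
    $uri     = [System.Uri] $Url
    $keyPath = Get-ZoneMapKeyPath -Uri $uri
    $props   = Get-ItemProperty -Path $keyPath -Name $uri.Scheme -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.($uri.Scheme) -eq 1)
}

# Assumed endpoint (from Microsoft's Seamless SSO documentation, not from this thread);
# confirm against the current Azure AD Connect article before use.
$ssoUrl = 'https://autologon.microsoftazuread-sso.com'

Add-IntranetZoneUrl -Url $ssoUrl | Out-Null
if (Test-IntranetZoneUrl -Url $ssoUrl) {
    "Mapped $ssoUrl to the Local intranet zone for the current user"
} else {
    "Mapping for $ssoUrl was not found; check the ZoneMap key and scheme value"
}
```

This per-user registry edit is useful for testing Seamless SSO on a single workstation. For a domain-wide rollout the supported route is the Group Policy "Site to Zone Assignment List" setting (value 1 for Local intranet), which is what the Microsoft article describes; where that policy is applied it takes precedence over the HKCU ZoneMap entries written here.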
Todd Nelson (Systems Engineer) commented:
Sufficient information provided for solution.