If you regularly follow this blog, you should remember that back in December 2016 I wrote a blog post about Azure AD Pass-through Authentication, which was in Public Preview at the time: https://spanougakis.wordpress.com/2016/12/08/azuread-pass-through-authentication-and-seamless-single-sign-on-is-here/
A few days ago the Azure AD product group announced some new improvements to that service, so let's take a look.
What is Pass-through Authentication? It lets users sign in to your cloud apps without storing any user passwords in the cloud and without deploying new server infrastructure. The key improvements announced today include:
- Security: Improved user sign-on security with public key / private key encryption between Azure AD and on-premises agents. That’s in addition to secure HTTPS, which is always used to transfer usernames and passwords.
- Usability: Any attribute configured as the Alternate ID in Azure AD Connect can now be used as the sign-in username.
- Easier deployment: Only two ports now need to be open to deploy pass-through authentication, the standard ports 80 and 443.
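Because the agent now depends on just ports 80 and 443, a quick pre-deployment check from the server that will host the agent is worth doing. The script below is an added example and is not part of the original post or of Microsoft's tooling; it uses the built-in `Test-NetConnection` cmdlet (Windows 8.1 / Server 2012 R2 and later). The hostnames in `$Endpoints` are assumptions: `login.microsoftonline.com` is a well-known Azure AD sign-in endpoint, but you should replace the list with the endpoints given in Microsoft's pass-through authentication documentation for your tenant.

```powershell
# Added example: verify outbound TCP reachability on ports 80 and 443
# from the intended pass-through authentication agent server.
function Test-PtaOutboundPorts {
    [CmdletBinding()]
    param(
        # Assumed endpoint list; substitute the ones from Microsoft's PTA docs.
        [string[]]$Endpoints = @('login.microsoftonline.com'),
        # The two ports the post says the agent needs.
        [int[]]$Ports = @(80, 443)
    )

    foreach ($host in $Endpoints) {
        foreach ($port in $Ports) {
            # -WarningAction SilentlyContinue suppresses the cmdlet's own
            # "TCP connect failed" warning so we can report uniformly.
            $result = Test-NetConnection -ComputerName $host -Port $port `
                          -WarningAction SilentlyContinue

            [pscustomobject]@{
                Endpoint  = $host
                Port      = $port
                Reachable = $result.TcpTestSucceeded
                # Useful when a proxy or firewall answers instead of the target.
                RemoteIP  = $result.RemoteAddress
            }
        }
    }
}

# Usage: show any endpoint/port pair that is blocked before installing the agent.
Test-PtaOutboundPorts | Where-Object { -not $_.Reachable } | Format-Table -AutoSize
```

If the agent server reaches the internet through an outbound proxy, `Test-NetConnection` tests a direct TCP connection and will report failures even when the agent itself would succeed via the proxy, so read a blocked result as "check the firewall or proxy path", not as a definitive failure.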
But let's not forget Seamless Single Sign-On (SSO), which is great because it lets users on your corporate network access cloud apps from their domain-joined devices without re-entering their passwords. This feature relies on Kerberos authentication rather than the user's password. The Azure AD team at Microsoft also simplified the end-user sign-in experience by removing the need for users to type their usernames when they access cloud apps through tenant-specific URLs (like outlook.office365.com/owa/contoso.com).
I strongly suggest that you go through this additional documentation about pass-through authentication and seamless single sign-on to better understand how you can use these features today.