Please check out this article for an overview of Azure AD Pass-Through Authentication.
What is required to configure Pass-through Authentication:
- A Windows Server machine running Windows Server 2012 R2 or later
- Outbound internet connectivity from that server
- If outbound access goes through a proxy, the server must be able to reach the required endpoints through it (either via an allow-list on the proxy or by bypassing the proxy)
- The PTA namespaces *.msappproxy.net and *.servicebus.windows.net must be allow-listed in the proxy. If the proxy cannot allow-list by URL, allow the Azure datacenter IP ranges instead; these ranges change regularly, so the list has to be kept current
- The Microsoft URLs mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80 and www.microsoft.com:80 must be allow-listed; the agent uses them for certificate validation and revocation (CRL/OCSP) checks
- Outbound TCP 80 and 443 to Azure AD must be allowed: port 80 is used for CRL downloads, port 443 for all other agent traffic. These ports are usually open by default, but if your firewall restricts outbound traffic by source, add an allow rule for the authentication agent host (the server on which the pass-through authentication agent is installed)
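The checklist above can be turned into a pre-flight script. The following is an added example, not code from the original article: it checks the OS version, the machine-wide proxy setting, and TCP and HTTP reachability of the hosts the list names. The hostnames and ports come from the list; login.microsoftonline.com and the $Proxy variable are assumptions added for illustration and are marked as such in the comments.

```powershell
# Added example, not from the original article: pre-flight check for the PTA
# prerequisites. Run in an elevated PowerShell session on the server that will
# host Azure AD Connect and the authentication agent.
$ErrorActionPreference = 'Continue'
$Proxy = $null   # assumption: set to e.g. 'http://proxy.corp.example:8080' if the agent will use a proxy

# 1. OS version: Windows Server 2012 R2 reports kernel 6.3, so >= 6.3 passes.
$os   = Get-CimInstance Win32_OperatingSystem
$osOk = [version]$os.Version -ge [version]'6.3'
'OS check: {0} ({1}) -> {2}' -f $os.Caption, $os.Version, $(if ($osOk) { 'OK' } else { 'UNSUPPORTED' })

# 2. Proxy as seen by WinHTTP. The agent runs as a service, so the machine-wide
#    WinHTTP setting is the relevant one, not the logged-on user's browser proxy.
'WinHTTP proxy: ' + ((netsh winhttp show proxy) -join ' ').Trim()

# 3. TCP reachability of the hosts the article names. The two wildcard
#    namespaces (*.msappproxy.net, *.servicebus.windows.net) resolve to
#    tenant-specific hostnames that are only known once the agent registers,
#    so they have to be verified in the proxy/firewall allow-list, not here.
$targets = @(
    @{ Host = 'mscrl.microsoft.com'; Port = 80 },
    @{ Host = 'crl.microsoft.com';   Port = 80 },
    @{ Host = 'ocsp.msocsp.com';     Port = 80 },
    @{ Host = 'www.microsoft.com';   Port = 80 },
    # assumption: the Azure AD sign-in endpoint reached on 443; it is not in
    # the article's list but is the obvious target for the port 443 rule.
    @{ Host = 'login.microsoftonline.com'; Port = 443 }
)
$tcp = foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host     = $t.Host
        Port     = $t.Port
        Resolved = [bool]$r.RemoteAddress
        TcpOpen  = [bool]$r.TcpTestSucceeded
    }
}
$tcp | Format-Table -AutoSize
# Caveat: if the proxy is the only route to the internet, these direct TCP
# tests fail by design even though the agent will work through the proxy.
# The HTTP test below is the one that matters in that case.

# 4. HTTP reachability along the path the agent will use. Invoke-WebRequest
#    uses the .NET default (WinINet/user) proxy, not WinHTTP, so pass -Proxy
#    explicitly when the agent's proxy differs from the user's.
foreach ($h in 'crl.microsoft.com', 'www.microsoft.com') {
    try {
        $params = @{ Uri = "http://$h/"; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15 }
        if ($Proxy) { $params.Proxy = $Proxy }
        $resp = Invoke-WebRequest @params
        'HTTP {0}: {1}' -f $h, $resp.StatusCode
    } catch {
        'HTTP {0}: FAILED ({1})' -f $h, $_.Exception.Message
    }
}

# 5. One-line summary for the change ticket.
$blocked = @($tcp | Where-Object { -not $_.TcpOpen })
if ($blocked.Count -eq 0) { 'All listed endpoints reachable over TCP.' }
else { 'Blocked or unresolved: ' + (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', ') }
```

Run it before downloading the agent, and again after any proxy or firewall change; a failure in step 4 with a success in step 3 usually means the proxy allows CONNECT but blocks the URL category.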
If the above prerequisites are in place, follow the steps below to configure it.
Note
In the installation steps below, Seamless Single Sign-On (SSSO) is also selected so that the full feature suite is configured, giving corporate intranet users the best sign-on experience. If you do not want SSSO, leave its options unchecked.
Log in to portal.azure.com > Azure Active Directory (Azure AD) > Azure AD Connect.
By default, Pass-through authentication shows the status Disabled.
Click Pass-through Authentication.
Check Verify your configuration, which lists the mandatory prerequisites for the installation.
As Microsoft's note on that page says, the PTA configuration affects all managed domains in your tenant. Once validated, click Download & Install Additional Pass-Through Authentication Connector(s).
You can find the Windows Installer package in your Downloads folder or at the path you chose when saving the file.
Click Install.
On the Welcome page, tick I agree and click Continue.
Click Customize. Express Settings does not offer PTA: it sets up directory synchronization with password hash synchronization as the sign-in method, so the custom path is required here.
Select Use an existing service account and enter a service (domain) account from your on-premises directory, then click Install. You can also specify custom sync groups if your domains need them.
Next you see the user sign-in methods that Microsoft supports for Office 365 and Azure workloads.
Select Pass-through authentication, tick Enable single sign-on and click Next.
Note the recommendation to use a cloud-only Global Administrator account. Click Next.
Enter the credentials of a Global Administrator of the tenant and click Next.
By default, a cloud-only Global Administrator has a UPN of the form [email protected].
Click Add Directory and add the forests and domains to sync.
Once the Active Directory forests have been added, click Next.
Keep the username attribute as userPrincipalName (UPN) and click Next.
If you cannot use UPN, select another attribute that suits your organization as the sign-in name. UPN is the best choice because it is used consistently across applications and services; make sure the UPN suffixes in use are verified domains in the tenant, otherwise those users are synchronized with a default .onmicrosoft.com UPN.
In Domain and OU Filtering you choose which domains and organizational units are synchronized to the cloud.
In my case, I grouped all the users into a single OU and selected only that OU, to avoid polluting Azure Active Directory with objects that do not belong there.
Keep the defaults and click Next.
Select Synchronize all users and devices and click Next.
Uncheck Password hash synchronization, since PTA will be the authentication method. (Microsoft recommends leaving it enabled alongside PTA as a backup sign-in method and because Identity Protection's leaked-credential detection depends on it; PTA stays the active sign-in method either way.)
Enter on-premises Domain Administrator credentials to enable single sign-on and click Next. These credentials are used once, to create the computer account Seamless SSO needs in the on-premises forest; they are not stored.
Select Start the synchronization process when configuration completes and click Install to begin the installation. You can adjust the sync options to your requirements.
The configuration has completed successfully.
How to validate Pass-through authentication configuration
To verify what was installed, open Azure AD Connect from its icon.
Click Configure.
Select View current configuration and click Next.
The review page shows what is configured on the Azure AD Connect server.
You can now see that the full sync has been initiated and completed. A full sync takes time depending on your forest/domain size and the attributes selected for synchronization to the cloud.
In the Azure portal, both Seamless single sign-on and Pass-through authentication now show the status Enabled.
You can check the status of the authentication agents in the agents panel.
In the on-premises directory you can see that a new computer object, AZUREADSSOACC, has been created. It belongs to Seamless SSO, not to Pass-through Authentication: it is the account through which Azure AD accepts Kerberos tickets from domain-joined clients, and its password is the key used to decrypt those tickets. Treat it as a Tier-0 object and roll its key periodically, because anyone holding that key can forge tickets that Azure AD will accept.
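The GUI checks above have command-line equivalents on the Azure AD Connect server. The following is an added example, not code from the original article: it reads the sync scheduler state, lists any connector run in progress, looks for the authentication agent service and inspects the Seamless SSO computer account. ADSync is the module Azure AD Connect installs and ActiveDirectory comes with RSAT; the service is matched by display name rather than an assumed service name, and the 30-day key-rollover threshold is Microsoft's published guidance, not something the article states.

```powershell
# Added example, not from the original article: post-install validation on
# the Azure AD Connect server. Run in an elevated PowerShell session.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Scheduler: is the sync cycle enabled, how often does it run, is a run active?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, SyncCycleInProgress, CurrentlyEffectiveSyncCycleInterval,
                  NextSyncCycleStartTimeInUTC, StagingModeEnabled |
    Format-List

# 2. Connector runs still in progress (the initial full import/sync can run
#    for a long time on a large forest, which is what the article warns about).
$running = @(Get-ADSyncConnectorRunStatus)
if ($running.Count -gt 0) { $running | Format-Table -AutoSize } else { 'No connector run in progress.' }

# 3. PTA authentication agent service on this host. Matched on the display
#    name ("Microsoft Azure AD Connect Authentication Agent") so the check
#    does not depend on the exact service name.
$agent = Get-Service -DisplayName '*Azure AD Connect Authentication Agent*' -ErrorAction SilentlyContinue
if ($agent) { 'PTA agent service: {0} ({1})' -f $agent.Status, $agent.Name }
else        { 'PTA agent service not found on this host.' }

# 4. The computer object that Seamless SSO creates. Its password is the
#    Kerberos decryption key for SSO, so: (a) its presence proves SSO was set
#    up, (b) it is a Tier-0 credential, (c) the key should be rolled regularly
#    (Microsoft guidance: at least every 30 days, via Update-AzureADSSOForest).
$sso = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet, ServicePrincipalName
if (-not $sso) {
    'AZUREADSSOACC not found: Seamless SSO was not enabled for this forest.'
} else {
    $ageDays = [int]((Get-Date) - $sso.PasswordLastSet).TotalDays
    'AZUREADSSOACC present; SPNs: {0}; Kerberos key age: {1} days' -f ($sso.ServicePrincipalName -join ', '), $ageDays
    if ($ageDays -gt 30) { 'WARNING: roll the SSO Kerberos decryption key (Update-AzureADSSOForest).' }
}

# 5. Trigger a delta sync on demand instead of waiting for the next cycle.
# Start-ADSyncSyncCycle -PolicyType Delta
```

Step 4 is also worth scheduling as a recurring check: a stale AZUREADSSOACC key is easy to miss because nothing in the portal flags it.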