Azure Active Directory ~ Manage Identities Chapter 3 | PTA and AAD Connect

In this article, we will take a deeper look at PTA (Pass-through Authentication), MFA (Multi-factor Authentication) and AAD Connect. AAD Connect is the component that connects Azure AD to the in-house Active Directory, and it brings a large set of optional features with it. We'll cover all of those in this article.

Pass-through authentication (PTA)

[Figure: Pass-Through Authentication (PTA) diagram. Cloud sign-on from Your Apps and Office 365 goes to Azure Active Directory; the password is validated with the on-premises Active Directory, with optional password writeback.]

Here are a few key points -

  • In PTA, whenever an application wants to authenticate a user, Azure AD forwards the credential check to the on-premises AD, which validates the password.
  • Users can sign in to on-premises and cloud-based applications with the same password.
  • If password writeback is enabled and the password is changed in AAD, the change is written back to the on-premises AD.
  • Plan for high availability, in case the on-premises AD is not working.


Things you can do after installing AAD Connect


  • Privacy settings: enable/disable application telemetry (sending usage data to Microsoft).
  • View current configuration: nothing can be changed from here.
  • Customize synchronization options: add new Active Directory forests, domain/OU filtering, and optional features -
    • Exchange hybrid deployment
    • Exchange mail public folders
    • Azure AD app and attribute filtering
    • Password hash synchronization
    • Password writeback
    • Group writeback
    • Device writeback
    • Directory extension attribute sync
  • Three basic accounts are created during the installation of AAD Connect -
    • Msol_<random>: used for read/write operations in the Windows Server AD
    • Sync_<random>: used for read/write operations in Azure AD
    • Service account (the AAD sync account)
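The following PowerShell is an added example (it is not from this article or from Microsoft's documentation) that inspects an existing AAD Connect installation from the defender's side: which of the optional features listed above are enabled, whether the sync scheduler is healthy, which connectors exist, and which MSOL_ connector accounts exist in the on-premises AD. It assumes it runs on the AAD Connect server with the ADSync module (installed with AAD Connect) and the ActiveDirectory RSAT module available, and that the on-premises connector account follows the MSOL_<random> naming shown above.

```powershell
# Added example, not part of the original article. Run in an elevated session on
# the AAD Connect server. Assumes the ADSync and ActiveDirectory modules are present.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Optional features enabled for the tenant (password hash sync, device and
#    group writeback, and so on). Each property is a boolean.
Write-Host '== Optional features =='
Get-ADSyncAADCompanyFeature | Format-List

# 2. Scheduler state: is the sync cycle enabled, how often does it run, and is the
#    server in staging mode (a staging server exports nothing to AAD or AD)?
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled = $sched.SyncCycleEnabled
    IntervalMinutes  = $sched.CurrentlyEffectiveSyncCycleInterval.TotalMinutes
    NextCycleType    = $sched.NextSyncCyclePolicyType
    NextCycleUtc     = $sched.NextSyncCycleStartTimeInUTC
    StagingMode      = $sched.StagingModeEnabled
    Suspended        = $sched.SchedulerSuspended
} | Format-List

# 3. Connectors: one for each on-premises forest plus one for the Azure AD tenant.
Write-Host '== Connectors =='
Get-ADSyncConnector | Select-Object Name, Type | Format-Table -AutoSize

# 4. On-premises connector accounts. AAD Connect writes into the Description
#    attribute which server created the account, so an MSOL_ account whose
#    description names a server that no longer exists is worth investigating,
#    as is one with a very old PasswordLastSet.
Write-Host '== MSOL_ connector accounts in AD =='
Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' `
    -Properties Description, PasswordLastSet, LastLogonDate, Enabled |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate, Description |
    Format-List
```

Step 4 is the one worth scheduling: because the MSOL_ account can read and write the on-premises directory, an orphaned or stale copy of it should be disabled once it is confirmed that no AAD Connect server still uses it.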


Multi-factor Authentication (MFA) overview


There are two versions of MFA -

  • MFA in the cloud: cloud-only users and apps can use this.
  • MFA Server on-premises: for hybrid deployments (MFA servers on-premises).

MFA in the cloud is itself divided into three versions -

  • Multi-factor authentication for Office 365 or Microsoft 365 Business.
  • Multi-factor authentication for Azure AD Global Administrators.
  • Azure Multi-Factor Authentication (known as the full version).

Configuring MFA - 

Go to MFA inside AAD and select the user(s) for MFA. Click Enforce to require those users to configure app passwords for legacy apps (apps that don't support MFA).

Manage user settings -

  • Require selected users to provide contact methods again.
  • Delete all existing app passwords generated by the selected users.
  • Restore multi-factor authentication on all remembered devices.
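The per-user MFA operations described above (selecting users, enforcing MFA, and requiring users to register contact methods again) can also be scripted. The following is an added example, not code from this article or from Microsoft; it assumes the MSOnline PowerShell module and a `Connect-MsolService` session with an account that may manage users, and `user@contoso.example` is an assumed placeholder UPN.

```powershell
# Added example, not part of the original article. Requires the MSOnline module.
Import-Module MSOnline
Connect-MsolService

# Report the per-user MFA state of every user. StrongAuthenticationRequirements
# is empty when MFA is Disabled; otherwise its State is 'Enabled' or 'Enforced'.
function Get-PerUserMfaReport {
    Get-MsolUser -All | ForEach-Object {
        $req = $_.StrongAuthenticationRequirements
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
            # Registered contact methods, e.g. PhoneAppNotification, OneWaySMS
            Methods           = ($_.StrongAuthenticationMethods |
                                     ForEach-Object { $_.MethodType }) -join ','
        }
    }
}

# Users that still have MFA Disabled are the ones to review first.
Get-PerUserMfaReport | Where-Object MfaState -eq 'Disabled' | Format-Table -AutoSize

# Enforce MFA for one user (the "Enforce" action described above). After this,
# legacy apps that cannot do MFA need an app password for that user.
$targetUpn = 'user@contoso.example'   # assumed placeholder
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enforced'
Set-MsolUser -UserPrincipalName $targetUpn -StrongAuthenticationRequirements @($req)

# "Require selected users to provide contact methods again": clearing the
# registered methods forces the user through registration at next sign-in.
Set-MsolUser -UserPrincipalName $targetUpn -StrongAuthenticationMethods @()
```

The MSOnline module is being retired by Microsoft in favour of the Microsoft Graph PowerShell SDK, so treat the cmdlets above as the legacy route that matches the portal actions this article describes.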

Manage Azure MFA -

The Azure MFA management console offers many settings. A few examples are -

  1. Account lockout
  2. Block/unblock users
  3. Fraud alerts
  4. Notifications
  5. Phone call settings, etc.


This covers the very basics of PTA, AAD Connect, and MFA. We'll cover more in upcoming articles. You can sign up for updates on our article postings.