Azure Active Directory Connect (AADC) Part 2— Pass-Through Authentication(PTA)

Configure AADC to Synchronize Windows AD to AAD via PTA

If you have followed through the steps, your AADC should be using PHS. The only way to configure AADC to use PTA is by reinstalling the AADC, to go through AADC installation user interface again.

  • Uninstall AADC
  • Download AADC installation execution again here if you have not
  • Once you agree the terms on the first page of the AADC installation user interface, you could select “Customize”
  • Select “Install” unless you have existing services ready for the implementation
  • Choose “Pass-through authentication” → select “Next”
  • Put down AAD Global Administrator credential
  • Put down Windows AD Enterprise Admin credential
  • Check “Continue with matching all UPN suffixes to verified domains” as our internal domain name is not verified on AAD and it should not be.
  • Select “Sync all domains and OUs” or “Sync selected domains and OUs”
  • If users are unique in the Windows AD forest, just use the default selection. Otherwise, choose accordingly.
  • Select “Synchronize all user and devices” unless other concerns
  • Select the optional features accordingly.
  • PHS here is acting as a backup option when PTA is not working. For example, AADC agent server lost connectivity and users are not able to authenticate themselves on Azure. If you have PHS as optional feature, there would be hashed content of each user’s password stored on the cloud, so users could use the existing data to authenticate themselves.
  • Password writeback allows users to change Windows AD users’ password from the cloud, but this would need extra attention on Windows AD group policy around password management.
  • When logging in on Azure portal, please remember to use Windows AD user credential with alternate domain suffix. If you are not clear how to do this, please refer to AADC Part 1 — PHS article. Inside the section of prerequisite steps, you would find the how to achieve this.
  • Check Azure AD Connect section, you should see “Pass-through authentication” showing “Enabled”
  • On AADC agent server, you could see a new service being created



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



Learning new things about Kubernetes every day. Hopefully, the learning notes could help people on the same journey!