Q. What is Azure AD Pass-through Authentication?

A. Traditionally there have been two authentication options for Azure AD:

  • Authenticate in Azure by having the passwords for accounts stored in Azure AD (for on-premises replicated accounts, a hash of the password hash is replicated to Azure AD by Azure AD Connect)
  • Authenticate on-premises by federating Azure AD with on-premises AD, which requires a federation solution, such as ADFS, deployed on-premises

The new Azure AD Pass-through Authentication is a feature of the new Azure AD Connect that lets authentication requests to Azure AD be performed against on-premises Active Directory without deploying federation infrastructure. When an authentication is required, the request is placed on a queue with the username/password entered. The agent that runs on-premises checks the queue, takes the request (fully encrypted during transport), then responds with success or failure.

More information can be found at https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication.