The identity model for Azure Active Directory and all of its connected services has been adapting to customer needs for years. The first approach for most organizations was to use federated identities, which required a significant investment to meet availability requirements: if the federation infrastructure is unavailable, nobody signs in. However, this approach offered all of the valuable options like multi-factor authentication, conditional access, and single sign-on.
Next came Password Synchronization. This gave smaller organizations, and others that don't want to manage a federation infrastructure, the ability to use the same credentials as on-premises Active Directory. It raises some security concerns because a hashed copy of the password is stored in the cloud, and it isn't single sign-on and lacks the other capabilities of federation.
Azure Active Directory Premium offers many of the advanced capabilities that federated identities offer, such as multi-factor authentication and conditional access, with the exception of single sign-on.
Finally, Azure AD Pass-Through Authentication is now generally available. Combined with Azure Active Directory Premium, the features available with federated identities are now available entirely without the federation infrastructure requirements.
There are basically three components:
1. Connector agent: an agent is installed, first on the Azure AD Connect system, and additional agents can be installed on domain controllers (I envision that this just becomes a feature of domain controllers in the future).
2. A queue: an authentication queue, or pipeline, is created in the cloud. The connector reaches out from your network and processes authentication requests from the queue.
3. Seamless sign-on: a domain-joined computer with some Azure AD URLs added to its intranet zone list signs on with its Kerberos ticket.
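The seamless sign-on item depends on the Azure AD endpoint being in the Local Intranet zone on each domain-joined workstation, which is easy to get wrong across many machines. The following is an added example (not from the original post or from Microsoft) that checks both places such an entry can live: the Group Policy "Site to Zone Assignment List" key and the per-user zone map written when the URL is added manually. It assumes the Seamless SSO endpoint is https://autologon.microsoftazuread-sso.com and that zone number 1 means Local Intranet.

```powershell
# Added verification example: report whether the Seamless SSO endpoint is mapped
# to the Local Intranet zone on this machine. Assumed endpoint name below.
$SsoHost  = 'autologon.microsoftazuread-sso.com'   # assumption: documented SSO host
$SsoUrl   = "https://$SsoHost"
$Intranet = 1                                      # zone number for Local Intranet

function Test-SeamlessSsoZone {
    $found = @()

    # 1. Group Policy "Site to Zone Assignment List" stores name = URL, data = zone
    #    under ZoneMapKey in the machine and/or user Policies hive.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($name in $props.PSObject.Properties.Name) {
                if ($name -eq $SsoUrl -and [int]$props.$name -eq $Intranet) {
                    $found += "$key ($name = $($props.$name))"
                }
            }
        }
    }

    # 2. Manual entry via Internet Options lands in the per-user zone map:
    #    ...\ZoneMap\Domains\<domain>\<host> with a DWORD named after the scheme.
    $parts     = $SsoHost.Split('.')
    $domain    = $parts[-2..-1] -join '.'                    # microsoftazuread-sso.com
    $hostLabel = $parts[0..($parts.Length - 3)] -join '.'    # autologon
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    if (Test-Path $key) {
        $v = (Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue).https
        if ($v -eq $Intranet) { $found += "$key (https = $v)" }
    }

    # Configured = $false means Kerberos-based seamless sign-on will silently fall
    # back to an interactive prompt on this workstation.
    [pscustomobject]@{
        Url        = $SsoUrl
        Configured = ($found.Count -gt 0)
        Sources    = $found
    }
}

Test-SeamlessSsoZone | Format-List
```

Run it under the signing-in user's context, since the per-user zone map and the HKCU policy key are only visible from that profile.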
Beyond the reduced infrastructure, which is significant (redundant servers, redundant datacenters, all load balanced), it also requires no special firewall rules or certificates to be acquired, because all communication is outbound from your connectors.