Microsoft recently announced Seamless Sign On with Azure AD for Password Sync or Pass Through Authentication (PTA) organizations. SSO allows users on domain-joined computers which can contact a domain controller to authenticate with Azure AD via ADAL without typing in their password. The end user experience is very similar to that of an organization that has federated with Azure AD via AD FS or other SAML system.
Existing Password Sync organizations do not need to deploy the new PTA agent to enable SSO. PTA allows for Azure AD authentication without copying password hashes to Azure AD. Additional pros and cons of PW Sync vs PTA are below.
Deployment of SSO is exceptionally easy, and is done in the AAD Connect setup wizard. SSO is enabled with the same process regardless of PTA or PW Sync. Multiple forests are supported if they have trusts between them.
After configuring SSO in AAD Connect, workstations need to have two sites added to their Intranet Security Zone, which can be done easily via Group Policy:
When SSO is enabled a computer account is created in AD called AZUREADSSOACCT. The on premises Kerberos decryption key is securely sent to Azure AD, and two SPNs are created in the domain.
The below table compares PW Sync to Pass Through Authentication, and does not consider Seamless Sign On, which is equally available for either method.
|Auth Option||PW Sync||Pass Through Authentication|
|Deployment Complexity||Very low. Express configuration requires no additional config. Custom configuration requires two domain permissions granted for the service account||Very Low. Can be deployed as part of AAD Connect configuration. HA can be achieved by deploying additional agents, which has minimal increase in complexity|
|Dependency||A full on-premises outage would not affect PW Sync. The most recent passwords sent to Azure AD would remain in effect during an outage||Connectivity to at least one PTA agent on-premises is required. In the event of an outage for AD and/or all PTA agents, sign in would cease to work|
|Supported Clients||All clients including Office 2013, 2016, browsers, Activesync, etc||Only Modern Auth clients and browsers, which does not include ActiveSync and Office 2013 in non-modern-auth mode. Note that PW Sync can be configured as a failback for those clients|
|Availability||Only one AAD Connect instance running PW Sync can be Active, but Staging instances can be deployed and quickly (manually) turned on in the event of a disaster. Note that all previously synced passwords would continue to function if the Active AAD Connect server became unavailable||Multiple PTA agents can be deployed and Active for HA. Agents need only outbound connectivity and access to a Domain Controller, so they can be placed in separate datacenters from one another|
|Speed||Passwords sync from AD on premises to Azure AD in less than 3 minutes, however user accounts that are disabled/blocked on premises won’t be blocked in Azure AD until the next sync cycle, which is 30 minutes or less by default||Users who are disabled/blocked on premises are immediately blocked in Azure AD, as every authentication request is validated by a PTA agent directly against a DC in realtime|
Reference article for more info and screenshots: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect-sso