Implementing Pass-Through Authentication (PTA) with PHS Fallback - Hybrid Identity
If you are managing Microsoft Entra ID (formerly Azure AD) in a hybrid environment, getting your on-premises Active Directory users synced to the cloud is usually step one. Many engineers start by enabling Password Hash Synchronization (PHS). It is fast, reliable, and handles authentication completely in the cloud.
But what if your security compliance team demands that all authentications be validated against your on-premises domain controllers in real-time? What if you need local Active Directory logon hours or account lockouts enforced instantly in the cloud?
That is where Pass-Through Authentication (PTA) comes in.
In this walkthrough, we are going to look at how to upgrade an existing Entra Connect setup from PHS to PTA, while keeping PHS running in the background as a high-availability disaster recovery mechanism.
The Architecture: Why Both?
It might seem redundant to run both PTA and PHS, but Microsoft highly recommends this architecture.
The Primary Engine (PTA): Handles live, day-to-day logins. When a user tries to access the Azure portal or Microsoft 365, the cloud hands the request down to a lightweight PTA agent installed on your local server. That agent validates the password directly against your local Active Directory.
The Safety Net (PHS): If your company internet drops, or your local servers go offline, the PTA agents can no longer communicate with the cloud. In this scenario, Entra ID automatically detects the timeout and falls back to checking the hashed passwords it synced via PHS. Your users keep working seamlessly during a local outage.
The Golden Rule: UPN Matching
Before touching your Entra Connect server, you must ensure your environment meets the most critical prerequisite for PTA: A perfect 1:1 UPN match.
Because PTA validates passwords in real-time, it passes the exact cloud login name directly down to your local Active Directory.
Let's say your custom domain is labson.cloud. If your test user is syncing to the cloud as user12@labson.cloud, the UPN suffix of their on-premises Active Directory account (the dropdown next to the user logon name on the Account tab of the account properties) must also be explicitly set to @labson.cloud.
If the suffixes match perfectly, PTA will process the login flawlessly.
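Before flipping the switch, it is worth auditing every enabled account for the 1:1 UPN rule rather than checking users one at a time. The following PowerShell is an added example (not part of the original post); it assumes the ActiveDirectory RSAT module is installed, uses the article's verified domain labson.cloud, and the search base OU is a hypothetical value you should adjust to your forest.

```powershell
# Added example: audit on-premises UPN suffixes before enabling PTA.
# Assumes the ActiveDirectory module; the OU below is hypothetical - adjust it.
Import-Module ActiveDirectory

$VerifiedDomain = 'labson.cloud'                 # verified custom domain in Entra ID
$SearchBase     = 'OU=Users,DC=labson,DC=cloud'  # hypothetical search base

# Only enabled users matter for sign-in; pull just the attributes we need.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
          -Properties UserPrincipalName, SamAccountName

$report = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if ([string]::IsNullOrWhiteSpace($upn)) {
        # No UPN at all: PTA has nothing to match the cloud sign-in name against.
        $status = 'MISSING_UPN'
    }
    else {
        # The suffix after '@' must equal the verified domain (case-insensitive).
        $suffix = $upn.Split('@')[-1]
        $status = if ($suffix -ieq $VerifiedDomain) { 'OK' } else { 'SUFFIX_MISMATCH' }
    }
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $upn
        Status            = $status
    }
}

# Show only the accounts that would fail the 1:1 UPN rule once PTA is live.
$problems = @($report | Where-Object { $_.Status -ne 'OK' })
$problems | Format-Table -AutoSize
'{0} of {1} enabled users need a UPN fix before enabling PTA' -f $problems.Count, @($report).Count
```

Any account listed as SUFFIX_MISMATCH or MISSING_UPN will fail PTA validation even though it may have been signing in happily under PHS, so fix these before running the wizard.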
Step-by-Step: Flipping the Switch to PTA
Assuming you already have Microsoft Entra Connect Sync running with Password Hash Sync, you do not need to uninstall or rebuild anything. You simply modify the existing configuration "in-flight."
Launch the Wizard
Log into the Windows Server hosting your Entra Connect engine. Open the Microsoft Entra Connect application from your desktop or Start menu and click Configure.
Modify the Sign-in Method
Under the "Additional tasks" list, select Change user sign-in and click Next. You will be prompted to enter your cloud-only Global Administrator credentials to authorize the architecture change.
Select Pass-Through Authentication
On the User Sign-in page, change the selected radio button from Password Hash Synchronization to Pass-through authentication.
Install the Agent
The wizard will prompt you for your local Enterprise Admin credentials (e.g., for labson.cloud). The system uses these credentials to automatically download, install, and register the lightweight PTA agent onto this server.
Verify and Apply
On the Ready to Configure page, review the summary. You should notice a crucial detail: the wizard notes that PTA is being enabled, but it explicitly shows that Password Hash Sync will remain active. Click Configure to finalize the setup.
Verifying the Magic
Once the configuration finishes, it is time to prove the architecture works.
Check the Cloud Status
Log into the Microsoft Entra Admin Center and navigate to Identity > Hybrid Management > Microsoft Entra Connect > Connect Sync.
Under the Pass-through authentication section, the status should read Enabled. Clicking on that status will reveal your local server listed as an Active Agent.
The Failover Test
The best way to validate this setup is to break it intentionally:
1. Open an incognito browser window and log into portal.azure.com using your test credentials (user6@labson.cloud). It should let you right in via the local PTA agent.
2. Now, go to your Entra Connect server, open services.msc, and manually stop the Microsoft Entra Connect Authentication Agent service. You have just simulated a server crash.
3. Open a fresh incognito window and try to log in again.
You will notice a slight delay as Azure attempts to reach your local network. When it fails, it will seamlessly fall back to the cloud-stored hash, and log you in anyway.
Ways to Verify PTA is Processing Local Logins
1. The Instant Disable Test
Because PTA checks credentials in real-time, it bypasses the standard 30-minute sync delay.
Log into Azure with your test user, then sign out.
On your local Domain Controller, right-click the user in Active Directory and select Disable Account.
Try logging into Azure again. It will be instantly blocked, proving Azure is checking your local server live.
2. The Event Viewer Test
You can watch the local server process the cloud request.
On your PTA server, open Event Viewer and navigate to:
Applications and Services Logs > Microsoft > AzureAdConnect > AuthenticationAgent > Admin. Clear the log, then log into Azure with your test user.
Refresh Event Viewer. You will immediately see a log confirming the local credential validation.
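The failover test and the Event Viewer test above can both be driven from a PowerShell prompt on the Entra Connect server, which is handy when you want to repeat the check after each change. This is an added example, not code from the original post: the agent service is matched by its display name as given in the article, and the event channel is located by wildcard because its exact channel name (under Applications and Services Logs > Microsoft > AzureAdConnect > AuthenticationAgent > Admin) is an assumption rather than something the post states.

```powershell
# Added example: inspect the PTA agent service and its Admin event channel.
# Run on the Entra Connect server in an elevated PowerShell session.

# 1. Confirm the agent service exists and report its state. Display name matched
#    by wildcard so both the Entra and the older Azure AD naming are caught.
$svc = Get-Service | Where-Object {
    $_.DisplayName -like '*Entra Connect Authentication Agent*' -or
    $_.DisplayName -like '*Azure AD Connect Authentication Agent*'
} | Select-Object -First 1
if (-not $svc) { throw 'No PTA authentication agent service found on this host.' }
'{0} is {1}' -f $svc.DisplayName, $svc.Status   # Stopped here means the failover test is in progress

# 2. Locate the agent's Admin channel. The channel name is assumed to follow the
#    Event Viewer folder path, so it is discovered by wildcard, not hard-coded.
$channel = Get-WinEvent -ListLog '*AzureADConnect*AuthenticationAgent*Admin*' `
             -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $channel) { throw 'Authentication agent Admin event channel not found.' }
'Reading channel: {0} ({1} records)' -f $channel.LogName, $channel.RecordCount

# 3. Show the most recent events. After a test sign-in, the entry confirming the
#    local credential validation should appear at the top of this list.
Get-WinEvent -LogName $channel.LogName -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

If the service reports Stopped while the test user can still sign in, the PHS hash is what authenticated them; once you start the service again, a new sign-in should produce a fresh entry in the channel.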
3. The Entra ID Sign-In Logs
Azure explicitly records the method used for every login.
In the Entra Admin Center, go to Users, select your test user, and click Sign-in logs.
Click your recent login and go to the Authentication Details tab.
The "Authentication Method" column will explicitly state Pass-through authentication.
Conclusion
By layering Pass-Through Authentication over Password Hash Sync, you bridge the gap between strict on-premises security compliance and high-availability cloud resilience. It takes less than ten minutes to configure but provides an enterprise-grade identity foundation for your entire organization.