Setting up Azure AD Pass-through authentication with Azure AD Connect
Today Microsoft released a public preview of Pass-through authentication for Azure AD, which allows SSO against Azure Active Directory without the hassle of Active Directory Federation Services, certificates, and public IP addresses. You can download the new version here: https://www.microsoft.com/en-us/download/details.aspx?id=47594
A couple of cool things sit behind this concept: the Pass-through authentication module is part of Azure AD Connect, but it actually leverages the Azure Application Proxy component, which Azure AD uses to give external remote access to web-based applications.
So how does it work?
First off, once synchronization is set up, when a user from domain1 wants to access something in Azure AD, Azure AD looks at the domain name and challenges the client, via a 401, to provide a Kerberos ticket. It connects to Active Directory using the Application Proxy component and verifies the authentication against Active Directory. The client then sends the Kerberos ticket it acquired from Active Directory to Azure AD.
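When troubleshooting this flow it helps to confirm that the client really answered the 401 challenge with a Kerberos ticket, since HTTP Negotiate can also carry NTLM. The following is an added example, not code from the original post or from Microsoft: a heuristic classifier for the `Authorization: Negotiate` header value, where the function names and the sample tokens are constructed for illustration.

```python
import base64
import binascii

# DER-encoded OIDs as they appear inside GSS-API / SPNEGO tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"

def classify_negotiate(authorization_header):
    """Byte-pattern heuristic (not a full ASN.1 parser) for the token a
    client sends in reply to a 401 'WWW-Authenticate: Negotiate' challenge."""
    scheme, _, blob = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"                      # raw NTLM, no Kerberos ticket
    if not token.startswith(b"\x60"):      # GSS-API initial token tag
        return "unknown"
    head = token[:128]                     # mechanism OIDs sit up front
    if OID_SPNEGO in head and NTLM_SIGNATURE in token:
        return "ntlm-in-spnego"            # SPNEGO wrapper around NTLM
    if OID_KRB5 in head or OID_MS_KRB5 in head:
        return "kerberos"
    return "unknown"

def make_header(token):
    """Build an Authorization header value from raw token bytes."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

# Constructed, truncated sample tokens (not captured traffic).
SAMPLE_KERBEROS = (b"\x60\x82\x05\x00" + OID_SPNEGO + b"\xa0\x82\x04\xf0\x30\x82\x04\xec"
                   + b"\xa0\x18\x30\x16" + OID_MS_KRB5 + OID_KRB5 + b"\x00" * 16)
SAMPLE_NTLM = NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 8
SAMPLE_WRAPPED_NTLM = b"\x60\x40" + OID_SPNEGO + b"\xa0\x36\x30\x34" + SAMPLE_NTLM

if __name__ == "__main__":
    for name, tok in [("kerberos", SAMPLE_KERBEROS), ("ntlm", SAMPLE_NTLM),
                      ("wrapped", SAMPLE_WRAPPED_NTLM)]:
        print(name, "->", classify_negotiate(make_header(tok)))
```

A result of `ntlm` or `ntlm-in-spnego` means the client did not present a Kerberos ticket for that request.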
Setting up Azure AD Connect with this extension is pretty simple: just select Pass-through authentication during the wizard and enable Single sign-on.
via Marius Sandbu.