Glossary
Pass-Through Authentication
A hybrid identity authentication method that validates passwords against on-prem AD without syncing hashes.
Pass-Through Authentication (PTA) is a hybrid identity authentication method where password validation happens against on-premises Active Directory, not in Entra ID. PTA agents installed on on-prem servers receive authentication requests from Entra ID, validate them against AD, and return the results. No password hashes (or hashes-of-hashes) are stored in Entra. PTA is useful for organisations with policy requirements that passwords stay on-prem (some regulatory regimes interpret this strictly). The downside is that the agents must be online for any user sign-in. Microsoft's recommended approach for hybrid identity is Password Hash Sync, for resilience; PTA exists for the cases that genuinely need it.