Azure Active Directory Pass-through authentication, or simply PTA, is a great feature, designed to close the gap between the “same sign-on” and “seamless single sign-on” experience. In other words, it gives you the same end-user experience as AD FS, and it ensures that passwords are validated against your on-premises AD, without the overhead of a typical AD FS deployment. When the feature was first released in Public Preview at the end of 2016, one major limitation existed, namely that only applications that supported Modern authentication could leverage PTA.
Now, in July 2018, the feature has been updated to support legacy authentication protocols and applications. Here are the relevant bits from the Azure AD Changelog:
Pass-through Authentication now supports legacy protocols and apps. The following limitations are now fully supported:
- User sign-ins to legacy Office client applications, Office 2010 and Office 2013, without requiring modern authentication.
- Access to calendar sharing and free/busy information in Exchange hybrid environments on Office 2010 only.
- User sign-ins to Skype for Business client applications without requiring modern authentication.
- User sign-ins to PowerShell version 1.0.
- The Apple Device Enrollment Program (Apple DEP), using the iOS Setup Assistant.
While the notes above don’t explicitly mention protocols such as POP3, IMAP or Exchange ActiveSync, the AAD PTA Current limitations article has been updated to state the following:
The following scenarios are supported:
- User sign-ins to web browser-based applications.
- User sign-ins to Outlook clients using legacy protocols such as Exchange ActiveSync, EAS, SMTP, POP and IMAP.
- User sign-ins to legacy Office client applications and Office applications that support modern authentication: Office 2010, 2013 and 2016 versions.
- User sign-ins to legacy protocol applications such as PowerShell version 1.0 and others.
- Azure AD joins for Windows 10 devices.
- App passwords for Multi-Factor Authentication.
As support for legacy authentication scenarios was probably the biggest blocker for most organizations with regard to embracing PTA, we should see an increase in PTA adoption and a big decrease in AD FS usage in the Azure AD login statistics Microsoft will share next month at Ignite. The last time such statistics were shared, the number of AD FS logins was almost at the 50% mark; my bet for this year’s stats is 30% or so 🙂