Pass-through authentication and seamless SSO

Azure AD pass-through authentication provides an alternative to Azure AD password hash synchronization and to a local ADFS infrastructure, provided that all claims-based applications are connected to Azure AD. With this service, Microsoft offers the ability to reduce the on-premises complexity and operational overhead of ADFS. Furthermore, in combination with password hash synchronization, customers get a redundant and flexible authentication environment. You are also able to include password protection features for your local Active Directory.

Pass-through authentication supports Azure AD conditional access policies, Azure MFA, and the blocking of legacy authentication to secure your organization's or your customers' environment. The communication between the on-premises agent and the Azure AD service is protected with certificate authentication. The feature supports multi-forest infrastructures if forest trusts are in place and UPN-suffix routing is configured correctly. In combination with seamless SSO, users get a native SSO experience and are automatically signed in to on-premises and cloud-based applications.

The following components are involved in the user sign-in process:

  • Azure AD STS: Stateless security token service (STS) that processes sign-in requests and issues security tokens
  • Azure Service Bus: Communication component between the cloud and on-premises
  • Azure AD Connect Authentication Agent: Listener and responder for password validation requests
  • Azure SQL Database: Storage for the authentication agents associated with a tenant
  • Active Directory: Store for local user accounts and passwords

Let's look at the following diagram to understand how the service works when a user accesses the Outlook web app:

Pass-through authentication flow
Deep-dive information about the service can be found at the following source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-security-deep-dive

The flow runs with the following steps:

  1. The user tries to access the Outlook web app
  2. If the user is not signed in, they are redirected to the Azure AD sign-in page
  3. The user enters their username and selects Next
  4. The user enters their password and selects Sign In
  5. Azure AD receives the sign-in request and puts the username and password, encrypted with the public key of the authentication agents, in a queue
  6. The on-premises authentication agent retrieves the encrypted credentials from the queue; the agent retrieves requests over a pre-established and persistent connection
  7. The agent decrypts the password with its private key
  8. The agent validates the username and password against the local Active Directory, as ADFS would
  9. The domain controller evaluates the request and responds to the agent with the result
  10. The agent responds back to Azure AD
  11. Azure AD validates the answer: the user is signed in or Azure MFA is executed
  12. If all works fine, the user is signed in
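The queue-and-agent exchange described in the steps above, as an added Go simulation that is not the page's or Microsoft's code. It assumes an RSA key pair standing in for the agent's certificate, a channel standing in for the Service Bus queue, and a constructed username/password map standing in for Active Directory; the names Request, Agent, EnqueueSignIn and Validate are chosen here.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)
// Request is one queued sign-in: username in the clear, password encrypted to the agent.
type Request struct {
	Username  string
	EncPasswd []byte
}
// Agent is one on-premises agent; directory is a constructed stand-in for AD.
type Agent struct {
	key       *rsa.PrivateKey
	directory map[string]string
}
func NewAgent(directory map[string]string) (*Agent, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the agent certificate
	if err != nil {
		return nil, err
	}
	return &Agent{key: key, directory: directory}, nil
}
func (a *Agent) PublicKey() *rsa.PublicKey { return &a.key.PublicKey }
// EnqueueSignIn is the Azure AD side: RSA-OAEP encrypt for this agent, then queue.
func EnqueueSignIn(q chan<- Request, pub *rsa.PublicKey, user, pass string) error {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pass), nil)
	if err != nil {
		return err
	}
	q <- Request{Username: user, EncPasswd: enc}
	return nil
}
// Validate is the agent side: decrypt, compare in constant time, return only a verdict.
func (a *Agent) Validate(req Request) bool {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.key, req.EncPasswd, nil)
	if err != nil {
		return false
	}
	stored, ok := a.directory[req.Username]
	return ok && subtle.ConstantTimeCompare(plain, []byte(stored)) == 1
}
func main() {
	agent, _ := NewAgent(map[string]string{"alice": "Tr0ub4dor&3"}) // constructed user
	q := make(chan Request, 1)
	_ = EnqueueSignIn(q, agent.PublicKey(), "alice", "Tr0ub4dor&3")
	fmt.Println("alice signed in:", agent.Validate(<-q)) // prints true
}
```

Note that the queue and Azure AD only ever handle ciphertext and a yes/no verdict; a request encrypted for one agent cannot be opened by another agent's private key.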

To choose the best option for your hybrid authentication solution, the following source can help you with your decision: https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn.
