Azure AD pass-through authentication offers the same capability as Azure AD password hash synchronization. Users can log in to their Azure resources as well as on-premises resources using the same credentials. The difference is that the passwords don't sync with Azure AD using pass-through authentication. The passwords are validated using the on-premises Active Directory and are not stored in the Azure AD at all.

This method is suitable for organizations that have security and compliance restrictions and aren't allowed to send usernames and passwords outside the on-premises network. Pass-through authentication requires an agent to be installed on a domain-joined Windows server that resides inside the on-premises environment. This agent then listens for password validation requests and only makes an outbound connection from within your network. It also offers support for multi-factor authentication (MFA) and Azure AD Conditional Access policies.

Azure AD pass-through authentication offers Azure AD Seamless SSO as well.

In the next section, we are going to install Azure AD Connect and synchronize some on-premises users to Azure.