Password Hash Synchronization and Pass-Through Authentication
Password Hash Synchronization (PHS) and Pass-Through Authentication (PTA) are two key authentication methods used in Microsoft hybrid identity environments to bridge on-premises Active Directory with Azure Active Directory (Azure AD, now Microsoft Entra ID).

**Password Hash Synchronization (PHS):** PHS is the simplest method of enabling authentication for hybrid identity. Azure AD Connect reads the user's on-premises AD password hash and synchronizes a salted, further-hashed derivative of it to Azure AD. When a user signs into a cloud service, Azure AD validates the submitted password against that stored value. The plaintext password never leaves the on-premises environment, and neither does the raw AD hash; only the derived hash of the hash is transmitted. PHS enables leaked credential detection, because Azure AD can test username and password pairs found in public breach dumps against the stored hashes. It can also be enabled as a fallback for PTA or federation and supports seamless single sign-on (SSO). PHS synchronizes password hashes approximately every two minutes.

**Pass-Through Authentication (PTA):** PTA validates passwords in real time against on-premises Active Directory. When a user authenticates to Azure AD, the password is encrypted with the public key of the on-premises authentication agents and placed in a queue. A lightweight on-premises agent retrieves the encrypted credential over an outbound connection, decrypts it, and validates it directly against Active Directory. The result (success, or failure with the reason) is sent back to Azure AD. Passwords are never stored in the cloud in any form; the encrypted value exists only transiently in the queue. PTA enforces on-premises account policies such as logon hours, disabled or locked accounts, and password expiration in real time.
**Key Differences:** PHS stores password hashes in Azure AD and works even if on-premises infrastructure is unavailable, providing higher availability. PTA requires at least one on-premises agent to be running and validates credentials in real time, enforcing on-premises policies immediately. Organizations with strict regulatory requirements that prohibit any form of password storage in the cloud typically prefer PTA, while PHS is recommended for its simplicity and advanced security features like Identity Protection.
Password Hash Synchronization & Pass-Through Authentication: A Complete SC-300 Guide
Why This Topic Is Important
Password Hash Synchronization (PHS) and Pass-Through Authentication (PTA) are two of the most critical authentication methods in hybrid identity environments. For the SC-300 (Microsoft Identity and Access Administrator) exam, understanding these two methods—how they work, when to use them, and how they differ—is essential. Microsoft frequently tests candidates on their ability to choose the correct authentication method based on organizational requirements, security posture, and infrastructure constraints. Mastering these concepts not only helps you pass the exam but also equips you to design secure, resilient identity solutions in real-world scenarios.
What Is Password Hash Synchronization (PHS)?
Password Hash Synchronization is a sign-in method that synchronizes a hash of a user's on-premises Active Directory password to Azure Active Directory (Azure AD / Microsoft Entra ID). It is one of the simplest ways to enable authentication for hybrid identity scenarios.
Key characteristics of PHS:
- Azure AD Connect extracts the password hash from on-premises Active Directory.
- The password hash is salted and further hashed (PBKDF2 with HMAC-SHA256) before being sent to Azure AD. Neither the plaintext password nor the raw AD hash is ever transmitted or stored in the cloud.
- Authentication is performed entirely by Azure AD—there is no dependency on on-premises infrastructure at sign-in time.
- PHS runs as a background process every 2 minutes by default via Azure AD Connect.
- It enables features like leaked credential detection through Microsoft Entra ID Protection, which checks username and password pairs found in public breach dumps and on the dark web against the synchronized hashes. This is why the feature needs PHS: without a synchronized hash there is nothing in the cloud to test a leaked password against.
- PHS can be enabled alongside federation or pass-through authentication as a fallback sign-in method. Failover is not automatic: if the PTA agents or AD FS become unavailable, an administrator must switch the tenant's sign-in method to PHS in Azure AD Connect, so that switch should be planned and rehearsed in advance.
What Is Pass-Through Authentication (PTA)?
Pass-Through Authentication is a sign-in method that validates users' passwords directly against on-premises Active Directory. When a user signs in to Azure AD, their password is validated in real-time against the on-premises AD without storing any form of the password in the cloud.
Key characteristics of PTA:
- A lightweight authentication agent is installed on one or more on-premises servers.
- When a user signs in, Azure AD encrypts the password and places it in a queue. The on-premises agent picks up the request, decrypts the password, and validates it against Active Directory.
- The password is never stored in the cloud in any form—not even as a hash.
- PTA enforces on-premises Active Directory account policies in real time, including account disabled status, locked accounts, password expiration, and logon hour restrictions.
- PTA requires an always-available connection between the on-premises authentication agents and Azure AD.
- Microsoft recommends deploying at least 3 authentication agents for high availability.
- PTA agents communicate outbound on ports 80 and 443—no inbound ports need to be opened in the firewall.
How Password Hash Synchronization Works (Step by Step)
1. Azure AD Connect is installed and configured on an on-premises server joined to the Active Directory domain.
2. During synchronization, the PHS agent inside Azure AD Connect requests each user's password hash (the MD4-based NT hash held in the unicodePwd attribute) from a domain controller using the directory replication protocol (MS-DRSR), the same channel domain controllers use to replicate with each other. This is why the Azure AD Connect service account needs the Replicating Directory Changes and Replicating Directory Changes All permissions.
3. The 16-byte MD4 hash is expanded to 64 bytes (rendered as a 32-character hex string and re-encoded as UTF-16), a 10-byte per-user salt is added, and the result is run through PBKDF2 with HMAC-SHA256 for 1,000 iterations. The 32-byte output, together with the salt and the iteration count, is what gets transmitted; the MD4 hash itself is never sent.
4. The derived hash is sent to Azure AD over a secure HTTPS (TLS 1.2) connection.
5. Azure AD stores this derived hash and uses it to authenticate cloud sign-in requests.
6. The synchronization cycle repeats every 2 minutes, independent of the standard directory sync cycle (which runs every 30 minutes).
7. When a user signs in to an Azure AD-integrated service, Azure AD takes the submitted password, computes its MD4 hash, and repeats the salted PBKDF2 derivation using the stored salt and iteration count; if the result matches the stored value, authentication succeeds.
How Pass-Through Authentication Works (Step by Step)
1. A user attempts to sign in to an Azure AD-connected application.
2. Azure AD encrypts the user's password using the public key of the registered PTA agent(s).
3. The encrypted password is placed in a per-tenant queue in Azure AD.
4. An on-premises PTA agent polls this queue (via persistent outbound connection) and retrieves the encrypted password.
5. The agent decrypts the password using its private key.
6. The agent validates the username and password against on-premises Active Directory using the Win32 LogonUser API.
7. Active Directory evaluates the request and returns a response (success, failure, password expired, account locked, etc.).
8. The PTA agent relays this response back to Azure AD.
9. Azure AD completes or denies the sign-in based on the response.
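The nine steps above can be exercised with both sides of the exchange in one process. This is an added example written for this guide, not Microsoft's agent code: `Cloud` holds only the agents' public key and the per-tenant queue, `Agent` holds the private key and a stand-in for the Win32 `LogonUser` call, and the on-premises directory is a constructed table of four accounts (one normal, one disabled, one restricted by logon hours, one with an expired password). Textbook RSA with small generated primes stands in for the agents' registered key pair and for TLS and must not be reused as a cipher; the Win32 error names and numeric codes in the comments are the real ones, but the order in which Windows evaluates the account restrictions is not claimed here.

```python
"""Pass-Through Authentication exchange, both sides in one process (added
example, not Microsoft's agent code). Cloud holds only the agent's public key
and a queue; Agent holds the private key and a stand-in for Win32 LogonUser
run against a constructed directory. Textbook RSA with small generated primes
stands in for the agent's registered key pair and TLS; illustration only."""
import collections
import hashlib
import hmac
import math
import secrets


def _prime(bits):
    """Random probable prime (Fermat test to four bases is enough for a demo key)."""
    while True:                                    # odd candidate with the top bit set
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7)):
            return n


def rsa_keypair(bits=512):
    """Returns (n, e), (n, d): stand-in for the agent's registered key pair."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(public, password):
    m = int.from_bytes(password.encode("utf-8"), "big")
    if not 0 < m < public[0]:
        raise ValueError("toy RSA: password too long for the demo modulus")
    return pow(m, public[1], public[0])


def rsa_decrypt(private, ciphertext):
    m = pow(ciphertext, private[1], private[0])
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")


def _pw(password):   # stand-in for the unicodePwd comparison (AD keeps the MD4 NT hash)
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed on-premises directory. 'hours' is an allowed (start, end) hour
# window; real AD logonHours is a 168-bit weekly bitmap.
DIRECTORY = {
    "alice@contoso.com": dict(pw=_pw("Winter2024!"), disabled=False, expired=False, hours=(0, 24)),
    "bob@contoso.com":   dict(pw=_pw("Spring2024!"), disabled=True,  expired=False, hours=(0, 24)),
    "carol@contoso.com": dict(pw=_pw("Summer2024!"), disabled=False, expired=False, hours=(8, 18)),
    "dave@contoso.com":  dict(pw=_pw("Autumn2024!"), disabled=False, expired=True,  hours=(0, 24)),
}


def logon_user(directory, upn, password, hour):
    """Stand-in for LogonUser(LOGON32_LOGON_NETWORK): returns the Win32 error name
    the agent relays. Password first, so account state is not disclosed without it."""
    acct = directory.get(upn)
    if acct is None or not hmac.compare_digest(acct["pw"], _pw(password)):
        return "ERROR_LOGON_FAILURE"         # 1326: same for unknown user and bad password
    if acct["disabled"]:
        return "ERROR_ACCOUNT_DISABLED"      # 1331
    if not acct["hours"][0] <= hour < acct["hours"][1]:
        return "ERROR_INVALID_LOGON_HOURS"   # 1328
    if acct["expired"]:
        return "ERROR_PASSWORD_EXPIRED"      # 1330
    return "SUCCESS"


class Cloud:
    """Entra ID side: agent public key plus a per-tenant queue, never the private key."""
    def __init__(self, agent_public_key):
        self.agent_public_key, self.queue, self.results = agent_public_key, collections.deque(), {}

    def submit(self, upn, password):              # steps 2-3: encrypt for the agents, enqueue
        request_id = secrets.token_hex(8)
        self.queue.append({"id": request_id, "upn": upn,
                           "ciphertext": rsa_encrypt(self.agent_public_key, password)})
        return request_id

    def outcome(self, request_id):                # step 9: PENDING means no agent has answered
        return self.results.pop(request_id, "PENDING")


class Agent:
    """On-premises agent: outbound poll, decrypt, LogonUser, relay the result."""
    def __init__(self, private_key, directory):
        self.private_key, self.directory = private_key, directory

    def poll_once(self, cloud, hour):             # steps 4-8
        if not cloud.queue:
            return False
        req = cloud.queue.popleft()
        password = rsa_decrypt(self.private_key, req["ciphertext"])   # plaintext exists only here
        cloud.results[req["id"]] = logon_user(self.directory, req["upn"], password, hour)
        return True


def pta_sign_in(cloud, agent, upn, password, hour):
    request_id = cloud.submit(upn, password)
    agent.poll_once(cloud, hour)
    return cloud.outcome(request_id)
```

The design makes the three exam points concrete: a disabled account or a logon-hours violation is rejected on the very next request because the agent asks AD at that moment; the cloud side never has anything but ciphertext and a public key, so there is nothing in the queue that could be stored or cracked; and if no agent polls, the request simply stays `PENDING` and the sign-in fails, which is the availability trade-off that motivates running at least three agents.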
Key Differences Between PHS and PTA
Authentication Location:
- PHS: Authentication happens in Azure AD (cloud).
- PTA: Authentication happens in on-premises Active Directory.
Password Storage in Cloud:
- PHS: A derived hash of the password is stored in Azure AD.
- PTA: No password data is stored in Azure AD.
On-Premises Dependency at Sign-In:
- PHS: No dependency—users can sign in even if on-premises infrastructure is completely down.
- PTA: Dependent—if all authentication agents and on-premises AD are unavailable, users cannot sign in.
Enforcement of On-Premises Policies:
- PHS: Azure AD evaluates only what has been synchronized. A disabled account keeps signing in until the next directory sync cycle (every 30 minutes by default) writes the new accountEnabled state to the cloud; AD account lockout and logon-hour restrictions are not evaluated by Azure AD at all (cloud sign-ins are protected by Smart Lockout instead); and on-premises password expiration is not enforced in the cloud unless the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature is turned on.
- PTA: On-premises policies are enforced in real time at every sign-in.
Leaked Credential Detection:
- PHS: Supported—Microsoft Entra ID Protection can detect leaked credentials.
- PTA: Not natively supported without enabling PHS as well.
Infrastructure Requirements:
- PHS: Only requires Azure AD Connect.
- PTA: Requires Azure AD Connect plus one or more authentication agents on on-premises servers.
When to Use PHS
- The organization wants the simplest hybrid authentication setup.
- High availability and resilience are priorities (no on-premises dependency at sign-in).
- The organization wants to leverage leaked credential reports from Microsoft Entra ID Protection.
- The organization is migrating from AD FS and wants a simpler solution.
- There is no strict compliance requirement preventing password hashes from being stored in the cloud.
- PHS is recommended as a backup/fallback method even when using PTA or federation.
When to Use PTA
- The organization has a security or compliance requirement that prohibits storing password hashes in the cloud (even in hashed form).
- The organization needs real-time enforcement of on-premises account states (disabled accounts, logon hours, password expiration).
- The organization wants users to authenticate against on-premises AD but does not want to deploy AD FS infrastructure.
- PTA is a simpler alternative to AD FS for organizations that need on-premises authentication validation.
Common Scenarios Tested in the SC-300 Exam
1. Scenario: An organization needs to ensure that disabled accounts are immediately blocked from cloud sign-in.
Answer: Pass-Through Authentication (PTA) — PTA validates credentials in real time against on-premises AD, so a disabled account is immediately rejected.
2. Scenario: An organization wants the most resilient authentication method that works even during on-premises outages.
Answer: Password Hash Synchronization (PHS) — Since authentication occurs entirely in Azure AD, on-premises outages have no impact.
3. Scenario: An organization wants to detect compromised credentials using Microsoft Entra ID Protection.
Answer: Password Hash Synchronization (PHS) — Leaked credential detection requires PHS to be enabled.
4. Scenario: A company's security policy strictly prohibits any form of password data from being stored outside on-premises infrastructure.
Answer: Pass-Through Authentication (PTA) — No password data (not even a hash) is stored in Azure AD.
5. Scenario: An organization currently uses AD FS but wants to simplify infrastructure while still validating passwords on-premises.
Answer: Pass-Through Authentication (PTA) — It provides on-premises validation without the complexity of AD FS.
6. Scenario: The company wants both leaked credential detection AND real-time account policy enforcement.
Answer: Enable both PHS and PTA together. PTA handles sign-in with real-time enforcement, while PHS runs in the background for leaked credential detection.
Exam Tips: Answering Questions on Password Hash Synchronization and Pass-Through Authentication
1. Read the requirements carefully. Look for keywords like "no password stored in cloud" (PTA), "resilience" or "high availability" (PHS), "real-time enforcement" (PTA), and "leaked credentials" (PHS).
2. Remember that PHS and PTA can coexist. Enabling PHS alongside PTA is a Microsoft best practice: PHS serves as a backup (a manual switch of the sign-in method in Azure AD Connect, not an automatic failover) and enables leaked credential detection. If a question mentions needing BOTH real-time validation and leaked credential reports, the answer is to enable both.
3. Know the infrastructure requirements. PTA requires authentication agents on-premises with outbound connectivity. PHS only requires Azure AD Connect. Questions may describe limited infrastructure and expect you to choose the simpler option.
4. Understand the sync intervals. Password hashes sync every 2 minutes. This means PHS has a slight delay in reflecting password changes. If a question emphasizes immediate password change enforcement, PTA is the better choice.
5. Remember that PTA does NOT open inbound firewall ports. PTA agents make outbound connections only. If a question mentions firewall restrictions preventing inbound connections, PTA is still viable.
6. Know the high availability recommendations. Microsoft recommends at least 3 PTA agents for production environments. If a question asks about ensuring PTA availability, deploying multiple agents across different servers is the correct approach.
7. PHS enables Seamless SSO. Both PHS and PTA support Azure AD Seamless Single Sign-On for domain-joined devices on the corporate network. Don't confuse this with AD FS SSO.
8. Differentiate from Federation (AD FS). The exam may present scenarios comparing PHS, PTA, and AD FS. AD FS is the most complex but offers the most granular control (claims-based rules, smart card authentication, third-party MFA). PTA is a middle ground. PHS is the simplest.
9. Watch for trick answers. Some questions might imply that PHS sends plaintext passwords to the cloud; this is false. The password is hashed twice: MD4 in Active Directory, then salted PBKDF2-HMAC-SHA256 before transmission, and only the second result leaves the premises. Similarly, PTA does not store passwords in Azure AD even temporarily; the password, encrypted with the agents' public key, sits briefly in a queue and is not persisted, and Azure AD holds no key that could decrypt it.
10. Understand the Staged Rollout feature. Microsoft allows organizations to test PHS or PTA with selected groups of users before switching the entire domain. Exam questions may reference migrating from AD FS using staged rollout—know that this is a supported scenario.
11. Associate PHS with disaster recovery scenarios. If on-premises infrastructure fails, PHS ensures business continuity because authentication occurs in the cloud. This is a common exam scenario: "What authentication method ensures users can still sign in during a complete on-premises outage?" The answer is PHS.
12. Remember licensing considerations. Both PHS and PTA are included with Azure AD Free (Microsoft Entra ID Free). However, leaked credential detection requires Microsoft Entra ID P2 (Azure AD Premium P2). If a question asks about detecting compromised passwords, ensure both PHS is enabled AND the correct license is in place.
Summary
Password Hash Synchronization and Pass-Through Authentication are foundational hybrid identity concepts for the SC-300 exam. PHS offers simplicity and resilience by authenticating entirely in the cloud using a synchronized hash, while PTA offers real-time on-premises validation without storing any password data in Azure AD. The best practice is often to enable both together. By understanding their mechanics, differences, use cases, and the specific keywords that exam questions use, you can confidently identify the correct answer in any scenario-based question on this topic.