This chapter covers the three authentication methods for synchronizing identities from on-premises Active Directory to Microsoft Entra ID (formerly Azure AD): Password Hash Sync (PHS), Pass-Through Authentication (PTA), and Federation (AD FS). For the MS-102 exam, understanding the differences, use cases, and technical mechanisms of each is critical, as roughly 10-15% of Identity Access questions touch this topic. You must know when to choose each method, how they handle failures, and their security implications.
Think of a company's identity system as an international airport. Every employee is a passenger with a passport (their on-premises credential). When they want to enter a new country (cloud resources), they must go through immigration. There are three ways immigration can verify their identity.
Password Hash Sync (PHS) is like having a trusted courier who takes a photocopy of every passenger's passport and sends it ahead to the destination country's immigration database. When the passenger arrives, the local immigration officer simply pulls up the photocopy and matches the face to the photo. No need to call the home country. This is fast, always available, but the home country never knows the passenger has arrived unless the courier reports it.
Pass-Through Authentication (PTA) is like having a direct video call to the home country's immigration officer. When the passenger arrives, the local officer dials the home office, shows the passenger's face and passport, and waits for a 'yes' or 'no' from the home officer. The home country retains full control and knows exactly when each passenger arrives. However, if the video connection goes down, no one gets through — unless you have a backup courier (PTA with fallback to PHS).
Federation (AD FS) is like having a trusted agreement between two countries. The home country issues a special tamper-proof visa (SAML token) to the passenger before they travel. When they arrive, they just show the visa, and the local officer trusts it because the visa is signed with the home country's official seal (certificate). No real-time call needed, and the home country can revoke visas instantly. But setting up this trust requires complex negotiations (certificate exchanges) and expensive infrastructure (dedicated servers).
### Introduction to Authentication Methods for Hybrid Identity
Microsoft Entra ID supports three primary authentication methods for synchronizing on-premises Active Directory credentials to the cloud: Password Hash Sync (PHS), Pass-Through Authentication (PTA), and Federation (typically via Active Directory Federation Services – AD FS). Each method provides a different balance of security, complexity, and user experience. The MS-102 exam expects you to understand not only what each method does, but also the underlying mechanisms, configuration requirements, and troubleshooting steps.
### Password Hash Sync (PHS)
#### What It Is
Password Hash Sync is the simplest and most commonly used authentication method. It synchronizes a hash of the user's on-premises password from Active Directory to Microsoft Entra ID. When a user signs in to Microsoft 365, they enter the same password they use on-premises. Entra ID compares the hash of the entered password with the stored hash. If they match, authentication succeeds.
#### How It Works Internally
Password Change Detection: The Entra Connect sync engine monitors the Active Directory domain controller for password changes. It uses the DirSync password change notification mechanism. When a password is changed or set, the domain controller updates the unicodePwd attribute. The sync engine polls for changes every 3 minutes by default (configurable via the PasswordHashSyncInterval parameter).
Hash Extraction and Synchronization: The sync engine reads the password hash from the domain controller. It then applies a series of cryptographic transformations:
1. The MD4 hash of the password (as stored in AD) is first converted to UTF-16.
2. This hash is then hashed with SHA-256, and the result is base64-encoded.
3. The resulting string is salted with a per-user salt (a 10-byte random value) and hashed again with PBKDF2 (1000 iterations).
4. The final value is stored in Entra ID.
Sync Frequency: Password hashes are synchronized every 2 minutes (default) after a change is detected. The full sync cycle for all users occurs every 30 minutes by default.
Authentication Flow: When a user attempts to sign in to Microsoft 365:
1. The user enters their username and password.
2. Entra ID looks up the user's stored password hash.
3. It hashes the entered password using the same algorithm (including the salt and iterations).
4. If the hash matches, authentication succeeds; otherwise, it fails.
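The following PowerShell is an added illustration of the salted, iterated derivation and the cloud-side comparison described in the two lists above; it is not code from Entra Connect or from this guide's author. It takes the 16-byte MD4 hash that AD stores as input, expands it to UTF-16 and runs PBKDF2 with a 10-byte per-user salt and 1000 iterations (HMAC-SHA256 is assumed as the PBKDF2 pseudo-random function, and the uppercase hex expansion is an assumption; the intermediate SHA-256/base64 step listed above is folded into this simplification). The sample hash and salts are constructed values, not real credentials. It needs .NET Framework 4.7.2 or later (or PowerShell 7) for the `Rfc2898DeriveBytes` constructor that takes a hash algorithm name.

```powershell
# Added model of the PHS derivation (not Microsoft's implementation).
function ConvertTo-PhsHashModel {
    param(
        [Parameter(Mandatory)][byte[]]$NtHash,   # 16-byte MD4 value as stored in unicodePwd
        [Parameter(Mandatory)][byte[]]$Salt,     # 10-byte per-user random salt
        [int]$Iterations = 1000
    )
    if ($NtHash.Length -ne 16) { throw 'NT hash must be the 16-byte MD4 value stored in AD' }
    if ($Salt.Length -ne 10)   { throw 'Per-user salt must be 10 bytes' }

    # Expand the binary hash to a 32-character hex string, then to UTF-16LE bytes.
    # (Uppercase hex is an assumption of this model.)
    $hex      = -join ($NtHash | ForEach-Object { $_.ToString('X2') })
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($hex)

    # PBKDF2-HMAC-SHA256, 1000 iterations, 32-byte output: this derived value is what
    # the cloud keeps. Neither the password nor the raw NT hash is stored there.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $expanded, $Salt, $Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { return ,$kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

# Cloud-side check: re-derive from the presented hash with the stored salt and
# compare every byte (no early exit) so timing does not leak where the mismatch is.
function Test-PhsHashModel {
    param(
        [Parameter(Mandatory)][byte[]]$PresentedNtHash,
        [Parameter(Mandatory)][byte[]]$StoredSalt,
        [Parameter(Mandatory)][byte[]]$StoredHash
    )
    $candidate = ConvertTo-PhsHashModel -NtHash $PresentedNtHash -Salt $StoredSalt
    if ($candidate.Length -ne $StoredHash.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $candidate.Length; $i++) {
        $diff = $diff -bor ($candidate[$i] -bxor $StoredHash[$i])
    }
    return ($diff -eq 0)
}

# Constructed sample input (not a real hash). A real salt is generated per user.
$ntHash = [byte[]](1..16)
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$salt   = New-Object byte[] 10;  $rng.GetBytes($salt)
$salt2  = New-Object byte[] 10;  $rng.GetBytes($salt2)
$stored = ConvertTo-PhsHashModel -NtHash $ntHash -Salt $salt

"Correct hash accepted            : $(Test-PhsHashModel -PresentedNtHash $ntHash -StoredSalt $salt -StoredHash $stored)"
"Wrong hash rejected              : $(-not (Test-PhsHashModel -PresentedNtHash ([byte[]](2..17)) -StoredSalt $salt -StoredHash $stored))"
"Same hash, other salt, no match  : $(-not (Test-PhsHashModel -PresentedNtHash $ntHash -StoredSalt $salt2 -StoredHash $stored))"
```

The third line is the point of the per-user salt: two accounts with the same on-premises password produce different stored values, so a leaked cloud hash cannot be matched against a precomputed table or against another user's entry.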
#### Key Components and Defaults
Synchronization Interval: 2 minutes for password changes; 30 minutes for full sync.
Authentication Protocol: Modern applications use the standard OAuth 2.0 / OpenID Connect web sign-in flow; legacy clients that cannot use it fall back to the resource owner password credentials (ROPC) grant, which submits the password directly and therefore cannot satisfy MFA or Conditional Access prompts.
Password Writeback: PHS does not support password writeback by itself; you need to enable password writeback separately in Entra Connect.
Security: The actual password is never stored in the cloud; only the hash. The hash is not reversible to the original password.
#### Configuration and Verification
To configure PHS, run the Azure AD Connect wizard and select "Password Hash Synchronization" as the authentication method. You can verify sync status using:
```powershell
Get-ADSyncAADPasswordSyncConfiguration
```
Or, in the Entra admin center, navigate to Microsoft Entra Connect > Password hash sync to see the status.
### Pass-Through Authentication (PTA)
#### What It Is
Pass-Through Authentication validates user passwords directly against on-premises Active Directory without storing any password hash in the cloud. When a user signs in, Entra ID sends the credentials to an on-premises PTA agent, which validates them against the local DC and returns a success or failure response.
#### How It Works Internally
1. User Sign-In: The user enters their username and password on a Microsoft 365 sign-in page.
2. Credential Forwarding: Entra ID encrypts the password using the public key of the PTA agent (the agent's certificate). It sends the encrypted password along with the username to a Service Bus relay endpoint.
3. Agent Retrieval: The PTA agent (running on an on-premises server) polls the Service Bus relay for pending authentication requests. It retrieves the encrypted password and decrypts it using its private key.
4. Validation: The agent attempts to validate the username and password against the on-premises Active Directory using the Win32 LogonUser API (specifically, the LOGON32_LOGON_NETWORK logon type). This requires the agent to have network connectivity to a domain controller.
5. Response: The agent sends back a response (success or failure) to Entra ID via the same Service Bus relay. Entra ID then either issues a token or denies access.
#### Key Components and Defaults
PTA Agents: You must install at least one PTA agent on a Windows Server 2012 R2 or later (not a domain controller). Microsoft recommends at least three agents for high availability.
Service Bus: The communication between Entra ID and the agent uses Azure Service Bus (listener endpoint). The agent initiates outbound connections to Azure over TCP 443 and 5671.
Fallback: PTA can be configured to fall back to PHS if all agents are unavailable. This is done via the Entra Connect wizard.
Password Writeback: PTA supports password writeback if enabled separately.
Lockout Protection: Entra ID Smart Lockout counts failed sign-ins in the cloud. When its threshold (configurable) is set lower than the on-premises account lockout threshold, repeated incorrect passwords are rejected in the cloud before they are forwarded to the domain controller, so password guessing through the cloud endpoint cannot trip the on-premises lockout.
#### Configuration and Verification
To enable PTA, run the Azure AD Connect wizard and select "Pass-through authentication" as the sign-on method. You must also download and install the PTA agent on at least one server. Verify agent status using:
```powershell
Get-AADPassThroughAuthenticationAgent
```
Or, in the Entra admin center, go to Microsoft Entra Connect > Pass-through authentication to see the list of agents and their health.
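A preflight script for the agent host, added here as an example and not part of Microsoft's installer or of this guide: it checks the prerequisites listed in the section above (not a domain controller, Windows Server 2012 R2 or later, outbound TCP 443 and 5671, and a reachable domain controller for the LogonUser call). The Service Bus host name is a placeholder; the namespace an agent actually uses is tenant-specific and visible in the agent's configuration once installed. `login.microsoftonline.com` on 443 is checked as a known sign-in endpoint.

```powershell
# Added preflight check for a prospective PTA agent server (not Microsoft's code).
function Test-PtaAgentPrerequisites {
    param(
        # Placeholder: replace with the tenant's actual Service Bus relay host.
        [string]$ServiceBusHost = 'PLACEHOLDER-namespace.servicebus.windows.net',
        [int[]]$Ports = @(443, 5671)
    )
    $r = [ordered]@{}

    # 1. Not a domain controller. Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r['NotDomainController'] = ($cs.DomainRole -lt 4)
    $r['DomainJoined']        = [bool]$cs.PartOfDomain

    # 2. Windows Server 2012 R2 (NT 6.3) or later.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r['OsSupported'] = ([version]$os.Version -ge [version]'6.3')

    # 3. Outbound reachability. Agents only initiate outbound connections; no inbound rule is needed.
    foreach ($port in $Ports) {
        $r["Outbound_ServiceBus_$port"] = Test-NetConnection -ComputerName $ServiceBusHost -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    $r['Outbound_Login_443'] = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # 4. A domain controller must be reachable for LogonUser to validate credentials (LDAP 389 as a probe).
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
        $r['DomainControllerReachable'] = Test-NetConnection -ComputerName $dc -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    } catch {
        $r['DomainControllerReachable'] = $false
    }

    foreach ($k in $r.Keys) { if (-not $r[$k]) { Write-Warning "Prerequisite failed: $k" } }
    [pscustomobject]$r
}

Test-PtaAgentPrerequisites | Format-List
```

Run it on each server before installing the agent; a `False` on one of the outbound checks is the firewall or proxy problem described in the scenarios later in this chapter, and a `False` on `NotDomainController` means the agent must go on a different host.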
### Federation (AD FS)
#### What It Is
Federation establishes a trust relationship between Microsoft Entra ID and an on-premises identity provider (IdP), typically Active Directory Federation Services (AD FS). When a user signs in, they are redirected to the on-premises IdP for authentication. The IdP issues a SAML token that is then used to access cloud resources.
#### How It Works Internally
1. User Sign-In: The user attempts to access a Microsoft 365 resource. They are redirected to the Microsoft Entra ID sign-in endpoint.
2. Home Realm Discovery: Entra ID determines the user's federated domain (via the domain's federation configuration). It redirects the user to the on-premises AD FS server (the IdP).
3. Authentication: The user authenticates to AD FS using their on-premises credentials (password, smart card, MFA, etc.). AD FS validates the credentials against the local AD.
4. Token Issuance: AD FS issues a SAML 2.0 token containing claims (such as UPN, group memberships, etc.). The token is digitally signed using AD FS's token-signing certificate.
5. Token Exchange: The user's browser posts the SAML token to Entra ID. Entra ID validates the signature against the configured trust (the token-signing certificate must be uploaded to Entra ID). If valid, Entra ID issues a cloud access token (JWT) to the user.
#### Key Components and Defaults
AD FS Farm: At least two AD FS servers behind a load balancer for high availability.
WAP Servers: Web Application Proxy servers are required to proxy requests from the internet to AD FS. They must be placed in the DMZ.
Certificates: Token-signing and token-decrypting certificates are critical. They have a default validity of 1 year for token-signing (auto-renewed) and 1 year for token-decrypting.
Claims Rules: Transform incoming AD attributes into claims that Entra ID understands.
MFA: AD FS can integrate with on-premises MFA solutions (e.g., smart cards, Azure MFA via AD FS).
#### Configuration and Verification
To set up federation, run the Azure AD Connect wizard and select "Federation with AD FS" as the sign-on method. You must have AD FS infrastructure already deployed. Verify federation status using:
```powershell
Get-MsolDomainFederationSettings -DomainName contoso.com
```
Or, in the Entra admin center, check the domain's federation settings.
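Because an expired token-signing certificate breaks every federated sign-in, the check a defender wants is a scheduled report of certificate expiry and rollover state. The script below is an added example, not Microsoft's code or part of this guide; it runs on an AD FS server with the ADFS PowerShell module and uses `Get-AdfsCertificate` and `Get-AdfsProperties`. The 30-day warning threshold is a local choice.

```powershell
# Added monitoring snippet for AD FS certificate lifecycle (not Microsoft's code).
function Get-AdfsCertificateExpiryReport {
    param([int]$WarnDays = 30)   # local choice of warning window

    $props = Get-AdfsProperties
    $now   = Get-Date

    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($c in Get-AdfsCertificate -CertificateType $type) {
            $daysLeft = [int]($c.Certificate.NotAfter - $now).TotalDays
            $status   = if ($daysLeft -le 0)         { 'EXPIRED' }
                        elseif ($daysLeft -le $WarnDays) { 'WARN' }
                        else                         { 'OK' }
            [pscustomobject]@{
                Type         = $type
                IsPrimary    = $c.IsPrimary          # the secondary is the next cert during rollover
                Thumbprint   = $c.Thumbprint
                NotAfter     = $c.Certificate.NotAfter
                DaysLeft     = $daysLeft
                AutoRollover = $props.AutoCertificateRollover
                Status       = $status
            }
        }
    }
}

$report = Get-AdfsCertificateExpiryReport
$report | Format-Table -AutoSize

# Surface anything that needs action so a scheduled task can alert on it.
$report | Where-Object { $_.Status -ne 'OK' } |
    ForEach-Object { Write-Warning "$($_.Type) certificate $($_.Thumbprint) is $($_.Status) ($($_.DaysLeft) days left)" }
```

When auto-rollover is off, or whenever the primary token-signing certificate changes, the new certificate still has to reach Entra ID, as the section above notes; with the MSOnline module that is `Update-MsolFederatedDomain -DomainName <federated domain>` run from a machine that can reach the AD FS farm.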
### Interactions with Related Technologies
Seamless SSO: Both PHS and PTA can be combined with Seamless SSO. This enables users on domain-joined machines to automatically sign in without entering credentials. It uses Kerberos delegation to present a Kerberos ticket to Entra ID, which validates it.
Azure AD Connect: The tool that orchestrates synchronization and sets up the authentication method. The version must be 1.1.557.0 or later for PTA, and 1.1.614.0 or later for federation.
Password Writeback: Supported with PHS and PTA, but not with federation (password changes are handled on-premises).
### Choose Authentication Method
Before deploying, you must decide which method to use. The decision is based on requirements: PHS is simplest and requires no additional infrastructure. PTA is chosen when you cannot store password hashes in the cloud or need real-time validation against on-premises policies. Federation is for organizations that already have AD FS or need advanced claims, MFA integration, or smart card authentication. The MS-102 exam tests your ability to match requirements to the correct method.
### Install and Configure Azure AD Connect
Download and run the Azure AD Connect wizard. During installation, select the appropriate sign-on method. For PHS, simply check 'Password Hash Synchronization'. For PTA, select 'Pass-through authentication' and then install the PTA agent on a separate server. For federation, you need to have AD FS infrastructure ready and select 'Federation with AD FS'. The wizard will configure the trust and synchronization rules.
### Verify Synchronization and Authentication
After configuration, verify that users can sign in. For PHS, check that password hashes are syncing by running the PowerShell cmdlet `Get-ADSyncAADPasswordSyncConfiguration`. For PTA, check the agent health in the Entra admin center. For federation, test with a federated user by accessing a Microsoft 365 app and ensuring they are redirected to the on-premises AD FS login page.
### Plan for High Availability and Disaster Recovery
For PTA, deploy at least two agents on separate servers to avoid a single point of failure. For federation, deploy a load-balanced AD FS farm with WAP servers. Consider enabling PHS as a fallback for PTA in case all agents are down. For federation, ensure you have a backup token-signing certificate and a plan for certificate renewal. The exam often tests these high-availability requirements.
### Monitor and Troubleshoot
Use the Microsoft Entra Connect Health tool to monitor the health of your authentication infrastructure. For PHS, check sync errors. For PTA, monitor agent connectivity and event logs. For federation, monitor AD FS logs and performance. Common issues include certificate expiration (federation), agent communication failures (PTA), and sync delays (PHS). The exam expects you to know the troubleshooting steps for each.
### Real-World Enterprise Scenarios
#### Scenario 1: Large Enterprise with Regulatory Compliance
A multinational bank with 50,000 employees cannot store password hashes in the cloud due to regulatory requirements. They choose Pass-Through Authentication to validate passwords directly against on-premises Active Directory. They deploy four PTA agents across two data centers for high availability. The agents are installed on dedicated Windows Server 2019 VMs (not domain controllers) with outbound internet access via a firewall. They enable Seamless SSO for a better user experience on domain-joined machines. The challenge is that the agents must maintain persistent outbound connections to Azure Service Bus; if the firewall blocks long-lived connections, authentication fails. They configure firewall rules to allow outbound TCP 443 and 5671. They also enable fallback to PHS (with hash sync enabled) so that if all agents are unreachable, users can still authenticate using cached hashes. In production, they see an average authentication latency of 500ms, which is acceptable. Misconfiguration of the Service Bus endpoint (e.g., proxy settings) is a common issue that leads to agent disconnection.
#### Scenario 2: Merger of Two Companies with Different Identity Systems
Company A uses PHS and Company B uses AD FS. They merge and need a unified authentication method. The decision is to move to PTA because it provides real-time validation and avoids the complexity of federation. During the transition, they run both methods simultaneously for different user groups by configuring domain-level authentication methods. They use Azure AD Connect to synchronize both on-premises forests and set the authentication method per domain. This requires careful planning of UPN suffixes and domain federation settings. The most common problem is that users from the AD FS domain cannot sign in after changing to PTA because their password hashes are not synced yet. They use the Set-MsolDomainAuthentication cmdlet to switch domains. The exam tests this scenario: you must know that you can have different authentication methods for different domains in the same tenant.
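The per-domain switch in this scenario, written out as an added example (not Microsoft's code or this guide's own): it lists each verified domain's current authentication type with `Get-MsolDomain` and converts one federated domain to managed with `Set-MsolDomainAuthentication`, the cmdlet named above. It needs the MSOnline module and an administrator sign-in; `companyb.example` is a placeholder domain name.

```powershell
# Added example: inspect and change authentication per domain (not Microsoft's code).
Connect-MsolService

function Get-DomainAuthSummary {
    # Authentication is 'Managed' (PHS or PTA) or 'Federated' (AD FS) per domain.
    Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } |
        Select-Object Name, Authentication, IsDefault
}

function ConvertTo-ManagedDomain {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DomainName)

    $d = Get-MsolDomain -DomainName $DomainName
    if ($d.Authentication -ne 'Federated') {
        Write-Verbose "$DomainName is already Managed; nothing to do"
        return $d
    }

    # Precondition from the scenario: this domain's users must already have password
    # hashes synced (PHS) or a healthy PTA agent, otherwise they cannot sign in afterwards.
    if (-not $PSCmdlet.ShouldContinue("Switch $DomainName from Federated to Managed?", 'Confirm')) {
        return $d
    }

    # Entra ID now validates this domain's users itself instead of redirecting to AD FS.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

    # Re-read so the caller can confirm the Authentication value actually changed.
    Get-MsolDomain -DomainName $DomainName
}

Get-DomainAuthSummary | Format-Table -AutoSize
ConvertTo-ManagedDomain -DomainName 'companyb.example' -Verbose
```

The two reads around the change are deliberate: the first shows you are changing the domain you intend to (mixed tenants have several), and the second confirms the new value before users are told to sign in again.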
#### Scenario 3: Healthcare Provider with Smart Card Authentication
A hospital with 10,000 employees requires smart card authentication for accessing electronic health records. They choose federation with AD FS because it supports certificate-based authentication. They deploy an AD FS farm with two servers and two WAP servers in the DMZ. They configure claims rules to issue the employee ID as a claim. The challenge is certificate lifecycle management: the token-signing certificate expires every year, and if not renewed before expiry, all federated authentication fails. They set up automatic certificate renewal using Azure AD Connect and monitor with alerts. The exam often tests that federation is required for smart card or certificate-based auth, and that PHS/PTA cannot support that.
### MS-102 Exam Focus: Identity Access Objective 2.2
The MS-102 exam tests your ability to compare and contrast the three authentication methods, especially in scenario-based questions. Here is exactly what you need to know:
Objective Codes: This falls under "Implement and manage identity and access" -> "Plan and implement identity synchronization" -> "Choose an authentication method".
Common Wrong Answers:
1. Choosing PHS when the requirement is 'real-time validation against on-premises policies'. PHS does not validate in real time; it uses a stored hash. The correct answer is PTA or federation.
2. Choosing federation when the requirement is 'simplest deployment'. Federation is the most complex; PHS is simplest.
3. Thinking PTA stores passwords in the cloud. It does not; it validates on-premises and no hash is stored.
4. Believing PHS cannot be used with Seamless SSO. It can; both PHS and PTA support Seamless SSO.
Specific Numbers and Terms:
PTA requires at least one agent (recommended three).
Federation requires AD FS and WAP servers.
PHS syncs password hashes every 2 minutes (change) and 30 minutes (full).
PTA uses Service Bus on TCP 443 and 5671.
The cmdlet Set-MsolDomainAuthentication is used to change authentication method for a domain.
Edge Cases:
If a user's password is changed on-premises, PHS syncs the new hash within 2 minutes. But if the user tries to sign in before sync, they will fail with the old password. This is a common exam scenario.
PTA agents must not be installed on a domain controller. The exam may test this constraint.
Federation requires that the token-signing certificate is uploaded to Entra ID. If it expires, all federated users cannot sign in.
How to Eliminate Wrong Answers:
If the question mentions 'no additional infrastructure', eliminate federation and PTA (which need agents/servers).
If it mentions 'real-time password validation', eliminate PHS.
If it mentions 'smart card authentication', only federation supports it.
If it mentions 'password writeback', note that PHS and PTA support it, but federation does not (password changes are handled on-premises).
Use the underlying mechanism: PHS is offline validation; PTA is online validation with a proxy; federation is redirect-based validation with a third-party IdP. Match the scenario to the mechanism.
PHS is the simplest method and should be chosen unless specific requirements demand PTA or federation.
PTA validates passwords in real-time against on-premises AD, requiring at least one agent (recommended three for HA).
Federation with AD FS is required for smart card or certificate-based authentication.
PHS and PTA both support Seamless SSO and password writeback; federation does not support password writeback.
Password hash sync interval is 2 minutes for changes; full sync every 30 minutes.
PTA agents must not be installed on domain controllers and need outbound TCP 443 and 5671 to Azure.
You can mix authentication methods per domain in the same tenant using Set-MsolDomainAuthentication.
Federation relies on token-signing certificates; if expired, all federated sign-ins fail.
These come up on the exam all the time. Here's how to tell them apart.
| Password Hash Sync | Pass-Through Authentication |
|---|---|
| Stores password hash in Entra ID (not plaintext). | No password hash stored in cloud. |
| No additional on-premises infrastructure required. | Requires at least one PTA agent on a member server. |
| Simplest to deploy and maintain. | More complex deployment than PHS. |
| Cannot enforce on-premises password policies at sign-in (e.g., account lockout). | Validates against on-premises AD in real-time, enforcing lockout policies. |
| Password changes synced every 2 minutes. | Requires outbound connectivity from agents to Azure Service Bus. |

| Pass-Through Authentication | Federation (AD FS) |
|---|---|
| No additional servers beyond PTA agents. | Requires AD FS farm and WAP servers. |
| Uses Azure Service Bus for communication. | Uses SAML 2.0 tokens. |
| Supports Seamless SSO with Kerberos. | Supports Seamless SSO via Kerberos (but complex). |
| Cannot support smart card or certificate-based authentication. | Supports smart card, certificate, and third-party MFA. |
| Simple claims handling (only basic attributes). | Full claims-based identity with customizable rules. |
| Mistake | Correct |
|---|---|
| Password Hash Sync stores actual passwords in the cloud. | PHS stores only a cryptographic hash of the password, not the plaintext password. The hash is salted and iteratively hashed, making it computationally infeasible to reverse. |
| Pass-Through Authentication requires the password to be sent in plaintext over the internet. | The password is encrypted using the PTA agent's public key before being sent over the Azure Service Bus. It is decrypted only on the on-premises agent. |
| Federation with AD FS is required for Single Sign-On (SSO). | Seamless SSO works with both PHS and PTA, providing SSO without federation. Federation is only needed for advanced scenarios like smart card auth. |
| You can only use one authentication method per tenant. | You can configure different authentication methods for different domains in the same tenant. For example, domain1.com can use PHS while domain2.com uses federation. |
| PTA agents must be installed on a domain controller. | PTA agents must NOT be installed on a domain controller. They should be installed on a member server with network access to a domain controller. |
PHS synchronizes a hash of the password to Entra ID, allowing authentication without contacting on-premises AD. PTA validates passwords directly against on-premises AD in real-time, without storing any hash in the cloud. PHS is simpler and more resilient to network outages, but PTA enforces on-premises password policies and lockout. Choose PHS when simplicity and high availability are key; choose PTA when you cannot store hashes in the cloud or need real-time validation.
Yes, Seamless SSO works with both PHS and PTA. It uses Kerberos delegation to automatically sign in users on domain-joined machines. For PTA, the Seamless SSO component is installed on the PTA agent servers. The user's machine presents a Kerberos ticket to Entra ID, which validates it against the on-premises AD. This provides a silent sign-in experience without prompting for credentials.
Yes, PTA agents require outbound connectivity to Azure Service Bus over TCP 443 and 5671. They initiate outbound connections to specific Azure data center IP ranges. No inbound ports are required. The agents must be able to resolve the Service Bus endpoint (servicebus.windows.net). If the network uses a proxy, the agent supports proxy configuration via the `ConfigureProxy.ps1` script.
If no PTA agent is available, authentication fails unless you have enabled fallback to PHS. During Azure AD Connect configuration, you can select 'Enable fallback to password hash sync' for PTA. If enabled, when all agents are unreachable, Entra ID will use the stored password hash (if synced) to authenticate users. This provides a disaster recovery option but requires that PHS is also enabled.
Yes, you can switch authentication methods using Azure AD Connect. Run the wizard again and change the sign-on method. The switch is seamless because the user's UPN and domain remain the same. However, during the transition, ensure that both methods are configured correctly. For PTA, install agents before switching. The switch may cause a brief authentication interruption while the change propagates.
Yes, federation with AD FS requires at least two AD FS servers (for high availability) and two Web Application Proxy (WAP) servers in the DMZ. You also need a load balancer. This infrastructure adds significant complexity and cost. The exam tests that federation is only recommended when you have specific requirements like smart card authentication or existing on-premises IdP.
Password hashes are synchronized every 2 minutes after a password change is detected. A full synchronization of all passwords occurs every 30 minutes. The sync interval can be configured using the `Set-ADSyncAADPasswordSyncConfiguration` PowerShell cmdlet. The exam may ask for these default values.