Setup Hybrid Azure AD Join – Part 1

In addition to users, device identities can be managed by Azure Active Directory as well, event if they are already managed by your on-premise network. This two part series will walk you throught the step to allow your devices to be both on-premise and Azure active directory joined, otherwise known as hybrid Azure ad join. Part 1 and 2 are listed below. This post will step you through configuring pass-through authentication.

  1. Configure Pass-through authentication
  2. Setup Hybrid Azure AD Join

Configure Pass-Through Authentication

Pass-through authentication (PTA) allow users to use the same password to connect with their organizations network and Azure cloud applications. For more info on PTA click here


  • Install the latest version of AD Connect (
  • Install AD Connect on Windows Server 2012 R2 or later
  • Authentication Agents need access to
  • Whitelist connections to:
    • *
    • *

Steps to configure pass-through authentication

After installing AD Connect, the configuration screen will open, click Customize.

Accept the defaults on this page and click Install. SQL express will be install which support 100,000 users. Install SQL 2016 or higher to support more than 100,000 users.

Select Pass-Through Authentication

Use your Azure AD global administrator credential to login. Enter your username and password.

Select the first option to create a new AD account. This will require your on-premise enterprise admin account. This account will be used for periodic synchronization.

Click Add Directory for synchronization

The UPN domains present in your organization AD which have been verified in Azure AD. You can also use this page to configure the attribute to use for the userPrincipalName.

Select the OU’s that you would like to synchronize.

Select how users should be identified in your on-premises directories. You can leave the defaults.

Select which users and devices to synchronize.

Select optional features if desired.

On the ready to configure page, select start the synchronization process when configuration completes.

A successful configuration page.

This process will install the first authentication agent. To validate the process, login to Azure and confirm that the Sync Status is “enabled” and that pass-through authentication is “enabled”.


One thought on “Setup Hybrid Azure AD Join – Part 1

  1. Hi,
    interesting blog post. Why do you enable first pass-through authentication and not Password Hash Sync before configuring Setup Hybrid Azure AD Join? Is Pass-through authentication a requirement for Hybrid Azure AD Join?

    Kind Regards