Hybrid Identity

Authentication Methods: PHS, PTA & Federation

30 mins

Understanding the Concept

Password Hash Synchronization (PHS) syncs a hash of the on-premises password hash to Entra ID. Users authenticate directly against the cloud with the same password. PHS is the simplest method, provides the best availability, and enables leaked credential detection via Identity Protection.

Pass-Through Authentication (PTA) validates passwords directly against on-premises AD in real time. Each authentication request is forwarded to PTA agents running on-premises. PTA ensures on-premises password policies and account states are enforced immediately.

Federation with AD FS delegates authentication entirely to on-premises infrastructure. This provides the most control but is the most complex. Microsoft is actively guiding customers to migrate from AD FS to PHS or PTA for simplicity and security.

Key Points

  • PHS: Hash of hash synced to cloud, simplest, enables leak detection
  • PTA: Real-time validation against on-prem AD, enforces AD policies
  • Federation (AD FS): Full on-prem auth, most complex, being deprecated
  • Seamless SSO: Automatic sign-in from domain-joined devices (with PHS/PTA)
  • Staged rollout: Migrate users from federation to PHS/PTA in groups

Authentication Method Comparison

  • PHS: Password hash synced → user authenticates against cloud
  • PTA: Auth request forwarded → validated against on-prem AD in real time
  • Federation: User redirected → AD FS handles entire authentication
  • Seamless SSO: Kerberos ticket exchange → transparent sign-in on domain PCs

Why This Matters in Real Organizations

Choosing the right hybrid authentication method impacts security, availability, and user experience. PHS is recommended by Microsoft as the default due to its simplicity and enabling of Identity Protection. Organizations on AD FS should plan migration to reduce complexity and attack surface.

Common Mistakes to Avoid

  • Choosing PTA when PHS would be more appropriate for the scenario
  • Not deploying multiple PTA agents for high availability
  • Remaining on AD FS without a migration plan
  • Not enabling Seamless SSO alongside PHS or PTA

Interview Tips

  • Compare all three methods with clear recommendation criteria
  • Explain when PTA is preferred over PHS (compliance, immediate lockout)
  • Discuss AD FS migration strategies using staged rollout

Exam Tips (SC-300)

  • Know the advantages of each method and Microsoft's recommendation
  • Understand staged rollout for federation migration
  • Know that PHS enables Identity Protection leak detection
