Recent days you might have heard passthrough authentication is a better solution compared to Active Directory Federation Services (ADFS) and all companies are moving towards ADFS as it is less complex and easy to configure and maintain, is that Trus? Can I migrate to passthrough authentication? what are the difference and advantage over ADFS, is there any limitation which needs to be considered while moving to passthrough authentication?
Also Read: Configure Multi-Factor Authentication on ADFS (Globally or relying party trust)
As said passthrough authentication is easy to configure and maintain, however you need to know a couple of points before selecting which one suits for your environment
Also Read: ADFS 2016 failing to add secondary members to the farm with missing SPN error
Will start with a good one: passthrough authentication Advantage
Seamless Single Sign-on: passthrough authentication provides Seamless Single Sign-on if the user connected to their company network with Domain joined workstations, no need to enter the password as it takes it from a users login session
Easy to Manage: passthrough authentication is less complex and no need to have highly available and redundant AD FS farm like expensive load-balancer, no need to have a complex certificate infrastructure which reduces the management cost
Reduce Risk: passthrough authentication uses the Conditional Access policies on Azure AD, which replace the complex custom claims issuance rules in ADFS
Secure: No need to open any additional firewall ports as the Authentication users the HTTPS and only outbound communication which product from security attacks (no inbound communication required)
Login logs: Azure sign-in logs can be used for audit reporting and tracking
Also Read: Can we Replace on-premise Domain Controller with Cloud-based Active Directory
Passthrough Authentication Disadvantage
3rd party MFA: 3rd party multi-factor authentication (MFA) can’t be used, only supports Azure AD managed MFA solutions
Certificate-based authentication: Your existing secure certificate-based authentication can’t be used
ADFS Lock-out: Extranet Lock-out feature from ADFS can’t be used, Azure AD Smart Lock-out feature can be used and it requires Azure AD Premium licenses
Monitoring capabilities: Azure AD Connect Health agent can’t be used, this is very useful for troubleshooting the Azure sync issues
Even Azure AD Connect Health for Active Directory Domain Services can’t be used this is used to monitor the Domain Controllers
3rd party Application: legacy 3rd party application still requires ADFS, which won’t support passthrough authentication
3rd party applications need to be integrated through Azure AD
Also Read: Compare primary and staging Azure AD connect (AADC) sync servers
Hope this will give some idea to understand and make your decision
Also Read: Active Directory 2016 New Features